A local syzkaller issue shows that rapidly triggering floppy ioctls
can cause a race condition between the interrupt handler and the workqueue,
leading to a NULL pointer dereference.
A valid context pointer () is overwritten with NULL between
a work item being scheduled and its execution.
This fix introduces a spinlock floppy_lock This lock protects all reads
and writes to the shared floppy_work_fn and cont global variables.
Tested in a qemu instance using crepro by syzkaller
Signed-off-by: Kevin Paul Reddy Janagari <kevinpaul468@gmail.com>
---
drivers/block/floppy.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
index 24be0c2c4075..3a1c8b204912 100644
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -992,7 +992,16 @@ static void (*floppy_work_fn)(void);
static void floppy_work_workfn(struct work_struct *work)
{
- floppy_work_fn();
+ void (*handler)(void);
+ unsigned long flags;
+
+ spin_lock_irqsave(&floppy_lock, flags);
+ handler = floppy_work_fn;
+
+ spin_unlock_irqrestore(&floppy_lock, flags);
+
+ if (handler)
+ handler();
}
static DECLARE_WORK(floppy_work, floppy_work_workfn);
--
2.39.5