From 4e2d5c3e469a5631f0d72412db10d0743d55c7d8 Mon Sep 17 00:00:00 2001 From: Cen Zhang Date: Mon, 4 May 2026 11:28:53 +0800 Subject: [PATCH] floppy: select FDC before arming timeout work floppy_shutdown() uses current_fdc to choose which controller state to mark for reset when fd_timeout expires. lock_fdc() currently arms that timeout before set_fdc() has selected the drive/FDC and updated current_drive/current_fdc. drive_params[drive].timeout is user configurable, so the timeout can be immediate. Even with a non-zero timeout, a delayed caller can leave the timeout work running while set_fdc() is still testing fdc_state[fdc].rawcmd and updating the adjacent reset bitfield. The timeout can then use stale selected-controller state or race the reset bitfield update. Move the timeout arm after set_fdc() in lock_fdc(), and keep the same ordering for the direct floppy_queue_rq() path. This ensures fd_timeout cannot run until the selected-controller state describes the operation being timed. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Cen Zhang Reviewed-by: Denis Efremov (Oracle)
---
 drivers/block/floppy.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
index 0509746f8aed0..ec85883e45a06 100644
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -892,8 +892,8 @@ static int lock_fdc(int drive)
 command_status = FD_COMMAND_NONE;
- reschedule_timeout(drive, "lock fdc");
 set_fdc(drive);
+ reschedule_timeout(drive, "lock fdc");
 return 0;
 }
@@ -2872,8 +2872,8 @@ static blk_status_t floppy_queue_rq(struct blk_mq_hw_ctx *hctx,
 spin_unlock_irq(&floppy_lock);
 command_status = FD_COMMAND_NONE;
- __reschedule_timeout(MAXTIMEOUT, "fd_request");
 set_fdc(0);
+ __reschedule_timeout(MAXTIMEOUT, "fd_request");
 process_fd_request();
 is_alive(__func__, "");
 return BLK_STS_OK;
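Review bot: The call order in lock_fdc() is now load-bearing, but nothing at the call site says so, and the same is true of the `set_fdc(0)` / `__reschedule_timeout()` pair in the floppy_queue_rq() hunk, so a later cleanup could swap the calls back. A comment above `set_fdc(drive);` would pin it, for example `/* Select the FDC first: floppy_shutdown() reads current_fdc when fd_timeout fires. */`. Separately, the reorder only covers the timer armed here. Because drive_params[drive].timeout is user configurable, a timeout left pending by an earlier holder could presumably still run while set_fdc() updates the reset bitfield, so it is worth confirming that the release path cancels fd_timeout before fdc_busy is dropped. lock_fdc() begins above the hunk, so the locking that precedes these lines is not visible.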
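Review bot: In floppy_queue_rq() the controller selected before the timeout is armed is always drive 0 (`set_fdc(0);`), so current_fdc matches the request being timed only if that request targets the same FDC or a later step re-selects the controller before fd_timeout can fire. The commit message states that the selected-controller state describes the operation being timed, which this hunk alone does not establish for a request on another controller. If process_fd_request() does re-select the real drive and re-arm the timeout, a short comment above `set_fdc(0);` saying so would make the guarantee checkable. The function starts before the hunk and continues past it, so the request's drive is not visible here.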