On 2020/6/15 15:47, Richard Palethorpe wrote:
> It is possible to cause a division error and use-after-free by querying the
> nmem device before the driver data is fully initialised in nvdimm_probe. E.g
> by doing
>
> (while true; do
>     cat /sys/bus/nd/devices/nmem*/available_slots 2>&1 > /dev/null
> done) &
>
> while true; do
>     for i in $(seq 0 4); do
>         echo nmem$i > /sys/bus/nd/drivers/nvdimm/bind
>     done
>     for i in $(seq 0 4); do
>         echo nmem$i > /sys/bus/nd/drivers/nvdimm/unbind
>     done
> done
>
> On 5.7-rc3 this causes:
[snipped]
>
> This can be prevented by setting the driver data after initialisation is
> complete.
>
> Fixes: 4d88a97aa9e8 ("libnvdimm, nvdimm: dimm driver and base libnvdimm
> device-driver infrastructure")
> Cc: Dan Williams <dan.j.willi...@intel.com>
> Cc: Vishal Verma <vishal.l.ve...@intel.com>
> Cc: Dave Jiang <dave.ji...@intel.com>
> Cc: Ira Weiny <ira.we...@intel.com>
> Cc: linux-nvd...@lists.01.org
> Cc: linux-kernel@vger.kernel.org
> Cc: Coly Li <col...@suse.com>
> Signed-off-by: Richard Palethorpe <rpaletho...@suse.com>

Reviewed-by: Coly Li <col...@suse.de>

Thanks.

Coly Li

> ---
>
> V2:
> + Reviewed by Coly and removed unnecessary lock
>
>  drivers/nvdimm/dimm.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/nvdimm/dimm.c b/drivers/nvdimm/dimm.c > index 7d4ddc4d9322..3d3988e1d9a0 100644 > --- a/drivers/nvdimm/dimm.c > +++ b/drivers/nvdimm/dimm.c > @@ -43,7 +43,6 @@ static int nvdimm_probe(struct device *dev) > if (!ndd) > return -ENOMEM; > > - dev_set_drvdata(dev, ndd); > ndd->dpa.name = dev_name(dev); > ndd->ns_current = -1; > ndd->ns_next = -1; > @@ -106,6 +105,8 @@ static int nvdimm_probe(struct device *dev) > if (rc) > goto err; > > + dev_set_drvdata(dev, ndd); > + > return 0; > > err: >
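Review bot: With the early `dev_set_drvdata(dev, ndd);` removed in the first hunk (`@@ -43,7 +43,6 @@`), a sysfs reader that races with probe, such as the `available_slots` reader in the commit message, now gets NULL from `dev_get_drvdata()` instead of a partially initialised `ndd`; please confirm that every show function on the nmem device tolerates a NULL drvdata (returning an error rather than dereferencing it), and that the cleanup under the `err:` label does not itself rely on `dev_get_drvdata(dev)` now that the pointer is unset for the whole failure path.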
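Review bot: The second hunk (`@@ -106,6 +105,8 @@`) publishes `ndd` with a plain `dev_set_drvdata(dev, ndd);` store after the initialisation writes, which is correct only if concurrent readers are ordered against those writes; since the V2 note says a lock was removed, the commit message should state what makes the late store sufficient (for example, that the sysfs readers serialise against probe through the device lock), otherwise a reader on a weakly ordered CPU could still observe the pointer before the earlier stores to `*ndd`, and an `smp_store_release()`/`READ_ONCE()` pairing or the lock would be needed.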