Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp4174264pxb; Mon, 8 Feb 2021 09:36:45 -0800 (PST) X-Google-Smtp-Source: ABdhPJzUSsVVRmqc/PQpUViEnmwzqCeAC5K7om5UCCodcBtuZYtlNdl4oL6mUWdfmk1io3hcHzZ9 X-Received: by 2002:a2e:a312:: with SMTP id l18mr4505844lje.490.1612805802903; Mon, 08 Feb 2021 09:36:42 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1612805802; cv=none; d=google.com; s=arc-20160816; b=IWVPEnximsjayH6s6ybKv2hPScsR9eQZCjdPlC+SsIwlU94Pd9Kf4hDDhrsht8usVr hMiTYTvfgZ8KQjeNuRjaiyDoEHo4aqROJRkoj6lfwbn4mJKr+5zFrb97NloWFivQnXBe SfpDAH0b/WKCr7nVE3YjwzfAThf4k8FQXt9n0MwUJ7+SZ769RIIyRdaEtGG51IeSUpVp sGJT4P4MoGSJCfB6HDgBFzPDz3wkxJwtKqNk5GoC85bFWoqfEK+UEYoNFoZoMkzH1FuD mN9BsfRmMjFa3kru4fgN+WA33+ifR46ksQp13IRS3ylths+jcRWpTx8djWMcvTQcFA3Y pvNA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=GYDO4QqpdZyLA3A6+Wgsq/s3UvOADDaAaeox/qSl9KU=; b=LRt1ZF/xCbO67XmXB4FZDsc/ysPVpccNp3Xo1Yj04nLcGzSU7oizDg3lLPZsYxuNC4 RW0cMmp14G731RbcKBiPh+VGyA7/azJHaIVht3y144qiV/f1f+Ko89Gb3a9RtOycVmxI kgiwuoj8dWLs+/Y/bvbIgEzc4XEjSPROgm73tAMTyCCvL7lL2t3PpFt/+/HMXEgsbCkg 6Xso0n+41iqSv7FgsBGL3BeHJNDzIfYe+5kGfiONI6t4U3pjf93OHFrZ3Y/pp5huL75s OPJb0XXP9elRnBK9L7TGT3j/yLY5I2ItPu1An454QvSWwvwGmWT/hhd1QwG2/efvI8aV Dj1g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=sUKaszj7; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id x21si11076655edv.185.2021.02.08.09.36.17; Mon, 08 Feb 2021 09:36:42 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=sUKaszj7; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234513AbhBHReH (ORCPT + 99 others); Mon, 8 Feb 2021 12:34:07 -0500 Received: from mail.kernel.org ([198.145.29.99]:37828 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233618AbhBHP3o (ORCPT ); Mon, 8 Feb 2021 10:29:44 -0500 Received: by mail.kernel.org (Postfix) with ESMTPSA id E7A3B64F2D; Mon, 8 Feb 2021 15:16:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1612797402; bh=2Wn2QtIPTcMY8mV8M/ua3sUQdAnq+iKCTTApCEh63Ms=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=sUKaszj7tBvEJVI7SyKrkFbq5biKB320JF5sSlNFXA1NTIC4y81dcZG+wuRPDV7zG PUPyreAubTdzuuZ0y8JAcKUH302N3LK3h8Qcf4Jl633FGRXY8zbm4OwGk2oAEnqqbU qqfUvg/k8er8G4mmZMrwAob1sKV87ceftJdddGV4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Vishal Verma , Dave Jiang , Ira Weiny , Coly Li , Richard Palethorpe , Dan Williams Subject: [PATCH 5.10 065/120] libnvdimm/dimm: Avoid race between probe and available_slots_show() Date: Mon, 8 Feb 2021 16:00:52 +0100 Message-Id: <20210208145821.016000283@linuxfoundation.org> X-Mailer: git-send-email 2.30.0 In-Reply-To: <20210208145818.395353822@linuxfoundation.org> References: <20210208145818.395353822@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Dan Williams commit 7018c897c2f243d4b5f1b94bc6b4831a7eab80fb upstream. Richard reports that the following test: (while true; do cat /sys/bus/nd/devices/nmem*/available_slots 2>&1 > /dev/null done) & while true; do for i in $(seq 0 4); do echo nmem$i > /sys/bus/nd/drivers/nvdimm/bind done for i in $(seq 0 4); do echo nmem$i > /sys/bus/nd/drivers/nvdimm/unbind done done ...fails with a crash signature like: divide error: 0000 [#1] SMP KASAN PTI RIP: 0010:nd_label_nfree+0x134/0x1a0 [libnvdimm] [..] Call Trace: available_slots_show+0x4e/0x120 [libnvdimm] dev_attr_show+0x42/0x80 ? memset+0x20/0x40 sysfs_kf_seq_show+0x218/0x410 The root cause is that available_slots_show() consults driver-data, but fails to synchronize against device-unbind setting up a TOCTOU race to access uninitialized memory. Validate driver-data under the device-lock. Fixes: 4d88a97aa9e8 ("libnvdimm, nvdimm: dimm driver and base libnvdimm device-driver infrastructure") Cc: Cc: Vishal Verma Cc: Dave Jiang Cc: Ira Weiny Cc: Coly Li Reported-by: Richard Palethorpe Acked-by: Richard Palethorpe Signed-off-by: Dan Williams Signed-off-by: Greg Kroah-Hartman --- drivers/nvdimm/dimm_devs.c | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) --- a/drivers/nvdimm/dimm_devs.c +++ b/drivers/nvdimm/dimm_devs.c @@ -335,16 +335,16 @@ static ssize_t state_show(struct device } static DEVICE_ATTR_RO(state); -static ssize_t available_slots_show(struct device *dev, - struct device_attribute *attr, char *buf) +static ssize_t __available_slots_show(struct nvdimm_drvdata *ndd, char *buf) { - struct nvdimm_drvdata *ndd = dev_get_drvdata(dev); + struct device *dev; ssize_t rc; u32 nfree; if (!ndd) return -ENXIO; + dev = ndd->dev; nvdimm_bus_lock(dev); nfree = nd_label_nfree(ndd); if (nfree - 1 > nfree) { @@ -356,6 +356,18 @@ static ssize_t available_slots_show(stru nvdimm_bus_unlock(dev); return rc; } + +static ssize_t available_slots_show(struct device *dev, + struct device_attribute *attr, char *buf) +{ + ssize_t rc; + + nd_device_lock(dev); + rc = __available_slots_show(dev_get_drvdata(dev), buf); + nd_device_unlock(dev); + + return rc; +} static DEVICE_ATTR_RO(available_slots); __weak ssize_t security_show(struct device *dev,