7018c897c2
Richard reports that the following test:
(while true; do
cat /sys/bus/nd/devices/nmem*/available_slots 2>&1 > /dev/null
done) &
while true; do
for i in $(seq 0 4); do
echo nmem$i > /sys/bus/nd/drivers/nvdimm/bind
done
for i in $(seq 0 4); do
echo nmem$i > /sys/bus/nd/drivers/nvdimm/unbind
done
done
...fails with a crash signature like:
divide error: 0000 [#1] SMP KASAN PTI
RIP: 0010:nd_label_nfree+0x134/0x1a0 [libnvdimm]
[..]
Call Trace:
available_slots_show+0x4e/0x120 [libnvdimm]
dev_attr_show+0x42/0x80
? memset+0x20/0x40
sysfs_kf_seq_show+0x218/0x410
The root cause is that available_slots_show() consults driver-data, but
fails to synchronize against device-unbind setting up a TOCTOU race to
access uninitialized memory.
Validate driver-data under the device-lock.
Fixes:
|
||
---|---|---|
.. | ||
badrange.c | ||
blk.c | ||
btt_devs.c | ||
btt.c | ||
btt.h | ||
bus.c | ||
claim.c | ||
core.c | ||
dax_devs.c | ||
dimm_devs.c | ||
dimm.c | ||
e820.c | ||
Kconfig | ||
label.c | ||
label.h | ||
Makefile | ||
namespace_devs.c | ||
nd_virtio.c | ||
nd-core.h | ||
nd.h | ||
of_pmem.c | ||
pfn_devs.c | ||
pfn.h | ||
pmem.c | ||
pmem.h | ||
region_devs.c | ||
region.c | ||
security.c | ||
virtio_pmem.c | ||
virtio_pmem.h |