nvdimm: fix possible null-ptr-deref in nd_dax_probe()

Message ID	20241026010622.2641355-1-yiyang13@huawei.com (mailing list archive)
State	Changes Requested, archived
Delegated to:	Ira Weiny
Headers	show Received: from szxga03-in.huawei.com (szxga03-in.huawei.com [45.249.212.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2793B2AF0E for <nvdimm@lists.linux.dev>; Sat, 26 Oct 2024 01:13:45 +0000 (UTC) From: Yi Yang <yiyang13@huawei.com> To: <dan.j.williams@intel.com>, <vishal.l.verma@intel.com>, <dave.jiang@intel.com>, <ira.weiny@intel.com> CC: <nvdimm@lists.linux.dev>, <wangweiyang2@huawei.com> Subject: [PATCH] nvdimm: fix possible null-ptr-deref in nd_dax_probe() Date: Sat, 26 Oct 2024 01:06:22 +0000 Message-ID: <20241026010622.2641355-1-yiyang13@huawei.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain
Series	nvdimm: fix possible null-ptr-deref in nd_dax_probe() \| expand nvdimm: fix possible null-ptr-deref in nd_dax_probe()

Message ID

20241026010622.2641355-1-yiyang13@huawei.com (mailing list archive)

State

Changes Requested, archived

Delegated to:

Ira Weiny

Headers

From: Yi Yang <yiyang13@huawei.com>
To: <dan.j.williams@intel.com>, <vishal.l.verma@intel.com>,
	<dave.jiang@intel.com>, <ira.weiny@intel.com>
CC: <nvdimm@lists.linux.dev>, <wangweiyang2@huawei.com>
Subject: [PATCH] nvdimm: fix possible null-ptr-deref in nd_dax_probe()
Date: Sat, 26 Oct 2024 01:06:22 +0000
Message-ID: <20241026010622.2641355-1-yiyang13@huawei.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain

Series

nvdimm: fix possible null-ptr-deref in nd_dax_probe() | expand

Commit Message

Yi Yang Oct. 26, 2024, 1:06 a.m. UTC

It will cause null-ptr-deref when nd_dax_alloc() returns NULL, fix it by
add check for nd_dax_alloc().

Fixes: c5ed9268643c ("libnvdimm, dax: autodetect support")
Signed-off-by: Yi Yang <yiyang13@huawei.com>
---
 drivers/nvdimm/dax_devs.c | 4 ++++
 1 file changed, 4 insertions(+)

Comments

Ira Weiny Oct. 28, 2024, 2:17 p.m. UTC | #1

Yi Yang wrote:
> It will cause null-ptr-deref when nd_dax_alloc() returns NULL, fix it by
> add check for nd_dax_alloc().

Was this found with a real workload or just by inspection?

Ira

> 
> Fixes: c5ed9268643c ("libnvdimm, dax: autodetect support")
> Signed-off-by: Yi Yang <yiyang13@huawei.com>
> ---
>  drivers/nvdimm/dax_devs.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/nvdimm/dax_devs.c b/drivers/nvdimm/dax_devs.c
> index 6b4922de3047..70a7e401f90d 100644
> --- a/drivers/nvdimm/dax_devs.c
> +++ b/drivers/nvdimm/dax_devs.c
> @@ -106,6 +106,10 @@ int nd_dax_probe(struct device *dev, struct nd_namespace_common *ndns)
>  
>  	nvdimm_bus_lock(&ndns->dev);
>  	nd_dax = nd_dax_alloc(nd_region);
> +	if (!nd_dax) {
> +		nvdimm_bus_unlock(&ndns->dev);
> +		return -ENOMEM;
> +	}
>  	nd_pfn = &nd_dax->nd_pfn;
>  	dax_dev = nd_pfn_devinit(nd_pfn, ndns);
>  	nvdimm_bus_unlock(&ndns->dev);
> -- 
> 2.25.1
> 
>

Dan Williams Oct. 28, 2024, 4:26 p.m. UTC | #2

Yi Yang wrote:
> It will cause null-ptr-deref when nd_dax_alloc() returns NULL, fix it by
> add check for nd_dax_alloc().
> 
> Fixes: c5ed9268643c ("libnvdimm, dax: autodetect support")
> Signed-off-by: Yi Yang <yiyang13@huawei.com>
> ---
>  drivers/nvdimm/dax_devs.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/nvdimm/dax_devs.c b/drivers/nvdimm/dax_devs.c
> index 6b4922de3047..70a7e401f90d 100644
> --- a/drivers/nvdimm/dax_devs.c
> +++ b/drivers/nvdimm/dax_devs.c
> @@ -106,6 +106,10 @@ int nd_dax_probe(struct device *dev, struct nd_namespace_common *ndns)
>  
>  	nvdimm_bus_lock(&ndns->dev);
>  	nd_dax = nd_dax_alloc(nd_region);
> +	if (!nd_dax) {
> +		nvdimm_bus_unlock(&ndns->dev);
> +		return -ENOMEM;
> +	}
>  	nd_pfn = &nd_dax->nd_pfn;

No, this isn't a NULL pointer de-reference, but it is indeed
unreasonably subtle.

If nd_dax is NULL, then nd_pfn is NULL because nd_dax is just a
type-wrapper around nd_pfn.

When nd_pfn is NULL then nd_pfn_devinit will fail.

What I think this needs to make this clear is something like this:

---

diff --git a/drivers/nvdimm/dax_devs.c b/drivers/nvdimm/dax_devs.c
index 6b4922de3047..37b743acbb7b 100644
--- a/drivers/nvdimm/dax_devs.c
+++ b/drivers/nvdimm/dax_devs.c
@@ -106,12 +106,12 @@ int nd_dax_probe(struct device *dev, struct nd_namespace_common *ndns)
 
 	nvdimm_bus_lock(&ndns->dev);
 	nd_dax = nd_dax_alloc(nd_region);
-	nd_pfn = &nd_dax->nd_pfn;
-	dax_dev = nd_pfn_devinit(nd_pfn, ndns);
+	dax_dev = nd_dax_devinit(nd_dax, ndns);
 	nvdimm_bus_unlock(&ndns->dev);
 	if (!dax_dev)
 		return -ENOMEM;
 	pfn_sb = devm_kmalloc(dev, sizeof(*pfn_sb), GFP_KERNEL);
+	nd_pfn = &nd_dax->nd_pfn;
 	nd_pfn->pfn_sb = pfn_sb;
 	rc = nd_pfn_validate(nd_pfn, DAX_SIG);
 	dev_dbg(dev, "dax: %s\n", rc == 0 ? dev_name(dax_dev) : "<none>");
diff --git a/drivers/nvdimm/nd.h b/drivers/nvdimm/nd.h
index 2dbb1dca17b5..5ca06e9a2d29 100644
--- a/drivers/nvdimm/nd.h
+++ b/drivers/nvdimm/nd.h
@@ -600,6 +600,13 @@ struct nd_dax *to_nd_dax(struct device *dev);
 int nd_dax_probe(struct device *dev, struct nd_namespace_common *ndns);
 bool is_nd_dax(const struct device *dev);
 struct device *nd_dax_create(struct nd_region *nd_region);
+static inline struct device *nd_dax_devinit(struct nd_dax *nd_dax,
+					    struct nd_namespace_common *ndns)
+{
+	if (!nd_dax)
+		return NULL;
+	return nd_pfn_devinit(&nd_dax->nd_pfn, ndns);
+}
 #else
 static inline int nd_dax_probe(struct device *dev,
 		struct nd_namespace_common *ndns)

Yi Yang Oct. 29, 2024, 1:57 a.m. UTC | #3

On 2024/10/29 0:26, Dan Williams wrote:
> Yi Yang wrote:
>> It will cause null-ptr-deref when nd_dax_alloc() returns NULL, fix it by
>> add check for nd_dax_alloc().
>>
>> Fixes: c5ed9268643c ("libnvdimm, dax: autodetect support")
>> Signed-off-by: Yi Yang <yiyang13@huawei.com>
>> ---
>>   drivers/nvdimm/dax_devs.c | 4 ++++
>>   1 file changed, 4 insertions(+)
>>
>> diff --git a/drivers/nvdimm/dax_devs.c b/drivers/nvdimm/dax_devs.c
>> index 6b4922de3047..70a7e401f90d 100644
>> --- a/drivers/nvdimm/dax_devs.c
>> +++ b/drivers/nvdimm/dax_devs.c
>> @@ -106,6 +106,10 @@ int nd_dax_probe(struct device *dev, struct nd_namespace_common *ndns)
>>   
>>   	nvdimm_bus_lock(&ndns->dev);
>>   	nd_dax = nd_dax_alloc(nd_region);
>> +	if (!nd_dax) {
>> +		nvdimm_bus_unlock(&ndns->dev);
>> +		return -ENOMEM;
>> +	}
>>   	nd_pfn = &nd_dax->nd_pfn;
> 
> No, this isn't a NULL pointer de-reference, but it is indeed
> unreasonably subtle.
> 
> If nd_dax is NULL, then nd_pfn is NULL because nd_dax is just a
> type-wrapper around nd_pfn.
> 
> When nd_pfn is NULL then nd_pfn_devinit will fail.
> 
> What I think this needs to make this clear is something like this:
> 
> ---
> 
> diff --git a/drivers/nvdimm/dax_devs.c b/drivers/nvdimm/dax_devs.c
> index 6b4922de3047..37b743acbb7b 100644
> --- a/drivers/nvdimm/dax_devs.c
> +++ b/drivers/nvdimm/dax_devs.c
> @@ -106,12 +106,12 @@ int nd_dax_probe(struct device *dev, struct nd_namespace_common *ndns)
>   
>   	nvdimm_bus_lock(&ndns->dev);
>   	nd_dax = nd_dax_alloc(nd_region);
> -	nd_pfn = &nd_dax->nd_pfn;
> -	dax_dev = nd_pfn_devinit(nd_pfn, ndns);
> +	dax_dev = nd_dax_devinit(nd_dax, ndns);
>   	nvdimm_bus_unlock(&ndns->dev);
>   	if (!dax_dev)
>   		return -ENOMEM;
>   	pfn_sb = devm_kmalloc(dev, sizeof(*pfn_sb), GFP_KERNEL);
> +	nd_pfn = &nd_dax->nd_pfn;
>   	nd_pfn->pfn_sb = pfn_sb;
>   	rc = nd_pfn_validate(nd_pfn, DAX_SIG);
>   	dev_dbg(dev, "dax: %s\n", rc == 0 ? dev_name(dax_dev) : "<none>");
> diff --git a/drivers/nvdimm/nd.h b/drivers/nvdimm/nd.h
> index 2dbb1dca17b5..5ca06e9a2d29 100644
> --- a/drivers/nvdimm/nd.h
> +++ b/drivers/nvdimm/nd.h
> @@ -600,6 +600,13 @@ struct nd_dax *to_nd_dax(struct device *dev);
>   int nd_dax_probe(struct device *dev, struct nd_namespace_common *ndns);
>   bool is_nd_dax(const struct device *dev);
>   struct device *nd_dax_create(struct nd_region *nd_region);
> +static inline struct device *nd_dax_devinit(struct nd_dax *nd_dax,
> +					    struct nd_namespace_common *ndns)
> +{
> +	if (!nd_dax)
> +		return NULL;
> +	return nd_pfn_devinit(&nd_dax->nd_pfn, ndns);
> +}
>   #else
>   static inline int nd_dax_probe(struct device *dev,
>   		struct nd_namespace_common *ndns)
> 
> .
> 

LGTM,.
Your code is better.

Best regards,
Yiyang

--

Yi Yang Oct. 29, 2024, 2:10 a.m. UTC | #4

On 2024/10/28 22:17, Ira Weiny wrote:
> Yi Yang wrote:
>> It will cause null-ptr-deref when nd_dax_alloc() returns NULL, fix it by
>> add check for nd_dax_alloc().
> 
> Was this found with a real workload or just by inspection?
> 
> Ira
> 

I just found the problem by reading the code.

Regards,
Yiyang
>>
>> Fixes: c5ed9268643c ("libnvdimm, dax: autodetect support")
>> Signed-off-by: Yi Yang <yiyang13@huawei.com>
>> ---
>>   drivers/nvdimm/dax_devs.c | 4 ++++
>>   1 file changed, 4 insertions(+)
>>
>> diff --git a/drivers/nvdimm/dax_devs.c b/drivers/nvdimm/dax_devs.c
>> index 6b4922de3047..70a7e401f90d 100644
>> --- a/drivers/nvdimm/dax_devs.c
>> +++ b/drivers/nvdimm/dax_devs.c
>> @@ -106,6 +106,10 @@ int nd_dax_probe(struct device *dev, struct nd_namespace_common *ndns)
>>   
>>   	nvdimm_bus_lock(&ndns->dev);
>>   	nd_dax = nd_dax_alloc(nd_region);
>> +	if (!nd_dax) {
>> +		nvdimm_bus_unlock(&ndns->dev);
>> +		return -ENOMEM;
>> +	}
>>   	nd_pfn = &nd_dax->nd_pfn;
>>   	dax_dev = nd_pfn_devinit(nd_pfn, ndns);
>>   	nvdimm_bus_unlock(&ndns->dev);
>> -- 
>> 2.25.1
>>
>>
> 
> 
> 
> .
>

diff --git a/drivers/nvdimm/dax_devs.c b/drivers/nvdimm/dax_devs.c
index 6b4922de3047..70a7e401f90d 100644
--- a/drivers/nvdimm/dax_devs.c
+++ b/drivers/nvdimm/dax_devs.c
@@ -106,6 +106,10 @@  int nd_dax_probe(struct device *dev, struct nd_namespace_common *ndns)
 
 	nvdimm_bus_lock(&ndns->dev);
 	nd_dax = nd_dax_alloc(nd_region);
+	if (!nd_dax) {
+		nvdimm_bus_unlock(&ndns->dev);
+		return -ENOMEM;
+	}
 	nd_pfn = &nd_dax->nd_pfn;
 	dax_dev = nd_pfn_devinit(nd_pfn, ndns);
 	nvdimm_bus_unlock(&ndns->dev);

nvdimm: fix possible null-ptr-deref in nd_dax_probe()

Commit Message

Comments

Patch