On 3/6/26 11:33 AM, Ira Weiny wrote:
> Dingisoul with KASAN reports a use after free if device_add() fails in
> nd_async_device_register().
> 
> Commit b6eae0f61db2 ("libnvdimm: Hold reference on parent while
> scheduling async init") correctly added a reference on the parent device
> to be held until asynchronous initialization was complete.  However, if
> device_add() results in an allocation failure the ref count of the
> device drops to 0 prior to the parent pointer being accessed.  Thus
> resulting in use after free.
> 
> The bug bot AI correctly identified the fix.  Save a reference to the
> parent pointer to be used to drop the parent reference regardless of the
> outcome of device_add().
> 
> Reported-by: Dingisoul <[email protected]>
> Closes: http://lore.kernel.org/[email protected]
> Fixes: b6eae0f61db2 ("libnvdimm: Hold reference on parent while scheduling async init")
> Cc: [email protected]
> Signed-off-by: Ira Weiny <[email protected]>

Reviewed-by: Dave Jiang <[email protected]>

> ---
>  drivers/nvdimm/bus.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/nvdimm/bus.c b/drivers/nvdimm/bus.c
> index bd9621d3f73c..45b7d756e39a 100644
> --- a/drivers/nvdimm/bus.c
> +++ b/drivers/nvdimm/bus.c
> @@ -486,14 +486,15 @@ EXPORT_SYMBOL_GPL(nd_synchronize);
>  static void nd_async_device_register(void *d, async_cookie_t cookie)
>  {
>       struct device *dev = d;
> +     struct device *parent = dev->parent;
>  
>       if (device_add(dev) != 0) {
>               dev_err(dev, "%s: failed\n", __func__);
>               put_device(dev);
>       }
>       put_device(dev);
> -     if (dev->parent)
> -             put_device(dev->parent);
> +     if (parent)
> +             put_device(parent);
>  }
>  
>  static void nd_async_device_unregister(void *d, async_cookie_t cookie)
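
Review bot: The new local `struct device *parent = dev->parent;` at the top of nd_async_device_register() has no comment saying why the pointer is read before device_add(). The failure branch calls put_device(dev) and the unconditional put_device(dev) follows it, so dev may already be freed by the time the parent reference is dropped. A one-line comment stating that dev must not be dereferenced after the final put_device(dev) would keep a later cleanup from folding this back into `dev->parent`.
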
> 
> ---
> base-commit: c107785c7e8dbabd1c18301a1c362544b5786282
> change-id: 20260306-fix-uaf-async-init-3697998d8faf
> 
> Best regards,
> --  
> Ira Weiny <[email protected]>
> 

