acpi/nfit: Fix race accessing memdev in nfit_get_smbios_id()

Possible race accessing memdev structures after dropping the mutex. Dan Williams says this could race against another thread that is doing: # echo "ACPI0012:00" > /sys/bus/acpi/drivers/nfit/unbind Reported-by: Jane Chu <[email protected]> Fixes: 23222f8 ("acpi, nfit: Add function to look up nvdimm...") Signed-off-by: Tony Luck <[email protected]> Signed-off-by: Dan Williams <[email protected]>
strager · Jan 11, 2019 · 0919871 · 0919871
1 parent 1cb95e0
commit 0919871
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c
@@ -714,17 +714,19 @@ int nfit_get_smbios_id(u32 device_handle, u16 *flags)
 	struct acpi_nfit_memory_map *memdev;
 	struct acpi_nfit_desc *acpi_desc;
 	struct nfit_mem *nfit_mem;
+	u16 physical_id;
 
 	mutex_lock(&acpi_desc_lock);
 	list_for_each_entry(acpi_desc, &acpi_descs, list) {
 		mutex_lock(&acpi_desc->init_mutex);
 		list_for_each_entry(nfit_mem, &acpi_desc->dimms, list) {
 			memdev = __to_nfit_memdev(nfit_mem);
 			if (memdev->device_handle == device_handle) {
+				*flags = memdev->flags;
+				physical_id = memdev->physical_id;
 				mutex_unlock(&acpi_desc->init_mutex);
 				mutex_unlock(&acpi_desc_lock);
-				*flags = memdev->flags;
-				return memdev->physical_id;
+				return physical_id;
 			}
 		}
 		mutex_unlock(&acpi_desc->init_mutex);