From: Tejun Heo <tj@kernel.org>
To: Taras Kondratiuk <takondra@cisco.com>
Cc: Lin Ming <minggr@gmail.com>,
xe-linux-external@cisco.com, linux-ide@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] libata: add refcounting to ata_host
Date: Tue, 13 Mar 2018 13:29:38 -0700 [thread overview]
Message-ID: <20180313202938.GI2943022@devbig577.frc2.facebook.com> (raw)
In-Reply-To: <1520584481-9643-1-git-send-email-takondra@cisco.com>
On Fri, Mar 09, 2018 at 08:34:41AM +0000, Taras Kondratiuk wrote:
> After commit 9a6d6a2ddabb ("ata: make ata port as parent device of scsi
> host") manual driver unbind/remove causes use-after-free.
>
> Unbind unconditionally invokes devres_release_all() which calls
> ata_host_release() and frees ata_host/ata_port memory while it is still
> being referenced as a parent of SCSI host. When SCSI host is finally
> released scsi_host_dev_release() calls put_device(parent) and accesses
> freed ata_port memory.
>
> Add reference counting to make sure that ata_host lives long enough.
>
> Bug report: https://lkml.org/lkml/2017/11/1/945
> Fixes: 9a6d6a2ddabb ("ata: make ata port as parent device of scsi host")
> Cc: Tejun Heo <tj@kernel.org>
> Cc: Lin Ming <minggr@gmail.com>
> Cc: linux-ide@vger.kernel.org
> Cc: linux-kernel@vger.kernel.org
> Signed-off-by: Taras Kondratiuk <takondra@cisco.com>
Applied to libata/for-4.17.
Thanks.
--
tejun
prev parent reply other threads:[~2018-03-13 20:29 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-01 23:24 Manual unbind of ATA devices causes use-after-free Taras Kondratiuk
2017-11-03 13:19 ` Tejun Heo
2017-11-03 16:32 ` Taras Kondratiuk
2017-11-06 15:24 ` Tejun Heo
2017-11-13 20:09 ` Taras Kondratiuk
2017-11-13 20:10 ` Tejun Heo
2018-03-09 8:34 ` [PATCH] libata: add refcounting to ata_host Taras Kondratiuk
2018-03-13 20:29 ` Tejun Heo [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180313202938.GI2943022@devbig577.frc2.facebook.com \
--to=tj@kernel.org \
--cc=linux-ide@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=minggr@gmail.com \
--cc=takondra@cisco.com \
--cc=xe-linux-external@cisco.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.