From: Tejun Heo <tj@kernel.org>
To: Taras Kondratiuk <takondra@cisco.com>
Cc: linux-ide@vger.kernel.org, linux-kernel@vger.kernel.org,
xe-linux-external@cisco.com, Lin Ming <minggr@gmail.com>
Subject: Re: Manual unbind of ATA devices causes use-after-free
Date: Mon, 6 Nov 2017 07:24:52 -0800 [thread overview]
Message-ID: <20171106152452.GA3252168@devbig577.frc2.facebook.com> (raw)
In-Reply-To: <150972673653.5502.7168940193960185267@takondra-t460s>
Hello,
On Fri, Nov 03, 2017 at 09:32:16AM -0700, Taras Kondratiuk wrote:
> Quoting Tejun Heo (2017-11-03 06:19:37)
> > Hello,
> >
> > On Wed, Nov 01, 2017 at 04:24:47PM -0700, Taras Kondratiuk wrote:
> > > Manual unbind/remove unconditionally invokes devres_release_all which
> > > calls ata_host_release() and frees ata_host/ata_port memory while it is
> > > still being referenced (e.g as a parent of SCSI host).
> > >
> > > Is there a reason why ata_host is using derves which is not refcounted?
> > > Does it make sense to add recounting to ata_host?
> >
> > Hmm... the removal path is supposed to drain everything synchronously.
> > What kind of controller is it?
>
> It drains synchronously if scsi_host_put(ap->scsi_host) in
> ata_host_release() releases the last scsi_host reference. But when the issue
> happens there is one more reference to scsi_host because sg device is
> still open. The last reference will be dropped from sg_release.
I see.
> I forgot to mention that the disk may not be clearly unmounted when I'm
> unbinding it, but IMO it shouldn't cause use-after-free in the kernel.
Oh, it shouldn't. It's a bug.
> Also even if sg_release() is called before ata_host_release() there is
> still no guarantee that the last reference will be dropped, because
> sg_release() schedules sg_remove_sfp_usercontext() to do actual release
> and the work may not be completed in time.
Hmmm, we didn't use to put in ata device structs in the kobject tree,
so this wasn't an issue. This was changed by 9a6d6a2ddabb ("ata: make
ata port as parent device of scsi host") while adding the transport
support. While doing that, we didn't change the release path to match
it, so the failure.
cc'ing Lin. Lin, can you take a look at this?
Thanks.
--
tejun
next prev parent reply other threads:[~2017-11-06 15:24 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-01 23:24 Manual unbind of ATA devices causes use-after-free Taras Kondratiuk
2017-11-03 13:19 ` Tejun Heo
2017-11-03 16:32 ` Taras Kondratiuk
2017-11-06 15:24 ` Tejun Heo [this message]
2017-11-13 20:09 ` Taras Kondratiuk
2017-11-13 20:10 ` Tejun Heo
2018-03-09 8:34 ` [PATCH] libata: add refcounting to ata_host Taras Kondratiuk
2018-03-13 20:29 ` Tejun Heo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171106152452.GA3252168@devbig577.frc2.facebook.com \
--to=tj@kernel.org \
--cc=linux-ide@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=minggr@gmail.com \
--cc=takondra@cisco.com \
--cc=xe-linux-external@cisco.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox