From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Duoming Zhou <duoming@zju.edu.cn>, linux-scsi@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, martin.petersen@oracle.com,
stable@kernel.org
Subject: Re: [PATCH RESEND] scsi: ppa: Fix use-after-free caused by unfinished delayed work
Date: Thu, 01 Jan 2026 10:21:28 -0500 [thread overview]
Message-ID: <91a16901ab4cd35fa00011a472c025f55068a4c7.camel@HansenPartnership.com> (raw)
In-Reply-To: <20260101135532.19522-1-duoming@zju.edu.cn>
On Thu, 2026-01-01 at 21:55 +0800, Duoming Zhou wrote:
> diff --git a/drivers/scsi/ppa.c b/drivers/scsi/ppa.c
> index ea682f3044b..8da2a78ebac 100644
> --- a/drivers/scsi/ppa.c
> +++ b/drivers/scsi/ppa.c
> @@ -1136,6 +1136,7 @@ static void ppa_detach(struct parport *pb)
> ppa_struct *dev;
> list_for_each_entry(dev, &ppa_hosts, list) {
> if (dev->dev->port == pb) {
> + disable_delayed_work_sync(&dev->ppa_tq);
> list_del_init(&dev->list);
> scsi_remove_host(dev->host);
> scsi_host_put(dev->host);
This fix looks bogus: if there's an active workqueue on ppa it's
because there's an outstanding command and it's emulating polling. If
you stop the polling by disabling the workqueue, the command will never
return and the host will never get freed, so this will leak resources,
won't it?
Also the race condition you identify is one of many tied to an
incorrect ppa_struct lifetime: it should never be free'd before the
host itself is gone because a live host may do a callback which will
get the ppa_struct from hostdata, so if the host is still alive for any
reason when ppa_detach() is called, we'll get the same problem.
Regards,
James
next prev parent reply other threads:[~2026-01-01 15:21 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-01 13:55 [PATCH RESEND] scsi: ppa: Fix use-after-free caused by unfinished delayed work Duoming Zhou
2026-01-01 15:21 ` James Bottomley [this message]
2026-01-03 2:24 ` duoming
2026-01-03 19:55 ` James Bottomley
2026-01-04 14:35 ` duoming
2026-01-04 23:30 ` James Bottomley
2026-01-06 5:35 ` duoming
2026-01-07 3:35 ` James Bottomley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=91a16901ab4cd35fa00011a472c025f55068a4c7.camel@HansenPartnership.com \
--to=james.bottomley@hansenpartnership.com \
--cc=duoming@zju.edu.cn \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=stable@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox