git.osdn.net Git - uclinux-h8/linux.git/commit

author	Taras Kondratiuk <takondra@cisco.com>
	Fri, 9 Mar 2018 08:34:41 +0000 (08:34 +0000)
committer	Tejun Heo <tj@kernel.org>
	Tue, 13 Mar 2018 20:29:10 +0000 (13:29 -0700)
commit	2623c7a5f2799569d8bb05eb211da524a8144cb3
tree	7ff753d1e024524a77fef933c149f1d96627ebff	tree \| snapshot
parent	a80ea4cb944efc38e490a172e7afe635b2800db3	commit \| diff

libata: add refcounting to ata_host

After commit 9a6d6a2ddabb ("ata: make ata port as parent device of scsi
host") manual driver unbind/remove causes use-after-free.

Unbind unconditionally invokes devres_release_all() which calls
ata_host_release() and frees ata_host/ata_port memory while it is still
being referenced as a parent of SCSI host. When SCSI host is finally
released scsi_host_dev_release() calls put_device(parent) and accesses
freed ata_port memory.

Add reference counting to make sure that ata_host lives long enough.

Bug report: https://lkml.org/lkml/2017/11/1/945
Fixes: 9a6d6a2ddabb ("ata: make ata port as parent device of scsi host")
Cc: Tejun Heo <tj@kernel.org>
Cc: Lin Ming <minggr@gmail.com>
Cc: linux-ide@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Taras Kondratiuk <takondra@cisco.com>
Signed-off-by: Tejun Heo <tj@kernel.org>

drivers/ata/libata-core.c		diff \| blob \| history
drivers/ata/libata-transport.c		diff \| blob \| history
drivers/ata/libata.h		diff \| blob \| history
include/linux/libata.h		diff \| blob \| history