aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/ata/libata-transport.c
diff options
context:
space:
mode:
authorTaras Kondratiuk <takondra@cisco.com>2018-03-09 08:34:41 +0000
committerTejun Heo <tj@kernel.org>2018-03-13 13:29:10 -0700
commit2623c7a5f2799569d8bb05eb211da524a8144cb3 (patch)
tree7ff753d1e024524a77fef933c149f1d96627ebff /drivers/ata/libata-transport.c
parentpata_bk3710: clarify license version and use SPDX header (diff)
downloadlinux-dev-2623c7a5f2799569d8bb05eb211da524a8144cb3.tar.xz
linux-dev-2623c7a5f2799569d8bb05eb211da524a8144cb3.zip
libata: add refcounting to ata_host
After commit 9a6d6a2ddabb ("ata: make ata port as parent device of scsi host") manual driver unbind/remove causes use-after-free. Unbind unconditionally invokes devres_release_all() which calls ata_host_release() and frees ata_host/ata_port memory while it is still being referenced as a parent of SCSI host. When SCSI host is finally released scsi_host_dev_release() calls put_device(parent) and accesses freed ata_port memory. Add reference counting to make sure that ata_host lives long enough. Bug report: https://lkml.org/lkml/2017/11/1/945 Fixes: 9a6d6a2ddabb ("ata: make ata port as parent device of scsi host") Cc: Tejun Heo <tj@kernel.org> Cc: Lin Ming <minggr@gmail.com> Cc: linux-ide@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Taras Kondratiuk <takondra@cisco.com> Signed-off-by: Tejun Heo <tj@kernel.org>
Diffstat (limited to 'drivers/ata/libata-transport.c')
-rw-r--r--drivers/ata/libata-transport.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/ata/libata-transport.c b/drivers/ata/libata-transport.c
index 19e6e539a061..a0b0b4d986f2 100644
--- a/drivers/ata/libata-transport.c
+++ b/drivers/ata/libata-transport.c
@@ -224,6 +224,8 @@ static DECLARE_TRANSPORT_CLASS(ata_port_class,
static void ata_tport_release(struct device *dev)
{
+ struct ata_port *ap = tdev_to_port(dev);
+ ata_host_put(ap->host);
}
/**
@@ -284,6 +286,7 @@ int ata_tport_add(struct device *parent,
dev->type = &ata_port_type;
dev->parent = parent;
+ ata_host_get(ap->host);
dev->release = ata_tport_release;
dev_set_name(dev, "ata%d", ap->print_id);
transport_setup_device(dev);
@@ -314,6 +317,7 @@ int ata_tport_add(struct device *parent,
tport_err:
transport_destroy_device(dev);
put_device(dev);
+ ata_host_put(ap->host);
return error;
}
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.