diff options
| author |   Taras Kondratiuk <takondra@cisco.com> | 2018-03-09 08:34:41 +0000 |
|---|---|---|
| committer |   Tejun Heo <tj@kernel.org> | 2018-03-13 13:29:10 -0700 |
| commit | 2623c7a5f2799569d8bb05eb211da524a8144cb3 (patch) | |
| tree | 7ff753d1e024524a77fef933c149f1d96627ebff /include/linux/libata.h | |
| parent | pata_bk3710: clarify license version and use SPDX header (diff) | |
| download | linux-dev-2623c7a5f2799569d8bb05eb211da524a8144cb3.tar.xz linux-dev-2623c7a5f2799569d8bb05eb211da524a8144cb3.zip | |
libata: add refcounting to ata_host
After commit 9a6d6a2ddabb ("ata: make ata port as parent device of scsi
host") manual driver unbind/remove causes use-after-free.
Unbind unconditionally invokes devres_release_all() which calls
ata_host_release() and frees ata_host/ata_port memory while it is still
being referenced as a parent of SCSI host. When SCSI host is finally
released scsi_host_dev_release() calls put_device(parent) and accesses
freed ata_port memory.
Add reference counting to make sure that ata_host lives long enough.
Bug report: https://lkml.org/lkml/2017/11/1/945
Fixes: 9a6d6a2ddabb ("ata: make ata port as parent device of scsi host")
Cc: Tejun Heo <tj@kernel.org>
Cc: Lin Ming <minggr@gmail.com>
Cc: linux-ide@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Taras Kondratiuk <takondra@cisco.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Diffstat (limited to 'include/linux/libata.h')
| -rw-r--r-- | include/linux/libata.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/include/linux/libata.h b/include/linux/libata.h index ed9826b21c5e..1795fecdea17 100644 --- a/include/linux/libata.h +++ b/include/linux/libata.h @@ -617,6 +617,7 @@ struct ata_host { void *private_data; struct ata_port_operations *ops; unsigned long flags; + struct kref kref; struct mutex eh_mutex; struct task_struct *eh_owner; |