    libata: add refcounting to ata_host · 2623c7a5
    Taras Kondratiuk authored
    After commit 9a6d6a2d ("ata: make ata port as parent device of scsi
    host") manual driver unbind/remove causes use-after-free.
    
    Unbind unconditionally invokes devres_release_all() which calls
    ata_host_release() and frees ata_host/ata_port memory while it is still
    being referenced as a parent of SCSI host. When SCSI host is finally
    released scsi_host_dev_release() calls put_device(parent) and accesses
    freed ata_port memory.
    
    Add reference counting to make sure that ata_host lives long enough.
    
    Bug report: https://lkml.org/lkml/2017/11/1/945
    Fixes: 9a6d6a2d ("ata: make ata port as parent device of scsi host")
    Cc: Tejun Heo <tj@kernel.org>
    Cc: Lin Ming <minggr@gmail.com>
    Cc: linux-ide@vger.kernel.org
    Cc: linux-kernel@vger.kernel.org
    Signed-off-by: Taras Kondratiuk <takondra@cisco.com>
    Signed-off-by: Tejun Heo <tj@kernel.org>
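
The lifetime rule described in the commit message, as an added userspace C model (not code from this commit or from libata): the parent object is freed only when its last holder drops its reference, so unbind can no longer free it under the child. All names (`model_host`, `host_put`, `unbind_then_release`, and so on) are hypothetical, and a plain `int` stands in for the kernel's atomic reference count.

```c
#include <stdlib.h>

/* Userspace model; every name here is hypothetical, not a libata symbol. */
struct model_host {
    int refcount;   /* plain int standing in for an atomic refcount */
    int *freed;     /* set to 1 when the host memory is released */
};
struct model_scsi_host { struct model_host *parent; };

static struct model_host *host_alloc(int *freed)
{
    struct model_host *h = calloc(1, sizeof(*h));
    if (!h)
        return NULL;
    h->refcount = 1;            /* reference owned by the driver binding */
    h->freed = freed;
    *freed = 0;
    return h;
}

static void host_get(struct model_host *h) { h->refcount++; }

static void host_put(struct model_host *h)
{
    if (--h->refcount == 0) {   /* last holder frees the object */
        *h->freed = 1;
        free(h);
    }
}

/* The child pins its parent for as long as it keeps the pointer. */
static void scsi_host_attach(struct model_scsi_host *s, struct model_host *h)
{
    host_get(h);
    s->parent = h;
}

static void scsi_host_release(struct model_scsi_host *s)
{
    host_put(s->parent);        /* parent is still valid memory here */
    s->parent = NULL;
}

/* Returns 1 if the host outlives unbind and is freed at child release. */
int unbind_then_release(void)
{
    int freed;
    struct model_scsi_host s;
    struct model_host *h = host_alloc(&freed);
    if (!h)
        return -1;
    scsi_host_attach(&s, h);
    host_put(h);                /* unbind drops only the driver's reference */
    int alive_after_unbind = !freed;
    scsi_host_release(&s);      /* final put happens here, not at unbind */
    return alive_after_unbind && freed;
}

int main(void) { return unbind_then_release() == 1 ? 0 : 1; }
```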
libata-core.c 188 KB