libata: add refcounting to ata_host
After commit9a6d6a2dda("ata: make ata port as parent device of scsi host") manual driver unbind/remove causes use-after-free. Unbind unconditionally invokes devres_release_all() which calls ata_host_release() and frees ata_host/ata_port memory while it is still being referenced as a parent of SCSI host. When SCSI host is finally released scsi_host_dev_release() calls put_device(parent) and accesses freed ata_port memory. Add reference counting to make sure that ata_host lives long enough. Bug report: https://lkml.org/lkml/2017/11/1/945 Fixes:9a6d6a2dda("ata: make ata port as parent device of scsi host") Cc: Tejun Heo <tj@kernel.org> Cc: Lin Ming <minggr@gmail.com> Cc: linux-ide@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Taras Kondratiuk <takondra@cisco.com> Signed-off-by: Tejun Heo <tj@kernel.org>
This commit is contained in:
Taras Kondratiuk
committed by
Tejun Heo
Tejun Heo
parent
a80ea4cb94
commit
2623c7a5f2
@@ -617,6 +617,7 @@ struct ata_host {
|
||||
void *private_data;
|
||||
struct ata_port_operations *ops;
|
||||
unsigned long flags;
|
||||
struct kref kref;
|
||||
|
||||
struct mutex eh_mutex;
|
||||
struct task_struct *eh_owner;
|
||||
|
||||
Reference in New Issue
Block a user