Re: Manual unbind of ATA devices causes use-after-free

From: Tejun Heo
Date: Fri Nov 03 2017 - 09:20:05 EST

Next message: Adrian Hunter: "[PATCH V13 00/10] mmc: Add Command Queue support"
Previous message: Colin King: "[PATCH] staging: fbtft: remove redundant initialization of buf"
In reply to: Taras Kondratiuk: "Manual unbind of ATA devices causes use-after-free"
Next in thread: Taras Kondratiuk: "Re: Manual unbind of ATA devices causes use-after-free"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello,

On Wed, Nov 01, 2017 at 04:24:47PM -0700, Taras Kondratiuk wrote:
> Manual unbind/remove unconditionally invokes devres_release_all which
> calls ata_host_release() and frees ata_host/ata_port memory while it is
> still being referenced (e.g as a parent of SCSI host).
>
> Is there a reason why ata_host is using derves which is not refcounted?
> Does it make sense to add recounting to ata_host?

Hmm... the removal path is supposed to drain everything synchronously.
What kind of controller is it?

Thanks.

--
tejun

Next message: Adrian Hunter: "[PATCH V13 00/10] mmc: Add Command Queue support"
Previous message: Colin King: "[PATCH] staging: fbtft: remove redundant initialization of buf"
In reply to: Taras Kondratiuk: "Manual unbind of ATA devices causes use-after-free"
Next in thread: Taras Kondratiuk: "Re: Manual unbind of ATA devices causes use-after-free"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]