To: Tejun Heo
From: Taras Kondratiuk
Cc: linux-ide@vger.kernel.org, linux-kernel@vger.kernel.org, xe-linux-external@cisco.com
Subject: Re: Manual unbind of ATA devices causes use-after-free
Date: Fri, 03 Nov 2017 09:32:16 -0700

Quoting Tejun Heo (2017-11-03 06:19:37)
> Hello,
>
> On Wed, Nov 01, 2017 at 04:24:47PM -0700, Taras Kondratiuk wrote:
> > Manual unbind/remove unconditionally invokes devres_release_all which
> > calls ata_host_release() and frees ata_host/ata_port memory while it is
> > still being referenced (e.g. as a parent of SCSI host).
> >
> > Is there a reason why ata_host is using devres which is not refcounted?
> > Does it make sense to add refcounting to ata_host?
>
> Hmm... the removal path is supposed to drain everything synchronously.
> What kind of controller is it?

It drains synchronously if scsi_host_put(ap->scsi_host) in
ata_host_release() releases the last scsi_host reference. But when the
issue happens there is one more reference to scsi_host because sg device
is still open. The last reference will be dropped from sg_release.
I forgot to mention that the disk may not be clearly unmounted when I'm
unbinding it, but IMO it shouldn't cause use-after-free in the kernel.

Also even if sg_release() is called before ata_host_release() there is
still no guarantee that the last reference will be dropped, because
sg_release() schedules sg_remove_sfp_usercontext() to do actual release
and the work may not be completed in time.

Driver is AHCI PCI.
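
Added example (not part of the original message and not kernel code): a userspace C model of the lifetime mismatch described above, comparing an unconditionally freed parent with the refcounted parent the thread asks about. struct host, struct shost, shost_put() and simulate_unbind() are hypothetical stand-ins for ata_host, scsi_host and the unbind path; "freed" is only a flag, so no freed memory is ever touched.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model only: "freed" is a flag, nothing is actually deallocated. */
struct host  { int refs; bool freed; };                      /* stands in for ata_host  */
struct shost { int refs; bool freed; struct host *parent; }; /* stands in for scsi_host */

static int stale_parent_uses; /* times the child's release saw a freed parent */

static void host_put(struct host *h) { if (--h->refs == 0) h->freed = true; }

/* Drop one child reference; the final put runs the release path,
 * which still looks at the parent object. */
static void shost_put(struct shost *s, bool parent_refcounted)
{
    if (--s->refs > 0)
        return;
    if (s->parent->freed)
        stale_parent_uses++;      /* in the kernel this is the use-after-free */
    s->freed = true;
    if (parent_refcounted)
        host_put(s->parent);      /* child pinned its parent until now */
}

/* Unbind while an open sg file descriptor still holds a child reference.
 * Returns how many times the child's release touched a freed parent. */
static int simulate_unbind(bool parent_refcounted)
{
    struct host h = { .refs = 1 };
    struct shost s = { .refs = 2, .parent = &h }; /* host's ref + open sg fd */

    stale_parent_uses = 0;
    if (parent_refcounted)
        h.refs++;                 /* child takes a reference on its parent */

    shost_put(&s, parent_refcounted); /* unbind drops the host's child ref */
    if (parent_refcounted)
        host_put(&h);             /* driver drops only its own reference */
    else
        h.freed = true;           /* devres-style: freed unconditionally */

    /* Later: sg closed, possibly from deferred work; last child ref goes. */
    shost_put(&s, parent_refcounted);
    return stale_parent_uses;
}

int main(void)
{
    printf("unconditional free: %d stale access(es)\n", simulate_unbind(false));
    printf("refcounted parent:  %d stale access(es)\n", simulate_unbind(true));
    return 0;
}
```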