Received: by 10.223.164.221 with SMTP id h29csp1425510wrb;
        Wed, 1 Nov 2017 16:35:06 -0700 (PDT)
X-Google-Smtp-Source: ABhQp+Rd239krkq1z/mLNEFHdk9rDrkwC6dW9cGThDGK1wEQpwF56XNRZUHiFnF2LglBocm34Z1j
X-Received: by 10.101.97.167 with SMTP id i7mr1451465pgv.449.1509579306730;
        Wed, 01 Nov 2017 16:35:06 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1509579306; cv=none;
        d=google.com; s=arc-20160816;
        b=Mw9VONfSPMw1QKxK6czyFri4oLp+pf5X+waDdzV7mqNcDMabpZahhhOFuUG2nSsEN6
         NbthVBziflQYSEwlu0V3runxsB76ZfsP8j3/kORFwK9TxmqXnSrFqu8EUcSJ9R1vc+Kv
         Rr+qn4VF82bCpWgNqpjAKsjirQn4bHqQa6EdE0J+fShWClk03b+mhMtBUgQKwght2wek
         rgeZpJSPe44Eju/jEFKM0+SvdiWi7tI28HF7DGLE/2HG+Tft3vBZ4nQDvvP1CXcx2L3y
         QfxWwTnPAc6Ub86QnrkHMfVtbb5K1l+c6HyEwr4dxL0fiqV1bkLz6Wk/a2JLFq6U9QbG
         SCbw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:date:subject:message-id:to:user-agent:cc
         :from:content-transfer-encoding:mime-version:dkim-signature
         :arc-authentication-results;
        bh=4dFHuBZ5G/RVaBgPZTDYU+/dGXKL65OBAN4zUaEPb+g=;
        b=mk9aP7h+lAZcwBfRMgcFv42QCT3sqMmjOk3/gklRShTtpB4yxPX72cgQ3/RaZi+nqV
         0MESnmULoLDQ+B3nI+sHuRTlSIhA3rpC4Y9y6JFz0lps/fwbtFdLkV3Fmxq+xLxTdml4
         nk2BJfqy1wMlRvMshP2SVjvwJOdj6DxiBzojKi2sh1mglAD3B6geogz4peupUreeX0tS
         AeVJtpKmHMLrpbP+5lJoCVI8PAuKn5NsCjyhoo+xpCUyP9cxZWcLzth6212zMNfqUiy0
         rgIWlsFhGNwtjtgPkhiq1WWgyFUIcsD5sS2GAAxgUAU+n6rCssC4wJ8KWa7IGJYlDQPQ
         wpfA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@cisco.com header.s=iport header.b=bq8ijwMY;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=cisco.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id t6si2000573pgr.822.2017.11.01.16.34.52;
        Wed, 01 Nov 2017 16:35:06 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@cisco.com header.s=iport header.b=bq8ijwMY;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=cisco.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S933695AbdKAXeR (ORCPT <rfc822;luizmacielfranco@gmail.com>
        + 99 others); Wed, 1 Nov 2017 19:34:17 -0400
Received: from rcdn-iport-9.cisco.com ([173.37.86.80]:31891 "EHLO
        rcdn-iport-9.cisco.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S932964AbdKAXeO (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 1 Nov 2017 19:34:14 -0400
X-Greylist: delayed 565 seconds by postgrey-1.27 at vger.kernel.org; Wed, 01 Nov 2017 19:34:14 EDT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=cisco.com; i=@cisco.com; l=3350; q=dns/txt; s=iport;
  t=1509579254; x=1510788854;
  h=mime-version:content-transfer-encoding:from:cc:to:
   message-id:subject:date;
  bh=7Q37lbmXYAsiaauk8HvZS4PEemmWnrzUaGvuoZt4VT0=;
  b=bq8ijwMYkSLuau3iLIF3SjPI+YVlakh1UrLZWcZTobqv3PSMR/LRSaFM
   JyE8RWbRXuq5vIwKQPd8Whgry1c7uhw05I5gjok1qhQYaIdv8PL3KShnp
   fq5TLnQLo41lTXfPoZDnKba9neDf0c4hRpM9147ncRZPMOOuelEHlH6Sj
   Y=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0DUAACdVvpZ/4wNJK1cGgEBAQECAQEBA?=
 =?us-ascii?q?QgBAQEBg1+BUoQkih+PGIFWlmqCEQqFO4UCPxgBAgEBAQEBAQFrKIVHVikMAiY?=
 =?us-ascii?q?CSRaKKQ2pToInixIBAQEBAQEBAQIBAQEBAQEiFHuCH4IHgVOCHYscgmEFkm+PG?=
 =?us-ascii?q?4Fvpj2WE4E5HziBbHoVgQoFBkWBVIJbHIIHIY0sAQEB?=
X-IronPort-AV: E=Sophos;i="5.44,331,1505779200"; 
   d="scan'208";a="309102748"
Received: from alln-core-7.cisco.com ([173.36.13.140])
  by rcdn-iport-9.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 01 Nov 2017 23:24:48 +0000
Received: from localhost ([10.156.154.59])
        by alln-core-7.cisco.com (8.14.5/8.14.5) with ESMTP id vA1NOmFZ024090;
        Wed, 1 Nov 2017 23:24:48 GMT
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
From:   Taras Kondratiuk <takondra@cisco.com>
Cc:     linux-ide@vger.kernel.org, linux-kernel@vger.kernel.org,
        xe-linux-external@cisco.com
User-Agent: alot/0.6
To:     Tejun Heo <tj@kernel.org>
Message-ID: <150957868766.7160.13267337838101258462@takondra-t460s>
Subject: Manual unbind of ATA devices causes use-after-free
Date:   Wed, 01 Nov 2017 16:24:47 -0700
X-Auto-Response-Suppress: DR, OOF, AutoReply
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Heo,

Manual unbind/remove unconditionally invokes devres_release_all which
calls ata_host_release() and frees ata_host/ata_port memory while it is
still being referenced (e.g as a parent of SCSI host).

Is there a reason why ata_host is using derves which is not refcounted?
Does it make sense to add recounting to ata_host?

We have noticed the issue when put_device(parent) in
scsi_host_dev_release() complained about not initialized kobject.

  WARNING: CPU: 3 PID: 247 at lib/kobject.c:690 kobject_put+0x34/0x92()
  kobject: '(null)' (ffff8804040baf18): is not initialized, yet kobject_put=
() is being called.
  Modules linked in: lxc_wd(O) contdev_generic(O) pca8550(O) uhci_hcd tipc =
ip6_udp_tunnel udp_tunnel liin(O) lfts(O) ez_np5c(O) quack(O) ngio(O) ds265=
21(O) ds31408(O) astro(O) epa(O) dev_obj_lib(PO) pdmaif(O) cpp_kipc_mod(O) =
cpp_pdma_mod(O) cpp_il_mod(O) cpp_intr_mod(O) yoda_drv_mod(O) cpp_hw_drv_mo=
d(O) cpp_drv_mod(O) ich9spi(O) mtdblock mtd_blkdevs oct_drv_mcp(PO) gladden=
_edac(O) edac_core max3674(O) pmbus_ps(O) pmbus_core(O) seeprom(O) beeprom(=
O) luna_fpga(O) i2c_2kh_luna(O) i2c_2kh_reset(O) ck420(O) adm1066(O) ltc421=
5(O) ltc4151(O) pc
  CPU: 3 PID: 247 Comm: kworker/3:2 Tainted: P           O    4.4.76 #1
  Workqueue: events sg_remove_sfp_usercontext
   0000000000000006 ffffffff81294c0e ffff8804247e3c88 0000000000000009
   ffffffff81044b1e ffffffff812966ab ffff8804040baf18 ffff8804247e3ce0
   ffff880403f54300 ffff8804278a92b0 ffffffff81044b7b ffffffff818224af
  Call Trace:
   [<ffffffff81294c0e>] ? dump_stack+0x5e/0x84
   [<ffffffff81044b1e>] ? warn_slowpath_common+0x93/0xa8
   [<ffffffff812966ab>] ? kobject_put+0x34/0x92
   [<ffffffff81044b7b>] ? warn_slowpath_fmt+0x48/0x50
   [<ffffffff8134d618>] ? scsi_host_dev_release+0xe2/0x107
   [<ffffffff812966ab>] ? kobject_put+0x34/0x92
   [<ffffffff8134d631>] ? scsi_host_dev_release+0xfb/0x107
   [<ffffffff8133d0a2>] ? device_release+0x54/0x86
   [<ffffffff812966f3>] ? kobject_put+0x7c/0x92
   [<ffffffff8133d0a2>] ? device_release+0x54/0x86
   [<ffffffff812966f3>] ? kobject_put+0x7c/0x92
   [<ffffffff81056f56>] ? execute_in_process_context+0x20/0x59
   [<ffffffff8133d0a2>] ? device_release+0x54/0x86
   [<ffffffff812966f3>] ? kobject_put+0x7c/0x92
   [<ffffffff813600d5>] ? sg_remove_sfp_usercontext+0xcc/0xef
   [<ffffffff81057706>] ? process_one_work+0x1c4/0x333
   [<ffffffff810582a5>] ? worker_thread+0x264/0x347
   [<ffffffff81058041>] ? rescuer_thread+0x274/0x274
   [<ffffffff8105c028>] ? kthread+0xd0/0xd8
   [<ffffffff8105bf58>] ? kthread_worker_fn+0x129/0x129
   [<ffffffff8152832f>] ? ret_from_fork+0x3f/0x70
   [<ffffffff8105bf58>] ? kthread_worker_fn+0x129/0x129

This happens if freed memory is already zeroed by the next user. Otherwise =

put_device() just silently corrupts memory. KASAN reports issues in
several other places where freed ata_host memory is accessed.

My setup has v4.4 kernel, but the related code seems to be the same in
v4.14.  I'm reproducing the issue by manually removing or unbinding
device. KASAN starts to complain about use-after-free within 10 cycles.

while true;
    do echo 1 > /sys/devices/pci0000\:00/0000\:00\:1c.0/rescan
    sleep 5
    echo 1 > /sys/devices/pci0000\:00/0000\:00\:1c.0/0000\:05\:00.0/remove
    sleep 5
done


From 1583958459049902277@xxx Mon Nov 13 13:41:40 +0000 2017
X-GM-THRID: 1583956079220548787
X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread