From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, John Garry <john.garry@huawei.com>,
	Jens Axboe <axboe@kernel.dk>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.4 007/100] libata: Remove extra scsi_host_put() in ata_scsi_add_hosts()
Date: Wed, 22 Apr 2020 11:55:37 +0200	[thread overview]
Message-ID: <20200422095024.046830392@linuxfoundation.org> (raw)
In-Reply-To: <20200422095022.476101261@linuxfoundation.org>

From: John Garry <john.garry@huawei.com>

[ Upstream commit 1d72f7aec3595249dbb83291ccac041a2d676c57 ]

If the call to scsi_add_host_with_dma() in ata_scsi_add_hosts() fails,
then we may get use-after-free KASAN warnings:

==================================================================
BUG: KASAN: use-after-free in kobject_put+0x24/0x180
Read of size 1 at addr ffff0026b8c80364 by task swapper/0/1
CPU: 1 PID: 1 Comm: swapper/0 Tainted: G        W         5.6.0-rc3-00004-g5a71b206ea82-dirty #1765
Hardware name: Huawei TaiShan 200 (Model 2280)/BC82AMDD, BIOS 2280-V2 CS V3.B160.01 02/24/2020
Call trace:
dump_backtrace+0x0/0x298
show_stack+0x14/0x20
dump_stack+0x118/0x190
print_address_description.isra.9+0x6c/0x3b8
__kasan_report+0x134/0x23c
kasan_report+0xc/0x18
__asan_load1+0x5c/0x68
kobject_put+0x24/0x180
put_device+0x10/0x20
scsi_host_put+0x10/0x18
ata_devres_release+0x74/0xb0
release_nodes+0x2d0/0x470
devres_release_all+0x50/0x78
really_probe+0x2d4/0x560
driver_probe_device+0x7c/0x148
device_driver_attach+0x94/0xa0
__driver_attach+0xa8/0x110
bus_for_each_dev+0xe8/0x158
driver_attach+0x30/0x40
bus_add_driver+0x220/0x2e0
driver_register+0xbc/0x1d0
__pci_register_driver+0xbc/0xd0
ahci_pci_driver_init+0x20/0x28
do_one_initcall+0xf0/0x608
kernel_init_freeable+0x31c/0x384
kernel_init+0x10/0x118
ret_from_fork+0x10/0x18

Allocated by task 5:
save_stack+0x28/0xc8
__kasan_kmalloc.isra.8+0xbc/0xd8
kasan_kmalloc+0xc/0x18
__kmalloc+0x1a8/0x280
scsi_host_alloc+0x44/0x678
ata_scsi_add_hosts+0x74/0x268
ata_host_register+0x228/0x488
ahci_host_activate+0x1c4/0x2a8
ahci_init_one+0xd18/0x1298
local_pci_probe+0x74/0xf0
work_for_cpu_fn+0x2c/0x48
process_one_work+0x488/0xc08
worker_thread+0x330/0x5d0
kthread+0x1c8/0x1d0
ret_from_fork+0x10/0x18

Freed by task 5:
save_stack+0x28/0xc8
__kasan_slab_free+0x118/0x180
kasan_slab_free+0x10/0x18
slab_free_freelist_hook+0xa4/0x1a0
kfree+0xd4/0x3a0
scsi_host_dev_release+0x100/0x148
device_release+0x7c/0xe0
kobject_put+0xb0/0x180
put_device+0x10/0x20
scsi_host_put+0x10/0x18
ata_scsi_add_hosts+0x210/0x268
ata_host_register+0x228/0x488
ahci_host_activate+0x1c4/0x2a8
ahci_init_one+0xd18/0x1298
local_pci_probe+0x74/0xf0
work_for_cpu_fn+0x2c/0x48
process_one_work+0x488/0xc08
worker_thread+0x330/0x5d0
kthread+0x1c8/0x1d0
ret_from_fork+0x10/0x18

There is also a refcount issue:
WARNING: CPU: 1 PID: 1 at lib/refcount.c:28 refcount_warn_saturate+0xf8/0x170

The issue is that we make an erroneous extra call to scsi_host_put()
for that host:

So in ahci_init_one()->ata_host_alloc_pinfo()->ata_host_alloc(), we set up
a device release method - ata_devres_release() - which intends to release
the SCSI hosts:

static void ata_devres_release(struct device *gendev, void *res)
{
	...
	for (i = 0; i < host->n_ports; i++) {
		struct ata_port *ap = host->ports[i];

		if (!ap)
			continue;

		if (ap->scsi_host)
			scsi_host_put(ap->scsi_host);

	}
	...
}

However in the ata_scsi_add_hosts() error path, we also call
scsi_host_put() for the SCSI hosts.

Fix by removing the scsi_host_put() calls in ata_scsi_add_hosts() and
leaving this to ata_devres_release().

Fixes: f31871951b38 ("libata: separate out ata_host_alloc() and ata_host_register()")
Signed-off-by: John Garry <john.garry@huawei.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/ata/libata-scsi.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
index a44aeda571091..59dc033408be7 100644
--- a/drivers/ata/libata-scsi.c
+++ b/drivers/ata/libata-scsi.c
@@ -3720,22 +3720,19 @@ int ata_scsi_add_hosts(struct ata_host *host, struct scsi_host_template *sht)
 		 */
 		shost->max_host_blocked = 1;
 
-		rc = scsi_add_host_with_dma(ap->scsi_host,
-						&ap->tdev, ap->host->dev);
+		rc = scsi_add_host_with_dma(shost, &ap->tdev, ap->host->dev);
 		if (rc)
-			goto err_add;
+			goto err_alloc;
 	}
 
 	return 0;
 
- err_add:
-	scsi_host_put(host->ports[i]->scsi_host);
  err_alloc:
 	while (--i >= 0) {
 		struct Scsi_Host *shost = host->ports[i]->scsi_host;
 
+		/* scsi_host_put() is in ata_devres_release() */
 		scsi_remove_host(shost);
-		scsi_host_put(shost);
 	}
 	return rc;
 }
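Review bot: the `while (--i >= 0)` loop now also serves the scsi_add_host_with_dma() failure via `goto err_alloc`, and it deliberately starts one port below the failing one, which is correct because scsi_remove_host() must only run for hosts that were actually added, while the host that failed to add (like every other one) gets its put from ata_devres_release(); the new comment `/* scsi_host_put() is in ata_devres_release() */` would be more useful if it also stated that the skipped host `i` was never added, since a reader seeing an add failure jump to a label named `err_alloc` may otherwise suspect a leak of that host.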
-- 
2.20.1
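As an added illustration (a constructed model, not the kernel's code or the patch author's), the following C program reproduces the ownership rule the commit message describes: every SCSI host is released by a devres-style callback, so an error path that also puts the hosts releases them twice. The names `fail_at`, `buggy` and the two counters are invented for the model.

```c
#include <stdlib.h>
#include <string.h>

#define NPORTS 3
/* Constructed model, not kernel code: a host whose refcount reports a put
 * on an already-released object (the job refcount_warn_saturate() and KASAN
 * did in the report) instead of freeing it twice. */
struct host { int refs, dead; };
struct ata_host { struct host *scsi_host[NPORTS]; };
static int g_freed, g_extra_puts;   /* counters the caller inspects */

static void host_put(struct host *h) {        /* scsi_host_put() analogue */
	if (h->dead) { g_extra_puts++; return; }
	if (--h->refs == 0) { h->dead = 1; g_freed++; }
}

/* ata_devres_release() analogue: owns the final put for every host. */
static void devres_release(struct ata_host *host) {
	for (int i = 0; i < NPORTS; i++)
		if (host->scsi_host[i])
			host_put(host->scsi_host[i]);
}

/* ata_scsi_add_hosts() analogue. fail_at is the port whose
 * scsi_add_host_with_dma() fails (-1 for none); buggy selects the
 * pre-fix error path, which put the hosts itself as well. */
static int add_hosts(struct ata_host *host, int fail_at, int buggy) {
	int i, rc = 0;
	for (i = 0; i < NPORTS; i++) {
		struct host *shost = calloc(1, sizeof *shost);
		shost->refs = 1;                      /* scsi_host_alloc() */
		host->scsi_host[i] = shost;
		if (i == fail_at) { rc = -1; break; } /* add failed */
	}
	if (rc == 0) return 0;
	if (buggy) host_put(host->scsi_host[i]);      /* old err_add label */
	while (--i >= 0) {                            /* hosts already added */
		/* scsi_remove_host() goes here; the put is left to devres */
		if (buggy) host_put(host->scsi_host[i]);
	}
	return rc;
}

/* One failed probe plus the devres teardown the driver core runs after
 * it. Returns how many puts hit an already-released host (0 is correct). */
static int probe_and_teardown(int fail_at, int buggy) {
	struct ata_host host;
	memset(&host, 0, sizeof host);
	g_freed = g_extra_puts = 0;
	add_hosts(&host, fail_at, buggy);
	devres_release(&host);
	for (int i = 0; i < NPORTS; i++)
		free(host.scsi_host[i]);
	return g_extra_puts;
}
```

With the pre-fix path, the two hosts allocated before the failure are each put twice; with the fixed path each is released exactly once by the devres callback.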