lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20171103131937.GQ3252168@devbig577.frc2.facebook.com>
Date:   Fri, 3 Nov 2017 06:19:37 -0700
From:   Tejun Heo <tj@...nel.org>
To:     Taras Kondratiuk <takondra@...co.com>
Cc:     linux-ide@...r.kernel.org, linux-kernel@...r.kernel.org,
        xe-linux-external@...co.com
Subject: Re: Manual unbind of ATA devices causes use-after-free

Hello,

On Wed, Nov 01, 2017 at 04:24:47PM -0700, Taras Kondratiuk wrote:
> Manual unbind/remove unconditionally invokes devres_release_all which
> calls ata_host_release() and frees ata_host/ata_port memory while it is
> still being referenced (e.g as a parent of SCSI host).
> 
> Is there a reason why ata_host is using derves which is not refcounted?
> Does it make sense to add recounting to ata_host?

Hmm... the removal path is supposed to drain everything synchronously.
What kind of controller is it?

Thanks.

-- 
tejun

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ