Re: [PATCH RESEND] scsi: ppa: Fix use-after-free caused by unfinished delayed work

From: James Bottomley
Date: Thu Jan 01 2026 - 10:21:44 EST


On Thu, 2026-01-01 at 21:55 +0800, Duoming Zhou wrote:
> diff --git a/drivers/scsi/ppa.c b/drivers/scsi/ppa.c
> index ea682f3044b..8da2a78ebac 100644
> --- a/drivers/scsi/ppa.c
> +++ b/drivers/scsi/ppa.c
> @@ -1136,6 +1136,7 @@ static void ppa_detach(struct parport *pb)
>   ppa_struct *dev;
>   list_for_each_entry(dev, &ppa_hosts, list) {
>   if (dev->dev->port == pb) {
> + disable_delayed_work_sync(&dev->ppa_tq);
>   list_del_init(&dev->list);
>   scsi_remove_host(dev->host);
>   scsi_host_put(dev->host);
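Review bot: stopping the poll here strands any command the work was completing, because `disable_delayed_work_sync(&dev->ppa_tq)` runs before `scsi_remove_host(dev->host)` and `scsi_host_put(dev->host)`, so a still-outstanding command is never returned and the host reference it pins is never dropped. Either complete or fail the pending command before the work is disabled, or move the cancellation after scsi_remove_host() once the host has been quiesced, and state in the commit message how an in-flight command is drained; as posted, the hunk only changes the order of teardown and does not say what happens to that command.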

This fix looks bogus: if there's an active workqueue on ppa it's
because there's an outstanding command and it's emulating polling. If
you stop the polling by disabling the workqueue, the command will never
return and the host will never get freed, so this will leak resources,
won't it?

Also the race condition you identify is one of many tied to an
incorrect ppa_struct lifetime: it should never be freed before the
host itself is gone because a live host may do a callback which will
get the ppa_struct from hostdata, so if the host is still alive for any
reason when ppa_detach() is called, we'll get the same problem.

Regards,

James