From: sashiko-bot@kernel.org
To: "Danilo Krummrich" <dakr@kernel.org>
Cc: linux-pci@vger.kernel.org, ojeda@kernel.org
Subject: Re: [PATCH v4 01/27] rust: alloc: remove `'static` bound on `ForeignOwnable`
Date: Fri, 22 May 2026 00:13:59 +0000 [thread overview]
Message-ID: <20260522001359.BA1CC1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260521233501.1191842-2-dakr@kernel.org>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [Critical] Removing the `'static` bound on `Box` and `Pin<Box>` implementations of `ForeignOwnable` allows safe Rust code to cause use-after-free vulnerabilities by passing short-lived references to long-lived C subsystems.
- [Low] The commit lifts the `'static` requirement from the `ForeignOwnable` trait for `Box` implementations but fails to apply it uniformly, leaving `Arc<T>` inconsistently restricted.
--
commit 3010ad31fe43876a42708e20baf90c11f6c4ba78
Author: Gary Guo <gary@garyguo.net>
rust: alloc: remove 'static bound on ForeignOwnable
The 'static bound is currently necessary because there's no
restriction on the lifetime of the GAT. Add a Self: 'a bound to
restrict possible lifetimes on Borrowed and BorrowedMut, and lift
the 'static requirement.
> diff --git a/rust/kernel/alloc/kbox.rs b/rust/kernel/alloc/kbox.rs
> index c824ed6e15233..2f8c16473c2cf 100644
> --- a/rust/kernel/alloc/kbox.rs
> +++ b/rust/kernel/alloc/kbox.rs
[ ... ]
> @@ -477,7 +477,7 @@ fn try_init<E>(init: impl Init<T, E>, flags: Flags) -> Result<Self, E>
>
> // SAFETY: The pointer returned by `into_foreign` comes from a well aligned
> // pointer to `T` allocated by `A`.
> -unsafe impl<T: 'static, A> ForeignOwnable for Box<T, A>
> +unsafe impl<T, A> ForeignOwnable for Box<T, A>
[Severity: Critical]
Does removing the 'static bound here allow safe Rust code to cause use-after-free
vulnerabilities by passing short-lived references to long-lived C subsystems?
For example, GenDiskBuilder::build accepts a generic Operations type T, takes
its QueueData, and stores it in the C subsystem via ForeignOwnable::into_foreign.
Previously, the 'static bound implicitly ensured QueueData did not contain local
references.
If safe code constructs a GenDisk using a Box holding stack references, and then
that GenDisk is leaked via core::mem::forget(disk), the block device would
remain registered in C while the stack frame ends.
When the C callback queue_rq executes asynchronously, could it dereference a
dangling pointer resulting in a use-after-free?
[Severity: Low]
This isn't a bug, but should the 'static bound on Arc<T> in rust/kernel/sync/arc.rs
also be removed for consistency?
The commit message implies lifting the 'static requirement generally, but it
appears Arc<T> still retains its explicit unsafe impl<T: 'static> ForeignOwnable
for Arc<T> implementation.
> where
> A: Allocator,
> {
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260521233501.1191842-1-dakr@kernel.org?part=1
next prev parent reply other threads:[~2026-05-22 0:14 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-21 23:34 [PATCH v4 00/27] rust: device: Higher-Ranked Lifetime Types for device drivers Danilo Krummrich
2026-05-21 23:34 ` [PATCH v4 01/27] rust: alloc: remove `'static` bound on `ForeignOwnable` Danilo Krummrich
2026-05-22 0:13 ` sashiko-bot [this message]
2026-05-21 23:34 ` [PATCH v4 02/27] rust: driver: move 'static bounds to constructor Danilo Krummrich
2026-05-21 23:34 ` [PATCH v4 03/27] rust: driver: decouple driver private data from driver type Danilo Krummrich
2026-05-21 23:56 ` sashiko-bot
2026-05-21 23:34 ` [PATCH v4 04/27] rust: driver core: drop drvdata before devres release Danilo Krummrich
2026-05-22 0:10 ` sashiko-bot
2026-05-21 23:34 ` [PATCH v4 05/27] rust: pci: implement Sync for Device<Bound> Danilo Krummrich
2026-05-21 23:34 ` [PATCH v4 06/27] rust: platform: " Danilo Krummrich
2026-05-21 23:34 ` [PATCH v4 07/27] rust: auxiliary: " Danilo Krummrich
2026-05-21 23:34 ` [PATCH v4 08/27] rust: usb: " Danilo Krummrich
2026-05-22 0:16 ` sashiko-bot
2026-05-21 23:34 ` [PATCH v4 09/27] rust: device: " Danilo Krummrich
2026-05-21 23:34 ` [PATCH v4 10/27] rust: device: make Core and CoreInternal lifetime-parameterized Danilo Krummrich
2026-05-25 4:21 ` Eliot Courtney
2026-05-25 11:02 ` Alexandre Courbot
2026-05-21 23:34 ` [PATCH v4 11/27] rust: pci: make Driver trait lifetime-parameterized Danilo Krummrich
2026-05-22 0:14 ` sashiko-bot
2026-05-21 23:34 ` [PATCH v4 12/27] rust: platform: " Danilo Krummrich
2026-05-21 23:34 ` [PATCH v4 13/27] rust: auxiliary: " Danilo Krummrich
2026-05-21 23:34 ` [PATCH v4 14/27] rust: usb: " Danilo Krummrich
2026-05-22 0:23 ` sashiko-bot
2026-05-25 4:31 ` Eliot Courtney
2026-05-21 23:34 ` [PATCH v4 15/27] rust: i2c: " Danilo Krummrich
2026-05-21 23:34 ` [PATCH v4 16/27] rust: driver: update module documentation for GAT-based Data type Danilo Krummrich
2026-05-21 23:34 ` [PATCH v4 17/27] rust: pci: make Bar lifetime-parameterized Danilo Krummrich
2026-05-22 0:49 ` sashiko-bot
2026-05-25 4:37 ` Eliot Courtney
2026-05-25 11:40 ` Gary Guo
2026-05-25 12:05 ` Danilo Krummrich
2026-05-25 11:10 ` Alexandre Courbot
2026-05-25 11:12 ` Alexandre Courbot
2026-05-21 23:34 ` [PATCH v4 18/27] rust: io: make IoMem and ExclusiveIoMem lifetime-parameterized Danilo Krummrich
2026-05-22 0:45 ` sashiko-bot
2026-05-25 13:10 ` Alexandre Courbot
2026-05-21 23:34 ` [PATCH v4 19/27] samples: rust: rust_driver_pci: use HRT lifetime for Bar Danilo Krummrich
2026-05-22 1:27 ` sashiko-bot
2026-05-25 13:55 ` Alexandre Courbot
2026-05-21 23:34 ` [PATCH v4 20/27] gpu: nova-core: separate driver type from driver data Danilo Krummrich
2026-05-25 4:40 ` Eliot Courtney
2026-05-25 14:11 ` Alexandre Courbot
2026-05-21 23:34 ` [PATCH v4 21/27] rust: types: add `ForLt` trait for higher-ranked lifetime support Danilo Krummrich
2026-05-22 0:31 ` sashiko-bot
2026-05-23 15:46 ` Danilo Krummrich
2026-05-25 12:31 ` Eliot Courtney
2026-05-21 23:34 ` [PATCH v4 22/27] rust: auxiliary: generalize Registration over ForLt Danilo Krummrich
2026-05-22 0:49 ` sashiko-bot
2026-05-25 6:03 ` Eliot Courtney
2026-05-25 14:42 ` Alexandre Courbot
2026-05-21 23:34 ` [PATCH v4 23/27] samples: rust: rust_driver_auxiliary: showcase lifetime-bound registration data Danilo Krummrich
2026-05-25 14:48 ` Alexandre Courbot
2026-05-21 23:34 ` [PATCH REF v4 24/27] gpu: nova-core: use lifetime for Bar Danilo Krummrich
2026-05-22 1:28 ` sashiko-bot
2026-05-26 2:10 ` Alexandre Courbot
2026-05-26 5:48 ` Alexandre Courbot
2026-05-21 23:34 ` [PATCH REF v4 25/27] gpu: nova-core: unregister sysmem flush page from Drop Danilo Krummrich
2026-05-22 0:47 ` sashiko-bot
2026-05-21 23:34 ` [PATCH REF v4 26/27] gpu: nova-core: replace ARef<Device> with &'bound Device in SysmemFlush Danilo Krummrich
2026-05-22 0:46 ` sashiko-bot
2026-05-21 23:34 ` [PATCH REF v4 27/27] gpu: drm: tyr: use lifetime for IoMem Danilo Krummrich
2026-05-22 0:42 ` sashiko-bot
2026-05-22 10:14 ` [PATCH v4 00/27] rust: device: Higher-Ranked Lifetime Types for device drivers Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260522001359.BA1CC1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=dakr@kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=ojeda@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.