From: sashiko-bot@kernel.org
To: "Danilo Krummrich" <dakr@kernel.org>
Cc: linux-pci@vger.kernel.org, ojeda@kernel.org
Subject: Re: [PATCH v5 15/24] rust: usb: make Driver trait lifetime-parameterized
Date: Mon, 25 May 2026 21:14:24 +0000
Message-ID: <20260525211424.991271F000E9@smtp.kernel.org>
In-Reply-To: <20260525202921.124698-16-dakr@kernel.org>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Lifetime transmute in `drvdata_borrow` and `drvdata_obtain` violates `ForeignOwnable` safety invariants.
--

commit 7eabedf806aa3828a851211d08e32adafe52e9bb
Author: Danilo Krummrich <dakr@kernel.org>

rust: usb: make Driver trait lifetime-parameterized

This commit adds a 'bound lifetime to the associated Data type in the USB
Driver trait. This allows driver data to capture the device bound lifetime
and store device resources directly by reference without requiring Devres.

> diff --git a/rust/kernel/usb.rs b/rust/kernel/usb.rs
> index 1dbb8387b4636..7aff0c82d0afc 100644
> --- a/rust/kernel/usb.rs
> +++ b/rust/kernel/usb.rs

[ ... ]

> @@ -109,8 +109,8 @@ extern "C" fn disconnect_callback(intf: *mut bindings::usb_interface) {
>  
>          // SAFETY: disconnect_callback is only ever called after a successful call to
>          // probe_callback, hence it's guaranteed that Device::set_drvdata() has been called
> -        // and stored a Pin<KBox<T::Data>>.
> -        let data = unsafe { dev.drvdata_borrow::<T::Data>() };
> +        // and stored a Pin<KBox<T::Data<'_>>>.
> +        let data = unsafe { dev.drvdata_borrow::<T::Data<'_>>() };
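
Review bot: The SAFETY comment updated in disconnect_callback now names the stored type as Pin<KBox<T::Data<'_>>>, but the elided lifetime leaves unstated which lifetime the data was stored with and why the one inferred at this call may stand in for it. Suggest having the comment name that lifetime and give the reason it is acceptable for drvdata_borrow::<T::Data<'_>>() here, so the justification for the unsafe block covers the lifetime as well as the call ordering.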

[Severity: High]
Does this lifetime transmute in drvdata_borrow violate the ForeignOwnable
safety invariants?

The safety documentation for drvdata_borrow and drvdata_obtain requires
that the type T must match the exact type of the ForeignOwnable previously
stored. Because the probe callback stores the data with its local lifetime
and the disconnect callback retrieves it with a different local lifetime,
T::Data<'probe> and T::Data<'_> represent distinct types in Rust. Passing
a different type to these unsafe functions violates their documented
preconditions.

Additionally, since the Data<'bound> associated type does not guarantee
covariance, could a driver implement an invariant type (for example, using
Cell<&'bound Device>)?

While an immediate use-after-free might be hard to trigger because the C
pointer remains valid, bypassing the borrow checker and casting lifetimes
via raw pointers without covariance bounds appears to be structurally unsound.

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260525202921.124698-1-dakr@kernel.org?part=15
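
The variance question raised in the review above, as an added example that is not part of the original message or of the kernel tree: it shows why a covariant data type can be re-borrowed at a shorter lifetime safely, while an invariant one (here using `Cell`) lets a write through the re-lifetimed view reach the longer-lived owner. `Device`, `CovData`, `InvData`, `relifetime` and `demo` are constructed stand-ins, not kernel APIs.

```rust
use std::cell::Cell;

// Constructed stand-ins for illustration; none of these are kernel types.
struct Device { id: u32 }

/// Covariant in 'a: a `CovData<'long>` may be viewed as a `CovData<'short>`.
#[allow(dead_code)]
struct CovData<'a> {
    dev: &'a Device,
}

/// Invariant in 'a: `Cell<&'a Device>` can be written through a shared reference.
struct InvData<'a> {
    dev: Cell<&'a Device>,
}

/// Safe lifetime shortening; rustc accepts it only because CovData is covariant.
#[allow(dead_code)]
fn shorten_cov<'s, 'l: 's>(d: &'s CovData<'l>) -> &'s CovData<'s> {
    d
}

// The same signature for InvData is rejected by the borrow checker:
// fn shorten_inv<'s, 'l: 's>(d: &'s InvData<'l>) -> &'s InvData<'s> { d }

/// Models fetching type-erased data under a lifetime other than the stored one.
/// SAFETY: nothing written through the result may be kept past 's.
unsafe fn relifetime<'s, 'l: 's>(d: &'s InvData<'l>) -> &'s InvData<'s> {
    unsafe { &*(d as *const InvData<'l>).cast::<InvData<'s>>() }
}

/// Returns (id the owner sees while a short-lived ref is installed, id after restore).
fn demo() -> (u32, u32) {
    let long_dev = Device { id: 1 };
    let owner = InvData { dev: Cell::new(&long_dev) };
    let seen;
    {
        let short_dev = Device { id: 2 };
        // SAFETY: the original reference is restored before `short_dev` is dropped.
        let view = unsafe { relifetime(&owner) };
        view.dev.set(&short_dev); // compiles: the view claims the shorter lifetime
        seen = owner.dev.get().id; // the owner's "long" slot now points at short_dev
        view.dev.set(&long_dev); // restore, so no dangling reference ever exists
    }
    (seen, owner.dev.get().id)
}

fn main() { println!("{:?}", demo()); }
```

Without the restoring `set`, the owner would keep a reference to `short_dev` past the end of the inner block, which is the hazard that a covariance requirement rules out at compile time.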
