From: sashiko-bot@kernel.org
To: "Danilo Krummrich" <dakr@kernel.org>
Cc: ojeda@kernel.org, "Alexandre Courbot" <acourbot@nvidia.com>,
dri-devel@lists.freedesktop.org
Subject: Re: [PATCH v3 4/7] rust: auxiliary: sample: demonstrate ForLt with invariant Mutex type
Date: Thu, 18 Jun 2026 23:21:43 +0000 [thread overview]
Message-ID: <20260618232144.09FC91F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260618230834.812007-5-dakr@kernel.org>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [Critical] Safe Rust code can cause a Use-After-Free (UAF) and lock a freed Mutex by calling `registration_data_with()` on a surviving `ARef<Device>` after the parent device is unbound.
--
commit 9c83313149d56b7513a5eff4702ae4ca9adae277
Author: Danilo Krummrich <dakr@kernel.org>
rust: auxiliary: sample: demonstrate ForLt with invariant Mutex type
Extend the auxiliary driver sample to demonstrate both access patterns:
- registration_data() with CovariantForLt!(Data<'_>) for the covariant
data type that holds a plain &'bound reference.
- registration_data_with() with ForLt!(MutexData<'_>) for an invariant
data type that wraps a Mutex<&'bound Device>. Since Mutex<T> is
invariant over T, MutexData cannot implement CovariantForLt and must
use the closure-based accessor.
> diff --git a/samples/rust/rust_driver_auxiliary.rs b/samples/rust/rust_driver_auxiliary.rs
> index 92ee6a6d348e7..e441ae81fa2cf 100644
> --- a/samples/rust/rust_driver_auxiliary.rs
> +++ b/samples/rust/rust_driver_auxiliary.rs
[ ... ]
> @@ -115,22 +140,39 @@ fn probe<'bound>(
>
> impl ParentDriver {
> fn connect(adev: &auxiliary::Device<Bound>) -> Result {
[ ... ]
> + // Invariant ForLt types (e.g. containing a Mutex) require the closure-based accessor.
> + INVARIANT_DEV_ID => {
> + adev.registration_data_with::<ForLt!(MutexData<'_>), _>(|data| {
> + let pdev = *data.parent.lock();
[Severity: Critical]
This is a pre-existing issue, but can this safe Rust code cause a
use-after-free if called on a surviving ARef<Device> after the parent device
is unbound?
In the auxiliary core, Registration::drop() frees the RegistrationData:
rust/kernel/auxiliary.rs:Registration::drop() {
...
drop(unsafe {
Pin::<KBox<RegistrationData<F::Of<'static>>>>::from_foreign(
(*self.adev.as_ptr()).registration_data_rust,
)
});
...
}
However, it leaves the registration_data_rust pointer dangling.
Since the auxiliary_device can safely outlive the Registration (e.g. via a
safe ARef<Device> inside an async task, cdev, or sysfs file), a caller holding
that reference could safely call registration_data_with() and trigger a
use-after-free when the dangling pointer is read:
rust/kernel/auxiliary.rs:Device::registration_data_pinned() {
...
let type_id = unsafe { ptr.cast::<TypeId>().read() };
...
}
In this sample, wouldn't that result in locking a freed Mutex when
data.parent.lock() is called?
> + dev_info!(
> + pdev,
> + "Connected to auxiliary device with index {} (via Mutex).\n",
> + data.index
> + );
> + })?;
> + }
> + _ => return Err(EINVAL),
> + }
>
> Ok(())
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260618230834.812007-1-dakr@kernel.org?part=4
next prev parent reply other threads:[~2026-06-18 23:21 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-18 23:08 [PATCH v3 0/7] ForLt/CovariantForLt split, auxiliary closure API and DevresLt Danilo Krummrich
2026-06-18 23:08 ` [PATCH v3 1/7] rust: types: rename ForLt to CovariantForLt Danilo Krummrich
2026-06-18 23:15 ` sashiko-bot
2026-06-18 23:08 ` [PATCH v3 2/7] rust: types: introduce ForLt base trait for CovariantForLt Danilo Krummrich
2026-06-18 23:08 ` [PATCH v3 3/7] rust: auxiliary: add registration_data_with() for ForLt types Danilo Krummrich
2026-06-18 23:22 ` sashiko-bot
2026-06-18 23:08 ` [PATCH v3 4/7] rust: auxiliary: sample: demonstrate ForLt with invariant Mutex type Danilo Krummrich
2026-06-18 23:21 ` sashiko-bot [this message]
2026-06-18 23:08 ` [PATCH v3 5/7] rust: devres: add DevresLt for ForLt-aware device resource access Danilo Krummrich
2026-06-18 23:21 ` sashiko-bot
2026-06-18 23:08 ` [PATCH v3 6/7] rust: pci: return DevresLt from Bar::into_devres() Danilo Krummrich
2026-06-18 23:08 ` [PATCH v3 7/7] rust: io: mem: return DevresLt from IoMem/ExclusiveIoMem::into_devres() Danilo Krummrich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260618232144.09FC91F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=acourbot@nvidia.com \
--cc=dakr@kernel.org \
--cc=dri-devel@lists.freedesktop.org \
--cc=ojeda@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.