From: sashiko-bot@kernel.org
To: "Gary Guo" <gary@garyguo.net>
Cc: ojeda@kernel.org, dri-devel@lists.freedesktop.org,
"Danilo Krummrich" <dakr@kernel.org>,
conor+dt@kernel.org, linux-pci@vger.kernel.org,
devicetree@vger.kernel.org, robh@kernel.org,
"Alexandre Courbot" <acourbot@nvidia.com>
Subject: Re: [PATCH 03/10] rust: pci: use `Option<&IdInfo>` for device ID info
Date: Fri, 19 Jun 2026 17:05:02 +0000
Message-ID: <20260619170503.518F61F00A3A@smtp.kernel.org>
In-Reply-To: <20260618-id_info-v1-3-96af1e559ef9@garyguo.net>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] The dynamic ID matching in the PCI core returns a pointer to a dynamically allocated ID without holding a lock or reference, leading to a Use-After-Free if the ID is concurrently removed via sysfs.
--
commit d1889a1b7c5b08bca9b93c95bb95cf7a983ddfea
Author: Gary Guo <gary@garyguo.net>
rust: pci: use Option<&IdInfo> for device ID info
This commit updates the Rust PCI probe functions to accept an Option<&IdInfo>
instead of a direct reference. This allows the driver to handle situations
where the driver_data is 0, such as when driver_override is used.
[ ... ]
> diff --git a/rust/kernel/pci.rs b/rust/kernel/pci.rs
> index 5071cae6543fd..0e055e4df99ee 100644
> --- a/rust/kernel/pci.rs
> +++ b/rust/kernel/pci.rs
> @@ -113,7 +113,7 @@ extern "C" fn probe_callback(
> let info = T::ID_TABLE.info(id.index());
>
> from_result(|| {
> - let data = T::probe(pdev, info);
> + let data = T::probe(pdev, Some(info));
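Review bot: In probe_callback(), `info` is still computed unconditionally by `T::ID_TABLE.info(id.index())` and is then always wrapped as `Some(info)`, so within this hunk `T::probe` can never receive `None`. The commit message motivates the change with the driver_data == 0 case (driver_override), which these lines do not yet handle. Either say in the commit message that this patch only changes the signature, or handle the no-info case here before `id.index()` is called.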
[Severity: High]

This isn't a bug introduced by this patch, but there is a pre-existing
Use-After-Free in the C PCI core that impacts this callback.

In the C subsystem, pci_match_device() searches for dynamic IDs under
drv->dynids.lock and returns a pointer to the interior of dynid after
dropping the lock:

drivers/pci/pci-driver.c:pci_match_device() {
    ...
            found_id = &dynid->id;
            break;
        }
    }
    spin_unlock(&drv->dynids.lock);
    if (found_id)
        return found_id;
}

Concurrently, if a user removes the ID via sysfs, remove_id_store() frees
it unconditionally:

drivers/pci/pci-driver.c:remove_id_store() {
    ...
    list_del(&dynid->node);
    kfree(dynid);
}

When local_pci_probe() calls the driver's probe callback, it passes this
potentially dangling id pointer. Since the Rust probe_callback() receives
this pointer from C, will dereferencing it (such as when calling id.index()
just above this change) trigger a Use-After-Free crash?
[ ... ]
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260618-id_info-v1-0-96af1e559ef9@garyguo.net?part=3
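The lifetime problem described in the review, as a userspace model added here (not kernel code and not part of the original message): `match_id()` returns a pointer into a list node the way the review says pci_match_device() does, and can also copy the entry out while the lock is still held. All function and type names, the pthread mutex standing in for the spinlock, and the sample IDs are assumptions.

```c
/* Userspace model constructed for illustration; not kernel code. */
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>
struct dev_id { unsigned vendor, device; unsigned long driver_data; };
struct dynid { struct dynid *next; struct dev_id id; };
static pthread_mutex_t dynids_lock = PTHREAD_MUTEX_INITIALIZER; /* models the spinlock */
static struct dynid *dynids;

/* Caller holds dynids_lock. Returns the link that points at the match. */
static struct dynid **find_locked(unsigned vendor, unsigned device)
{
    struct dynid **pp = &dynids;
    while (*pp && ((*pp)->id.vendor != vendor || (*pp)->id.device != device))
        pp = &(*pp)->next;
    return pp;
}
static bool add_id(unsigned vendor, unsigned device, unsigned long data)
{
    struct dynid *d = malloc(sizeof(*d));
    if (!d)
        return false;
    pthread_mutex_lock(&dynids_lock);
    *d = (struct dynid){ dynids, { vendor, device, data } };
    dynids = d;
    pthread_mutex_unlock(&dynids_lock);
    return true;
}
/* Removal path: unlink under the lock, then free the node. */
static void remove_id(unsigned vendor, unsigned device)
{
    pthread_mutex_lock(&dynids_lock);
    struct dynid **pp = find_locked(vendor, device), *victim = *pp;
    if (victim)
        *pp = victim->next;
    pthread_mutex_unlock(&dynids_lock);
    free(victim); /* free(NULL) is a no-op */
}
/* The return value borrows from the list node and dangles once remove_id()
 * frees it; *out (if non-NULL) is copied under the lock and stays valid. */
static const struct dev_id *match_id(unsigned vendor, unsigned device, struct dev_id *out)
{
    pthread_mutex_lock(&dynids_lock);
    struct dynid *d = *find_locked(vendor, device);
    if (d && out)
        *out = d->id;
    pthread_mutex_unlock(&dynids_lock);
    return d ? &d->id : NULL;
}
```

A caller that keeps only the copy never touches freed memory, whereas the returned pointer must not be dereferenced once a removal can run.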