From: sashiko-bot@kernel.org
To: "Danilo Krummrich" <dakr@kernel.org>
Cc: "Alexandre Courbot" <acourbot@nvidia.com>,
ojeda@kernel.org, dri-devel@lists.freedesktop.org
Subject: Re: [PATCH v4 14/16] rust: drm: Add RegistrationData to drm::Driver
Date: Sat, 20 Jun 2026 19:06:47 +0000 [thread overview]
Message-ID: <20260620190648.2E9F61F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260620184924.2247517-15-dakr@kernel.org>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [Critical] Unsound lifetime shortening of `RegistrationData` allows safe code to trigger a use-after-free.
- [High] Data race and use-after-free on `RegistrationData` when `drm_dev_register()` fails.
--
commit 4c4fafa27855b4e677d80a9c3bf6cb9acd303180
Author: Danilo Krummrich <dakr@kernel.org>
rust: drm: Add RegistrationData to drm::Driver
This patch introduces a RegistrationData associated type for drm::Driver
whose lifetime is tied to the parent bus device. It manages the registration
scope and provides safe access to this data within a RegistrationGuard.
> diff --git a/rust/kernel/drm/device.rs b/rust/kernel/drm/device.rs
> index 8f63276c9b62f..fc79f90a197d9 100644
> --- a/rust/kernel/drm/device.rs
> +++ b/rust/kernel/drm/device.rs
[ ... ]
> + #[inline]
> + unsafe fn registration_data_unchecked(&self) -> &<T::RegistrationData as ForLt>::Of<'_> {
> + // SAFETY:
> + // - Caller guarantees the parent bus device is bound, hence the pointer is valid.
> + // - The pointer cast from `Of<'static>` to `Of<'_>` is layout-compatible since lifetimes
> + // are erased at runtime.
> + // - Caller guarantees the reference is only used behind an HRTB, making the lifetime
> + // shortening sound regardless of variance.
> + unsafe { (*self.registration_data.get()).cast::<_>().as_ref() }
> + }
[ ... ]
> + pub fn registration_data_with<R, F>(&self, f: F) -> R
> + where
> + F: for<'a> FnOnce(&'a <T::RegistrationData as ForLt>::Of<'a>) -> R,
> + {
> + // SAFETY: `Registered` guarantees the device is registered and the parent bus device is
> + // bound. The closure's HRTB `for<'a>` prevents the caller from smuggling in references
> + // with a concrete short lifetime, satisfying the lifetime requirement of
> + // `registration_data_unchecked`.
> + f(unsafe { self.registration_data_unchecked() })
> + }
[Severity: Critical]
Does this lifetime shortening cast violate soundness if the Of<'a> type is
invariant (e.g., Cell<&'a u32> or Mutex<Option<&'a u32>>)?
Even with the HRTB bound in registration_data_with(), safe driver code could
do something like device.registration_data_with(|data| data.set(&local_var))
where local_var outlives the closure but not the device's 'bound lifetime.
Because the lifetime of the invariant container was shortened to the closure's
scope, the compiler will accept this and allow writing a short-lived reference
into it.
When the function returns and local_var is dropped, the physical
RegistrationData container living in the device will hold a dangling pointer,
leading to a use-after-free when the data is accessed again.
> diff --git a/rust/kernel/drm/driver.rs b/rust/kernel/drm/driver.rs
> index ceb2829985c78..e42b48e5cad28 100644
> --- a/rust/kernel/drm/driver.rs
> +++ b/rust/kernel/drm/driver.rs
[ ... ]
> + // SAFETY: `drm` is a valid, initialized but not yet registered DRM device.
> + let ret = unsafe { bindings::drm_dev_register(drm.as_raw(), flags) };
> + if let Err(e) = to_result(ret) {
> + // SAFETY: No concurrent access; registration failed.
> + unsafe { *drm.registration_data.get() = NonNull::dangling() };
> + return Err(e);
> + }
[Severity: High]
Can this error path trigger a use-after-free if drm_dev_register() fails
partway through its initialization?
During drm_dev_register(), minor nodes (such as the render node) are
registered sequentially via drm_minor_register(). As soon as a minor node is
registered, userspace can open it and begin executing ioctls. These concurrent
ioctls will successfully enter the RegistrationGuard critical section since
dev->unplugged is false.
If drm_dev_register() subsequently fails on the primary node, it returns an
error without calling drm_dev_unplug() (which would otherwise perform an SRCU
barrier to wait for existing readers). Returning Err(e) here causes the
RegistrationData to be dropped and freed, while a concurrent ioctl still
inside its drm_dev_enter() critical section could access this freed memory.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260620184924.2247517-1-dakr@kernel.org?part=14
next prev parent reply other threads:[~2026-06-20 19:06 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-20 18:47 [PATCH v4 00/16] rust: drm: Higher-Ranked Lifetime private data Danilo Krummrich
2026-06-20 18:47 ` [PATCH v4 01/16] rust: drm: ioctl: fix unbounded lifetimes in ioctl handler arguments Danilo Krummrich
2026-06-20 18:57 ` sashiko-bot
2026-06-20 18:47 ` [PATCH v4 02/16] rust: drm: rename Uninit DeviceContext to Normal Danilo Krummrich
2026-06-20 18:47 ` [PATCH v4 03/16] rust: drm: Add Driver::ParentDevice associated type Danilo Krummrich
2026-06-20 18:47 ` [PATCH v4 04/16] rust: drm: change default DeviceContext to Normal Danilo Krummrich
2026-06-20 18:47 ` [PATCH v4 05/16] rust: drm: restrict AlwaysRefCounted to Normal Device context Danilo Krummrich
2026-06-20 19:03 ` sashiko-bot
2026-06-20 18:47 ` [PATCH v4 06/16] rust: drm: restrict AlwaysRefCounted to Normal GEM Object context Danilo Krummrich
2026-06-20 21:00 ` sashiko-bot
2026-06-20 18:48 ` [PATCH v4 07/16] rust: drm: split Deref for Device context typestates Danilo Krummrich
2026-06-20 18:48 ` [PATCH v4 08/16] rust: drm: pin ioctl Device reference to Normal context Danilo Krummrich
2026-06-20 18:59 ` sashiko-bot
2026-06-20 18:48 ` [PATCH v4 09/16] rust: drm: add Ioctl device context typestate Danilo Krummrich
2026-06-20 18:48 ` [PATCH v4 10/16] rust: drm: Add RegistrationGuard for drm_dev_enter/exit critical sections Danilo Krummrich
2026-06-20 19:03 ` sashiko-bot
2026-06-20 18:48 ` [PATCH v4 11/16] rust: drm: Wrap ioctl dispatch in RegistrationGuard Danilo Krummrich
2026-06-20 18:58 ` sashiko-bot
2026-06-20 18:48 ` [PATCH v4 12/16] rust: drm: return ParentDevice from Device AsRef Danilo Krummrich
2026-06-20 19:01 ` sashiko-bot
2026-06-20 18:48 ` [PATCH v4 13/16] rust: drm: add AsRef<ParentDevice<Bound>> for Device<Registered> Danilo Krummrich
2026-06-20 19:02 ` sashiko-bot
2026-06-20 18:48 ` [PATCH v4 14/16] rust: drm: Add RegistrationData to drm::Driver Danilo Krummrich
2026-06-20 19:06 ` sashiko-bot [this message]
2026-06-20 18:48 ` [PATCH v4 15/16] rust: drm: Pass registration data to ioctl handlers Danilo Krummrich
2026-06-20 19:13 ` sashiko-bot
2026-06-20 18:48 ` [PATCH v4 16/16] drm: nova: Use drm::Device<Registered> to access the parent bus device Danilo Krummrich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260620190648.2E9F61F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=acourbot@nvidia.com \
--cc=dakr@kernel.org \
--cc=dri-devel@lists.freedesktop.org \
--cc=ojeda@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.