From: sashiko-bot@kernel.org
To: "Danilo Krummrich" <dakr@kernel.org>
Cc: ojeda@kernel.org, dri-devel@lists.freedesktop.org,
	"Alexandre Courbot" <acourbot@nvidia.com>
Subject: Re: [PATCH v4 5/7] rust: devres: add DevresLt for ForLt-aware device resource access
Date: Fri, 26 Jun 2026 18:50:54 +0000
Message-ID: <20260626185055.7CA331F000E9@smtp.kernel.org>
In-Reply-To: <20260626183630.2585057-6-dakr@kernel.org>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] `DevresGuard` implements `Deref` tying the returned reference's inner lifetime to the `DevresLt` borrow rather than the guard itself, allowing references to escape the RCU read-side lock and causing a use-after-free.
--

commit 62b48d10ff277ed9a20edb541dfb07cf0af74ca2
Author: Danilo Krummrich <dakr@kernel.org>

rust: devres: add DevresLt for ForLt-aware device resource access

This commit introduces DevresLt, a wrapper around Devres that safely shortens
the synthetic 'static lifetime of stored resources to the caller's borrow
lifetime. It provides both direct-reference accessors for CovariantForLt types
and closure-based accessors for plain ForLt types.

> diff --git a/rust/kernel/devres.rs b/rust/kernel/devres.rs
> index 11ce500e9b76f..b7c075a39ba47 100644
> --- a/rust/kernel/devres.rs
> +++ b/rust/kernel/devres.rs

[ ... ]

> @@ -365,6 +367,110 @@ fn drop(&mut self) {
>      }
>  }
>  
> +/// Guard returned by [`DevresLt::try_access`].
> +///
> +/// Dereferences to `F::Of<'a>`, shortening the lifetime of the stored data to the guard's borrow
> +/// lifetime.
> +pub struct DevresGuard<'a, F: CovariantForLt>(RevocableGuard<'a, F::Of<'static>>);
> +
> +impl<'a, F: CovariantForLt> core::ops::Deref for DevresGuard<'a, F> {
> +    type Target = F::Of<'a>;
> +
> +    #[inline]
> +    fn deref(&self) -> &Self::Target {
> +        F::cast_ref(&*self.0)
> +    }
> +}
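
Review bot: In the `Deref` impl, `type Target = F::Of<'a>` uses the struct's `'a` parameter, while the doc comment on `DevresGuard` says the lifetime is shortened to "the guard's borrow lifetime". These are different lifetimes: `deref(&self)` takes a borrow of the guard that can end before `'a` does. Either reword the doc comment to say which borrow `'a` is and why data typed `F::Of<'a>` may be handed out for it, or restrict what can be reached through the guard so that nothing typed with `'a` can be copied out of the returned reference.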

[Severity: High]
Does this allow references to escape the RCU read-side lock and cause a
use-after-free?

Because Target is F::Of<'a>, the inner lifetime of the returned type is tied
to the DevresLt borrow ('a) rather than the guard itself. If a caller extracts
a reference from the returned type, it will have the lifetime 'a.

The caller can then drop the guard, releasing the RCU read lock, and the
device could unbind. This would free the devres allocation while the extracted
reference remains alive in safe Rust for the duration of 'a.

[ ... ]

> +impl<F: CovariantForLt> DevresLt<F>
> +where
> +    for<'a> F::Of<'a>: Send,
> +{

[ ... ]

> +    /// [`DevresLt`] accessor for [`Revocable::try_access`].
> +    #[inline]
> +    pub fn try_access(&self) -> Option<DevresGuard<'_, F>> {
> +        self.0.data().try_access().map(DevresGuard)
> +    }
> +}
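
Review bot: The doc comment on `try_access` only points at [`Revocable::try_access`] and does not say what the elided `'_` in `DevresGuard<'_, F>` is bound to. Here it is the `&self` borrow of the `DevresLt`, so the guard's lifetime parameter says nothing about how long the guard value itself is kept. The comment should state when `None` is returned and that data reached through the guard must not be used after the guard is dropped, or the signature should make that impossible.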

[Severity: High]
Does this accessor create a guard that enables the lifetime escape mentioned
above?

By parameterizing DevresGuard with the DevresLt borrow lifetime ('_), this
sets up the condition where inner references can outlive the guard itself.

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260626183630.2585057-1-dakr@kernel.org?part=5
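
A userspace model of the lifetime escape described in the review above, as an added example that is not code from the patch or the kernel tree. `Res`, `Slot`, `Guard`, `with`, `escape` and `contained` are constructed names, a reader counter stands in for the RCU read-side section, and the sample data is really `'static`, so nothing is freed.

```rust
use std::cell::Cell;
use std::ops::Deref;

// Constructed stand-in for F::Of<'a>: a resource holding an inner borrow.
struct Res<'a> { regs: &'a [u32] }
// Constructed stand-in for the revocable slot; `readers` models the read-side section.
struct Slot { data: Res<'static>, readers: Cell<u32> }
// Guard shaped like the one under review: Target names the outer borrow 'a.
struct Guard<'a>(&'a Slot);

impl<'a> Deref for Guard<'a> {
    type Target = Res<'a>;
    fn deref(&self) -> &Res<'a> { &self.0.data } // covariance: 'static shortened to 'a
}
impl<'a> Drop for Guard<'a> {
    fn drop(&mut self) { self.0.readers.set(self.0.readers.get() - 1); }
}
impl Slot {
    fn try_access(&self) -> Guard<'_> {
        self.readers.set(self.readers.get() + 1);
        Guard(self)
    }
    // Closure form: 'r is chosen by `with`, so R cannot contain a borrow of the data.
    fn with<R>(&self, f: impl for<'r> FnOnce(&'r Res<'r>) -> R) -> R {
        let guard = self.try_access();
        let out = f(&*guard);
        out
    }
}

static REGS: [u32; 2] = [0x1234, 0x5678]; // constructed sample data
fn sample_slot() -> Slot { Slot { data: Res { regs: &REGS }, readers: Cell::new(0) } }

// Returns (active readers at the time of the read, value read).
fn escape(slot: &Slot) -> (u32, u32) {
    let guard = slot.try_access();
    let regs: &[u32] = guard.regs; // typed with 'a, not with the guard's own borrow
    drop(guard);                   // read-side section ends
    (slot.readers.get(), regs[0])  // accepted by rustc: the borrow outlived the guard
}
fn contained(slot: &Slot) -> (u32, u32) {
    // Returning `res.regs` itself from this closure is a compile error.
    slot.with(|res| (slot.readers.get(), res.regs[0]))
}

fn main() {
    let slot = sample_slot();
    println!("escape:    {:?}", escape(&slot));    // (0, 4660)
    println!("contained: {:?}", contained(&slot)); // (1, 4660)
}
```

In `escape` the read happens with zero active readers; in `contained` it happens with one, because the closure's argument cannot leave the guarded scope.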