From: sashiko-bot@kernel.org
To: "Gary Guo" <gary@garyguo.net>
Cc: linux-pci@vger.kernel.org
Subject: Re: [PATCH 2/3] pci: fix dyn_id add TOCTOU
Date: Fri, 26 Jun 2026 20:02:10 +0000 [thread overview]
Message-ID: <20260626200211.47B531F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260626-pci_id_fix-v1-2-a35c803f1b95@garyguo.net>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] new_id_store unconditionally rejects dynamic IDs that overlap with override_only static IDs (e.g., in vfio-pci), breaking device assignment.
--
commit 65f57bc2128a4f1b44e3036aee55956006935cca
Author: Gary Guo <gary@garyguo.net>
pci: fix dyn_id add TOCTOU
This patch fixes a TOCTOU issue in new_id_store() by moving the duplicate
dynamic ID check inside do_pci_add_dynid() under the lock. It also replaces
the dummy pci_dev allocation and pci_match_device() call in new_id_store()
with a direct call to do_pci_match_id() against the static table.
> diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c
> --- a/drivers/pci/pci-driver.c
> +++ b/drivers/pci/pci-driver.c
[ ... ]
> @@ -215,38 +244,22 @@ static ssize_t new_id_store(struct device_driver *driver, const char *buf,
[ ... ]
> if (fields != 7) {
> - struct pci_dev *pdev = kzalloc_obj(*pdev);
[ ... ]
> - if (pci_match_device(pdrv, pdev))
> - retval = -EEXIST;
> -
> - put_device(&pdev->dev);
> -
> - if (retval)
> - return retval;
> + if (do_pci_match_id(pdrv->id_table, &id))
> + return -EEXIST;
> }
[Severity: High]
Does this change break dynamic ID insertion for drivers that rely on
override_only static IDs (like vfio-pci)?
Previously, pci_match_device() was used, which explicitly checks the
override_only flag:
for (ids = drv->id_table; (found_id = do_pci_match_id(ids, &dev_id));
ids = found_id + 1) {
if (!found_id->override_only || ret > 0) {
*id = *found_id;
return true;
}
}
By directly calling do_pci_match_id(), which performs purely structural
matching and ignores the override_only flag, it seems like new_id_store()
will now unconditionally reject dynamic IDs for drivers whose static table
contains a catch-all override_only entry, returning -EEXIST instead of
allowing the assignment.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260626-pci_id_fix-v1-0-a35c803f1b95@garyguo.net?part=2
next prev parent reply other threads:[~2026-06-26 20:02 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-26 19:49 [PATCH 0/3] pci: fix UAF and TOCTOU related to dynamic ID Gary Guo
2026-06-26 19:49 ` [PATCH 1/3] pci: make pci_match_one_device match on ID instead of device Gary Guo
2026-06-26 19:56 ` sashiko-bot
2026-06-26 19:49 ` [PATCH 2/3] pci: fix dyn_id add TOCTOU Gary Guo
2026-06-26 20:02 ` sashiko-bot [this message]
2026-06-26 19:49 ` [PATCH 3/3] pci: fix UAF when probe runs concurrent to dyn ID removal Gary Guo
2026-06-26 20:00 ` sashiko-bot
2026-06-26 21:55 ` Gary Guo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260626200211.47B531F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=gary@garyguo.net \
--cc=linux-pci@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.