From: sashiko-bot@kernel.org
To: "Danilo Krummrich" <dakr@kernel.org>
Cc: "Alexandre Courbot" <acourbot@nvidia.com>,
dri-devel@lists.freedesktop.org, ojeda@kernel.org
Subject: Re: [PATCH v5 18/19] rust: drm: Pass registration data to ioctl handlers
Date: Sun, 28 Jun 2026 15:13:17 +0000 [thread overview]
Message-ID: <20260628151317.7C76C1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260628145406.2107056-19-dakr@kernel.org>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Critical] Unsound lifetime shortening of the associated type `RegistrationData<'a>` allows safe code to cause a use-after-free.
--
commit b0c6a9cfef59ba2cf3ed097deb2601fbd756cc0d
Author: Danilo Krummrich <dakr@kernel.org>
rust: drm: Pass registration data to ioctl handlers
This commit updates the DRM ioctl macro to pass registration data to the ioctl
handlers using a closure-based HRTB pattern.
> diff --git a/rust/kernel/drm/ioctl.rs b/rust/kernel/drm/ioctl.rs
> index f24cf7b146a8e..9b45b741db1b9 100644
> --- a/rust/kernel/drm/ioctl.rs
> +++ b/rust/kernel/drm/ioctl.rs
[ ... ]
> @@ -193,7 +195,9 @@ macro_rules! declare_drm_ioctls {
> // SAFETY: This is just the DRM file structure
> let file = unsafe { $crate::drm::File::from_raw(raw_file) };
>
> - match $func(&*guard, data, file) {
> + match guard.registration_data_with(|reg_data| {
> + $func(&*guard, reg_data, data, file)
> + }) {
[Severity: Critical]
Does this HRTB closure pattern safely handle invariant types for
RegistrationData<'a>?
The commit message states that the HRTB ties the lifetime to the closure scope
and the internal pointer cast shortens it from 'static. However, if a driver
uses an invariant type for RegistrationData<'a> (for example, something like
Mutex<Option<&'a mut SomeStruct>>), couldn't this allow safe code to store the
short-lived `data` or `file` reference into the underlying 'static
registration data?
While the HRTB prevents references from returning out of the closure, it
might not prevent storing external, longer-lived references into an invariant
type provided by the closure. Once the ioctl returns and the local variable is
dropped, the 'static registration data could still hold a dangling pointer to
it, potentially leading to a use-after-free.
> Err(e) => e.to_errno(),
> Ok(i) => i.try_into()
> .unwrap_or($crate::error::code::ERANGE.to_errno()),
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260628145406.2107056-1-dakr@kernel.org?part=18
next prev parent reply other threads:[~2026-06-28 15:13 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-28 14:53 [PATCH v5 00/19] rust: drm: Higher-Ranked Lifetime private data Danilo Krummrich
2026-06-28 14:53 ` [PATCH v5 01/19] rust: drm: ioctl: fix unbounded lifetimes in ioctl handler arguments Danilo Krummrich
2026-06-28 15:03 ` sashiko-bot
2026-06-28 14:53 ` [PATCH v5 02/19] rust: drm: rename Uninit DeviceContext to Normal Danilo Krummrich
2026-06-28 14:53 ` [PATCH v5 03/19] rust: faux: add Device type with AsBusDevice support Danilo Krummrich
2026-06-28 15:05 ` sashiko-bot
2026-06-28 14:53 ` [PATCH v5 04/19] rust: drm: Add Driver::ParentDevice associated type Danilo Krummrich
2026-06-28 14:53 ` [PATCH v5 05/19] rust: drm: change default DeviceContext to Normal Danilo Krummrich
2026-06-28 14:53 ` [PATCH v5 06/19] rust: drm: restrict AlwaysRefCounted to Normal Device context Danilo Krummrich
2026-06-28 14:53 ` [PATCH v5 07/19] rust: drm: restrict AlwaysRefCounted to Normal GEM Object context Danilo Krummrich
2026-06-28 15:13 ` sashiko-bot
2026-06-28 14:53 ` [PATCH v5 08/19] rust: drm/gem: remove DeviceContext from shmem::Object Danilo Krummrich
2026-06-28 14:53 ` [PATCH v5 09/19] rust: drm: split Deref for Device context typestates Danilo Krummrich
2026-06-28 14:53 ` [PATCH v5 10/19] rust: drm: pin ioctl Device reference to Normal context Danilo Krummrich
2026-06-28 15:05 ` sashiko-bot
2026-06-28 14:53 ` [PATCH v5 11/19] rust: drm: add Ioctl device context typestate Danilo Krummrich
2026-06-28 14:53 ` [PATCH v5 12/19] rust: drm: Add RegistrationGuard for drm_dev_enter/exit critical sections Danilo Krummrich
2026-06-28 15:06 ` sashiko-bot
2026-06-28 14:53 ` [PATCH v5 13/19] rust: drm: Wrap ioctl dispatch in RegistrationGuard Danilo Krummrich
2026-06-28 15:11 ` sashiko-bot
2026-06-28 14:53 ` [PATCH v5 14/19] rust: drm: return ParentDevice from Device AsRef Danilo Krummrich
2026-06-28 14:53 ` [PATCH v5 15/19] rust: drm: add AsRef<ParentDevice<Bound>> for Device<Registered> Danilo Krummrich
2026-06-28 14:53 ` [PATCH v5 16/19] drm: fix race between partial drm_dev_register() failure and ioctl Danilo Krummrich
2026-06-28 15:14 ` sashiko-bot
2026-06-28 14:53 ` [PATCH v5 17/19] rust: drm: Add RegistrationData to drm::Driver Danilo Krummrich
2026-06-28 14:53 ` [PATCH v5 18/19] rust: drm: Pass registration data to ioctl handlers Danilo Krummrich
2026-06-28 15:13 ` sashiko-bot [this message]
2026-06-28 14:53 ` [PATCH v5 19/19] drm: nova: Use drm::Device<Registered> to access the parent bus device Danilo Krummrich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260628151317.7C76C1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=acourbot@nvidia.com \
--cc=dakr@kernel.org \
--cc=dri-devel@lists.freedesktop.org \
--cc=ojeda@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.