From: sashiko-bot@kernel.org
To: "Chen Pei" <cp0613@linux.alibaba.com>
Cc: linux-cxl@vger.kernel.org, linux-pci@vger.kernel.org
Subject: Re: [PATCH] ACPI: PCI: Clear driver_data on all error paths in acpi_pci_root_add()
Date: Tue, 07 Jul 2026 12:25:49 +0000 [thread overview]
Message-ID: <20260707122549.C01DC1F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260707121258.11640-1-cp0613@linux.alibaba.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
Pre-existing issues:
- [High] The acpi_pci_root_remove() function frees the acpi_pci_root object but fails to clear device->driver_data, leaving a dangling pointer.
- [High] Lockless access to `device->driver_data` causes a TOCTOU Use-After-Free race during hot-add failure and hot-remove.
--
--- Patch [1]: [PATCH] ACPI: PCI: Clear driver_data on all error paths in acpi_pci_root_add() ---
commit 9ff3c7d0724a7259ad865b11b68825024947383a
Author: Chen Pei <cp0613@linux.alibaba.com>
ACPI: PCI: Clear driver_data on all error paths in acpi_pci_root_add()
This commit addresses a dangling pointer issue in acpi_pci_root_add() by
ensuring device->driver_data is set to NULL on all error paths before
freeing the root object. This prevents use-after-free conditions during a
failed hot-add operation.
Link: https://sashiko.dev/#/patchset/20260526025118.38935-1-cp0613@linux.alibaba.com
> diff --git a/drivers/acpi/pci_root.c b/drivers/acpi/pci_root.c
> index 4c06c3ffd0cbb..f6cddd11075cb 100644
> --- a/drivers/acpi/pci_root.c
> +++ b/drivers/acpi/pci_root.c
[ ... ]
> @@ -765,6 +764,7 @@ static int acpi_pci_root_add(struct acpi_device *device,
> if (hotadd)
> dmar_device_remove(handle);
> end:
> + device->driver_data = NULL;
> kfree(root);
[Severity: High]
This isn't a bug introduced by this patch, but does this lockless cleanup
introduce a use-after-free race with concurrent readers?
If acpi_pci_root_add() publishes the root pointer early:
device->driver_data = root;
and a concurrent thread (e.g., AER or CXL probe) calls
acpi_pci_find_root() and locklessly reads this pointer:
drivers/acpi/pci_root.c:acpi_pci_find_root() {
...
root = acpi_driver_data(device);
...
}
Could that concurrent reader dereference a freed pointer if
acpi_pci_root_add() subsequently encounters an error, clears
device->driver_data, and executes kfree(root) here without an RCU
grace period or locking to synchronize the read and the free?
[Severity: High]
This is also a pre-existing issue, but while we are fixing the error paths
here, does acpi_pci_root_remove() have the same dangling pointer
vulnerability that this patch fixes for the add path?
Looking at acpi_pci_root_remove(), it appears to free the acpi_pci_root
object but fails to clear device->driver_data:
drivers/acpi/pci_root.c:acpi_pci_root_remove() {
...
kfree(root);
...
}
If a PCI root bridge is hot-removed and another subsystem later calls
acpi_pci_find_root(), could it locklessly read the dangling pointer
and dereference it?
> return result;
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260707121258.11640-1-cp0613@linux.alibaba.com?part=1
prev parent reply other threads:[~2026-07-07 12:25 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-07 12:12 [PATCH] ACPI: PCI: Clear driver_data on all error paths in acpi_pci_root_add() Chen Pei
2026-07-07 12:25 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260707122549.C01DC1F00A3A@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=cp0613@linux.alibaba.com \
--cc=linux-cxl@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.