From: sashiko-bot@kernel.org
To: "Danilo Krummrich" <dakr@kernel.org>
Cc: linux-pci@vger.kernel.org, ojeda@kernel.org
Subject: Re: [PATCH REF v3 24/27] gpu: nova-core: use lifetime for Bar
Date: Sun, 17 May 2026 00:58:07 +0000 [thread overview]
Message-ID: <20260517005807.EDD9DC19425@smtp.kernel.org> (raw)
In-Reply-To: <20260517000149.3226762-25-dakr@kernel.org>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] Teardown order inversion causes Use-After-Free of PCI BAR during auxiliary device unbind
- [Low] Incorrect safety comment regarding `try_pin_init!` evaluation order contradicts the struct definition
--
commit a3050bb7eec253af2f0de783f6b97a3dcbc7b499
Author: Danilo Krummrich <dakr@kernel.org>
gpu: nova-core: use lifetime for Bar
Take advantage of the lifetime-parameterized pci::Bar<'bound> to hold
the BAR mapping directly in NovaCore<'bound>, and pass a borrowed
reference to Gpu<'bound>. This eliminates the Arc<Devres<Bar0>> indirection
and simplifies Gpu::unbind().
> diff --git a/drivers/gpu/nova-core/driver.rs b/drivers/gpu/nova-core/driver.rs
> index 3f6d8cedf5abc..fb52d21a7d927 100644
> --- a/drivers/gpu/nova-core/driver.rs
> +++ b/drivers/gpu/nova-core/driver.rs
> @@ -30,9 +27,10 @@
> static AUXILIARY_ID_COUNTER: Atomic<u32> = Atomic::new(0);
>
> #[pin_data]
> -pub(crate) struct NovaCore {
> +pub(crate) struct NovaCore<'bound> {
> #[pin]
> - pub(crate) gpu: Gpu,
> + pub(crate) gpu: Gpu<'bound>,
> + bar: pci::Bar<'bound, BAR0_SIZE>,
> #[allow(clippy::type_complexity)]
> _reg: Devres<auxiliary::Registration<ForLt!(())>>,
> }
[ ... ]
> @@ -94,14 +94,14 @@ fn probe<'bound>(
> // other threads of execution.
> unsafe { pdev.dma_set_mask_and_coherent(DmaMask::new::<GPU_DMA_BITS>())? };
>
> - let bar = Arc::new(
> - pdev.iomap_region_sized::<BAR0_SIZE>(0, c"nova-core/bar0")?
> - .into_devres()?,
> - GFP_KERNEL,
> - )?;
> -
> - Ok(try_pin_init!(Self {
> - gpu <- Gpu::new(pdev, bar.clone(), bar.access(pdev.as_ref())?),
> + Ok(try_pin_init!(NovaCore {
> + bar: pdev.iomap_region_sized::<BAR0_SIZE>(0, c"nova-core/bar0")?,
Can this teardown order inversion cause a use-after-free of the PCI BAR
during the auxiliary device unbind process?
Since bar is now placed directly in NovaCore while _reg is still managed
by devres via .into_devres()?, driver data (NovaCore) drops before
devres_release_all() is executed.
This means bar will be dropped and the MMIO region unmapped when NovaCore
drops, but the auxiliary device (nova-drm) remains registered until the devres
subsystem cleans it up later.
When the auxiliary device eventually unregisters and unbinds, won't it
attempt to access the already unmapped GPU hardware BAR?
Should _reg also be removed from devres and placed as a direct field in
NovaCore? If so, since Rust drops struct fields in declaration order, _reg
would need to be declared before bar to ensure it is dropped first.
> + // TODO: Use `&bar` self-referential pin-init syntax once available.
> + //
> + // SAFETY: `bar` is initialized before this expression is evaluated
> + // (`try_pin_init!()` initializes fields in declaration order), lives at a pinned
> + // stable address, and is dropped after `gpu` (struct field drop order).
This isn't a bug, but is the safety comment regarding the try_pin_init!
evaluation order accurate?
The comment states that try_pin_init! initializes fields in declaration order.
However, in the NovaCore struct definition above, gpu is actually declared
before bar.
If the macro evaluated fields in declaration order, gpu would be
initialized first, and the unsafe block below would read uninitialized memory.
Doesn't try_pin_init! evaluate initializers in the lexical order they are
written within the macro invocation, which is why bar is safely initialized
first here?
> + gpu <- Gpu::new(pdev, unsafe { &*core::ptr::from_ref(bar) }),
> _reg: auxiliary::Registration::new(
> pdev.as_ref(),
> c"nova-drm",
> AUXILIARY_ID_COUNTER.fetch_add(1, Relaxed),
> )
> .into_devres()?,
> }))
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260517000149.3226762-1-dakr@kernel.org?part=24
next prev parent reply other threads:[~2026-05-17 0:58 UTC|newest]
Thread overview: 98+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-17 0:00 [PATCH v3 00/27] rust: device: Higher-Ranked Lifetime Types for device drivers Danilo Krummrich
2026-05-17 0:00 ` [PATCH v3 01/27] rust: alloc: remove `'static` bound on `ForeignOwnable` Danilo Krummrich
2026-05-18 14:42 ` Alexandre Courbot
2026-05-17 0:00 ` [PATCH v3 02/27] rust: driver: move 'static bounds to constructor Danilo Krummrich
2026-05-18 14:42 ` Alexandre Courbot
2026-05-17 0:00 ` [PATCH v3 03/27] rust: driver: decouple driver private data from driver type Danilo Krummrich
2026-05-17 0:19 ` sashiko-bot
2026-05-17 14:32 ` Danilo Krummrich
2026-05-19 12:47 ` Gary Guo
2026-05-18 14:43 ` Alexandre Courbot
2026-05-17 0:00 ` [PATCH v3 04/27] rust: driver core: drop drvdata before devres release Danilo Krummrich
2026-05-17 0:37 ` sashiko-bot
2026-05-18 14:45 ` Alexandre Courbot
2026-05-19 12:47 ` Gary Guo
2026-05-17 0:00 ` [PATCH v3 05/27] rust: pci: implement Sync for Device<Bound> Danilo Krummrich
2026-05-17 0:40 ` sashiko-bot
2026-05-18 14:46 ` Alexandre Courbot
2026-05-19 13:01 ` Gary Guo
2026-05-17 0:00 ` [PATCH v3 06/27] rust: platform: " Danilo Krummrich
2026-05-18 14:46 ` Alexandre Courbot
2026-05-19 13:01 ` Gary Guo
2026-05-17 0:00 ` [PATCH v3 07/27] rust: auxiliary: " Danilo Krummrich
2026-05-17 0:36 ` sashiko-bot
2026-05-18 14:47 ` Alexandre Courbot
2026-05-19 13:02 ` Gary Guo
2026-05-17 0:00 ` [PATCH v3 08/27] rust: usb: " Danilo Krummrich
2026-05-17 0:33 ` sashiko-bot
2026-05-18 14:47 ` Alexandre Courbot
2026-05-19 13:02 ` Gary Guo
2026-05-17 0:00 ` [PATCH v3 09/27] rust: device: " Danilo Krummrich
2026-05-17 0:25 ` sashiko-bot
2026-05-18 14:48 ` Alexandre Courbot
2026-05-19 13:02 ` Gary Guo
2026-05-17 0:00 ` [PATCH v3 10/27] rust: pci: make Driver trait lifetime-parameterized Danilo Krummrich
2026-05-17 0:29 ` sashiko-bot
2026-05-18 14:53 ` Alexandre Courbot
2026-05-18 15:36 ` Gary Guo
2026-05-18 16:10 ` Danilo Krummrich
2026-05-19 4:52 ` Eliot Courtney
2026-05-19 10:39 ` Danilo Krummrich
2026-05-19 11:48 ` Gary Guo
2026-05-19 12:36 ` Danilo Krummrich
2026-05-20 6:14 ` Eliot Courtney
2026-05-17 0:00 ` [PATCH v3 11/27] rust: platform: " Danilo Krummrich
2026-05-18 14:55 ` Alexandre Courbot
2026-05-17 0:01 ` [PATCH v3 12/27] rust: auxiliary: " Danilo Krummrich
2026-05-18 15:39 ` Alexandre Courbot
2026-05-17 0:01 ` [PATCH v3 13/27] rust: usb: " Danilo Krummrich
2026-05-17 0:25 ` sashiko-bot
2026-05-18 15:40 ` Alexandre Courbot
2026-05-17 0:01 ` [PATCH v3 14/27] rust: i2c: " Danilo Krummrich
2026-05-17 0:39 ` sashiko-bot
2026-05-18 15:41 ` Alexandre Courbot
2026-05-17 0:01 ` [PATCH v3 15/27] rust: driver: update module documentation for GAT-based Data type Danilo Krummrich
2026-05-18 15:46 ` Alexandre Courbot
2026-05-17 0:01 ` [PATCH v3 16/27] rust: types: add `ForLt` trait for higher-ranked lifetime support Danilo Krummrich
2026-05-17 0:23 ` sashiko-bot
2026-05-19 6:02 ` Eliot Courtney
2026-05-19 11:23 ` Gary Guo
2026-05-19 11:07 ` Alexandre Courbot
2026-05-19 11:39 ` Gary Guo
2026-05-19 13:03 ` Danilo Krummrich
2026-05-19 13:34 ` Miguel Ojeda
2026-05-17 0:01 ` [PATCH v3 17/27] rust: auxiliary: generalize Registration over ForLt Danilo Krummrich
2026-05-17 0:31 ` sashiko-bot
2026-05-19 7:56 ` Eliot Courtney
2026-05-19 10:39 ` Danilo Krummrich
2026-05-19 11:20 ` Gary Guo
2026-05-19 16:45 ` Gary Guo
2026-05-20 0:33 ` Danilo Krummrich
2026-05-20 9:34 ` Gary Guo
2026-05-17 0:01 ` [PATCH v3 18/27] samples: rust: rust_driver_auxiliary: showcase lifetime-bound registration data Danilo Krummrich
2026-05-19 6:52 ` Eliot Courtney
2026-05-19 15:48 ` Gary Guo
2026-05-17 0:01 ` [PATCH v3 19/27] rust: pci: make Bar lifetime-parameterized Danilo Krummrich
2026-05-17 0:57 ` sashiko-bot
2026-05-19 6:36 ` Eliot Courtney
2026-05-19 16:24 ` Gary Guo
2026-05-19 17:27 ` Danilo Krummrich
2026-05-17 0:01 ` [PATCH v3 20/27] rust: io: make IoMem and ExclusiveIoMem lifetime-parameterized Danilo Krummrich
2026-05-17 1:31 ` sashiko-bot
2026-05-19 6:39 ` Eliot Courtney
2026-05-17 0:01 ` [PATCH v3 21/27] samples: rust: rust_driver_pci: use HRT lifetime for Bar Danilo Krummrich
2026-05-17 0:57 ` sashiko-bot
2026-05-19 6:41 ` Eliot Courtney
2026-05-17 0:01 ` [PATCH v3 22/27] rust: driver-core: rename 'a lifetime to 'bound Danilo Krummrich
2026-05-17 0:31 ` sashiko-bot
2026-05-19 6:42 ` Eliot Courtney
2026-05-19 16:56 ` Gary Guo
2026-05-19 17:23 ` Danilo Krummrich
2026-05-17 0:01 ` [PATCH REF v3 23/27] gpu: nova-core: " Danilo Krummrich
2026-05-17 0:01 ` [PATCH REF v3 24/27] gpu: nova-core: use lifetime for Bar Danilo Krummrich
2026-05-17 0:58 ` sashiko-bot [this message]
2026-05-17 0:01 ` [PATCH REF v3 25/27] gpu: nova-core: unregister sysmem flush page from Drop Danilo Krummrich
2026-05-17 0:50 ` sashiko-bot
2026-05-17 0:01 ` [PATCH REF v3 26/27] gpu: nova-core: replace ARef<Device> with &'bound Device in SysmemFlush Danilo Krummrich
2026-05-17 0:01 ` [PATCH REF v3 27/27] gpu: drm: tyr: use lifetime for IoMem Danilo Krummrich
2026-05-17 0:47 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260517005807.EDD9DC19425@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=dakr@kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=ojeda@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox