From: "Krzysztof Wilczyński" <kwilczynski@kernel.org>
To: sashiko-reviews@lists.linux.dev
Cc: linux-pci@vger.kernel.org
Subject: Re: [PATCH v2] PCI/proc: Fix race between pci_proc_init() and pci_bus_add_device()
Date: Sun, 7 Jun 2026 05:19:37 +0900
Message-ID: <20260606201458.GA1442288@rocinante>
In-Reply-To: <20260606172056.DADBA1F00893@smtp.kernel.org>
Hello,
> > + bus->procdir = proc_mkdir(name, proc_bus_pci_dir);
> > + if (!bus->procdir)
> > + return -ENOMEM;
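Review bot: the store `bus->procdir = proc_mkdir(name, proc_bus_pci_dir);` publishes whatever proc_mkdir() returns, so on a failed call the `-ENOMEM` return leaves bus->procdir NULL regardless of whether it already held a valid entry; keep the result in a local and assign bus->procdir only after the NULL check, and, since the subject says this fixes a race, add a comment naming the lock that serialises callers of this path so that reviewers can tell whether two callers can reach this line for the same bus.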
>
> [Severity: High]
> Can this direct assignment overwrite a valid pointer with NULL if a concurrent
> creation fails?
>
> If an asynchronous probe runs concurrently without holding
> pci_rescan_remove_lock(), two threads might both observe bus->procdir as
> NULL. If one successfully creates the entry, the second could fail due to a
> name collision and return NULL, unconditionally overwriting the valid
> bus->procdir.
>
> Could this cause subsequent child devices to erroneously create their proc
> files in the root of /proc?
[...]
> > sprintf(name, "%02x.%x", PCI_SLOT(dev->devfn), PCI_FUNC(dev->devfn));
> > - e = proc_create_data(name, S_IFREG | S_IRUGO | S_IWUSR, bus->procdir,
> > - &proc_bus_pci_ops, dev);
> > - if (!e)
> > + dev->procent = proc_create_data(name, S_IFREG | S_IRUGO | S_IWUSR,
> > + dev->bus->procdir, &proc_bus_pci_ops,
> > + dev);
> > + if (!dev->procent)
> > return -ENOMEM;
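Review bot: the local `e` that the removed lines used is dropped, so a failed proc_create_data() overwrites dev->procent with NULL before the `-ENOMEM` return, whatever it held before; keep `e = proc_create_data(...)` and store into dev->procent only on success. Also, with `dev->bus->procdir` now passed as the parent, a NULL there does not make proc_create_data() fail but places the file at the top of /proc, so a `WARN_ON(!dev->bus->procdir)` or an early return before the call would make an ordering failure visible instead of silently misplacing the entry.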
>
> [Severity: High]
> Does this assignment introduce a risk of a use-after-free and resource leak?
>
> Similar to the bus directory, if concurrent threads call
> pci_proc_attach_device() for the same device, one might overwrite a
> valid dev->procent with NULL when proc_create_data() fails.
>
> Later, pci_proc_detach_device() would call proc_remove(NULL) which does
> nothing. The procfs file would be leaked, and because the file's data points
> to the freed pci_dev struct, subsequent reads from userspace could trigger a
> use-after-free.
I will send another revision to address this feedback.
Thank you!
Krzysztof
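The failure mode discussed above, replayed in user space as an added example that is not part of the patch or of the PCI proc code: a fake `fake_proc_create()` stands in for proc_mkdir()/proc_create_data() and, like them, returns NULL on a name collision under the same parent, with a NULL parent meaning the root of the fake /proc. The two racing threads are interleaved by hand so the result is deterministic. `mkdir_store_direct()` copies the store pattern from the hunk; `mkdir_store_on_success()` is a hypothetical alternative that keeps the result in a local and publishes it only on success. Names, helpers and the registry layout are all constructed for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the procfs entry tree; a NULL parent means the
 * root of the fake /proc, as for the real proc_create_data(). */
struct fake_entry {
	char name[16];
	struct fake_entry *parent;
	int live;
};

#define MAX_ENTRIES 8
static struct fake_entry registry[MAX_ENTRIES];

static void registry_reset(void)
{
	memset(registry, 0, sizeof(registry));
}

/* Hypothetical stand-in for proc_mkdir()/proc_create_data(): returns NULL
 * when an entry of that name already exists under the same parent (name
 * collision) or when the table is full (treated as out of memory). */
static struct fake_entry *fake_proc_create(const char *name, struct fake_entry *parent)
{
	int i;

	for (i = 0; i < MAX_ENTRIES; i++)
		if (registry[i].live && registry[i].parent == parent &&
		    !strcmp(registry[i].name, name))
			return NULL;
	for (i = 0; i < MAX_ENTRIES; i++)
		if (!registry[i].live) {
			registry[i].live = 1;
			registry[i].parent = parent;
			snprintf(registry[i].name, sizeof(registry[i].name), "%s", name);
			return &registry[i];
		}
	return NULL;
}

struct fake_bus {
	struct fake_entry *procdir;
};

/* Store pattern from the hunk: whatever the creator returns is published,
 * including NULL after a failed second attempt. */
static int mkdir_store_direct(struct fake_bus *bus, const char *name)
{
	bus->procdir = fake_proc_create(name, NULL);
	if (!bus->procdir)
		return -ENOMEM;
	return 0;
}

/* Alternative (not from the patch): keep the result in a local and publish
 * it only on success, so a failed attempt cannot clobber a valid pointer. */
static int mkdir_store_on_success(struct fake_bus *bus, const char *name)
{
	struct fake_entry *e = fake_proc_create(name, NULL);

	if (!e)
		return -ENOMEM;
	bus->procdir = e;
	return 0;
}

/* Replay the interleaving described in the review: both threads saw
 * bus->procdir == NULL, thread A creates the directory, thread B's creation
 * collides on the name. Returns 1 if the bus is left with procdir == NULL
 * although a directory exists, 0 if the pointer survived, -1 if the
 * scenario did not reproduce. The bus is left in its post-race state. */
static int replay_race(int (*mkdir)(struct fake_bus *, const char *), struct fake_bus *bus)
{
	struct fake_entry *first;
	int rc_a, rc_b;

	registry_reset();
	bus->procdir = NULL;
	rc_a = mkdir(bus, "00");		/* thread A wins */
	first = bus->procdir;
	rc_b = mkdir(bus, "00");		/* thread B collides on the name */

	if (rc_a != 0 || first == NULL || rc_b == 0)
		return -1;
	return bus->procdir == NULL;
}

/* Follow-on effect the review asks about: a device attached after the race
 * creates its file under bus->procdir; with a NULL parent that is the root.
 * Returns 1 if the device file landed in the root, 0 if under the bus dir. */
static int device_file_lands_in_root(int (*mkdir)(struct fake_bus *, const char *))
{
	struct fake_bus bus;
	struct fake_entry *e;

	if (replay_race(mkdir, &bus) < 0)
		return -1;
	e = fake_proc_create("00.0", bus.procdir);
	if (!e)
		return -1;
	return e->parent == NULL;
}

int main(void)
{
	struct fake_bus bus;

	printf("direct store, procdir lost: %d\n", replay_race(mkdir_store_direct, &bus));
	printf("store on success, procdir lost: %d\n", replay_race(mkdir_store_on_success, &bus));
	printf("direct store, device file in root: %d\n", device_file_lands_in_root(mkdir_store_direct));
	printf("store on success, device file in root: %d\n", device_file_lands_in_root(mkdir_store_on_success));
	return 0;
}
```

The on-success variant only removes the clobbering; it does not by itself make the NULL check and the creation atomic, which in the kernel still needs the callers serialised by a lock or an atomic publish of the pointer.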
Thread overview:
2026-06-06 17:01 [PATCH v2] PCI/proc: Fix race between pci_proc_init() and pci_bus_add_device() Krzysztof Wilczyński
2026-06-06 17:20 ` sashiko-bot
2026-06-06 20:19 ` Krzysztof Wilczyński [this message]