From: sashiko-bot@kernel.org
To: "Gary Guo" <gary@garyguo.net>
Cc: linux-pci@vger.kernel.org
Subject: Re: [PATCH 2/3] pci: fix dyn_id add TOCTOU
Date: Fri, 26 Jun 2026 20:02:10 +0000 [thread overview]
Message-ID: <20260626200211.47B531F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260626-pci_id_fix-v1-2-a35c803f1b95@garyguo.net>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] new_id_store unconditionally rejects dynamic IDs that overlap with override_only static IDs (e.g., in vfio-pci), breaking device assignment.
--
commit 65f57bc2128a4f1b44e3036aee55956006935cca
Author: Gary Guo <gary@garyguo.net>
pci: fix dyn_id add TOCTOU
This patch fixes a TOCTOU issue in new_id_store() by moving the duplicate
dynamic ID check inside do_pci_add_dynid() under the lock. It also replaces
the dummy pci_dev allocation and pci_match_device() call in new_id_store()
with a direct call to do_pci_match_id() against the static table.
> diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c
> --- a/drivers/pci/pci-driver.c
> +++ b/drivers/pci/pci-driver.c
[ ... ]
> @@ -215,38 +244,22 @@ static ssize_t new_id_store(struct device_driver *driver, const char *buf,
[ ... ]
> if (fields != 7) {
> - struct pci_dev *pdev = kzalloc_obj(*pdev);
[ ... ]
> - if (pci_match_device(pdrv, pdev))
> - retval = -EEXIST;
> -
> - put_device(&pdev->dev);
> -
> - if (retval)
> - return retval;
> + if (do_pci_match_id(pdrv->id_table, &id))
> + return -EEXIST;
> }
[Severity: High]
Does this change break dynamic ID insertion for drivers that rely on
override_only static IDs (like vfio-pci)?
Previously, pci_match_device() was used, which explicitly checks the
override_only flag:
for (ids = drv->id_table; (found_id = do_pci_match_id(ids, &dev_id));
ids = found_id + 1) {
if (!found_id->override_only || ret > 0) {
*id = *found_id;
return true;
}
}
By directly calling do_pci_match_id(), which performs purely structural
matching and ignores the override_only flag, it seems like new_id_store()
will now unconditionally reject dynamic IDs for drivers whose static table
contains a catch-all override_only entry, returning -EEXIST instead of
allowing the assignment.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260626-pci_id_fix-v1-0-a35c803f1b95@garyguo.net?part=2
next prev parent reply other threads:[~2026-06-26 20:02 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-26 19:49 [PATCH 0/3] pci: fix UAF and TOCTOU related to dynamic ID Gary Guo
2026-06-26 19:49 ` [PATCH 1/3] pci: make pci_match_one_device match on ID instead of device Gary Guo
2026-06-26 19:56 ` sashiko-bot
2026-06-26 19:49 ` [PATCH 2/3] pci: fix dyn_id add TOCTOU Gary Guo
2026-06-26 20:02 ` sashiko-bot [this message]
2026-06-26 19:49 ` [PATCH 3/3] pci: fix UAF when probe runs concurrent to dyn ID removal Gary Guo
2026-06-26 20:00 ` sashiko-bot
2026-06-26 21:55 ` Gary Guo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260626200211.47B531F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=gary@garyguo.net \
--cc=linux-pci@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox