From: sashiko-bot@kernel.org
To: "Chen Pei" <cp0613@linux.alibaba.com>
Cc: linux-cxl@vger.kernel.org, linux-pci@vger.kernel.org
Subject: Re: [PATCH] ACPI: PCI: Clear driver_data on all error paths in acpi_pci_root_add()
Date: Tue, 07 Jul 2026 12:25:49 +0000 [thread overview]
Message-ID: <20260707122549.C01DC1F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260707121258.11640-1-cp0613@linux.alibaba.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
Pre-existing issues:
- [High] The acpi_pci_root_remove() function frees the acpi_pci_root object but fails to clear device->driver_data, leaving a dangling pointer.
- [High] Lockless access to `device->driver_data` causes a TOCTOU Use-After-Free race during hot-add failure and hot-remove.
--
--- Patch [1]: [PATCH] ACPI: PCI: Clear driver_data on all error paths in acpi_pci_root_add() ---
commit 9ff3c7d0724a7259ad865b11b68825024947383a
Author: Chen Pei <cp0613@linux.alibaba.com>
ACPI: PCI: Clear driver_data on all error paths in acpi_pci_root_add()
This commit addresses a dangling pointer issue in acpi_pci_root_add() by
ensuring device->driver_data is set to NULL on all error paths before
freeing the root object. This prevents use-after-free conditions during a
failed hot-add operation.
Link: https://sashiko.dev/#/patchset/20260526025118.38935-1-cp0613@linux.alibaba.com
> diff --git a/drivers/acpi/pci_root.c b/drivers/acpi/pci_root.c
> index 4c06c3ffd0cbb..f6cddd11075cb 100644
> --- a/drivers/acpi/pci_root.c
> +++ b/drivers/acpi/pci_root.c
[ ... ]
> @@ -765,6 +764,7 @@ static int acpi_pci_root_add(struct acpi_device *device,
> if (hotadd)
> dmar_device_remove(handle);
> end:
> + device->driver_data = NULL;
> kfree(root);
[Severity: High]
This isn't a bug introduced by this patch, but does this lockless cleanup
introduce a use-after-free race with concurrent readers?
If acpi_pci_root_add() publishes the root pointer early:
device->driver_data = root;
and a concurrent thread (e.g., AER or CXL probe) calls
acpi_pci_find_root() and locklessly reads this pointer:
drivers/acpi/pci_root.c:acpi_pci_find_root() {
...
root = acpi_driver_data(device);
...
}
Could that concurrent reader dereference a freed pointer if
acpi_pci_root_add() subsequently encounters an error, clears
device->driver_data, and executes kfree(root) here without an RCU
grace period or locking to synchronize the read and the free?
[Severity: High]
This is also a pre-existing issue, but while we are fixing the error paths
here, does acpi_pci_root_remove() have the same dangling pointer
vulnerability that this patch fixes for the add path?
Looking at acpi_pci_root_remove(), it appears to free the acpi_pci_root
object but fails to clear device->driver_data:
drivers/acpi/pci_root.c:acpi_pci_root_remove() {
...
kfree(root);
...
}
If a PCI root bridge is hot-removed and another subsystem later calls
acpi_pci_find_root(), could it locklessly read the dangling pointer
and dereference it?
> return result;
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260707121258.11640-1-cp0613@linux.alibaba.com?part=1
prev parent reply other threads:[~2026-07-07 12:25 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-07 12:12 [PATCH] ACPI: PCI: Clear driver_data on all error paths in acpi_pci_root_add() Chen Pei
2026-07-07 12:25 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260707122549.C01DC1F00A3A@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=cp0613@linux.alibaba.com \
--cc=linux-cxl@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox