From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-ej1-f74.google.com (mail-ej1-f74.google.com [209.85.218.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 47F4D367296 for ; Thu, 2 Jul 2026 10:33:45 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.218.74 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782988426; cv=none; b=ppTmG0s1Q0r1PtLIwm7HDj+JgzuEHmi9beCVjM0OmGTaJrZLiPcxCieqf3xMjY0zA9A+qaY/7L5BGpqGFLJcYnQVtb7svnph94jFVN8L74Cf4D2Vl3sbTWCemJmhF2RKE+SBnYZsQ6fht40idRrEtwDwvUyZAXniAqcI2YX+9cQ= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782988426; c=relaxed/simple; bh=dU/JhXcw9C+3bxVyhCk433RwAWlu/+DSj3wRiplg67w=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=sYlIe18u/sPxBafkbKsFGubZ7+rZo6TbP2/w/blcM6Mv3wX9FOK/RMNePZpoArOZ8JNHAke8BXPG5/TZHX2Yhn5UsJcS/IZTyXrFlnrIvXZwu1cGikq99LGhWo41KTdxFYGriP//SNZl1JqB0lEXFHA8lwcX+ueOeqTPePa50Ck= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--aliceryhl.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=DlnyGN6g; arc=none smtp.client-ip=209.85.218.74 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--aliceryhl.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="DlnyGN6g" Received: by mail-ej1-f74.google.com with SMTP id a640c23a62f3a-c126f9928f6so171565266b.0 for ; Thu, 02 Jul 2026 03:33:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20251104; t=1782988424; x=1783593224; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=lSBXWVP6cFuS41+bLzi/68MzajKJS5Rgon/65yIMPQ4=; b=DlnyGN6g9tvWkuWfVDZzKtjbR/v7hFljcRPYucvfsFeS/1S1Zb5obZF5Xb5+oDWTwl C397p2jqUlXd/Mef+brDL/Psj8y/SVLrXOBuEDb0hg09TbCJZ2MKv049uKx/miy/3V3s 2ArJzxPRicgaPH9jU2B0xN+JYZEHPUzu/9EtGkkSqxB6AvGpAiTHUJR39BGpJSiIn8Xu smM/UK3gk5wQQ0h/j61wgZqkoEu2JYwn8dodsHae+LitBGqF5kmQWYh+NQC+mV5G9tJJ zsG5rKoiA7+1dBg1eJ0Zuv6Ol3RhIYE4Sfonz1uRrFSvhDywrVW3oYMwUcDH8yPhWuUN QKUg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782988424; x=1783593224; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=lSBXWVP6cFuS41+bLzi/68MzajKJS5Rgon/65yIMPQ4=; b=gKEIFiqTiLWY+xkxJzobNUKzEvzaz+kEF4yUdtHgJitZjQocG9Baym0CI4mb8LiF5l fQblntqTnnqIexqS6r3+6WPhwXD/wiw5EfAxSOhV3vdw3Kg/g2MM7/ATGK6GbnotvdLH YGuDF527gXlqq1fPjO0Ll8MPll4DqWSJQxWOkl0jHgUQzSq3b2MdhaEdgppBifLri00K la/IlHLryWHmp92oKm9kal9Ngxq9lLlV30cV3LPHQa/MbQFvtzBwkr8g+fRSweRuTsom zfXxaTKejMFTdtJdNMKcg9O3Wn1SZcg+P4TkEA9nOZXzZ4BJohAONlun53Eabj+V+nPz c1qQ== X-Forwarded-Encrypted: i=1; AHgh+RovW961jMKkXjpKXWaDvQyyuYinlOV7d7gRu4FQzEwHeHoN4ZI7114Y845nE2QunUOCr31ap8mnOSMrWjU=@vger.kernel.org X-Gm-Message-State: AOJu0Yx1+Uhdz8HnnArjXn8VJapInqC0l1XA69Ou3bK/MIMaFbAgpP2U TsIOoOA4Nr4vOLKMUIDaZhmsBnPZZ5Mw+SNOBB8dZlro9aE031KYNChwKnKbR4OoLmoR/uxDM9o /1Q2Zis0LaJs5+yGUPw== X-Received: from ejsc14.prod.google.com ([2002:a17:906:694e:b0:c12:4bb6:ec57]) (user=aliceryhl job=prod-delivery.src-stubby-dispatcher) by 2002:a17:907:3f85:b0:c12:add7:b97b with SMTP id a640c23a62f3a-c12add7bc23mr240698066b.29.1782988423378; Thu, 02 Jul 2026 03:33:43 -0700 (PDT) Date: Thu, 2 Jul 2026 10:33:42 +0000 In-Reply-To: <20260628174451.2275679-1-dakr@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20260628174451.2275679-1-dakr@kernel.org> Message-ID: Subject: Re: [PATCH] rust: devres: fix race between concurrent revokers From: Alice Ryhl To: Danilo Krummrich Cc: gregkh@linuxfoundation.org, rafael@kernel.org, ojeda@kernel.org, boqun@kernel.org, gary@garyguo.net, bjorn3_gh@protonmail.com, a.hindborg@kernel.org, tmgross@umich.edu, daniel.almeida@collabora.com, tamird@kernel.org, acourbot@nvidia.com, work@onurozkan.dev, lyude@redhat.com, driver-core@lists.linux.dev, linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org, stable@vger.kernel.org, Sashiko Content-Type: text/plain; charset="utf-8" On Sun, Jun 28, 2026 at 07:44:38PM +0200, Danilo Krummrich wrote: > There is a potential race condition when two paths try to revoke a > Devres concurrently. > > The driver core's devres_release_all() calls Revocable::revoke() via the > release callback, while Devres::drop() calls revoke_nosync() on another > CPU. > > The revoker that does not claim the is_available swap returns > immediately, but the revoker that did may still be executing > drop_in_place() on the inner data. This can cause a use-after-free when > the other revoker's caller proceeds to drop adjacent resources that > drop_in_place() still references (e.g., Devres racing with > SGTable freeing the backing sg_table and pages). > > Fix this by adding a Completion. The release callback signals the > Completion after revoke() finishes, and Devres::drop() waits for it when > it loses the is_available swap. This ensures the wrapped object is fully > torn down before Devres::drop() returns. > > Cc: stable@vger.kernel.org > Reported-by: Sashiko > Closes: https://lore.kernel.org/dri-devel/20260612202841.2577C1F000E9@smtp.kernel.org/ > Fixes: 05aa6fb1c21d ("rust: scatterlist: Add abstraction for sg_table") > Signed-off-by: Danilo Krummrich Reviewed-by: Alice Ryhl