From: "Gary Guo" <gary@garyguo.net>
To: "Niklas Cassel" <cassel@kernel.org>, "Gary Guo" <gary@garyguo.net>
Cc: "Bjorn Helgaas" <bhelgaas@google.com>,
	"Zhenzhong Duan" <zhenzhong.duan@gmail.com>,
	"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
	"Rafael J. Wysocki" <rafael@kernel.org>,
	"Danilo Krummrich" <dakr@kernel.org>,
	"Damien Le Moal" <dlemoal@kernel.org>,
	"GOTO Masanori" <gotom@debian.or.jp>,
	"YOKOTA Hiroshi" <yokota@netlab.is.tsukuba.ac.jp>,
	"James E.J. Bottomley" <James.Bottomley@hansenpartnership.com>,
	"Martin K. Petersen" <martin.petersen@oracle.com>,
	"Vaibhav Gupta" <vaibhavgupta40@gmail.com>,
	"Jens Taprogge" <jens.taprogge@taprogge.org>,
	"Ido Schimmel" <idosch@nvidia.com>,
	"Petr Machata" <petrm@nvidia.com>,
	"Andrew Lunn" <andrew+netdev@lunn.ch>,
	"David S. Miller" <davem@davemloft.net>,
	"Eric Dumazet" <edumazet@google.com>,
	"Jakub Kicinski" <kuba@kernel.org>,
	"Paolo Abeni" <pabeni@redhat.com>, <linux-pci@vger.kernel.org>,
	<driver-core@lists.linux.dev>, <linux-kernel@vger.kernel.org>,
	<linux-ide@vger.kernel.org>, <linux-scsi@vger.kernel.org>,
	<industrypack-devel@lists.sourceforge.net>,
	<netdev@vger.kernel.org>
Subject: Re: [PATCH v2 1/7] ata: don't keep pci_device_id
Date: Tue, 30 Jun 2026 13:41:44 +0100	[thread overview]
Message-ID: <DJME47JZ4KWH.2S9HL3IL5FBK2@garyguo.net> (raw)
In-Reply-To: <akOvhr-X1Wp9iNd8@ryzen>

On Tue Jun 30, 2026 at 12:59 PM BST, Niklas Cassel wrote:
> Hello Gary,
>
> On Tue, Jun 30, 2026 at 12:09:01PM +0100, Gary Guo wrote:
>> pci_device_id is not guaranteed to live longer than probe due to the presence
>> of dynamic IDs. All information apart from driver_data can be easily
>> retrieved from pci_dev, so just store driver_data.
>> 
>> Signed-off-by: Gary Guo <gary@garyguo.net>
>
> Please write a proper commit message.
>
> The commit message should be detailed enough for someone to realize what
> is going on without reading your cover-letter (as information in the cover
> letter is not part of the accepted commit).
>
> 1) Explain how to reproduce.
>
> 2) Explain the problem.
>
> 3) Explain the consequences of the problem. UAF? Crash?
>
> 4) Explain how you fix it.

Hi Niklas,

I see this as a contract mismatch between pci core and drivers, hence the commit
message just mentions the problem (lifetime of pci_device_id pointer is
restricted to probe only) and the fix (don't store it).

Currently, as you said, the way this becomes a problem is when a dynamic ID is
involved. So the following sequence will cause an issue:

    echo "vendor device" > /sys/bus/pci/drivers/your_driver/new_id
    # PCI core calls probe which stores the ID (e.g. ata)
    echo "vendor device" > /sys/bus/pci/drivers/your_driver/remove_id
    # Driver uses the stored ID (UAF)

However, the gist here is that due to the presence of dynamic ID, pci_device_id
in probe is not guaranteed to live longer than the probe function (in fact, it
currently is not guaranteed to be alive at all, which is what this series is
trying to address).

Exactly how long the ID is going to live should be up to the PCI core and be
transparent to drivers, so I intentionally left this out of the driver fix
patches; this should be an implementation detail of the PCI core. In fact, in
patch 7 I changed it to be unconditionally invalid upon return regardless of
whether it is a dynamic ID or not.

At the end of this series I changed the documentation to explicitly state this
contract. So even without having the reproducer, the commit message still makes
sense because it fixes a contract violation and the reader can connect it with
the documentation.

Best,
Gary

>
>
> AFAICT, this is somehow related to pci_add_dynid(), which is called when
> user-space is doing something like:
>
> $ echo "vendor device" > /sys/bus/pci/drivers/your_driver/new_id
>
>
> Kind regards,
> Niklas
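The new_id / probe / remove_id sequence Gary describes, modelled in userspace as an added example (this is not code from the patch series or from the kernel). struct pci_device_id, the dynid list and the probe/remove_id flow are simplified stand-ins for drivers/pci/pci-driver.c, and the two driver private structs (bad_priv, good_priv) are hypothetical. The freed dynid is poisoned and flagged rather than actually free()d, so that the stale read is deterministic instead of undefined behaviour; in the real kernel the entry is kfree()d, which is where the use-after-free comes from.

```c
/* Added example: userspace model of the pci_device_id lifetime hazard.
 * Not kernel code; names below are simplified stand-ins. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef unsigned long kernel_ulong_t;

struct pci_device_id {
    uint32_t vendor, device;
    kernel_ulong_t driver_data;
};

/* One entry on a driver's dynamic-ID list (stand-in for struct pci_dynid). */
struct pci_dynid {
    struct pci_dynid *next;
    struct pci_device_id id;
    int freed;   /* model only: the real kernel kfree()s the entry instead */
};

struct pci_driver {
    struct pci_dynid *dynids;
};

/* Vulnerable pattern: keep the pointer that was handed to probe(). */
struct bad_priv { const struct pci_device_id *id; };
/* Fixed pattern (what the series does): copy driver_data out at probe time. */
struct good_priv { kernel_ulong_t driver_data; };

#define POISON_DATA ((kernel_ulong_t)0xdeaddeadUL)

/* echo "vendor device" > new_id: allocate a dynid and link it (hypothetical). */
static struct pci_dynid *model_add_dynid(struct pci_driver *drv, uint32_t vendor,
                                         uint32_t device, kernel_ulong_t driver_data)
{
    struct pci_dynid *d = calloc(1, sizeof(*d));
    if (!d)
        return NULL;
    d->id.vendor = vendor;
    d->id.device = device;
    d->id.driver_data = driver_data;
    d->next = drv->dynids;
    drv->dynids = d;
    return d;
}

/* echo "vendor device" > remove_id: unlink the entry and release it.
 * Poison-and-mark stands in for kfree() so the stale read is observable. */
static int model_remove_dynid(struct pci_driver *drv, uint32_t vendor, uint32_t device)
{
    for (struct pci_dynid **pp = &drv->dynids; *pp; pp = &(*pp)->next) {
        struct pci_dynid *d = *pp;
        if (d->id.vendor == vendor && d->id.device == device) {
            *pp = d->next;
            d->id.driver_data = POISON_DATA;
            d->freed = 1;
            return 0;
        }
    }
    return -1;
}

/* probe(): the id argument is only valid for the duration of this call. */
static void bad_probe(struct bad_priv *p, const struct pci_device_id *id)
{
    p->id = id;                          /* dangling once remove_id runs */
}

static void good_probe(struct good_priv *p, const struct pci_device_id *id)
{
    p->driver_data = id->driver_data;    /* survives remove_id */
}

static kernel_ulong_t bad_get_driver_data(const struct bad_priv *p)
{
    return p->id->driver_data;           /* UAF in the real kernel */
}

static kernel_ulong_t good_get_driver_data(const struct good_priv *p)
{
    return p->driver_data;
}

/* Replay the sequence from the thread with the vulnerable driver; returns
 * what the driver reads after remove_id (the poison value, not 0x42). */
static kernel_ulong_t run_bad(void)
{
    struct pci_driver drv = { 0 };
    struct bad_priv priv;
    struct pci_dynid *d = model_add_dynid(&drv, 0x1234, 0x5678, 0x42);
    bad_probe(&priv, &d->id);
    model_remove_dynid(&drv, 0x1234, 0x5678);
    kernel_ulong_t v = bad_get_driver_data(&priv);
    free(d);
    return v;
}

/* Same sequence with the fixed driver; returns the original 0x42. */
static kernel_ulong_t run_good(void)
{
    struct pci_driver drv = { 0 };
    struct good_priv priv;
    struct pci_dynid *d = model_add_dynid(&drv, 0x1234, 0x5678, 0x42);
    good_probe(&priv, &d->id);
    model_remove_dynid(&drv, 0x1234, 0x5678);
    kernel_ulong_t v = good_get_driver_data(&priv);
    free(d);
    return v;
}

int main(void)
{
    printf("stored pointer after remove_id: 0x%lx\n", run_bad());
    printf("stored driver_data after remove_id: 0x%lx\n", run_good());
    return 0;
}
```

The point the model makes is the contract from patch 7: nothing in the driver needs the pci_device_id pointer after probe returns, because driver_data is the only field the driver cannot recover from pci_dev, and a plain copy of that value is immune to the dynid list changing underneath it.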

Thread overview: 17+ messages
2026-06-30 11:09 [PATCH v2 0/7] pci: fix UAF and TOCTOU related to dynamic ID Gary Guo
2026-06-30 11:09 ` [PATCH v2 1/7] ata: don't keep pci_device_id Gary Guo
2026-06-30 11:59   ` Niklas Cassel
2026-06-30 12:41     ` Gary Guo [this message]
2026-06-30 19:46   ` Danilo Krummrich
2026-06-30 11:09 ` [PATCH v2 2/7] nsp32: " Gary Guo
2026-06-30 19:46   ` Danilo Krummrich
2026-06-30 11:09 ` [PATCH v2 3/7] ipack: tpci200: " Gary Guo
2026-06-30 19:47   ` Danilo Krummrich
2026-06-30 11:09 ` [PATCH v2 4/7] mlxsw: " Gary Guo
2026-06-30 19:48   ` Danilo Krummrich
2026-06-30 11:09 ` [PATCH v2 5/7] pci: make pci_match_one_device match on ID instead of device Gary Guo
2026-06-30 20:04   ` Danilo Krummrich
2026-06-30 11:09 ` [PATCH v2 6/7] pci: fix dyn_id add TOCTOU Gary Guo
2026-06-30 20:16   ` Danilo Krummrich
2026-06-30 11:09 ` [PATCH v2 7/7] pci: fix UAF when probe runs concurrent to dyn ID removal Gary Guo
2026-06-30 20:25   ` Danilo Krummrich
