From: "Danilo Krummrich" <dakr@kernel.org>
To: "Gary Guo" <gary@garyguo.net>
Cc: "Bjorn Helgaas" <bhelgaas@google.com>,
"Zhenzhong Duan" <zhenzhong.duan@gmail.com>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Rafael J. Wysocki" <rafael@kernel.org>,
"Damien Le Moal" <dlemoal@kernel.org>,
"Niklas Cassel" <cassel@kernel.org>,
"GOTO Masanori" <gotom@debian.or.jp>,
"YOKOTA Hiroshi" <yokota@netlab.is.tsukuba.ac.jp>,
"James E.J. Bottomley" <James.Bottomley@HansenPartnership.com>,
"Martin K. Petersen" <martin.petersen@oracle.com>,
"Vaibhav Gupta" <vaibhavgupta40@gmail.com>,
"Jens Taprogge" <jens.taprogge@taprogge.org>,
"Ido Schimmel" <idosch@nvidia.com>,
"Petr Machata" <petrm@nvidia.com>,
"Andrew Lunn" <andrew+netdev@lunn.ch>,
"David S. Miller" <davem@davemloft.net>,
"Eric Dumazet" <edumazet@google.com>,
"Jakub Kicinski" <kuba@kernel.org>,
"Paolo Abeni" <pabeni@redhat.com>, <linux-pci@vger.kernel.org>,
<driver-core@lists.linux.dev>, <linux-kernel@vger.kernel.org>,
<linux-ide@vger.kernel.org>, <linux-scsi@vger.kernel.org>,
<industrypack-devel@lists.sourceforge.net>,
<netdev@vger.kernel.org>, "Sashiko" <sashiko-bot@kernel.org>
Subject: Re: [PATCH v2 7/7] pci: fix UAF when probe runs concurrent to dyn ID removal
Date: Tue, 30 Jun 2026 22:25:51 +0200 [thread overview]
Message-ID: <DJMNZJZYZGAW.2VLN3VNNOH03L@kernel.org> (raw)
In-Reply-To: <20260630-pci_id_fix-v2-7-b834a98c0af2@garyguo.net>
On Tue Jun 30, 2026 at 1:09 PM CEST, Gary Guo wrote:
> -static const struct pci_device_id *pci_match_device(struct pci_driver *drv,
> - struct pci_dev *dev)
> +static bool pci_match_device(struct pci_driver *drv,
> + struct pci_dev *dev,
> + struct pci_device_id *id)
> {
> struct pci_dynid *dynid;
> const struct pci_device_id *found_id = NULL;
> @@ -196,30 +198,33 @@ static const struct pci_device_id *pci_match_device(struct pci_driver *drv,
> /* When driver_override is set, only bind to the matching driver */
> ret = device_match_driver_override(&dev->dev, &drv->driver);
> if (ret == 0)
> - return NULL;
> + return false;
>
> dev_id = pci_id_from_device(dev);
> /* Look at the dynamic ids first, before the static ones */
> - spin_lock(&drv->dynids.lock);
> - list_for_each_entry(dynid, &drv->dynids.list, node) {
> - if (pci_match_one_id(&dynid->id, &dev_id)) {
> - found_id = &dynid->id;
> - break;
> + {
> + guard(spinlock)(&drv->dynids.lock);
> + list_for_each_entry(dynid, &drv->dynids.list, node) {
> + if (pci_match_one_id(&dynid->id, &dev_id)) {
> + *id = dynid->id;
> + return true;
> + }
> }
> }
Should be scoped_guard(spinlock, &drv->dynids.lock). It also looks like dynid
could be moved into the scoped_guard().
prev parent reply other threads:[~2026-06-30 20:25 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-30 11:09 [PATCH v2 0/7] pci: fix UAF and TOCTOU related to dynamic ID Gary Guo
2026-06-30 11:09 ` [PATCH v2 1/7] ata: don't keep pci_device_id Gary Guo
2026-06-30 11:59 ` Niklas Cassel
2026-06-30 12:41 ` Gary Guo
2026-06-30 19:46 ` Danilo Krummrich
2026-06-30 11:09 ` [PATCH v2 2/7] nsp32: " Gary Guo
2026-06-30 19:46 ` Danilo Krummrich
2026-06-30 11:09 ` [PATCH v2 3/7] ipack: tpci200: " Gary Guo
2026-06-30 19:47 ` Danilo Krummrich
2026-06-30 11:09 ` [PATCH v2 4/7] mlxsw: " Gary Guo
2026-06-30 19:48 ` Danilo Krummrich
2026-07-01 13:57 ` Petr Machata
2026-06-30 11:09 ` [PATCH v2 5/7] pci: make pci_match_one_device match on ID instead of device Gary Guo
2026-06-30 20:04 ` Danilo Krummrich
2026-06-30 11:09 ` [PATCH v2 6/7] pci: fix dyn_id add TOCTOU Gary Guo
2026-06-30 20:16 ` Danilo Krummrich
2026-06-30 11:09 ` [PATCH v2 7/7] pci: fix UAF when probe runs concurrent to dyn ID removal Gary Guo
2026-06-30 20:25 ` Danilo Krummrich [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DJMNZJZYZGAW.2VLN3VNNOH03L@kernel.org \
--to=dakr@kernel.org \
--cc=James.Bottomley@HansenPartnership.com \
--cc=andrew+netdev@lunn.ch \
--cc=bhelgaas@google.com \
--cc=cassel@kernel.org \
--cc=davem@davemloft.net \
--cc=dlemoal@kernel.org \
--cc=driver-core@lists.linux.dev \
--cc=edumazet@google.com \
--cc=gary@garyguo.net \
--cc=gotom@debian.or.jp \
--cc=gregkh@linuxfoundation.org \
--cc=idosch@nvidia.com \
--cc=industrypack-devel@lists.sourceforge.net \
--cc=jens.taprogge@taprogge.org \
--cc=kuba@kernel.org \
--cc=linux-ide@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=petrm@nvidia.com \
--cc=rafael@kernel.org \
--cc=sashiko-bot@kernel.org \
--cc=vaibhavgupta40@gmail.com \
--cc=yokota@netlab.is.tsukuba.ac.jp \
--cc=zhenzhong.duan@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox