Re: [PATCH v2 4/4] rust: devres: implement register_release()

From: Benno Lossin
Date: Mon Jun 23 2025 - 09:46:04 EST

Next message: Christopher Snowhill: "Re: [RFC PATCH] drm/amdgpu: Enable async flip for cursor planes"
Previous message: Lifeng Zheng: "[PATCH 6/7] cpufreq: Refactor code about starting governor in cpufreq_set_policy()"
In reply to: Danilo Krummrich: "Re: [PATCH v2 4/4] rust: devres: implement register_release()"
Next in thread: Danilo Krummrich: "Re: [PATCH v2 4/4] rust: devres: implement register_release()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon Jun 23, 2025 at 2:51 PM CEST, Danilo Krummrich wrote:
> On Mon, Jun 23, 2025 at 12:01:14PM +0000, Alice Ryhl wrote:
>> On Sun, Jun 22, 2025 at 06:40:41PM +0200, Danilo Krummrich wrote:
>> > +pub fn register_release<P>(dev: &Device<Bound>, data: P) -> Result
>> > +where
>> > + P: ForeignOwnable,
>> > + for<'a> P::Borrowed<'a>: Release,
>>
>> I think we need where P: ForeignOwnable + 'static too.
>>
>> otherwise I can pass something with a reference that expires before the
>> device is unbound and access it in the devm callback as a UAF.
>
> I can't really come up with an example for such a case, mind providing one? :)

{
let local = MyLocalData { /* ... */ };
let data = Arc::new(Data { r: &local });
devres::register_release(dev, data)?;
}
// devres still holds onto `data`, but that points at `MyLocalData`
// which is on the stack and freed here...

---
Cheers,
Benno

Next message: Christopher Snowhill: "Re: [RFC PATCH] drm/amdgpu: Enable async flip for cursor planes"
Previous message: Lifeng Zheng: "[PATCH 6/7] cpufreq: Refactor code about starting governor in cpufreq_set_policy()"
In reply to: Danilo Krummrich: "Re: [PATCH v2 4/4] rust: devres: implement register_release()"
Next in thread: Danilo Krummrich: "Re: [PATCH v2 4/4] rust: devres: implement register_release()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]