[PATCH 0/3] pci: fix UAF and TOCTOU related to dynamic ID

Next message: Gary Guo: "[PATCH 1/3] pci: make pci_match_one_device match on ID instead of device"
Previous message: David Thompson: "RE: [PATCH] net: lan743x: Initialize eth_syslock spinlock before use"
Next in thread: Gary Guo: "[PATCH 2/3] pci: fix dyn_id add TOCTOU"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Gary Guo

Date: Fri Jun 26 2026 - 15:51:16 EST

While working on improving the Rust abstractions [1], Sashiko reported that
an existing UAF issue related to dynamic ID, which I find to be genuine.
When taking a look at the code I also find a TOCTOU issue where the
existence check of dynamic ID happens in a separate critical section as the
actual insertion. This series fix both issues.

There are two exported functions "pci_match_id" and "pci_add_dynid" which I
have to tweak to implement this cleanly; I created separate "do_xxx"
functions to keep the existing APIs because they all have multiple users.

Link: https://lore.kernel.org/all/20260618-id_info-v1-0-96af1e559ef9@xxxxxxxxxxx/ [1]
Link: https://lore.kernel.org/all/20260619170503.518F61F00A3A@xxxxxxxxxxxxxxx/ [2]

Signed-off-by: Gary Guo <gary@xxxxxxxxxxx>
---
Gary Guo (3):
pci: make pci_match_one_device match on ID instead of device
pci: fix dyn_id add TOCTOU
pci: fix UAF when probe runs concurrent to dyn ID removal

drivers/pci/pci-driver.c | 208 ++++++++++++++++++++++++++---------------------
drivers/pci/pci.h | 36 +++++---
drivers/pci/search.c | 6 +-
3 files changed, 147 insertions(+), 103 deletions(-)
---
base-commit: 6c94b38b83a04c43ea49004275f0391404051093
change-id: 20260626-pci_id_fix-83eaec007674

Best regards,
--
Gary Guo <gary@xxxxxxxxxxx>