[PATCH v2 0/7] pci: fix UAF and TOCTOU related to dynamic ID

From: Gary Guo

Date: Tue Jun 30 2026 - 07:19:03 EST


While working on improving the Rust abstractions [1], Sashiko reported
an existing UAF issue related to dynamic ID, which I find to be genuine.
When taking a look at the code I also find a TOCTOU issue where the
existence check of dynamic ID happens in a separate critical section from the
actual insertion. This series fixes both issues.

There are two exported functions "pci_match_id" and "pci_add_dynid" which I
have to tweak to implement this cleanly; I created separate "do_xxx"
functions to keep the existing APIs because they all have multiple users.

There are a few existing users which store their pci_device_id argument in
probe callback. This is a bad pattern because nothing except driver_data
inside pci_device_id is what they want. Actual ID information can be
retrieved from pci_dev instead. I've used the following coccinelle script
to find the cases where the argument is stored and converted them to stop
storing pci_device_id.

@store@
identifier fn;
identifier id;
expression E;
parameter list[n] ps;
@@
fn(ps, struct pci_device_id *id, ...)
{
...
* E = id
...
}

@cast@
identifier fn;
identifier id;
parameter list[n] ps;
@@
fn(ps, struct pci_device_id *id, ...)
{
...
* (void *)id
...
}

@in_struct@
identifier s, fld;
@@
struct s {
...
* struct pci_device_id *fld;
...
};

Link: https://lore.kernel.org/all/20260618-id_info-v1-0-96af1e559ef9@xxxxxxxxxxx/ [1]
Link: https://lore.kernel.org/all/20260619170503.518F61F00A3A@xxxxxxxxxxxxxxx/ [2]

---
Changes in v2:
- Fix users which store pci_device_id.
- Clarify in probe documentation about the lifetime of pci_device_id
parameter.
- Dynamic ID conflict check now ignores override_only. (Sashiko)
- Link to v1: https://patch.msgid.link/20260626-pci_id_fix-v1-0-a35c803f1b95@xxxxxxxxxxx

---
Gary Guo (7):
ata: don't keep pci_device_id
nsp32: don't keep pci_device_id
ipack: tpci200: don't keep pci_device_id
mlxsw: don't keep pci_device_id
pci: make pci_match_one_device match on ID instead of device
pci: fix dyn_id add TOCTOU
pci: fix UAF when probe runs concurrent to dyn ID removal

drivers/ata/ata_generic.c | 6 +-
drivers/ipack/carriers/tpci200.c | 1 -
drivers/ipack/carriers/tpci200.h | 1 -
drivers/net/ethernet/mellanox/mlxsw/pci.c | 11 +-
drivers/pci/pci-driver.c | 219 ++++++++++++++++--------------
drivers/pci/pci.h | 36 +++--
drivers/pci/search.c | 6 +-
drivers/scsi/nsp32.c | 8 +-
drivers/scsi/nsp32.h | 8 +-
include/linux/pci.h | 1 +
10 files changed, 166 insertions(+), 131 deletions(-)
---
base-commit: dc59e4fea9d83f03bad6bddf3fa2e52491777482
change-id: 20260626-pci_id_fix-83eaec007674

Best regards,
--
Gary Guo <gary@xxxxxxxxxxx>
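
The TOCTOU shape described in the cover letter (existence check in one critical section, insertion in another), as an added userspace C model; it is not code from this series or from the kernel. All names (`dyn_table`, `dyn_exists`, `dyn_insert`, `dyn_add_atomic`, `replay`) and the ID values are hypothetical, and the two-writer interleaving is replayed sequentially so the outcome is deterministic.

```c
#include <pthread.h>
#include <stdbool.h>

/* Hypothetical userspace model of a dynamic-ID list; not kernel code. */
struct dyn_id { unsigned vendor, device; };
struct dyn_table { pthread_mutex_t lock; struct dyn_id ids[8]; unsigned n; };

static bool find_locked(const struct dyn_table *t, struct dyn_id id) {
    for (unsigned i = 0; i < t->n; i++)     /* caller holds t->lock */
        if (t->ids[i].vendor == id.vendor && t->ids[i].device == id.device)
            return true;
    return false;
}
/* Racy shape, step 1: the existence check has its own critical section. */
static bool dyn_exists(struct dyn_table *t, struct dyn_id id) {
    pthread_mutex_lock(&t->lock);
    bool found = find_locked(t, id);
    pthread_mutex_unlock(&t->lock);
    return found;                   /* stale once the lock is dropped */
}
/* Racy shape, step 2: the insert trusts that earlier answer. */
static void dyn_insert(struct dyn_table *t, struct dyn_id id) {
    pthread_mutex_lock(&t->lock);
    if (t->n < 8) t->ids[t->n++] = id;
    pthread_mutex_unlock(&t->lock);
}
/* Fixed shape: check and insert inside one lock hold. */
static int dyn_add_atomic(struct dyn_table *t, struct dyn_id id) {
    int ret = -1;                   /* -1: duplicate or table full */
    pthread_mutex_lock(&t->lock);
    if (!find_locked(t, id) && t->n < 8) {
        t->ids[t->n++] = id;
        ret = 0;
    }
    pthread_mutex_unlock(&t->lock);
    return ret;
}
/* Two writers add the same constructed ID; interleaving replayed in order. */
static unsigned replay(bool racy) {
    struct dyn_table t = { .lock = PTHREAD_MUTEX_INITIALIZER, .n = 0 };
    struct dyn_id id = { 0x1234, 0x5678 };
    if (racy) {
        bool a = dyn_exists(&t, id), b = dyn_exists(&t, id); /* both: absent */
        if (!a) dyn_insert(&t, id);
        if (!b) dyn_insert(&t, id);
    } else {
        dyn_add_atomic(&t, id);
        dyn_add_atomic(&t, id);
    }
    return t.n;                     /* racy: 2 (duplicate), atomic: 1 */
}
```

Every access in the racy path is locked, yet the duplicate still lands, because the lock is released between the decision and the action it guards.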