Thank you for your contribution! Sashiko AI review found 1 potential issue(s) 
to consider:

Pre-existing issues:
- [High] The `declare_drm_ioctls!` macro is unsound because it allows type 
inference to dictate the generic `Driver` type for `Device` and `File`, 
enabling potential cross-type downcasts (type confusion).
--

commit 541a4b9cfa288156f9ba5c6b0436d72c3dc130fe
Author: Danilo Krummrich <[email protected]>

rust: drm: ioctl: fix unbounded lifetimes in ioctl handler arguments

This commit fixes unbounded lifetimes created by unsafe pointer dereferences
in the declare_drm_ioctls! macro. It introduces a higher-ranked function
pointer coercion to ensure that handlers accept universally quantified
lifetimes, preventing them from improperly demanding static references.

Closes: https://lore.kernel.org/all/[email protected]/

> diff --git a/rust/kernel/drm/ioctl.rs b/rust/kernel/drm/ioctl.rs
> index cf328101dde4e..ccf4150d83b69 100644
> --- a/rust/kernel/drm/ioctl.rs
> +++ b/rust/kernel/drm/ioctl.rs
> @@ -135,6 +135,12 @@ macro_rules! declare_drm_ioctls {
>                              // dev/file match the current driver these 
> ioctls are being declared
>                              // for, and it's not clear how to enforce this 
> within the type system.
>                              let dev = 
> $crate::drm::device::Device::from_raw(raw_dev);

[Severity: High]
This is a pre-existing issue, but does this instantiation of
Device::from_raw() leave the generic driver type parameter unbounded?

Since type inference can dictate the generic driver type for the device based
on the handler's signature, is it possible for a handler expecting
&Device<DriverB> to be passed for an IOCTL declared in DriverA?

If that happens, type inference might instantiate Device::from_raw<DriverB>.
The DRM core would later pass a DriverA device, but the safe handler might
access it assuming DriverB's layout, potentially causing type confusion.

Is there a way to strictly bind the driver type in the macro so we prevent
potential cross-type downcasts?

> +
> +                            // Enforce that the handler accepts higher-ranked
> +                            // lifetimes, preventing it from requiring 
> 'static
> +                            // references that could escape this scope.
> +                            let _: for<'a> fn(&'a _, &'a mut _, &'a _) -> _ 
> = $func;
> +
>                              // SAFETY: The ioctl argument has size 
> `_IOC_SIZE(cmd)`, which we
>                              // asserted above matches the size of this type, 
> and all bit patterns of
>                              // UAPI structs must be valid.

-- 
Sashiko AI review ยท 
https://sashiko.dev/#/patchset/[email protected]?part=1

Reply via email to