| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 7 Jun 2024 13:30:33 +0200
From: Alice Ryhl <aliceryhl@...gle.com>
To: Manos Pitsidianakis <manos.pitsidianakis@...aro.org>
Cc: Viresh Kumar <viresh.kumar@...aro.org>, "Rafael J. Wysocki" <rafael@...nel.org>,
Miguel Ojeda <miguel.ojeda.sandonis@...il.com>, Miguel Ojeda <ojeda@...nel.org>,
Alex Gaynor <alex.gaynor@...il.com>, Wedson Almeida Filho <wedsonaf@...il.com>,
Boqun Feng <boqun.feng@...il.com>, Gary Guo <gary@...yguo.net>,
Bjö rn Roy Baron <bjorn3_gh@...tonmail.com>,
Benno Lossin <benno.lossin@...ton.me>, Andreas Hindborg <a.hindborg@...sung.com>,
linux-pm@...r.kernel.org, Vincent Guittot <vincent.guittot@...aro.org>,
Stephen Boyd <sboyd@...nel.org>, Nishanth Menon <nm@...com>, rust-for-linux@...r.kernel.org,
Erik Schilling <erik.schilling@...aro.org>, Alex Benné e <alex.bennee@...aro.org>,
Joakim Bech <joakim.bech@...aro.org>, Rob Herring <robh@...nel.org>, linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH V2 1/8] rust: Add initial bindings for OPP framework
On Fri, Jun 7, 2024 at 1:24 PM Manos Pitsidianakis
<manos.pitsidianakis@...aro.org> wrote:
>
> On Fri, 07 Jun 2024 13:51, Alice Ryhl <aliceryhl@...gle.com> wrote:
> >On Fri, Jun 7, 2024 at 11:12 AM Viresh Kumar <viresh.kumar@...aro.org> wrote:
> >>
> >> This commit adds initial Rust bindings for the Operating performance
> >> points (OPP) core. This adds bindings for `struct dev_pm_opp` and
> >> `struct dev_pm_opp_data` to begin with.
> >>
> >> Signed-off-by: Viresh Kumar <viresh.kumar@...aro.org>
> >
> >> +//! Operating performance points.
> >> +//!
> >> +//! This module provides bindings for interacting with the OPP subsystem.
> >> +//!
> >> +//! C header: [`include/linux/pm_opp.h`](../../../../../../include/linux/pm_opp.h)
> >
> >Please use srctree links instead.
> >
> >C header: [`include/linux/pm_opp.h`](srctree/include/linux/pm_opp.h)
> >
> >> +impl OPP {
> >> + /// Creates a reference to a [`OPP`] from a valid pointer.
> >> + ///
> >> + /// # Safety
> >> + ///
> >> + /// The caller must ensure that `ptr` is valid and remains valid for the lifetime of the
> >> + /// returned [`OPP`] reference.
> >> + pub unsafe fn from_ptr_owned(ptr: *mut bindings::dev_pm_opp) -> Result<ARef<Self>> {
> >> + let ptr = ptr::NonNull::new(ptr).ok_or(ENODEV)?;
> >> +
> >> + // SAFETY: The safety requirements guarantee the validity of the pointer.
> >> + //
> >> + // INVARIANT: The refcount is already incremented by the C API that returned the pointer,
> >> + // and we pass ownership of the refcount to the new `ARef<OPP>`.
> >> + Ok(unsafe { ARef::from_raw(ptr.cast()) })
> >> + }
> >> +
> >> + /// Creates a reference to a [`OPP`] from a valid pointer.
> >> + ///
> >> + /// # Safety
> >> + ///
> >> + /// The caller must ensure that `ptr` is valid and remains valid for the lifetime of the
> >> + /// returned [`OPP`] reference.
> >> + pub unsafe fn from_ptr(ptr: *mut bindings::dev_pm_opp) -> Result<ARef<Self>> {
> >> + let opp = unsafe { Self::from_ptr_owned(ptr) }?;
> >> +
> >> + // Take an extra reference to the OPP since the caller didn't take it.
> >> + opp.inc_ref();
> >> +
> >> + Ok(opp)
> >> + }
> >
> >I would recommend a slightly different approach here. You can provide
> >a method called `from_raw_opp` that takes a *mut bindings::dev_pm_opp
> >and returns a &Self. The ARef type provides a method that converts
> >&Self to ARef<Self> by taking a refcount. This way, users would also
> >be able to call OPP methods without giving Rust any refcounts. You can
>
> Wouldn't this allow for use-after-free? What if the refcount drops to 0
> before the method is called?
The method would be unsafe and require the caller to avoid that.
/// Creates a reference to a [`File`] from a valid pointer.
///
/// # Safety
///
/// The caller must ensure that `ptr` points at a valid file and that
/// the file's refcount is positive for the duration of 'a.
pub unsafe fn from_raw_file<'a>(ptr: *const bindings::file) -> &'a File {
// SAFETY: The caller guarantees that the pointer is not dangling
// and stays valid for the duration of 'a. The cast is okay because
// `File` is `repr(transparent)`.
unsafe { &*ptr.cast() }
}
> >As for `from_ptr_owned`, I would probably rename it to
> >`from_raw_opp_owned` or similar. It's often nice to use a more
> >descriptive name than just "ptr".
> >I think most existing examples call this `as_raw` and mark it
> >`#[inline]`.
>
> I think `ptr` is more idiomatic to Rust users, not that your suggestion
> is wrong. from_ptr_owned also implies the function signature.
>
>
> >
> >> + /// Adds an OPP dynamically.
> >> + pub fn add(dev: ARef<Device>, mut data: Data) -> Result<()> {
> >> + // SAFETY: The requirements are satisfied by the existence of `Device` and its safety
> >> + // requirements.
> >> + to_result(unsafe { bindings::dev_pm_opp_add_dynamic(dev.as_raw(), &mut data.0) })
> >> + }
> >> +
> >> + /// Removes a dynamically added OPP.
> >> + pub fn remove(dev: ARef<Device>, freq: u64) {
> >> + // SAFETY: The requirements are satisfied by the existence of `Device` and its safety
> >> + // requirements.
> >> + unsafe { bindings::dev_pm_opp_remove(dev.as_raw(), freq) };
> >> + }
> >
> >Is it intentional that these methods take ownership of a refcount to
> >the device that it then drops after calling the C function?
>
> use-after-free again? Though I'm suggesting this without actually
> examining if it can happen.
Rust references are required to not be dangling, so if you take a
&Device, then the caller promises that they will keep the device alive
for the duration of the call.
Alice
Powered by blists - more mailing lists