| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <hkhgihg4fjkg7zleqnumuj65dfvmxa5rzawkiafrf4kn5ss6nw@o7kc6xe2bmuj> Date: Tue, 4 Mar 2025 19:24:11 -0800 From: Boqun Feng <boqun.feng@...il.com> To: comex <comexk@...il.com> Cc: Ralf Jung <post@...fj.de>, Andreas Hindborg <a.hindborg@...nel.org>, Alice Ryhl <aliceryhl@...gle.com>, Daniel Almeida <daniel.almeida@...labora.com>, Benno Lossin <benno.lossin@...ton.me>, Abdiel Janulgue <abdiel.janulgue@...il.com>, dakr@...nel.org, robin.murphy@....com, rust-for-linux@...r.kernel.org, Miguel Ojeda <ojeda@...nel.org>, Alex Gaynor <alex.gaynor@...il.com>, Gary Guo <gary@...yguo.net>, Björn Roy Baron <bjorn3_gh@...tonmail.com>, Trevor Gross <tmgross@...ch.edu>, Valentin Obst <kernel@...entinobst.de>, linux-kernel@...r.kernel.org, Christoph Hellwig <hch@....de>, Marek Szyprowski <m.szyprowski@...sung.com>, airlied@...hat.com, iommu@...ts.linux.dev, lkmm@...ts.linux.dev Subject: Re: Allow data races on some read/write operations On Tue, Mar 04, 2025 at 12:18:28PM -0800, comex wrote: > > > On Mar 4, 2025, at 11:03 AM, Ralf Jung <post@...fj.de> wrote: > > > > Those already exist in Rust, albeit only unstably: > > <https://doc.rust-lang.org/nightly/std/intrinsics/fn.volatile_copy_memory.html>. > > However, I am not sure how you'd even generate such a call in C? The > > standard memcpy function is not doing volatile accesses, to my > > knowledge. > > The actual memcpy symbol that exists at runtime is written in > assembly, and should be valid to treat as performing volatile > accesses. > > But both GCC and Clang special-case the memcpy function. For example, > if you call memcpy with a small constant as the size, the optimizer > will transform the call into one or more regular loads/stores, which > can then be optimized mostly like any other loads/stores (except for > opting out of alignment and type-based aliasing assumptions). Even if > the call isn’t transformed, the optimizer will still make assumptions. > LLVM will automatically mark memcpy `nosync`, which makes it undefined > behavior if the function “communicate[s] (synchronize[s]) with another > thread”, including through “volatile accesses”. [1] > > However, these optimizations should rarely trigger misbehavior in > practice, so I wouldn’t be surprised if Linux had some code that > expected memcpy to act volatile… > Also in this particular case we are discussing [1], it's a memcpy (from or to) a DMA buffer, which means the device can also read or write the memory, therefore the content of the memory may be altered outside the program (the kernel), so we cannot use copy_nonoverlapping() I believe. [1]: https://lore.kernel.org/rust-for-linux/87bjuil15w.fsf@kernel.org/ Regards, Boqun > But I’m not familiar enough with the codebase to know whether such > code actually exists, or where. > > (Incidentally, there is a compiler flag to turn the memcpy > special-casing off, -fno-builtin. I pretty much expected that Linux > used it. But I just checked, and it doesn’t.) > > For Rust, I don’t know why we haven’t exposed volatile_copy_memory > yet. All I can find are some years-old discussions with no obvious > blockers. I guess nobody has cared enough. There is also a somewhat > stagnant RFC for *atomic* memcpy. [2] > > [1] https://llvm.org/docs/LangRef.html, search for 'nosync' > [2] https://github.com/rust-lang/rfcs/pull/3301 >
Powered by blists - more mailing lists