| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aFfyRuYPxUfc7TM-@pollux>
Date: Sun, 22 Jun 2025 14:08:38 +0200
From: Danilo Krummrich <dakr@...nel.org>
To: Benno Lossin <lossin@...nel.org>
Cc: gregkh@...uxfoundation.org, rafael@...nel.org, ojeda@...nel.org,
alex.gaynor@...il.com, boqun.feng@...il.com, gary@...yguo.net,
bjorn3_gh@...tonmail.com, benno.lossin@...ton.me,
a.hindborg@...nel.org, aliceryhl@...gle.com, tmgross@...ch.edu,
rust-for-linux@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 3/4] rust: devres: get rid of Devres' inner Arc
On Sun, Jun 22, 2025 at 09:05:51AM +0200, Benno Lossin wrote:
> On Thu Jun 12, 2025 at 4:51 PM CEST, Danilo Krummrich wrote:
> > +#[pin_data(PinnedDrop)]
> > +pub struct Devres<T> {
> > + dev: ARef<Device>,
> > + callback: unsafe extern "C" fn(*mut c_void),
>
> Do I remember correctly that we at some point talked about adding a
> comment here for why this is needed? (ie it's needed, because
> `Self::callback` might return different addresses?)
Correct -- thanks for reminding me of that. Will add the corresponding comment.
> > + #[pin]
> > + data: Revocable<T>,
> > + #[pin]
> > + devm: Completion,
> > + #[pin]
> > + revoke: Completion,
>
> Probably a good idea to add some doc comments explaining what these two
> completions track.
>
> (feel free to do these in another patch or in a follow-up)
No, I think it'd be good to do it right away -- will add them.
> > +#[pinned_drop]
> > +impl<T> PinnedDrop for Devres<T> {
> > + fn drop(self: Pin<&mut Self>) {
> > // SAFETY: When `drop` runs, it is guaranteed that nobody is accessing the revocable data
> > // anymore, hence it is safe not to wait for the grace period to finish.
> > - if unsafe { self.0.data.revoke_nosync() } {
> > - // We revoked `self.0.data` before the devres action did, hence try to remove it.
> > - if !DevresInner::remove_action(&self.0) {
> > + if unsafe { self.data.revoke_nosync() } {
> > + // We revoked `self.data` before the devres action did, hence try to remove it.
> > + if !self.remove_action() {
> > // We could not remove the devres action, which means that it now runs concurrently,
> > - // hence signal that `self.0.data` has been revoked successfully.
> > - self.0.revoke.complete_all();
> > + // hence signal that `self.data` has been revoked by us successfully.
> > + self.revoke.complete_all();
> > +
> > + // Wait for `Self::devres_callback` to be done using this object.
> > + self.devm.wait_for_completion();
> > }
> > + } else {
> > + // `Self::devres_callback` revokes `self.data` for us, hence wait for it to be done
> > + // using this object.
> > + self.devm.wait_for_completion();
>
> I don't understand this change, maybe it's best to move that into a
> separate commit?
We can't do that, without this change the code would be incorrect.
What happens here is that, if drop() races with devres_callback() we have to
make drop() wait until devres_callback() is completed, because otherwise
devres_callback() might experience a use-after-free.
Previoulsly this has been taken care of by Arc<DevresInner>, which C devres held
a reference of.
Powered by blists - more mailing lists