lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAH5fLgg+1FtiHkXOzKLHFP-gRrq1Dq8yUO4RmyE7tM4aSDYioA@mail.gmail.com>
Date: Mon, 11 Aug 2025 16:25:50 +0200
From: Alice Ryhl <aliceryhl@...gle.com>
To: Boqun Feng <boqun.feng@...il.com>
Cc: Daniel Almeida <daniel.almeida@...labora.com>, Miguel Ojeda <ojeda@...nel.org>, 
	Gary Guo <gary@...yguo.net>, Björn Roy Baron <bjorn3_gh@...tonmail.com>, 
	Andreas Hindborg <a.hindborg@...nel.org>, Trevor Gross <tmgross@...ch.edu>, 
	Danilo Krummrich <dakr@...nel.org>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, 
	"Rafael J. Wysocki" <rafael@...nel.org>, Thomas Gleixner <tglx@...utronix.de>, 
	Bjorn Helgaas <bhelgaas@...gle.com>, Krzysztof Wilczy´nski <kwilczynski@...nel.org>, 
	Benno Lossin <lossin@...nel.org>, Dirk Behme <dirk.behme@...il.com>, linux-kernel@...r.kernel.org, 
	rust-for-linux@...r.kernel.org, linux-pci@...r.kernel.org
Subject: Re: [PATCH v2] rust: irq: add &Device<Bound> argument to irq callbacks

On Mon, Aug 11, 2025 at 4:24 PM Boqun Feng <boqun.feng@...il.com> wrote:
>
> On Mon, Aug 11, 2025 at 04:05:31PM +0200, Alice Ryhl wrote:
> > On Mon, Aug 11, 2025 at 3:56 PM Boqun Feng <boqun.feng@...il.com> wrote:
> > >
> > > On Mon, Aug 11, 2025 at 12:33:51PM +0000, Alice Ryhl wrote:
> > > [...]
> > > > @@ -207,8 +207,8 @@ pub fn new<'a>(
> > > >              inner <- Devres::new(
> > > >                  request.dev,
> > > >                  try_pin_init!(RegistrationInner {
> > > > -                    // SAFETY: `this` is a valid pointer to the `Registration` instance
> > > > -                    cookie: unsafe { &raw mut (*this.as_ptr()).handler }.cast(),
> > > > +                    // INVARIANT: `this` is a valid pointer to the `Registration` instance
> > > > +                    cookie: this.as_ptr().cast::<c_void>(),
> > >
> > > At this moment the `Regstration` is not fully initialized...
> > >
> > > >                      irq: {
> > > >                          // SAFETY:
> > > >                          // - The callbacks are valid for use with request_irq.
> > > > @@ -221,7 +221,7 @@ pub fn new<'a>(
> > > >                                  Some(handle_irq_callback::<T>),
> > > >                                  flags.into_inner(),
> > > >                                  name.as_char_ptr(),
> > > > -                                (&raw mut (*this.as_ptr()).handler).cast(),
> > > > +                                this.as_ptr().cast::<c_void>(),
> > > >                              )
> > >
> > > ... and interrupt can happen right after request_irq() ...
> > >
> > > >                          })?;
> > > >                          request.irq
> > > > @@ -258,9 +258,13 @@ pub fn synchronize(&self, dev: &Device<Bound>) -> Result {
> > > >  ///
> > > >  /// This function should be only used as the callback in `request_irq`.
> > > >  unsafe extern "C" fn handle_irq_callback<T: Handler>(_irq: i32, ptr: *mut c_void) -> c_uint {
> > > > -    // SAFETY: `ptr` is a pointer to T set in `Registration::new`
> > > > -    let handler = unsafe { &*(ptr as *const T) };
> > > > -    T::handle(handler) as c_uint
> > > > +    // SAFETY: `ptr` is a pointer to `Registration<T>` set in `Registration::new`
> > > > +    let registration = unsafe { &*(ptr as *const Registration<T>) };
> > >
> > > ... hence it's not correct to construct a reference to `Registration`
> > > here, but yes, both `handler` and the `device` part of `inner` has been
> > > properly initialized. So
> > >
> > >         let registration = ptr.cast::<Registration<T>>();
> > >
> > >         // SAFETY: The `data` part of `Devres` is `Opaque` and here we
> > >         // only access `.device()`, which has been properly initialized
> > >         // before `request_irq()`.
> > >         let device = unsafe { (*registration).inner.device() };
> > >
> > >         // SAFETY: The irq callback is removed before the device is
> > >         // unbound, so the fact that the irq callback is running implies
> > >         // that the device has not yet been unbound.
> > >         let device = unsafe { device.as_bound() };
> > >
> > >         // SAFETY: `.handler` has been properly initialized before
> > >         // `request_irq()`.
> > >         T::handle(unsafe { &(*registration).handler }, device) as c_uint
> > >
> > > Thoughts? Similar for the threaded one.
> >
> > This code is no different. It creates a reference to `inner` before
> > the `irq` field is written. Of course, it's also no different in that
> > since data of a `Devres` is in `Opaque`, this is not actually UB.
> >
>
> Well, I think we need at least mentioning that it's safe because we
> don't access .inner.inner here, but..
>
> > What I can offer you is to use the closure form of pin-init to call
> > request_irq after initialization has fully completed.
> >
>
> .. now you mention this, I think we can just move the `request_irq()`
> to the initializer of `_pin`:
>
> ------>8
> diff --git a/rust/kernel/irq/request.rs b/rust/kernel/irq/request.rs
> index ae5d967fb9d6..3343964fc1ab 100644
> --- a/rust/kernel/irq/request.rs
> +++ b/rust/kernel/irq/request.rs
> @@ -209,26 +209,26 @@ pub fn new<'a>(
>                  try_pin_init!(RegistrationInner {
>                      // INVARIANT: `this` is a valid pointer to the `Registration` instance
>                      cookie: this.as_ptr().cast::<c_void>(),
> -                    irq: {
> -                        // SAFETY:
> -                        // - The callbacks are valid for use with request_irq.
> -                        // - If this succeeds, the slot is guaranteed to be valid until the
> -                        //   destructor of Self runs, which will deregister the callbacks
> -                        //   before the memory location becomes invalid.
> -                        to_result(unsafe {
> -                            bindings::request_irq(
> -                                request.irq,
> -                                Some(handle_irq_callback::<T>),
> -                                flags.into_inner(),
> -                                name.as_char_ptr(),
> -                                this.as_ptr().cast::<c_void>(),
> -                            )
> -                        })?;
> -                        request.irq
> -                    }
> +                    irq: request.irq
>                  })
>              ),
> -            _pin: PhantomPinned,
> +            _pin: {
> +                // SAFETY:
> +                // - The callbacks are valid for use with request_irq.
> +                // - If this succeeds, the slot is guaranteed to be valid until the
> +                //   destructor of Self runs, which will deregister the callbacks
> +                //   before the memory location becomes invalid.
> +                to_result(unsafe {
> +                    bindings::request_irq(
> +                        request.irq,
> +                        Some(handle_irq_callback::<T>),
> +                        flags.into_inner(),
> +                        name.as_char_ptr(),
> +                        this.as_ptr().cast::<c_void>(),
> +                    )
> +                })?;
> +                PhantomPinned
> +            },
>          })
>      }
>
>
> Thoughts?

That calls free_irq if request_irq fails, which is illegal.

Alice

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ