| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aJn9M3WPcI_ZGems@Mac.home>
Date: Mon, 11 Aug 2025 07:24:51 -0700
From: Boqun Feng <boqun.feng@...il.com>
To: Alice Ryhl <aliceryhl@...gle.com>
Cc: Daniel Almeida <daniel.almeida@...labora.com>,
Miguel Ojeda <ojeda@...nel.org>, Gary Guo <gary@...yguo.net>,
Björn Roy Baron <bjorn3_gh@...tonmail.com>,
Andreas Hindborg <a.hindborg@...nel.org>,
Trevor Gross <tmgross@...ch.edu>,
Danilo Krummrich <dakr@...nel.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
"Rafael J. Wysocki" <rafael@...nel.org>,
Thomas Gleixner <tglx@...utronix.de>,
Bjorn Helgaas <bhelgaas@...gle.com>,
Krzysztof Wilczy´nski <kwilczynski@...nel.org>,
Benno Lossin <lossin@...nel.org>, Dirk Behme <dirk.behme@...il.com>,
linux-kernel@...r.kernel.org, rust-for-linux@...r.kernel.org,
linux-pci@...r.kernel.org
Subject: Re: [PATCH v2] rust: irq: add &Device<Bound> argument to irq
callbacks
On Mon, Aug 11, 2025 at 04:05:31PM +0200, Alice Ryhl wrote:
> On Mon, Aug 11, 2025 at 3:56 PM Boqun Feng <boqun.feng@...il.com> wrote:
> >
> > On Mon, Aug 11, 2025 at 12:33:51PM +0000, Alice Ryhl wrote:
> > [...]
> > > @@ -207,8 +207,8 @@ pub fn new<'a>(
> > > inner <- Devres::new(
> > > request.dev,
> > > try_pin_init!(RegistrationInner {
> > > - // SAFETY: `this` is a valid pointer to the `Registration` instance
> > > - cookie: unsafe { &raw mut (*this.as_ptr()).handler }.cast(),
> > > + // INVARIANT: `this` is a valid pointer to the `Registration` instance
> > > + cookie: this.as_ptr().cast::<c_void>(),
> >
> > At this moment the `Regstration` is not fully initialized...
> >
> > > irq: {
> > > // SAFETY:
> > > // - The callbacks are valid for use with request_irq.
> > > @@ -221,7 +221,7 @@ pub fn new<'a>(
> > > Some(handle_irq_callback::<T>),
> > > flags.into_inner(),
> > > name.as_char_ptr(),
> > > - (&raw mut (*this.as_ptr()).handler).cast(),
> > > + this.as_ptr().cast::<c_void>(),
> > > )
> >
> > ... and interrupt can happen right after request_irq() ...
> >
> > > })?;
> > > request.irq
> > > @@ -258,9 +258,13 @@ pub fn synchronize(&self, dev: &Device<Bound>) -> Result {
> > > ///
> > > /// This function should be only used as the callback in `request_irq`.
> > > unsafe extern "C" fn handle_irq_callback<T: Handler>(_irq: i32, ptr: *mut c_void) -> c_uint {
> > > - // SAFETY: `ptr` is a pointer to T set in `Registration::new`
> > > - let handler = unsafe { &*(ptr as *const T) };
> > > - T::handle(handler) as c_uint
> > > + // SAFETY: `ptr` is a pointer to `Registration<T>` set in `Registration::new`
> > > + let registration = unsafe { &*(ptr as *const Registration<T>) };
> >
> > ... hence it's not correct to construct a reference to `Registration`
> > here, but yes, both `handler` and the `device` part of `inner` has been
> > properly initialized. So
> >
> > let registration = ptr.cast::<Registration<T>>();
> >
> > // SAFETY: The `data` part of `Devres` is `Opaque` and here we
> > // only access `.device()`, which has been properly initialized
> > // before `request_irq()`.
> > let device = unsafe { (*registration).inner.device() };
> >
> > // SAFETY: The irq callback is removed before the device is
> > // unbound, so the fact that the irq callback is running implies
> > // that the device has not yet been unbound.
> > let device = unsafe { device.as_bound() };
> >
> > // SAFETY: `.handler` has been properly initialized before
> > // `request_irq()`.
> > T::handle(unsafe { &(*registration).handler }, device) as c_uint
> >
> > Thoughts? Similar for the threaded one.
>
> This code is no different. It creates a reference to `inner` before
> the `irq` field is written. Of course, it's also no different in that
> since data of a `Devres` is in `Opaque`, this is not actually UB.
>
Well, I think we need at least mentioning that it's safe because we
don't access .inner.inner here, but..
> What I can offer you is to use the closure form of pin-init to call
> request_irq after initialization has fully completed.
>
.. now you mention this, I think we can just move the `request_irq()`
to the initializer of `_pin`:
------>8
diff --git a/rust/kernel/irq/request.rs b/rust/kernel/irq/request.rs
index ae5d967fb9d6..3343964fc1ab 100644
--- a/rust/kernel/irq/request.rs
+++ b/rust/kernel/irq/request.rs
@@ -209,26 +209,26 @@ pub fn new<'a>(
try_pin_init!(RegistrationInner {
// INVARIANT: `this` is a valid pointer to the `Registration` instance
cookie: this.as_ptr().cast::<c_void>(),
- irq: {
- // SAFETY:
- // - The callbacks are valid for use with request_irq.
- // - If this succeeds, the slot is guaranteed to be valid until the
- // destructor of Self runs, which will deregister the callbacks
- // before the memory location becomes invalid.
- to_result(unsafe {
- bindings::request_irq(
- request.irq,
- Some(handle_irq_callback::<T>),
- flags.into_inner(),
- name.as_char_ptr(),
- this.as_ptr().cast::<c_void>(),
- )
- })?;
- request.irq
- }
+ irq: request.irq
})
),
- _pin: PhantomPinned,
+ _pin: {
+ // SAFETY:
+ // - The callbacks are valid for use with request_irq.
+ // - If this succeeds, the slot is guaranteed to be valid until the
+ // destructor of Self runs, which will deregister the callbacks
+ // before the memory location becomes invalid.
+ to_result(unsafe {
+ bindings::request_irq(
+ request.irq,
+ Some(handle_irq_callback::<T>),
+ flags.into_inner(),
+ name.as_char_ptr(),
+ this.as_ptr().cast::<c_void>(),
+ )
+ })?;
+ PhantomPinned
+ },
})
}
Thoughts?
Regards,
Boqun
Powered by blists - more mailing lists