| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <DCRXOMQN3Z20.2JCNP4BDEE79T@kernel.org> Date: Sat, 13 Sep 2025 21:53:16 +0200 From: "Danilo Krummrich" <dakr@...nel.org> To: "Joel Fernandes" <joelagnelf@...dia.com> Cc: "Alexandre Courbot" <acourbot@...dia.com>, "Miguel Ojeda" <ojeda@...nel.org>, "Alex Gaynor" <alex.gaynor@...il.com>, "Boqun Feng" <boqun.feng@...il.com>, "Gary Guo" <gary@...yguo.net>, Björn Roy Baron <bjorn3_gh@...tonmail.com>, "Benno Lossin" <lossin@...nel.org>, "Andreas Hindborg" <a.hindborg@...nel.org>, "Alice Ryhl" <aliceryhl@...gle.com>, "Trevor Gross" <tmgross@...ch.edu>, "David Airlie" <airlied@...il.com>, "Simona Vetter" <simona@...ll.ch>, "Maarten Lankhorst" <maarten.lankhorst@...ux.intel.com>, "Maxime Ripard" <mripard@...nel.org>, "Thomas Zimmermann" <tzimmermann@...e.de>, "John Hubbard" <jhubbard@...dia.com>, "Alistair Popple" <apopple@...dia.com>, "Timur Tabi" <ttabi@...dia.com>, <rust-for-linux@...r.kernel.org>, <linux-kernel@...r.kernel.org>, <nouveau@...ts.freedesktop.org>, <dri-devel@...ts.freedesktop.org> Subject: Re: [PATCH v5 02/12] gpu: nova-core: move GSP boot code to a dedicated method On Sat Sep 13, 2025 at 7:13 PM CEST, Joel Fernandes wrote: > On Sat, Sep 13, 2025 at 03:30:31PM +0200, Danilo Krummrich wrote: >> On Sat Sep 13, 2025 at 3:02 AM CEST, Joel Fernandes wrote: >> > Any chance we can initialize the locks later? We don't need locking until >> > after the boot process is completed, and if there's a way we can dynamically >> > "pin", where we hypothetically pin after the boot process completed, that >> > might also work. Though I am not sure if that's something possible in >> > Rust/rust4linux or if it makes sense. >> >> We can't partially initialize structures and then rely on accessing initialized >> data only. > > Yet, that is exactly what the pin initialization sequence block does? The > whole structure is not initialized yet you need access to already initialized > fields. No, having a reference to a partially initialized structure is UB. But of course you can have a reference to already initialized fields within a not yet fully initialized structure. >> This is one of the sources for memory bugs that Rust tries to solve. >> You can wrap fields into Option types and initialize them later, which would >> defer pin-init calls for the price of having Option fields around. > > I am not denying the need for pinning. Also regarding Option, just thinking > out loud but if something is optional temporary, maybe needing a new type > like TempOption, and promote it to a non-option type later, I am not seeing > that as completely outside the world, if there is a legitimate usecase that > needs to be Option temporarily, but not later, what's wrong with that? It is > "Optional" for the timebeing, but not later. That's what MaybeUninit<T> from the core library already does and promoting it to T is fundamentally unsafe for obvious reasons. Drivers should never use that. Having partially initialized structures is a horrible anti-pattern that we see too often in C code (only for convinience reasons) causing real memory bugs. If you run into a case where you want this, 99% of the time you have a design issue that you should fix instead. >> However, we should never do such things. If there's the necessity to do >> something like that, it indicates a design issue. >> >> In this case, there's no problem, we can use pin-init without any issues right >> away, and should do so. >> >> pin-init is going to be an essential part of *every* Rust driver given that a >> lot of the C infrastruture that we abstract requires pinned initialization, such >> as locks and other synchronization primitives. > > To be honest, the pinning concept seems like an after thought for such a > fundamental thing that we need, requiring additional macros, and bandaids on > top of the language itself, to make it work for the kernel. I am not alone in > that opinion. This should be first-class in a (systems) language, built into > the language itself? I am talking about the whole pin initialization, > accessing fields dances, etc. Yes, that's exactly why people (Benno) are already working on making this a language feature (here's a first step in this direction [1]). Benno should have more details on this. [1] https://github.com/rust-lang/rust/pull/146307 > Also I am concerned that overusage of pinning defeats a lot of optimizations pin-init does the oposite it allows us to use a single memory allocation where otherwise you would need multiple. Can you please show some optimizations that can not be done in drivers due to pin-init for dynamic allocations? Or in other words, what are the things you want to do with a KBox<T> in drivers that you can't do with a Pin<KBox<T>> in a more optimal way? > that Rust may be able to perform, especially forcefully pinning stuff that > does not need all to be pinned (except to satisfy paranoia), Can you please present some examples where it is a major advantage to be able to move out of a Box in drivers? I think you will have a hard time finding them. In C code, how often do you move fields out of structures that live within a kmalloc() allocation? > thus generating > suboptimal code gen. Not only does it require redesign and concerns over > accesses to un-initialized fields, We're not doing any accesses to uninitialized fields with pin-init, nor do we encourage them. > like we saw in the last 2-3 weeks, it also > forces people into that when maybe there is a chance that underlying > structures do not need to be pinned at all (for some usecases). Again, what are those use-cases where you want to be able to move out of a Box in drivers?
Powered by blists - more mailing lists