| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260123231230.248500-3-lyude@redhat.com>
Date: Fri, 23 Jan 2026 18:10:14 -0500
From: Lyude Paul <lyude@...hat.com>
To: linux-kernel@...r.kernel.org,
dri-devel@...ts.freedesktop.org,
rust-for-linux@...r.kernel.org,
Danilo Krummrich <dakr@...nel.org>
Cc: nouveau@...ts.freedesktop.org,
"Miguel Ojeda" <ojeda@...nel.org>,
"Simona Vetter" <simona@...ll.ch>,
"Alice Ryhl" <aliceryhl@...gle.com>,
"Shankari Anand" <shankari.ak0208@...il.com>,
"David Airlie" <airlied@...il.com>,
"Benno Lossin" <lossin@...nel.org>,
"Asahi Lina" <lina+kernel@...hilina.net>,
"Daniel Almeida" <daniel.almeida@...labora.com>,
"Lyude Paul" <lyude@...hat.com>
Subject: [PATCH v4 2/3] rust/drm: Don't setup private driver data until registration
Now that we have a DeviceContext that we can use to represent whether a
Device is known to have been registered, we can make it so that drivers can
create their Devices but wait until the registration phase to assign their
private data to the Device. This is desirable as some drivers need to make
use of the DRM device early on before finalizing their private driver data.
As such, this change makes it so that the driver's private data can
currently only be accessed through Device<T, Registered> types and not
Device<T, Uninit>.
Signed-off-by: Lyude Paul <lyude@...hat.com>
---
V4:
* Remove accidental double-aliasing &mut in Device::release()
---
drivers/gpu/drm/nova/driver.rs | 4 +--
drivers/gpu/drm/tyr/driver.rs | 4 +--
rust/kernel/drm/device.rs | 64 +++++++++++++++++++++-------------
rust/kernel/drm/driver.rs | 19 ++++++++--
4 files changed, 59 insertions(+), 32 deletions(-)
diff --git a/drivers/gpu/drm/nova/driver.rs b/drivers/gpu/drm/nova/driver.rs
index 99d6841b69cbc..8cea5f68c3b04 100644
--- a/drivers/gpu/drm/nova/driver.rs
+++ b/drivers/gpu/drm/nova/driver.rs
@@ -56,8 +56,8 @@ impl auxiliary::Driver for NovaDriver {
fn probe(adev: &auxiliary::Device<Core>, _info: &Self::IdInfo) -> impl PinInit<Self, Error> {
let data = try_pin_init!(NovaData { adev: adev.into() });
- let drm = drm::UnregisteredDevice::<Self>::new(adev.as_ref(), data)?;
- let drm = drm::Registration::new_foreign_owned(drm, adev.as_ref(), 0)?;
+ let drm = drm::UnregisteredDevice::<Self>::new(adev.as_ref())?;
+ let drm = drm::Registration::new_foreign_owned(drm, adev.as_ref(), data, 0)?;
Ok(Self { drm: drm.into() })
}
diff --git a/drivers/gpu/drm/tyr/driver.rs b/drivers/gpu/drm/tyr/driver.rs
index 0d479b5d7bd62..b574ee1c24587 100644
--- a/drivers/gpu/drm/tyr/driver.rs
+++ b/drivers/gpu/drm/tyr/driver.rs
@@ -133,8 +133,8 @@ fn probe(
gpu_info,
});
- let tdev = drm::UnregisteredDevice::<Self>::new(pdev.as_ref(), data)?;
- let tdev = drm::driver::Registration::new_foreign_owned(tdev, pdev.as_ref(), 0)?;
+ let tdev = drm::UnregisteredDevice::<Self>::new(pdev.as_ref())?;
+ let tdev = drm::driver::Registration::new_foreign_owned(tdev, pdev.as_ref(), data, 0)?;
let driver = TyrDriver {
_device: tdev.into(),
diff --git a/rust/kernel/drm/device.rs b/rust/kernel/drm/device.rs
index 8f1780b8f0196..a1d9b0e92f3fd 100644
--- a/rust/kernel/drm/device.rs
+++ b/rust/kernel/drm/device.rs
@@ -26,13 +26,15 @@
};
use core::{
alloc::Layout,
+ cell::UnsafeCell,
marker::PhantomData,
- mem,
- ops::Deref,
- ptr::{
+ mem::{
self,
- NonNull, //
+ MaybeUninit, //
},
+ ops::Deref,
+ ptr::NonNull,
+ sync::atomic::*,
};
#[cfg(CONFIG_DRM_LEGACY)]
@@ -141,7 +143,7 @@ impl DeviceContext for Uninit {}
///
/// The device in `self.0` is guaranteed to be a newly created [`Device`] that has not yet been
/// registered with userspace until this type is dropped.
-pub struct UnregisteredDevice<T: drm::Driver>(ARef<Device<T, Uninit>>, NotThreadSafe);
+pub struct UnregisteredDevice<T: drm::Driver>(pub(crate) ARef<Device<T, Uninit>>, NotThreadSafe);
impl<T: drm::Driver> Deref for UnregisteredDevice<T> {
type Target = Device<T, Uninit>;
@@ -188,7 +190,7 @@ impl<T: drm::Driver> UnregisteredDevice<T> {
/// Create a new `UnregisteredDevice` for a `drm::Driver`.
///
/// This can be used to create a [`Registration`](kernel::drm::Registration).
- pub fn new(dev: &device::Device, data: impl PinInit<T::Data, Error>) -> Result<Self> {
+ pub fn new(dev: &device::Device) -> Result<Self> {
// `__drm_dev_alloc` uses `kmalloc()` to allocate memory, hence ensure a `kmalloc()`
// compatible `Layout`.
let layout = Kmalloc::aligned_layout(Layout::new::<Self>());
@@ -207,22 +209,6 @@ pub fn new(dev: &device::Device, data: impl PinInit<T::Data, Error>) -> Result<S
.cast();
let raw_drm = NonNull::new(from_err_ptr(raw_drm)?).ok_or(ENOMEM)?;
- // SAFETY: `raw_drm` is a valid pointer to `Self`.
- let raw_data = unsafe { ptr::addr_of_mut!((*raw_drm.as_ptr()).data) };
-
- // SAFETY:
- // - `raw_data` is a valid pointer to uninitialized memory.
- // - `raw_data` will not move until it is dropped.
- unsafe { data.__pinned_init(raw_data) }.inspect_err(|_| {
- // SAFETY: `raw_drm` is a valid pointer to `Self`, given that `__drm_dev_alloc` was
- // successful.
- let drm_dev = unsafe { Device::into_drm_device(raw_drm) };
-
- // SAFETY: `__drm_dev_alloc()` was successful, hence `drm_dev` must be valid and the
- // refcount must be non-zero.
- unsafe { bindings::drm_dev_put(drm_dev) };
- })?;
-
// SAFETY: The reference count is one, and now we take ownership of that reference as a
// `drm::Device`.
// INVARIANT: We just created the device above, but have yet to call `drm_dev_register`.
@@ -253,7 +239,15 @@ pub fn new(dev: &device::Device, data: impl PinInit<T::Data, Error>) -> Result<S
#[repr(C)]
pub struct Device<T: drm::Driver, C: DeviceContext = Registered> {
dev: Opaque<bindings::drm_device>,
- data: T::Data,
+
+ /// Keeps track of whether we've initialized the device data yet.
+ pub(crate) data_is_init: AtomicBool,
+
+ /// The Driver's private data.
+ ///
+ /// This must only be written to from [`drm::Registration::new`].
+ pub(crate) data: UnsafeCell<MaybeUninit<T::Data>>,
+
_ctx: PhantomData<C>,
}
@@ -304,6 +298,22 @@ extern "C" fn release(ptr: *mut bindings::drm_device) {
// SAFETY: `ptr` is a valid pointer to a `struct drm_device` and embedded in `Self`.
let this = unsafe { Self::from_drm_device(ptr) };
+ // SAFETY:
+ // - Since we are in release(), we are guaranteed that no one else has access to `this`.
+ // - We confirmed above that `this` is a valid pointer to an initialized `Self`.
+ let is_init = unsafe { &*this }.data_is_init.load(Ordering::Relaxed);
+ if is_init {
+ // SAFETY:
+ // - We confirmed we have unique access to this above.
+ // - We confirmed that `data` is initialized above.
+ let data_ptr = unsafe { &mut (*this).data };
+
+ // SAFETY:
+ // - We checked that the data is initialized above.
+ // - We do not use `data` any point after calling this function.
+ unsafe { data_ptr.get_mut().assume_init_drop() };
+ }
+
// SAFETY:
// - When `release` runs it is guaranteed that there is no further access to `this`.
// - `this` is valid for dropping.
@@ -322,11 +332,15 @@ pub(crate) unsafe fn assume_ctx<NewCtx: DeviceContext>(&self) -> &Device<T, NewC
}
}
-impl<T: drm::Driver, C: DeviceContext> Deref for Device<T, C> {
+impl<T: drm::Driver> Deref for Device<T, Registered> {
type Target = T::Data;
fn deref(&self) -> &Self::Target {
- &self.data
+ // SAFETY:
+ // - `data` is initialized before any `Device`s with the `Registered` context are available
+ // to the user.
+ // - `data` is only written to once in `Registration::new()`, so this read will never race.
+ unsafe { (&*self.data.get()).assume_init_ref() }
}
}
diff --git a/rust/kernel/drm/driver.rs b/rust/kernel/drm/driver.rs
index 55b01ee088548..cfb8884ece700 100644
--- a/rust/kernel/drm/driver.rs
+++ b/rust/kernel/drm/driver.rs
@@ -15,7 +15,8 @@
};
use core::{
mem,
- ptr::NonNull, //
+ ptr::NonNull,
+ sync::atomic::*, //
};
/// Driver use the GEM memory manager. This should be set for all modern drivers.
@@ -127,7 +128,18 @@ pub trait Driver {
pub struct Registration<T: Driver>(ARef<drm::Device<T>>);
impl<T: Driver> Registration<T> {
- fn new(drm: drm::UnregisteredDevice<T>, flags: usize) -> Result<Self> {
+ fn new(
+ drm: drm::UnregisteredDevice<T>,
+ data: impl PinInit<T::Data, Error>,
+ flags: usize,
+ ) -> Result<Self> {
+ // SAFETY:
+ // - `raw_data` is a valid pointer to uninitialized memory.
+ // - `raw_data` will not move until it is dropped.
+ unsafe { data.__pinned_init(drm.0.data.get().cast()) }?;
+
+ drm.data_is_init.store(true, Ordering::Relaxed);
+
// SAFETY: `drm.as_raw()` is valid by the invariants of `drm::Device`.
to_result(unsafe { bindings::drm_dev_register(drm.as_raw(), flags) })?;
@@ -150,6 +162,7 @@ fn new(drm: drm::UnregisteredDevice<T>, flags: usize) -> Result<Self> {
pub fn new_foreign_owned<'a>(
drm: drm::UnregisteredDevice<T>,
dev: &'a device::Device<device::Bound>,
+ data: impl PinInit<T::Data, Error>,
flags: usize,
) -> Result<&'a drm::Device<T>>
where
@@ -159,7 +172,7 @@ pub fn new_foreign_owned<'a>(
return Err(EINVAL);
}
- let reg = Registration::<T>::new(drm, flags)?;
+ let reg = Registration::<T>::new(drm, data, flags)?;
let drm = NonNull::from(reg.device());
devres::register(dev, reg, GFP_KERNEL)?;
--
2.52.0
Powered by blists - more mailing lists