Open Source and information security mailing list archives
Message-ID: <0f839f73-400f-47d5-9708-0fa40ed0d4e9@proton.me>
Date: Tue, 17 Oct 2023 14:32:07 +0000
From: Benno Lossin <benno.lossin@...ton.me>
To: Greg KH <gregkh@...uxfoundation.org>
Cc: Andrew Lunn <andrew@...n.ch>, FUJITA Tomonori <fujita.tomonori@...il.com>, netdev@...r.kernel.org, rust-for-linux@...r.kernel.org, miguel.ojeda.sandonis@...il.com, tmgross@...ch.edu, boqun.feng@...il.com, wedsonaf@...il.com
Subject: Re: [PATCH net-next v4 1/4] rust: core abstractions for network PHY drivers

On 17.10.23 16:21, Greg KH wrote:
> On Tue, Oct 17, 2023 at 02:04:33PM +0000, Benno Lossin wrote:
>> On 17.10.23 14:38, Andrew Lunn wrote:
>>>>> Because set_speed() updates the member in phy_device and read()
>>>>> updates the object that phy_device points to?
>>>>
>>>> `set_speed` is entirely implemented on the Rust side and is not protected
>>>> by a lock.
>>>
>>> With the current driver, all entry points into the driver are called
>>> from the phylib core, and the core guarantees that the lock is
>>> taken. So it should not matter if it's entirely implemented in the Rust
>>> side, somewhere up the call stack, the lock was taken.
>>
>> Sure that might be the case, I am trying to guard against this future
>> problem:
>>
>> fn soft_reset(driver: &mut Driver) -> Result {
>>     // Reborrow as a shared reference: with `set_speed(&self)` both
>>     // closures below may capture it at the same time.
>>     let driver: &Driver = driver;
>>     thread::scope(|s| {
>>         let thread_a = s.spawn(|| {
>>             for _ in 0..100_000_000 {
>>                 driver.set_speed(10);
>>             }
>>         });
>>         let thread_b = s.spawn(|| {
>>             for _ in 0..100_000_000 {
>>                 driver.set_speed(10);
>>             }
>>         });
>>         thread_a.join();
>>         thread_b.join();
>>     });
>>     Ok(())
>> }
>>
>> This code spawns two new threads both of which can call `set_speed`,
>> since it takes `&self`. But this leads to a data race, since those
>> accesses are not serialized. I know that this is a very contrived
>> example, but you never know when this will become reality, so we should
>> do the right thing now and just use `&mut self`, since that is exactly
>> what it is for.
>
> Kernel code is written for the use cases today, don't worry about
> tomorrow, you can fix the issue tomorrow if you change something that
> requires it.

The kind of coding style that (mis)-uses interior mutability is not
something that we can change overnight. We should do it properly to
begin with.

> And what "race" are you getting here? You don't have threads in the
> kernel :)

I chose threads, since I am a lot more familiar with that, but the kernel
also has workqueues which execute stuff concurrently (if I remember
correctly). We also have patches for bindings for the workqueue so they
are not that far away.

> Also, if two things are setting the speed, wonderful, you get some sort
> of value eventually, you have much bigger problems in your code as you
> shouldn't have been doing that in the first place.

This is not allowed in Rust, it is UB and will lead to bad things.

>> Note that we do not even have a way to create threads on the Rust side
>> at the moment.
>
> Which is a good thing :)
>
>> But we should already be thinking about any possible code pattern.
>
> Again, no, deal with what we have today, kernel code is NOT
> future-proof, that's not how we write this stuff.

While I made my argument for future proofing, I think that we should
just be using the standard Rust stuff where it applies. When you want to
modify something, use `&mut T`, if not then use `&T`. Only deviate from
this if you have a good argument.

-- 
Cheers,
Benno
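The two designs argued over in the thread, side by side, as an added example that is not part of the message above and not code from the rust-for-linux PHY abstraction: `PhyState`, `ExclusiveDriver`, `SharedDriver` and the two `hammer_*` helpers are stand-ins invented here. `ExclusiveDriver::set_speed` takes `&mut self`, so the borrow checker alone serialises callers; `SharedDriver::set_speed` takes `&self` and is only sound because a `Mutex` inside does the serialising that, in the real driver, the phylib core's lock is relied on to do. A `&self` setter that wrote through a raw pointer or `UnsafeCell` with neither would be the data race Benno describes.

```rust
use std::sync::Mutex;
use std::thread;

/// Stand-in for the PHY device state a driver mutates (constructed for this
/// example; the real abstraction wraps a C `phy_device`).
#[derive(Debug, Default)]
pub struct PhyState {
    pub speed: u32,
    pub set_count: u64,
}

/// Driver whose mutating entry point takes `&mut self`. Exclusive access is
/// guaranteed by the borrow checker, so a plain field needs no lock.
#[derive(Debug, Default)]
pub struct ExclusiveDriver {
    state: PhyState,
}

impl ExclusiveDriver {
    pub fn set_speed(&mut self, speed: u32) {
        self.state.speed = speed;
        self.state.set_count += 1;
    }
    pub fn speed(&self) -> u32 {
        self.state.speed
    }
    pub fn set_count(&self) -> u64 {
        self.state.set_count
    }
}

/// Driver whose mutating entry point takes `&self`. This is only sound if the
/// mutation is serialised internally; the `Mutex` plays the role of the
/// phylib core lock that the C side takes before calling into the driver.
#[derive(Debug, Default)]
pub struct SharedDriver {
    state: Mutex<PhyState>,
}

impl SharedDriver {
    pub fn set_speed(&self, speed: u32) {
        let mut st = self.state.lock().unwrap();
        st.speed = speed;
        st.set_count += 1;
    }
    pub fn speed(&self) -> u32 {
        self.state.lock().unwrap().speed
    }
    pub fn set_count(&self) -> u64 {
        self.state.lock().unwrap().set_count
    }
}

/// The contrived `soft_reset` workload: two scoped threads calling
/// `set_speed` concurrently. Both closures may capture `driver` because the
/// method takes `&self`; the Mutex keeps the count exact at 2 * iters.
pub fn hammer_shared(driver: &SharedDriver, iters: u64) -> (u32, u64) {
    thread::scope(|s| {
        for _ in 0..2 {
            s.spawn(|| {
                for _ in 0..iters {
                    driver.set_speed(10);
                }
            });
        }
    });
    (driver.speed(), driver.set_count())
}

/// Same workload against the `&mut self` driver. Only one closure can hold the
/// unique borrow; adding a second `s.spawn` that also calls `driver.set_speed`
/// is rejected at compile time (E0499), so the race cannot be written.
pub fn hammer_exclusive(driver: &mut ExclusiveDriver, iters: u64) -> (u32, u64) {
    thread::scope(|s| {
        s.spawn(|| {
            for _ in 0..iters {
                driver.set_speed(10);
            }
        });
    });
    (driver.speed(), driver.set_count())
}

fn main() {
    let shared = SharedDriver::default();
    println!("shared (&self + Mutex): {:?}", hammer_shared(&shared, 10_000));
    let mut excl = ExclusiveDriver::default();
    println!("exclusive (&mut self): {:?}", hammer_exclusive(&mut excl, 10_000));
}
```

The practical check when reviewing an abstraction like this is the one Benno applies: if a method takes `&self` and mutates, ask what serialises the callers. If the answer is "a lock somewhere up the C call stack", that invariant lives outside the type system, and the method should either take `&mut self` or be marked `unsafe` with the locking requirement written into its safety contract.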