Re: [PATCH v2 2/2] rust: miscdevice: access the `struct miscdevice` from fops->open()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Danilo Krummrich <dakr@kernel.org>
To: Alice Ryhl <aliceryhl@google.com>
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
	"Arnd Bergmann" <arnd@arndb.de>,
	"Alexander Viro" <viro@zeniv.linux.org.uk>,
	"Christian Brauner" <brauner@kernel.org>,
	"Jan Kara" <jack@suse.cz>, "Miguel Ojeda" <ojeda@kernel.org>,
	"Alex Gaynor" <alex.gaynor@gmail.com>,
	"Boqun Feng" <boqun.feng@gmail.com>,
	"Gary Guo" <gary@garyguo.net>,
	"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
	"Benno Lossin" <benno.lossin@proton.me>,
	"Andreas Hindborg" <a.hindborg@kernel.org>,
	"Trevor Gross" <tmgross@umich.edu>, "Lee Jones" <lee@kernel.org>,
	rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH v2 2/2] rust: miscdevice: access the `struct miscdevice` from fops->open()
Date: Mon, 9 Dec 2024 16:11:22 +0100	[thread overview]
Message-ID: <Z1cImntcEwsPHQgO@pollux.localdomain> (raw)
In-Reply-To: <CAH5fLgisVC15muFB0eThiMveFBoauB4jUVwW9Zez3cKT0Q=_iA@mail.gmail.com>

On Mon, Dec 09, 2024 at 04:04:48PM +0100, Alice Ryhl wrote:
> On Mon, Dec 9, 2024 at 4:01 PM Danilo Krummrich <dakr@kernel.org> wrote:
> >
> > On Mon, Dec 09, 2024 at 02:36:31PM +0100, Alice Ryhl wrote:
> > > On Mon, Dec 9, 2024 at 2:13 PM Greg Kroah-Hartman
> > > <gregkh@linuxfoundation.org> wrote:
> > > >
> > > > On Mon, Dec 09, 2024 at 01:53:42PM +0100, Alice Ryhl wrote:
> > > > > On Mon, Dec 9, 2024 at 1:08 PM Greg Kroah-Hartman
> > > > > <gregkh@linuxfoundation.org> wrote:
> > > > > >
> > > > > > On Mon, Dec 09, 2024 at 01:00:05PM +0100, Alice Ryhl wrote:
> > > > > > > On Mon, Dec 9, 2024 at 12:53 PM Greg Kroah-Hartman
> > > > > > > <gregkh@linuxfoundation.org> wrote:
> > > > > > > >
> > > > > > > > On Mon, Dec 09, 2024 at 12:38:32PM +0100, Alice Ryhl wrote:
> > > > > > > > > On Mon, Dec 9, 2024 at 12:10 PM Greg Kroah-Hartman
> > > > > > > > > <gregkh@linuxfoundation.org> wrote:
> > > > > > > > > >
> > > > > > > > > > On Mon, Dec 09, 2024 at 11:50:57AM +0100, Alice Ryhl wrote:
> > > > > > > > > > > On Mon, Dec 9, 2024 at 9:48 AM Greg Kroah-Hartman
> > > > > > > > > > > <gregkh@linuxfoundation.org> wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > On Mon, Dec 09, 2024 at 07:27:47AM +0000, Alice Ryhl wrote:
> > > > > > > > > > > > > Providing access to the underlying `struct miscdevice` is useful for
> > > > > > > > > > > > > various reasons. For example, this allows you access the miscdevice's
> > > > > > > > > > > > > internal `struct device` for use with the `dev_*` printing macros.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Note that since the underlying `struct miscdevice` could get freed at
> > > > > > > > > > > > > any point after the fops->open() call, only the open call is given
> > > > > > > > > > > > > access to it. To print from other calls, they should take a refcount on
> > > > > > > > > > > > > the device to keep it alive.
> > > > > > > > > > > >
> > > > > > > > > > > > The lifespan of the miscdevice is at least from open until close, so
> > > > > > > > > > > > it's safe for at least then (i.e. read/write/ioctl/etc.)
> > > > > > > > > > >
> > > > > > > > > > > How is that enforced? What happens if I call misc_deregister while
> > > > > > > > > > > there are open fds?
> > > > > > > > > >
> > > > > > > > > > You shouldn't be able to do that as the code that would be calling
> > > > > > > > > > misc_deregister() (i.e. in a module unload path) would not work because
> > > > > > > > > > the module reference count is incremented at this point in time due to
> > > > > > > > > > the file operation module reference.
> > > > > > > > >
> > > > > > > > > Oh .. so misc_deregister must only be called when the module is being unloaded?
> > > > > > > >
> > > > > > > > Traditionally yes, that's when it is called.  Do you see it happening in
> > > > > > > > any other place in the kernel today?
> > > > > > >
> > > > > > > I had not looked, but I know that Binder allows dynamically creating
> > > > > > > and removing its devices at runtime. It happens to be the case that
> > > > > > > this is only supported when binderfs is used, which is when it doesn't
> > > > > > > use miscdevice, so technically Binder does not call misc_deregister()
> > > > > > > outside of module unload, but following its example it's not hard to
> > > > > > > imagine that such removals could happen.
> > > > > >
> > > > > > That's why those are files and not misc devices :)
> > > > >
> > > > > I grepped for misc_deregister and the first driver I looked at is
> > > > > drivers/misc/bcm-vk which seems to allow dynamic deregistration if the
> > > > > pci device is removed.
> > > >
> > > > Ah, yeah, that's going to get messy and will be a problem if someone has
> > > > the file open then.
> > > >
> > > > > Another tricky path is error cleanup in its probe function.
> > > > > Technically, if probe fails after registering the misc device, there's
> > > > > a brief moment where you could open the miscdevice before it gets
> > > > > removed in the cleanup path, which seems to me that it could lead to
> > > > > UAF?
> > > > >
> > > > > Or is there something I'm missing?
> > > >
> > > > Nope, that too is a window of a problem, luckily you "should" only
> > > > register the misc device after you know the device is safe to use as
> > > > once it is registered, it could be used so it "should" be the last thing
> > > > you do in probe.
> > > >
> > > > So yes, you are right, and we do know about these issues (again see the
> > > > talk I mentioned and some previous ones for many years at plumbers
> > > > conferences by different people.)  It's just up to someone to do the
> > > > work to fix them.
> > > >
> > > > If you think we can prevent the race in the rust side, wonderful, I'm
> > > > all for that being a valid fix.
> > >
> > > The current patch prevents the race by only allowing access to the
> > > `struct miscdevice` in fops->open(). That's safe since
> > > `file->f_op->open` runs with `misc_mtx` held. Do we really need the
> > > miscdevice to stay alive for longer? You can already take a refcount
> > > on `this_device` if you want to keep the device alive for longer for
> > > dev_* printing purposes, but it seems like that is the only field you
> > > really need from the `struct miscdevice` past fops->open()?
> >
> > Good point, I also can't really see anything within struct miscdevice that a
> > driver could need other than `this_device`.
> >
> > How would you provide the `device::Device` within the `MiscDevice` trait
> > functions?
> >
> > If we don't guarantee that the `struct miscdevice` is still alive past open() we
> > need to take a reference on `this_device` in open().
> >
> > I guess the idea would be to let `MiscDeviceRegistration` provide a function to
> > obtain an `ARef<device::Device>`?
> 
> Yes, you take a refcount on the device and store an
> ARef<device::Device> in your own struct. You would need Lee's accessor
> to obtain the device refcount:
> https://lore.kernel.org/all/20241206090515.752267-3-lee@kernel.org/

Sounds good!

> 
> Alice

next prev parent reply	other threads:[~2024-12-09 15:11 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-12-09  7:27 [PATCH v2 0/2] Additional miscdevice fops parameters Alice Ryhl
2024-12-09  7:27 ` [PATCH v2 1/2] rust: miscdevice: access file in fops Alice Ryhl
2024-12-09  7:27 ` [PATCH v2 2/2] rust: miscdevice: access the `struct miscdevice` from fops->open() Alice Ryhl
2024-12-09  8:48   ` Greg Kroah-Hartman
2024-12-09 10:50     ` Alice Ryhl
2024-12-09 11:09       ` Greg Kroah-Hartman
2024-12-09 11:38         ` Alice Ryhl
2024-12-09 11:53           ` Greg Kroah-Hartman
2024-12-09 12:00             ` Alice Ryhl
2024-12-09 12:08               ` Greg Kroah-Hartman
2024-12-09 12:53                 ` Alice Ryhl
2024-12-09 13:13                   ` Greg Kroah-Hartman
2024-12-09 13:36                     ` Alice Ryhl
2024-12-09 15:01                       ` Danilo Krummrich
2024-12-09 15:04                         ` Alice Ryhl
2024-12-09 15:11                           ` Danilo Krummrich [this message]
2024-12-09 11:07   ` Danilo Krummrich
2024-12-09 11:17     ` Greg Kroah-Hartman
2024-12-09 11:36     ` Alice Ryhl
2024-12-09 14:42   ` kernel test robot
2024-12-09  8:43 ` [PATCH v2 0/2] Additional miscdevice fops parameters Greg Kroah-Hartman
2024-12-09 10:19   ` Miguel Ojeda
2024-12-09 10:44   ` Alice Ryhl
2024-12-09 20:06     ` Konstantin Ryabitsev

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Z1cImntcEwsPHQgO@pollux.localdomain \
    --to=dakr@kernel.org \
    --cc=a.hindborg@kernel.org \
    --cc=alex.gaynor@gmail.com \
    --cc=aliceryhl@google.com \
    --cc=arnd@arndb.de \
    --cc=benno.lossin@proton.me \
    --cc=bjorn3_gh@protonmail.com \
    --cc=boqun.feng@gmail.com \
    --cc=brauner@kernel.org \
    --cc=gary@garyguo.net \
    --cc=gregkh@linuxfoundation.org \
    --cc=jack@suse.cz \
    --cc=lee@kernel.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=ojeda@kernel.org \
    --cc=rust-for-linux@vger.kernel.org \
    --cc=tmgross@umich.edu \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.