From: Boqun Feng <boqun@kernel.org>
To: Danilo Krummrich <dakr@kernel.org>
Cc: lossin@kernel.org, gary@garyguo.net, ojeda@kernel.org,
bjorn3_gh@protonmail.com, a.hindborg@kernel.org,
aliceryhl@google.com, tmgross@umich.edu,
daniel.almeida@collabora.com, tamird@kernel.org,
acourbot@nvidia.com, work@onurozkan.dev, lyude@redhat.com,
deborah.brouwer@collabora.com, rust-for-linux@vger.kernel.org,
driver-core@lists.linux.dev, stable@vger.kernel.org,
Sashiko <sashiko-bot@kernel.org>
Subject: Re: [PATCH 2/2] rust: revocable: fix race between concurrent revokers
Date: Thu, 18 Jun 2026 14:35:25 -0700 [thread overview]
Message-ID: <ajRknQIsXaHtDzzJ@MacBook-0RXW5> (raw)
In-Reply-To: <20260618193951.601239-3-dakr@kernel.org>
On Thu, Jun 18, 2026 at 09:32:59PM +0200, Danilo Krummrich wrote:
> There is a potential race condition when two paths try to revoke a
> Revocable concurrently.
>
> It can happen with e.g. Devres, where the driver core's
> devres_release_all() calls Revocable::revoke() via the devres callback,
> while Devres::drop() calls revoke_nosync() on another CPU.
>
> The revoker that does not claim the is_available swap returns
> immediately, but the revoker that did may still be executing
> drop_in_place() on the inner data. This can cause a use-after-free when
> the other revoker's caller proceeds to drop adjacent resources that
> drop_in_place() still references (e.g., Devres<DmaMappedSgt> racing with
> SGTable freeing the backing sg_table and pages).
>
> Fix this by adding a Completion to Revocable. The revoker that claims
> the swap signals the Completion after drop_in_place() finishes, and any
> concurrent revoker waits for it before returning. This ensures the
> wrapped object is fully torn down before either path continues.
>
I'm not sure this issue is a Revocable issue or even Devres issue,
because normally if you have a
struct Foo {
revoke: Revocable<T>
data: U
}
and if `revoke` referenced `data`, then `T` will have a refcount on `U`
(of course this requires `U` to be a `Arc` or `ARef`, not very
effecient, but correct). And we won't have this issue because either
revoker will be responsible for the finally drop.
This issue happens particularly when we want to save the extra refcount
(and indirect reference), and I think this is the issue that `Foo`
should handle instead of `Revocable`. So maybe we should move the fix
into `Devres` layer? Thoughts?
(I'm still hoping there could be some lightweight usage of Revocable
other than Devres, hence the ask.)
Regards,
Boqun
> If needed, a revoke_no_wait() variant that does not wait for concurrent
> revocations to complete can be added in the future.
>
> Cc: stable@vger.kernel.org
> Reported-by: Sashiko <sashiko-bot@kernel.org>
> Closes: https://lore.kernel.org/dri-devel/20260612202841.2577C1F000E9@smtp.kernel.org/
> Suggested-by: Gary Guo <gary@garyguo.net>
> Fixes: 05aa6fb1c21d ("rust: scatterlist: Add abstraction for sg_table")
> Signed-off-by: Danilo Krummrich <dakr@kernel.org>
> ---
[...]
next prev parent reply other threads:[~2026-06-18 21:35 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-18 19:32 [PATCH 0/2] rust: revocable: fix potential race between concurrent revokers Danilo Krummrich
2026-06-18 19:32 ` [PATCH 1/2] pin-init: add PinInit::map_err() for error type conversion Danilo Krummrich
2026-06-18 19:32 ` [PATCH 2/2] rust: revocable: fix race between concurrent revokers Danilo Krummrich
2026-06-18 21:35 ` Boqun Feng [this message]
2026-06-18 22:24 ` Danilo Krummrich
2026-06-18 22:28 ` Boqun Feng
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ajRknQIsXaHtDzzJ@MacBook-0RXW5 \
--to=boqun@kernel.org \
--cc=a.hindborg@kernel.org \
--cc=acourbot@nvidia.com \
--cc=aliceryhl@google.com \
--cc=bjorn3_gh@protonmail.com \
--cc=dakr@kernel.org \
--cc=daniel.almeida@collabora.com \
--cc=deborah.brouwer@collabora.com \
--cc=driver-core@lists.linux.dev \
--cc=gary@garyguo.net \
--cc=lossin@kernel.org \
--cc=lyude@redhat.com \
--cc=ojeda@kernel.org \
--cc=rust-for-linux@vger.kernel.org \
--cc=sashiko-bot@kernel.org \
--cc=stable@vger.kernel.org \
--cc=tamird@kernel.org \
--cc=tmgross@umich.edu \
--cc=work@onurozkan.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox