From: Boqun Feng <boqun.feng@gmail.com>
To: Mitchell Levy <levymitchell0@gmail.com>
Cc: "Miguel Ojeda" <ojeda@kernel.org>,
"Alex Gaynor" <alex.gaynor@gmail.com>,
"Wedson Almeida Filho" <wedsonaf@gmail.com>,
"Gary Guo" <gary@garyguo.net>,
"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
"Benno Lossin" <benno.lossin@proton.me>,
"Alice Ryhl" <aliceryhl@google.com>,
"Trevor Gross" <tmgross@umich.edu>,
"Andreas Hindborg" <a.hindborg@kernel.org>,
linux-block@vger.kernel.org, rust-for-linux@vger.kernel.org,
linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH v2 0/2] rust: lockdep: Fix soundness issue affecting LockClassKeys
Date: Fri, 10 Jan 2025 06:12:34 -0800 [thread overview]
Message-ID: <Z4Eq0qoZaIt7j9zW@boqun-archlinux> (raw)
In-Reply-To: <20241219-rust-lockdep-v2-0-f65308fbc5ca@gmail.com>
On Thu, Dec 19, 2024 at 12:58:54PM -0800, Mitchell Levy wrote:
> This series is aimed at fixing a soundness issue with how dynamically
> allocated LockClassKeys are handled. Currently, LockClassKeys can be
> used without being Pin'd, which can break lockdep since it relies on
> address stability. Similarly, these keys are not automatically
> (de)registered with lockdep.
>
> At the suggestion of Alice Ryhl, this series includes a patch for
> -stable kernels that disables dynamically allocated keys. This prevents
> backported patches from using the unsound implementation.
>
> Currently, this series requires that all dynamically allocated
> LockClassKeys have a lifetime of 'static (i.e., they must be leaked
> after allocation). This is because Lock does not currently keep a
> reference to the LockClassKey, instead passing it to C via FFI. This
> causes a problem because the rust compiler would allow creating a
> 'static Lock with a 'a LockClassKey (with 'a < 'static) while C would
> expect the LockClassKey to live as long as the lock. This problem
> represents an avenue for future work.
>
Thanks for doing this! I found some clippy warnings with the current
version, but overall it looks good to me. That said, appreciate it if
patch #2 gets more reviews on the interface changes, thanks!
Regards,
Boqun
> ---
> Changes from RFC:
> - Split into two commits so that dynamically allocated LockClassKeys are
> removed from stable kernels. (Thanks Alice Ryhl)
> - Extract calls to C lockdep functions into helpers so things build
> properly when LOCKDEP=n. (Thanks Benno Lossin)
> - Remove extraneous `get_ref()` calls. (Thanks Benno Lossin)
> - Provide better documentation for `new_dynamic()`. (Thanks Benno
> Lossin)
> - Ran rustfmt to fix formatting and some extraneous changes. (Thanks
> Alice Ryhl and Benno Lossin)
> - Link to RFC: https://lore.kernel.org/r/20240905-rust-lockdep-v1-1-d2c9c21aa8b2@gmail.com
>
> ---
> Changes in v2:
> - Dropped formatting change that's already fixed upstream (Thanks Dirk
> Behme).
> - Moved safety comment to the right point in the patch series (Thanks
> Dirk Behme and Boqun Feng).
> - Added an example of dynamic LockClassKey usage (Thanks Boqun Feng).
> - Link to v1: https://lore.kernel.org/r/20241004-rust-lockdep-v1-0-e9a5c45721fc@gmail.com
>
> ---
> Mitchell Levy (2):
> rust: lockdep: Remove support for dynamically allocated LockClassKeys
> rust: lockdep: Use Pin for all LockClassKey usages
>
> rust/helpers/helpers.c | 1 +
> rust/helpers/sync.c | 13 +++++++++
> rust/kernel/sync.rs | 63 ++++++++++++++++++++++++++++++++++-------
> rust/kernel/sync/condvar.rs | 5 ++--
> rust/kernel/sync/lock.rs | 9 ++----
> rust/kernel/sync/lock/global.rs | 5 ++--
> rust/kernel/sync/poll.rs | 2 +-
> rust/kernel/workqueue.rs | 3 +-
> 8 files changed, 78 insertions(+), 23 deletions(-)
> ---
> base-commit: 0c5928deada15a8d075516e6e0d9ee19011bb000
> change-id: 20240905-rust-lockdep-d3e30521c8ba
>
> Best regards,
> --
> Mitchell Levy <levymitchell0@gmail.com>
>
prev parent reply other threads:[~2025-01-10 14:13 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-19 20:58 [PATCH v2 0/2] rust: lockdep: Fix soundness issue affecting LockClassKeys Mitchell Levy
2024-12-19 20:58 ` [PATCH v2 1/2] rust: lockdep: Remove support for dynamically allocated LockClassKeys Mitchell Levy
2024-12-25 7:09 ` kernel test robot
2025-01-10 14:01 ` Boqun Feng
2024-12-19 20:58 ` [PATCH v2 2/2] rust: lockdep: Use Pin for all LockClassKey usages Mitchell Levy
2025-01-10 14:09 ` Boqun Feng
2025-01-10 14:12 ` Boqun Feng [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z4Eq0qoZaIt7j9zW@boqun-archlinux \
--to=boqun.feng@gmail.com \
--cc=a.hindborg@kernel.org \
--cc=alex.gaynor@gmail.com \
--cc=aliceryhl@google.com \
--cc=benno.lossin@proton.me \
--cc=bjorn3_gh@protonmail.com \
--cc=gary@garyguo.net \
--cc=levymitchell0@gmail.com \
--cc=linux-block@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=ojeda@kernel.org \
--cc=rust-for-linux@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tmgross@umich.edu \
--cc=wedsonaf@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox