From: Jason Gunthorpe <jgg@nvidia.com>
To: Danilo Krummrich <dakr@kernel.org>
Cc: "Abdiel Janulgue" <abdiel.janulgue@gmail.com>,
aliceryhl@google.com, robin.murphy@arm.com,
daniel.almeida@collabora.com, rust-for-linux@vger.kernel.org,
"Miguel Ojeda" <ojeda@kernel.org>,
"Alex Gaynor" <alex.gaynor@gmail.com>,
"Boqun Feng" <boqun.feng@gmail.com>,
"Gary Guo" <gary@garyguo.net>,
"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
"Benno Lossin" <benno.lossin@proton.me>,
"Andreas Hindborg" <a.hindborg@kernel.org>,
"Trevor Gross" <tmgross@umich.edu>,
"Valentin Obst" <kernel@valentinobst.de>,
"open list" <linux-kernel@vger.kernel.org>,
"Christoph Hellwig" <hch@lst.de>,
"Marek Szyprowski" <m.szyprowski@samsung.com>,
airlied@redhat.com,
"open list:DMA MAPPING HELPERS" <iommu@lists.linux.dev>
Subject: Re: [PATCH v12 2/3] rust: add dma coherent allocator abstraction.
Date: Fri, 7 Mar 2025 08:48:09 -0400 [thread overview]
Message-ID: <20250307124809.GL354511@nvidia.com> (raw)
In-Reply-To: <Z8qzP3CR8Quhp87Z@pollux>
On Fri, Mar 07, 2025 at 09:50:07AM +0100, Danilo Krummrich wrote:
> > Technically it is unsafe and oopsable to call the allocation API as
> > well on a device that has no driver. This issue is also ignored in
> > these bindings and cannot be solved with revoke.
>
> This is correct, and I am well aware of it. I brought this up once when working
> on the initial device / driver, devres and I/O abstractions.
Yes it is also incorrect to call any devm function on an unprobed
driver.
> It's on my list to make the creation of the Devres container fallible in this
> aspect, which would prevent this issue.
I expect that will require new locking.
> > The actual critical region extends into the HW itself, it is not
> > simple to model this with a pure SW construct of bracketing some
> > allocation. You need to bracket the *entire lifecycle* of the
> > dma_addr_t that has been returned and passed into HW, until the
> > dma_addr_t is removed from HW.
>
> Devres callbacks run after remove(). It's the drivers job to stop operating the
> device latest in remove(). Which means that the design is correct.
It could be the drivers job to unmap the dma as well if you take that
logic.
You still didn't answer the question, what is the critical region of
the DevRes for a dma_alloc_coherent() actually going to protect?
You also have to urgently fix the synchronize_rcu() repitition of you
plan to do this.
> Now, you ask for a step further, i.e. make it that we can enforce that a driver
> actually stopped the device in remove().
So where do you draw the line on bugs Rust should prevent and bugs
Rust requires the programmer to fix?
Allow UAF from forgetting to shutdown DMA, but try to mitigate UAF
from failing to call a dma unmap function. It is the *very same*
driver bug: incorrect shutdown of DMA activity.
I said this for MMIO, and I say it more strongly here. The correct
thing is to throw a warning if the driver has malfunctioned and leaked
a DMA Mapping. This indicates a driver bug. Silently fixing the issue
does nothing to help driver writers make correct drivers. It may even
confuse authors as to what their responsiblities are since so much is
handled "magically".
> Having that said, it doesn't need to be an "all or nothing", let's catch the
> ones we can actually catch.
Well, that's refreshing. Maybe it would be nice to have an agreed
binding design policy on what is wortwhile to catch with runtime
overhead and what is not.
Jason
next prev parent reply other threads:[~2025-03-07 12:48 UTC|newest]
Thread overview: 70+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-24 11:49 [PATCH v12 0/3] rust: add dma coherent allocator abstraction Abdiel Janulgue
2025-02-24 11:49 ` [PATCH v12 1/3] rust: error: Add EOVERFLOW Abdiel Janulgue
2025-02-24 13:11 ` Andreas Hindborg
2025-02-24 11:49 ` [PATCH v12 2/3] rust: add dma coherent allocator abstraction Abdiel Janulgue
2025-02-24 13:21 ` Alice Ryhl
2025-02-24 16:27 ` Abdiel Janulgue
2025-02-24 13:30 ` QUENTIN BOYER
2025-02-24 16:30 ` Abdiel Janulgue
2025-02-24 14:40 ` Andreas Hindborg
2025-02-24 16:27 ` Abdiel Janulgue
2025-02-24 22:35 ` Daniel Almeida
2025-02-28 8:35 ` Alexandre Courbot
2025-02-28 10:01 ` Danilo Krummrich
2025-02-24 20:07 ` Benno Lossin
2025-02-24 21:40 ` Miguel Ojeda
2025-02-24 23:12 ` Daniel Almeida
2025-03-03 13:00 ` Andreas Hindborg
2025-03-03 13:13 ` Alice Ryhl
2025-03-03 15:21 ` Andreas Hindborg
2025-03-03 15:44 ` Alice Ryhl
2025-03-03 18:45 ` Andreas Hindborg
2025-03-03 19:00 ` Allow data races on some read/write operations Andreas Hindborg
2025-03-03 20:08 ` Boqun Feng
2025-03-04 19:03 ` Ralf Jung
2025-03-04 20:18 ` comex
2025-03-05 3:24 ` Boqun Feng
2025-03-05 13:10 ` Ralf Jung
2025-03-05 13:23 ` Alice Ryhl
2025-03-05 13:27 ` Ralf Jung
2025-03-05 14:40 ` Robin Murphy
2025-03-05 18:43 ` Andreas Hindborg
2025-03-05 19:30 ` Alan Stern
2025-03-05 19:42 ` Ralf Jung
2025-03-05 21:26 ` Andreas Hindborg
2025-03-05 21:53 ` Ralf Jung
2025-03-07 8:43 ` Andreas Hindborg
2025-03-18 14:44 ` Ralf Jung
2025-03-05 18:41 ` Andreas Hindborg
2025-03-05 14:25 ` Daniel Almeida
2025-03-05 18:38 ` Andreas Hindborg
2025-03-05 22:01 ` Ralf Jung
2025-03-04 8:28 ` [PATCH v12 2/3] rust: add dma coherent allocator abstraction Abdiel Janulgue
2025-02-25 8:15 ` Abdiel Janulgue
2025-02-25 9:09 ` Alice Ryhl
2025-02-24 22:05 ` Miguel Ojeda
2025-02-25 8:15 ` Abdiel Janulgue
2025-03-03 11:30 ` Andreas Hindborg
2025-03-04 8:58 ` Abdiel Janulgue
2025-03-03 13:08 ` Robin Murphy
2025-03-05 17:41 ` Jason Gunthorpe
2025-03-06 13:37 ` Danilo Krummrich
2025-03-06 15:21 ` Simona Vetter
2025-03-06 15:49 ` Danilo Krummrich
2025-03-06 15:54 ` Danilo Krummrich
2025-03-06 16:18 ` Jason Gunthorpe
2025-03-06 16:34 ` Danilo Krummrich
2025-03-07 10:20 ` Simona Vetter
2025-03-06 16:09 ` Jason Gunthorpe
2025-03-07 8:50 ` Danilo Krummrich
2025-03-07 10:18 ` Simona Vetter
2025-03-07 12:48 ` Jason Gunthorpe [this message]
2025-03-07 13:16 ` Simona Vetter
2025-03-07 14:38 ` Jason Gunthorpe
2025-03-07 17:30 ` Danilo Krummrich
2025-03-07 18:02 ` Greg Kroah-Hartman
2025-03-07 16:09 ` Danilo Krummrich
2025-03-07 16:57 ` Jason Gunthorpe
2025-03-07 19:03 ` Danilo Krummrich
2025-02-24 11:49 ` [PATCH v12 3/3] MAINTAINERS: add entry for Rust dma mapping helpers device driver API Abdiel Janulgue
2025-02-24 13:10 ` Andreas Hindborg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250307124809.GL354511@nvidia.com \
--to=jgg@nvidia.com \
--cc=a.hindborg@kernel.org \
--cc=abdiel.janulgue@gmail.com \
--cc=airlied@redhat.com \
--cc=alex.gaynor@gmail.com \
--cc=aliceryhl@google.com \
--cc=benno.lossin@proton.me \
--cc=bjorn3_gh@protonmail.com \
--cc=boqun.feng@gmail.com \
--cc=dakr@kernel.org \
--cc=daniel.almeida@collabora.com \
--cc=gary@garyguo.net \
--cc=hch@lst.de \
--cc=iommu@lists.linux.dev \
--cc=kernel@valentinobst.de \
--cc=linux-kernel@vger.kernel.org \
--cc=m.szyprowski@samsung.com \
--cc=ojeda@kernel.org \
--cc=robin.murphy@arm.com \
--cc=rust-for-linux@vger.kernel.org \
--cc=tmgross@umich.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox