* [PATCH 0/2] rust: lockdep: Fix soundness issue affecting LockClassKeys
@ 2024-10-04 22:01 Mitchell Levy via B4 Relay
2024-10-04 22:01 ` [PATCH 1/2] rust: lockdep: Remove support for dynamically allocated LockClassKeys Mitchell Levy via B4 Relay
2024-10-04 22:01 ` [PATCH 2/2] rust: lockdep: Use Pin for all LockClassKey usages Mitchell Levy via B4 Relay
0 siblings, 2 replies; 4+ messages in thread
From: Mitchell Levy via B4 Relay @ 2024-10-04 22:01 UTC (permalink / raw)
To: Boqun Feng, Miguel Ojeda, Alex Gaynor, Wedson Almeida Filho,
Gary Guo, Björn Roy Baron, Benno Lossin, Alice Ryhl,
Trevor Gross, Andreas Hindborg, Andreas Hindborg
Cc: linux-block, rust-for-linux, linux-kernel, stable, Mitchell Levy
This series is aimed at fixing a soundness issue with how dynamically
allocated LockClassKeys are handled. Currently, LockClassKeys can be
used without being Pin'd, which can break lockdep since it relies on
address stability. Similarly, these keys are not automatically
(de)registered with lockdep.
At the suggestion of Alice Ryhl, this series includes a patch for
-stable kernels that disables dynamically allocated keys. This prevents
backported patches from using the unsound implementation.
Currently, this series requires that all dynamically allocated
LockClassKeys have a lifetime of 'static (i.e., they must be leaked
after allocation). This is because Lock does not currently keep a
reference to the LockClassKey, instead passing it to C via FFI. This
causes a problem because the rust compiler would allow creating a
'static Lock with a 'a LockClassKey (with 'a < 'static) while C would
expect the LockClassKey to live as long as the lock. This problem
represents an avenue for future work.
---
Changes from RFC:
- Split into two commits so that dynamically allocated LockClassKeys are
removed from stable kernels. (Thanks Alice Ryhl)
- Extract calls to C lockdep functions into helpers so things build
properly when LOCKDEP=n. (Thanks Benno Lossin)
- Remove extraneous `get_ref()` calls. (Thanks Benno Lossin)
- Provide better documentation for `new_dynamic()`. (Thanks Benno
Lossin)
- Ran rustfmt to fix formatting and some extraneous changes. (Thanks
Alice Ryhl and Benno Lossin)
- Link to RFC: https://lore.kernel.org/r/20240905-rust-lockdep-v1-1-d2c9c21aa8b2@gmail.com
---
Mitchell Levy (2):
rust: lockdep: Remove support for dynamically allocated LockClassKeys
rust: lockdep: Use Pin for all LockClassKey usages
rust/helpers/helpers.c | 1 +
rust/helpers/sync.c | 13 +++++++++++++
rust/kernel/lib.rs | 2 +-
rust/kernel/sync.rs | 34 ++++++++++++++++++++++++----------
rust/kernel/sync/condvar.rs | 11 +++++++----
rust/kernel/sync/lock.rs | 4 ++--
rust/kernel/workqueue.rs | 2 +-
7 files changed, 49 insertions(+), 18 deletions(-)
---
base-commit: 9852d85ec9d492ebef56dc5f229416c925758edc
change-id: 20240905-rust-lockdep-d3e30521c8ba
Best regards,
--
Mitchell Levy <levymitchell0@gmail.com>
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH 1/2] rust: lockdep: Remove support for dynamically allocated LockClassKeys
2024-10-04 22:01 [PATCH 0/2] rust: lockdep: Fix soundness issue affecting LockClassKeys Mitchell Levy via B4 Relay
@ 2024-10-04 22:01 ` Mitchell Levy via B4 Relay
2024-10-05 6:10 ` Dirk Behme
2024-10-04 22:01 ` [PATCH 2/2] rust: lockdep: Use Pin for all LockClassKey usages Mitchell Levy via B4 Relay
1 sibling, 1 reply; 4+ messages in thread
From: Mitchell Levy via B4 Relay @ 2024-10-04 22:01 UTC (permalink / raw)
To: Boqun Feng, Miguel Ojeda, Alex Gaynor, Wedson Almeida Filho,
Gary Guo, Björn Roy Baron, Benno Lossin, Alice Ryhl,
Trevor Gross, Andreas Hindborg, Andreas Hindborg
Cc: linux-block, rust-for-linux, linux-kernel, stable, Mitchell Levy
From: Mitchell Levy <levymitchell0@gmail.com>
Currently, dynamically allocated LockCLassKeys can be used from the Rust
side without having them registered. This is a soundness issue, so
remove them.
Suggested-by: Alice Ryhl <aliceryhl@google.com>
Link: https://lore.kernel.org/rust-for-linux/20240815074519.2684107-3-nmi@metaspace.dk/
Cc: stable@vger.kernel.org
Signed-off-by: Mitchell Levy <levymitchell0@gmail.com>
---
rust/kernel/lib.rs | 2 +-
rust/kernel/sync.rs | 14 ++------------
2 files changed, 3 insertions(+), 13 deletions(-)
diff --git a/rust/kernel/lib.rs b/rust/kernel/lib.rs
index 22a3bfa5a9e9..b5f4b3ce6b48 100644
--- a/rust/kernel/lib.rs
+++ b/rust/kernel/lib.rs
@@ -44,8 +44,8 @@
pub mod page;
pub mod prelude;
pub mod print;
-pub mod sizes;
pub mod rbtree;
+pub mod sizes;
mod static_assert;
#[doc(hidden)]
pub mod std_vendor;
diff --git a/rust/kernel/sync.rs b/rust/kernel/sync.rs
index 0ab20975a3b5..d270db9b9894 100644
--- a/rust/kernel/sync.rs
+++ b/rust/kernel/sync.rs
@@ -27,28 +27,18 @@
unsafe impl Sync for LockClassKey {}
impl LockClassKey {
- /// Creates a new lock class key.
- pub const fn new() -> Self {
- Self(Opaque::uninit())
- }
-
pub(crate) fn as_ptr(&self) -> *mut bindings::lock_class_key {
self.0.get()
}
}
-impl Default for LockClassKey {
- fn default() -> Self {
- Self::new()
- }
-}
-
/// Defines a new static lock class and returns a pointer to it.
#[doc(hidden)]
#[macro_export]
macro_rules! static_lock_class {
() => {{
- static CLASS: $crate::sync::LockClassKey = $crate::sync::LockClassKey::new();
+ static CLASS: $crate::sync::LockClassKey =
+ unsafe { ::core::mem::MaybeUninit::uninit().assume_init() };
&CLASS
}};
}
--
2.34.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH 2/2] rust: lockdep: Use Pin for all LockClassKey usages
2024-10-04 22:01 [PATCH 0/2] rust: lockdep: Fix soundness issue affecting LockClassKeys Mitchell Levy via B4 Relay
2024-10-04 22:01 ` [PATCH 1/2] rust: lockdep: Remove support for dynamically allocated LockClassKeys Mitchell Levy via B4 Relay
@ 2024-10-04 22:01 ` Mitchell Levy via B4 Relay
1 sibling, 0 replies; 4+ messages in thread
From: Mitchell Levy via B4 Relay @ 2024-10-04 22:01 UTC (permalink / raw)
To: Boqun Feng, Miguel Ojeda, Alex Gaynor, Wedson Almeida Filho,
Gary Guo, Björn Roy Baron, Benno Lossin, Alice Ryhl,
Trevor Gross, Andreas Hindborg, Andreas Hindborg
Cc: linux-block, rust-for-linux, linux-kernel, Mitchell Levy
From: Mitchell Levy <levymitchell0@gmail.com>
Reintroduce dynamically-allocated LockClassKeys such that they are
automatically (de)registered. Require that all usages of LockClassKeys
ensure that they are Pin'd.
Link: https://lore.kernel.org/rust-for-linux/20240815074519.2684107-1-nmi@metaspace.dk/
Suggested-by: Benno Lossin <benno.lossin@proton.me>
Suggested-by: Boqun Feng <boqun.feng@gmail.com>
Signed-off-by: Mitchell Levy <levymitchell0@gmail.com>
---
rust/helpers/helpers.c | 1 +
rust/helpers/sync.c | 13 +++++++++++++
rust/kernel/sync.rs | 30 +++++++++++++++++++++++++++---
rust/kernel/sync/condvar.rs | 11 +++++++----
rust/kernel/sync/lock.rs | 4 ++--
rust/kernel/workqueue.rs | 2 +-
6 files changed, 51 insertions(+), 10 deletions(-)
diff --git a/rust/helpers/helpers.c b/rust/helpers/helpers.c
index 30f40149f3a9..2e8a2abfca33 100644
--- a/rust/helpers/helpers.c
+++ b/rust/helpers/helpers.c
@@ -20,6 +20,7 @@
#include "signal.c"
#include "slab.c"
#include "spinlock.c"
+#include "sync.c"
#include "task.c"
#include "uaccess.c"
#include "wait.c"
diff --git a/rust/helpers/sync.c b/rust/helpers/sync.c
new file mode 100644
index 000000000000..ff7e68b48810
--- /dev/null
+++ b/rust/helpers/sync.c
@@ -0,0 +1,13 @@
+// SPDX-License-Identifier: GPL-2.0
+
+#include <linux/lockdep.h>
+
+void rust_helper_lockdep_register_key(struct lock_class_key *k)
+{
+ lockdep_register_key(k);
+}
+
+void rust_helper_lockdep_unregister_key(struct lock_class_key *k)
+{
+ lockdep_unregister_key(k);
+}
diff --git a/rust/kernel/sync.rs b/rust/kernel/sync.rs
index d270db9b9894..3903573143b3 100644
--- a/rust/kernel/sync.rs
+++ b/rust/kernel/sync.rs
@@ -5,6 +5,8 @@
//! This module contains the kernel APIs related to synchronisation that have been ported or
//! wrapped for usage by Rust code in the kernel.
+use crate::pin_init;
+use crate::prelude::*;
use crate::types::Opaque;
mod arc;
@@ -20,15 +22,35 @@
/// Represents a lockdep class. It's a wrapper around C's `lock_class_key`.
#[repr(transparent)]
-pub struct LockClassKey(Opaque<bindings::lock_class_key>);
+#[pin_data(PinnedDrop)]
+pub struct LockClassKey {
+ #[pin]
+ inner: Opaque<bindings::lock_class_key>,
+}
// SAFETY: `bindings::lock_class_key` is designed to be used concurrently from multiple threads and
// provides its own synchronization.
unsafe impl Sync for LockClassKey {}
impl LockClassKey {
+ /// Initializes a dynamically allocated lock class key. In the common case of using a
+ /// statically allocated lock class key, the static_lock_class! macro should be used instead.
+ pub fn new_dynamic() -> impl PinInit<Self> {
+ pin_init!(Self {
+ // SAFETY: lockdep_register_key expects an uninitialized block of memory
+ inner <- Opaque::ffi_init(|slot| unsafe { bindings::lockdep_register_key(slot) })
+ })
+ }
+
pub(crate) fn as_ptr(&self) -> *mut bindings::lock_class_key {
- self.0.get()
+ self.inner.get()
+ }
+}
+
+#[pinned_drop]
+impl PinnedDrop for LockClassKey {
+ fn drop(self: Pin<&mut Self>) {
+ unsafe { bindings::lockdep_unregister_key(self.as_ptr()) }
}
}
@@ -37,9 +59,11 @@ pub(crate) fn as_ptr(&self) -> *mut bindings::lock_class_key {
#[macro_export]
macro_rules! static_lock_class {
() => {{
+ // SAFETY: lockdep expects uninitialized memory when it's handed a statically allocated
+ // lock_class_key
static CLASS: $crate::sync::LockClassKey =
unsafe { ::core::mem::MaybeUninit::uninit().assume_init() };
- &CLASS
+ $crate::prelude::Pin::static_ref(&CLASS)
}};
}
diff --git a/rust/kernel/sync/condvar.rs b/rust/kernel/sync/condvar.rs
index 2b306afbe56d..0469a9d81b7e 100644
--- a/rust/kernel/sync/condvar.rs
+++ b/rust/kernel/sync/condvar.rs
@@ -14,9 +14,12 @@
time::Jiffies,
types::Opaque,
};
-use core::ffi::{c_int, c_long};
-use core::marker::PhantomPinned;
-use core::ptr;
+use core::{
+ ffi::{c_int, c_long},
+ marker::PhantomPinned,
+ pin::Pin,
+ ptr,
+};
use macros::pin_data;
/// Creates a [`CondVar`] initialiser with the given name and a newly-created lock class.
@@ -102,7 +105,7 @@ unsafe impl Sync for CondVar {}
impl CondVar {
/// Constructs a new condvar initialiser.
- pub fn new(name: &'static CStr, key: &'static LockClassKey) -> impl PinInit<Self> {
+ pub fn new(name: &'static CStr, key: Pin<&'static LockClassKey>) -> impl PinInit<Self> {
pin_init!(Self {
_pin: PhantomPinned,
// SAFETY: `slot` is valid while the closure is called and both `name` and `key` have
diff --git a/rust/kernel/sync/lock.rs b/rust/kernel/sync/lock.rs
index f6c34ca4d819..305c41321369 100644
--- a/rust/kernel/sync/lock.rs
+++ b/rust/kernel/sync/lock.rs
@@ -7,7 +7,7 @@
use super::LockClassKey;
use crate::{init::PinInit, pin_init, str::CStr, types::Opaque, types::ScopeGuard};
-use core::{cell::UnsafeCell, marker::PhantomData, marker::PhantomPinned};
+use core::{cell::UnsafeCell, marker::PhantomData, marker::PhantomPinned, pin::Pin};
use macros::pin_data;
pub mod mutex;
@@ -106,7 +106,7 @@ unsafe impl<T: ?Sized + Send, B: Backend> Sync for Lock<T, B> {}
impl<T, B: Backend> Lock<T, B> {
/// Constructs a new lock initialiser.
- pub fn new(t: T, name: &'static CStr, key: &'static LockClassKey) -> impl PinInit<Self> {
+ pub fn new(t: T, name: &'static CStr, key: Pin<&'static LockClassKey>) -> impl PinInit<Self> {
pin_init!(Self {
data: UnsafeCell::new(t),
_pin: PhantomPinned,
diff --git a/rust/kernel/workqueue.rs b/rust/kernel/workqueue.rs
index 553a5cba2adc..1720a99f53be 100644
--- a/rust/kernel/workqueue.rs
+++ b/rust/kernel/workqueue.rs
@@ -367,7 +367,7 @@ impl<T: ?Sized, const ID: u64> Work<T, ID> {
/// Creates a new instance of [`Work`].
#[inline]
#[allow(clippy::new_ret_no_self)]
- pub fn new(name: &'static CStr, key: &'static LockClassKey) -> impl PinInit<Self>
+ pub fn new(name: &'static CStr, key: Pin<&'static LockClassKey>) -> impl PinInit<Self>
where
T: WorkItem<ID>,
{
--
2.34.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH 1/2] rust: lockdep: Remove support for dynamically allocated LockClassKeys
2024-10-04 22:01 ` [PATCH 1/2] rust: lockdep: Remove support for dynamically allocated LockClassKeys Mitchell Levy via B4 Relay
@ 2024-10-05 6:10 ` Dirk Behme
0 siblings, 0 replies; 4+ messages in thread
From: Dirk Behme @ 2024-10-05 6:10 UTC (permalink / raw)
To: levymitchell0, Boqun Feng, Miguel Ojeda, Alex Gaynor,
Wedson Almeida Filho, Gary Guo, Björn Roy Baron,
Benno Lossin, Alice Ryhl, Trevor Gross, Andreas Hindborg
Cc: linux-block, rust-for-linux, linux-kernel, stable
Am 05.10.24 um 00:01 schrieb Mitchell Levy via B4 Relay:
> From: Mitchell Levy <levymitchell0@gmail.com>
>
> Currently, dynamically allocated LockCLassKeys can be used from the Rust
> side without having them registered. This is a soundness issue, so
> remove them.
>
> Suggested-by: Alice Ryhl <aliceryhl@google.com>
> Link: https://lore.kernel.org/rust-for-linux/20240815074519.2684107-3-nmi@metaspace.dk/
> Cc: stable@vger.kernel.org
> Signed-off-by: Mitchell Levy <levymitchell0@gmail.com>
> ---
> rust/kernel/lib.rs | 2 +-
> rust/kernel/sync.rs | 14 ++------------
> 2 files changed, 3 insertions(+), 13 deletions(-)
>
> diff --git a/rust/kernel/lib.rs b/rust/kernel/lib.rs
> index 22a3bfa5a9e9..b5f4b3ce6b48 100644
> --- a/rust/kernel/lib.rs
> +++ b/rust/kernel/lib.rs
> @@ -44,8 +44,8 @@
> pub mod page;
> pub mod prelude;
> pub mod print;
> -pub mod sizes;
> pub mod rbtree;
> +pub mod sizes;
> mod static_assert;
> #[doc(hidden)]
> pub mod std_vendor;
This is fixed already
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/rust/kernel/lib.rs?id=ece207a83e464af710d641f29e32b7a144c48e79
and can be dropped here.
> diff --git a/rust/kernel/sync.rs b/rust/kernel/sync.rs
> index 0ab20975a3b5..d270db9b9894 100644
> --- a/rust/kernel/sync.rs
> +++ b/rust/kernel/sync.rs
> @@ -27,28 +27,18 @@
> unsafe impl Sync for LockClassKey {}
>
> impl LockClassKey {
> - /// Creates a new lock class key.
> - pub const fn new() -> Self {
> - Self(Opaque::uninit())
> - }
> -
> pub(crate) fn as_ptr(&self) -> *mut bindings::lock_class_key {
> self.0.get()
> }
> }
>
> -impl Default for LockClassKey {
> - fn default() -> Self {
> - Self::new()
> - }
> -}
> -
> /// Defines a new static lock class and returns a pointer to it.
> #[doc(hidden)]
> #[macro_export]
> macro_rules! static_lock_class {
> () => {{
> - static CLASS: $crate::sync::LockClassKey = $crate::sync::LockClassKey::new();
Should the SAFETY comment added in the 2nd patch go to here?
+ // SAFETY: lockdep expects uninitialized memory when it's
handed a statically allocated
+ // lock_class_key
> + static CLASS: $crate::sync::LockClassKey =
> + unsafe { ::core::mem::MaybeUninit::uninit().assume_init() };
> &CLASS
> }};
> }
>
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2024-10-05 6:10 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-10-04 22:01 [PATCH 0/2] rust: lockdep: Fix soundness issue affecting LockClassKeys Mitchell Levy via B4 Relay
2024-10-04 22:01 ` [PATCH 1/2] rust: lockdep: Remove support for dynamically allocated LockClassKeys Mitchell Levy via B4 Relay
2024-10-05 6:10 ` Dirk Behme
2024-10-04 22:01 ` [PATCH 2/2] rust: lockdep: Use Pin for all LockClassKey usages Mitchell Levy via B4 Relay
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).