rust-for-linux.vger.kernel.org archive mirror
From: Boqun Feng <boqun.feng@gmail.com>
To: Andrew Lunn <andrew@lunn.ch>
Cc: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>,
	Alice Ryhl <aliceryhl@google.com>,
	FUJITA Tomonori <fujita.tomonori@gmail.com>,
	netdev@vger.kernel.org, rust-for-linux@vger.kernel.org,
	hkallweit1@gmail.com, tmgross@umich.edu, ojeda@kernel.org,
	alex.gaynor@gmail.com, gary@garyguo.net,
	bjorn3_gh@protonmail.com, benno.lossin@proton.me,
	a.hindborg@samsung.com, anna-maria@linutronix.de,
	frederic@kernel.org, tglx@linutronix.de, arnd@arndb.de,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH net-next v2 5/6] rust: Add read_poll_timeout function
Date: Tue, 8 Oct 2024 15:42:49 -0700
Message-ID: <ZwW1aUGqEj6i4ywb@boqun-archlinux>
In-Reply-To: <32e97ba4-a47b-488a-b098-725faae21d7d@lunn.ch>

On Wed, Oct 09, 2024 at 12:26:00AM +0200, Andrew Lunn wrote:
> On Tue, Oct 08, 2024 at 02:53:56PM -0700, Boqun Feng wrote:
> > On Tue, Oct 08, 2024 at 07:16:42PM +0200, Andrew Lunn wrote:
> > > On Tue, Oct 08, 2024 at 03:14:05PM +0200, Miguel Ojeda wrote:
> > > > On Tue, Oct 8, 2024 at 2:13 PM Andrew Lunn <andrew@lunn.ch> wrote:
> > > > >
> > > > > As far as I see, might_sleep() will cause UAF where there is going to
> > > > > be a UAF anyway. If you are using it correctly, it does not cause UAF.
> > > > 
> > > > This already implies that it is an unsafe function (in general, i.e.
> > > > modulo klint, or a way to force the user to have to write `unsafe`
> > > > somewhere else, or what I call ASHes -- "acknowledged soundness
> > > > holes").
> > > > 
> > > > If we consider as safe functions that, if used correctly, do not cause
> > > > UB, then all functions would be safe.
> > > 
> > > From what I hear, klint is still WIP. So we have to accept there will
> > > be bad code out there, which will UAF. We want to find such bad code,
> > 
> > If you don't believe in klint
> 
> I did not say that. It is WIP, and without it I assume nothing is
> detecting at compile time that the code is broken. Hence we need to
> find the problem at runtime, which is what might_sleep() is all about.
> 
> > might_sleep() is useful because it checks preemption count and task
> > state, which is provided by __might_sleep() as well. I don't think
> > causing UAF helps us detect atomic context violation faster than what
> > __might_sleep() already has. Again, could you provide an example that
> > helps me understand your reasoning here?
> 
> > > while (1) {
> > >     <reader>                        <updater>
> > >     rcu_read_lock();
> > >     p = rcu_dereference(gp);
> > >     mutex_lock(&lock);
> > >     a = READ_ONCE(p->a);
> > >     mutex_unlock(&lock);
> > >     rcu_read_unlock();
> > > }
> 
> The mutex lock is likely to be uncontested, so you don't sleep, and so
> don't trigger the UAF. The code is clearly broken, but you survive.
> Until the lock is contested, you do sleep, RCU falls apart, resulting
> in a UAF.
> 
> Now if you used might_sleep(), every time you go around that loop you
> do some of the same processing as actually sleeping, so are much more
> likely to trigger the UAF.
> 
> might_sleep() as you pointed out, is also active when
> CONFIG_DEBUG_ATOMIC_SLEEP is false. Thus it is also going to trigger
> the broken code to UAF faster. And I expect a lot of testing is done
> without CONFIG_DEBUG_ATOMIC_SLEEP and CONFIG_PROVE_LOCKING.
> 

Hmm.. but that means we need to quickly detect the UAF and track it down to
the source, right? In a build without CONFIG_DEBUG_ATOMIC_SLEEP and
CONFIG_PROVE_LOCKING, may I assume the memory sanitizer is also not
available? Then how do we detect the UAF relatively quickly? Or is the
memory sanitizer in fact relatively cheap, so it can still be enabled?
What's the configuration of netdev CI/testing?

Regards,
Boqun

> Once klint is completed, and detects all these problems at compile
> time, we can then discard all this might_sleep stuff. But until then,
> the faster code explodes, the more likely it is going to be quickly
> and cheaply fixed.
> 
> 	Andrew
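
A userspace C model of the reader loop quoted above, added here as an illustration and not code from the thread or the kernel: it counts how often a might_sleep()-style debug check would report the bug versus how often the task would really sleep inside the read-side section. `struct model`, `model_might_sleep()`, `model_mutex_lock()` and `run_reader()` are hypothetical names, and the contention rate is a constructed input.

```c
/* Userspace model (constructed, not kernel code): an unconditional
 * might_sleep()-style check reports a sleep-in-read-side-section bug on
 * every pass, while an uncontended mutex hides it. Names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

struct model {
    int rcu_depth;        /* stand-in for RCU read-side nesting depth */
    bool check_enabled;   /* stand-in for a debug build with the check on */
    int warnings;         /* violations reported by the check */
    int real_sleeps;      /* times the task actually slept in the section */
};

/* Models the check: fires whenever it is called inside a read-side
 * section, whether or not the caller ends up sleeping. */
static void model_might_sleep(struct model *m)
{
    if (m->check_enabled && m->rcu_depth > 0)
        m->warnings++;
}

/* Models mutex_lock(): annotated as "may sleep", but it only really
 * sleeps when the lock is contended. */
static void model_mutex_lock(struct model *m, bool contended)
{
    model_might_sleep(m);
    if (contended && m->rcu_depth > 0)
        m->real_sleeps++;   /* the point where the latent bug would bite */
}

/* Runs the broken reader loop `iters` times; the lock is contended only
 * on every `contend_every`-th iteration (0 means never contended). */
struct model run_reader(int iters, int contend_every, bool check_enabled)
{
    struct model m = { .check_enabled = check_enabled };
    for (int i = 1; i <= iters; i++) {
        m.rcu_depth++;                      /* rcu_read_lock() */
        model_mutex_lock(&m, contend_every && i % contend_every == 0);
        m.rcu_depth--;                      /* rcu_read_unlock() */
    }
    return m;
}

int main(void)
{
    struct model off = run_reader(1000, 500, false);
    struct model on = run_reader(1000, 500, true);
    printf("check off: warnings=%d real_sleeps=%d\n", off.warnings, off.real_sleeps);
    printf("check on:  warnings=%d real_sleeps=%d\n", on.warnings, on.real_sleeps);
    return 0;
}
```

The model covers only the reporting side of the check; it does not model rescheduling or the memory-safety consequences debated in the thread.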
