From: Christian Schrefl
Date: Tue, 10 Jun 2025 22:27:56 +0200
Subject: [PATCH v6 2/3] rust: miscdevice: add additional data to `MiscDeviceRegistration`
Message-Id: <20250610-b4-rust_miscdevice_registrationdata-v6-2-b03f5dfce998@gmail.com>
In-Reply-To: <20250610-b4-rust_miscdevice_registrationdata-v6-0-b03f5dfce998@gmail.com>
To: Miguel Ojeda, Danilo Krummrich, Alex Gaynor, Boqun Feng, Gary Guo, Björn Roy Baron, Andreas Hindborg, Alice Ryhl, Trevor Gross, Arnd Bergmann, Greg Kroah-Hartman, Lee Jones, Daniel Almeida, Benno Lossin
Cc: Gerald Wisböck, rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org, Christian Schrefl

When using the Rust miscdevice bindings, you generally embed the
`MiscDeviceRegistration` within another struct:

    struct MyDriverData {
        data: SomeOtherData,
        misc: MiscDeviceRegistration
    }

In the `fops->open` callback of the miscdevice, you are given a
reference to the registration, which allows you to access its fields.
For example, as of commit 284ae0be4dca ("rust: miscdevice: Provide
accessor to pull out miscdevice::this_device") you can access the
internal `struct device`. However, there is still no way to access the
`data` field in the above example, because you only have a reference to
the registration.

Using `container_of` is also not possible to do safely. For example, if
the destructor of `MyDriverData` runs, then the destructor of `data`
would run before the miscdevice is deregistered, so using `container_of`
to access `data` from `fops->open` could result in a UAF. A similar
problem can happen on initialization if `misc` is not the last field to
be initialized.

To provide a safe way to access user-defined data stored next to the
`struct miscdevice`, make `MiscDeviceRegistration` into a container that
can store a user-provided piece of data. This way, `fops->open` can
access that data via the registration, since the data is stored inside
the registration.

The container enforces that the additional user data is initialized
before the miscdevice is registered, and that the miscdevice is
deregistered before the user data is destroyed. This ensures that access
to the userdata is safe.

For the same reasons as in commit 88441d5c6d17 ("rust: miscdevice:
access the `struct miscdevice` from fops->open()"), you cannot access
the user data in any other fops callback than open. This is because a
miscdevice can be deregistered while there are still open files.

A situation where this user data might be required is when a platform
driver acquires a resource in `probe` and wants to use this resource in
the `fops` implementation of a `MiscDevice`.

This solution is similar to the approach used by the initial downstream
Rust-for-Linux/Rust branch [0].

Link: https://github.com/Rust-for-Linux/linux/blob/rust/rust/kernel/miscdev.rs#L108 [0]
Suggested-by: Alice Ryhl
Reviewed-by: Alice Ryhl
Signed-off-by: Christian Schrefl
---
 rust/kernel/miscdevice.rs        | 104 +++++++++++++++++++++++++++++----------
 samples/rust/rust_misc_device.rs |   4 +-
 2 files changed, 82 insertions(+), 26 deletions(-)

diff --git a/rust/kernel/miscdevice.rs b/rust/kernel/miscdevice.rs index 939278bc7b03489a647b697012e09223871c90cd..8daf3724b75068c998cb361eac3= 8f43a39884b0c 100644 --- a/rust/kernel/miscdevice.rs +++ b/rust/kernel/miscdevice.rs @@ -9,7 +9,7 @@ //! Reference: =20 use crate::{ - bindings, + bindings, container_of, device::Device, error::{to_result, Error, Result, VTABLE_DEFAULT_ERROR}, ffi::{c_int, c_long, c_uint, c_ulong}, @@ -21,6 +21,7 @@ types::{ForeignOwnable, Opaque}, }; use core::{marker::PhantomData, mem::MaybeUninit, pin::Pin}; +use pin_init::Wrapper; =20 /// Options for creating a misc device. #[derive(Copy, Clone)] @@ -31,7 +32,10 @@ pub struct MiscDeviceOptions { =20 impl MiscDeviceOptions { /// Create a raw `struct miscdev` ready for registration. - pub const fn into_raw(self) -> bindings::miscdevice { + pub const fn into_raw(self) -> bindings::miscdevice + where + T::Data: Sync, + { // SAFETY: All zeros is valid for this C type. let mut result: bindings::miscdevice =3D unsafe { MaybeUninit::zer= oed().assume_init() }; result.minor =3D bindings::MISC_DYNAMIC_MINOR as _; 
@@ -45,38 +49,55 @@ pub const fn into_raw(self) -> bindings:= :miscdevice { /// /// # Invariants /// -/// `inner` is a registered misc device. -#[repr(transparent)] +/// - `inner` is a registered misc device. +/// - `data` contains a valid `T::Data` for the whole lifetime of [`MiscDe= viceRegistration`] +/// - `data` must be valid until `misc_deregister` (called when dropped) h= as returned. +/// - no mutable references to `data` may be created. #[pin_data(PinnedDrop)] -pub struct MiscDeviceRegistration { +pub struct MiscDeviceRegistration { #[pin] inner: Opaque, - _t: PhantomData, + #[pin] + data: Opaque, } =20 -// SAFETY: It is allowed to call `misc_deregister` on a different thread f= rom where you called -// `misc_register`. -unsafe impl Send for MiscDeviceRegistration {} -// SAFETY: All `&self` methods on this type are written to ensure that it = is safe to call them in -// parallel. -unsafe impl Sync for MiscDeviceRegistration {} +// SAFETY: +// - It is allowed to call `misc_deregister` on a different thread from wh= ere you called +// `misc_register`. +// - Only implements `Send` if `MiscDevice::Data` is also `Send`. +unsafe impl Send for MiscDeviceRegistration where T::Dat= a: Send {} + +// SAFETY: +// - All `&self` methods on this type are written to ensure that it is saf= e to call them in +// parallel. +// - Only implements `Sync` if `MiscDevice::Data` is also `Sync`. +unsafe impl Sync for MiscDeviceRegistration where T::Dat= a: Sync {} =20 impl MiscDeviceRegistration { /// Register a misc device. - pub fn register(opts: MiscDeviceOptions) -> impl PinInit { + pub fn register( + opts: MiscDeviceOptions, + data: impl PinInit, + ) -> impl PinInit + where + T::Data: Sync, + { try_pin_init!(Self { + data <- Opaque::pin_init(data), inner <- Opaque::try_ffi_init(move |slot: *mut bindings::miscd= evice| { // SAFETY: The initializer can write to the provided `slot= `. 
unsafe { slot.write(opts.into_raw::()) }; =20 - // SAFETY: We just wrote the misc device options to the sl= ot. The miscdevice will - // get unregistered before `slot` is deallocated because t= he memory is pinned and - // the destructor of this type deallocates the memory. + // SAFETY: + // * We just wrote the misc device options to the slot. Th= e miscdevice will + // get unregistered before `slot` is deallocated because= the memory is pinned and + // the destructor of this type deallocates the memory. + // * `data` is Initialized before `misc_register` so no ra= ce with `fops->open()` + // is possible. // INVARIANT: If this returns `Ok(())`, then the `slot` wi= ll contain a registered // misc device. to_result(unsafe { bindings::misc_register(slot) }) }), - _t: PhantomData, }) } =20 @@ -94,13 +115,24 @@ pub fn device(&self) -> &Device { // before the underlying `struct miscdevice` is destroyed. unsafe { Device::as_ref((*self.as_raw()).this_device) } } + + /// Access the additional data stored in this registration. + pub fn data(&self) -> &T::Data { + // SAFETY: + // * No mutable reference to the value contained by `self.data` ca= n ever be created. + // * The value contained by `self.data` is valid for the entire li= fetime of `&self`. + unsafe { &*self.data.get() } + } } =20 #[pinned_drop] -impl PinnedDrop for MiscDeviceRegistration { +impl PinnedDrop for MiscDeviceRegistration { fn drop(self: Pin<&mut Self>) { // SAFETY: We know that the device is registered by the type invar= iants. unsafe { bindings::misc_deregister(self.inner.get()) }; + + // SAFETY: `self.data` contains a valid `Data` and does not need t= o be valid anymore. + unsafe { core::ptr::drop_in_place(self.data.get()) }; } } =20 
@@ -110,6 +142,13 @@ pub trait MiscDevice: Sized { /// What kind of pointer should `Self` be wrapped in. type Ptr: ForeignOwnable + Send + Sync; =20 + /// Additional data carried by the [`MiscDeviceRegistration`] for this= [`MiscDevice`]. + /// If no additional data is required than the unit type `()` should b= e used. + /// + /// This can be accessed in [`MiscDevice::open()`] using + /// [`MiscDeviceRegistration::data()`]. + type Data; + /// Called when the misc device is opened. /// /// The returned pointer will be stored as the private data for the fi= le. @@ -180,7 +219,10 @@ fn show_fdinfo( /// A vtable for the file operations of a Rust miscdevice. struct MiscdeviceVTable(PhantomData); =20 -impl MiscdeviceVTable { +impl MiscdeviceVTable +where + T::Data: Sync, +{ /// # Safety /// /// `file` and `inode` must be the file and inode for a file that is u= ndergoing initialization. 
@@ -195,18 +237,30 @@ impl MiscdeviceVTable { // SAFETY: The open call of a file can access the private data. let misc_ptr =3D unsafe { (*raw_file).private_data }; =20 - // SAFETY: This is a miscdevice, so `misc_open()` set the private = data to a pointer to the - // associated `struct miscdevice` before calling into this method.= Furthermore, - // `misc_open()` ensures that the miscdevice can't be unregistered= and freed during this - // call to `fops_open`. - let misc =3D unsafe { &*misc_ptr.cast::>= () }; + // This is a miscdevice, so `misc_open()` sets the private data to= a pointer to the + // associated `struct miscdevice` before calling into this method. + let misc_ptr =3D misc_ptr.cast::>(); + + // SAFETY: + // * `misc_open()` ensures that the `struct miscdevice` can't be u= nregistered and freed + // during this call to `fops_open`. + // * The `misc_ptr` always points to the `inner` field of a `MiscD= eviceRegistration`. + // * The `MiscDeviceRegistration` is valid until the `struct mi= scdevice` was + // unregistered. + // * `MiscDeviceRegistration` is `Send` since `MiscDeviceRegist= ration::register` has a + // `T::Data: Sync` bound, `MiscDeviceRegistration` is Send i= f `T::Data: Sync` and is + // the only way to create a `MiscDeviceRegistration`. This means= that a reference to it + // can be shared between contexts. + // TODO: add `assert_sync` for `MiscDeviceRegistration` and + // `MiscDeviceRegistration::Data`. + let registration =3D unsafe { &*container_of!(misc_ptr, MiscDevice= Registration, inner) }; =20 // SAFETY: // * This underlying file is valid for (much longer than) the dura= tion of `T::open`. // * There is no active fdget_pos region on the file on this threa= d. let file =3D unsafe { File::from_raw_file(raw_file) }; =20 - let ptr =3D match T::open(file, misc) { + let ptr =3D match T::open(file, registration) { Ok(ptr) =3D> ptr, Err(err) =3D> return err.to_errno(), }; 
diff --git a/samples/rust/rust_misc_device.rs b/samples/rust/rust_misc_devi= ce.rs index c881fd6dbd08cf4308fe1bd37d11d28374c1f034..c0b912920d6c4b60e747d9d2989= 00ad64df67339 100644 --- a/samples/rust/rust_misc_device.rs +++ b/samples/rust/rust_misc_device.rs @@ -137,7 +137,7 @@ fn init(_module: &'static ThisModule) -> impl PinInit { }; =20 try_pin_init!(Self { - _miscdev <- MiscDeviceRegistration::register(options), + _miscdev <- MiscDeviceRegistration::register(options, ()), }) } } @@ -157,6 +157,8 @@ struct RustMiscDevice { impl MiscDevice for RustMiscDevice { type Ptr =3D Pin>; =20 + type Data =3D (); + fn open(_file: &File, misc: &MiscDeviceRegistration) -> Result>> { let dev =3D ARef::from(misc.device()); =20 --=20 2.49.0
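
Review bot: In `register()` (hunk `@@ -45,38 +49,55 @@`), `data <- Opaque::pin_init(data)` runs before the `inner` initializer, so when `misc_register` returns an error the user data has already been constructed inside an `Opaque`. The `PinnedDrop` impl in this same patch has to call `core::ptr::drop_in_place(self.data.get())` by hand, which suggests nothing else runs the destructor of `T::Data`, so on the failure path the data looks like it is leaked. Consider dropping `data` explicitly when `misc_register` fails, or storing it in a wrapper that drops its contents. Minor: "`data` is Initialized" in the SAFETY comment should be lower-case, and the new invariant bullets are punctuated inconsistently.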
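
Review bot: The SAFETY comment on `drop_in_place(self.data.get())` in `drop()` (hunk `@@ -94,13 +115,24 @@`) says the data "does not need to be valid anymore" without giving the reason. Tie it to the type invariant added above: `misc_deregister` has returned on the preceding line, so no `fops->open()` call can still be holding a reference obtained through `data()`. The doc comment on `data()` could also state that only shared access is handed out, so any mutation has to go through interior mutability in `T::Data`.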
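
Review bot: The doc comment on `type Data` (hunk `@@ -110,6 +142,13 @@`) does not mention that `MiscDeviceRegistration::register`, `into_raw` and `MiscdeviceVTable` all require `T::Data: Sync`, so an implementer only learns this from a compile error at the call site. Document the requirement here, or consider declaring the bound on the associated type itself so the repeated `where T::Data: Sync` clauses can go away. Also, "than the unit type" should read "then the unit type".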
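
Review bot: The SAFETY comment before `container_of!` in the open path (hunk `@@ -195,18 +237,30 @@`) argues that `MiscDeviceRegistration` is `Send` because of the `T::Data: Sync` bound, but the impls earlier in this patch make it `Send` when `T::Data: Send` and `Sync` when `T::Data: Sync`, and sharing a reference between contexts is a `Sync` argument. Reword the bullet to say `Sync` in both places. The `TODO: add assert_sync` would be better resolved in this patch than left as a comment, since the safety argument rests on exactly that property.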
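
Added example, not part of the original patch or of the kernel sources: a userspace model of the drop-order problem the commit message describes, next to the container layout that fixes it. `Resource`, `BareRegistration`, `Registration` and the event log are hypothetical stand-ins; no kernel API is used.

```rust
use std::cell::RefCell;
use std::mem::ManuallyDrop;
use std::rc::Rc;

type Log = Rc<RefCell<Vec<&'static str>>>;

// Hypothetical driver data; its destructor records when it runs.
struct Resource(Log);
impl Drop for Resource {
    fn drop(&mut self) { self.0.borrow_mut().push("data dropped"); }
}

// Stand-in for a registration that carries no data; Drop models misc_deregister.
struct BareRegistration(Log);
impl Drop for BareRegistration {
    fn drop(&mut self) { self.0.borrow_mut().push("deregistered"); }
}

// Layout from the commit message: fields drop in declaration order, so `data`
// is destroyed while the device is still registered and open() can still run.
struct MyDriverData { data: Resource, misc: BareRegistration }

// Container layout: the registration owns the data and orders teardown itself.
struct Registration<T> { log: Log, data: ManuallyDrop<T> }
impl<T> Registration<T> {
    fn register(log: Log, data: T) -> Self {
        // `data` is fully constructed before the device becomes visible.
        log.borrow_mut().push("registered");
        Registration { log, data: ManuallyDrop::new(data) }
    }
    fn data(&self) -> &T { &self.data }
}
impl<T> Drop for Registration<T> {
    fn drop(&mut self) {
        self.log.borrow_mut().push("deregistered");
        // SAFETY: deregistration is done and `data` is never touched again.
        unsafe { ManuallyDrop::drop(&mut self.data) };
    }
}

fn embedded_order() -> Vec<&'static str> {
    let log: Log = Rc::default();
    drop(MyDriverData { data: Resource(log.clone()), misc: BareRegistration(log.clone()) });
    let events = log.borrow().clone();
    events
}

fn container_order() -> Vec<&'static str> {
    let log: Log = Rc::default();
    drop(Registration::register(log.clone(), Resource(log.clone())));
    let events = log.borrow().clone();
    events
}
```

In the embedded layout the window between "data dropped" and "deregistered" is where a `container_of`-based access from open would touch freed data.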