From: Steven Rostedt <rostedt@goodmis.org>
To: Jason Gunthorpe <jgg@nvidia.com>
Cc: Kees Cook <kees@kernel.org>,
Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>,
Christoph Hellwig <hch@infradead.org>,
rust-for-linux <rust-for-linux@vger.kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Greg KH <gregkh@linuxfoundation.org>,
David Airlie <airlied@gmail.com>,
linux-kernel@vger.kernel.org, ksummit@lists.linux.dev
Subject: Re: Rust kernel policy
Date: Wed, 19 Feb 2025 15:46:10 -0500 [thread overview]
Message-ID: <20250219154610.30dc6223@gandalf.local.home> (raw)
In-Reply-To: <20250219202751.GA42073@nvidia.com>
On Wed, 19 Feb 2025 16:27:51 -0400
Jason Gunthorpe <jgg@nvidia.com> wrote:
> Can someone do some data mining and share how many "rust
> opportunities" are there per cycle? Ie entirely new drivers introduced
> (maybe bucketed per subsystem) and lines-of-code of C code in those
> drivers.
>
> My gut feeling is that the security argument is not so strong, just
> based on numbers. We will still have so much code flowing in that will
> not be Rust introducing more and more bugs. Even if every new driver
> is Rust the reduction in bugs will be percentage small.
>
> Further, my guess is the majority of new drivers are embedded
> things. I strongly suspect entire use cases, like a hypervisor kernel,
> server, etc, will see no/minimal Rust adoption or security improvement
> at all as there is very little green field / driver work there that
> could be in Rust.
>
> Meaning, if you want to make the security argument strong you must
> also argue for strategically rewriting existing parts of the kernel,
> and significantly expanding the Rust footprint beyond just drivers. ie
> more like binder is doing.
>
> I think this is also part of the social stress here as the benefits of
> Rust are not being evenly distributed across the community.
Drivers is the biggest part of the Linux kernel and has the biggest churn.
A lot of them are "drive by" submissions too (Let's add a driver for our
new device and work on something else). These are written by people that
are not kernel maintainers but just people trying to get their devices
working on Linux. That means they are the ones to introduce the most bugs
that Rust would likely prevent.
I was going through my own bugs to see how much Rust would help, and the
percentage was rather small. I did have a few ref counter bugs. Not the
kind for freeing, but for which left things in a state that the system
couldn't be modified (the ref count was to lock access). I'm not sure Rust
would have solved that.
So most of the bugs were accounting issues. I found a couple that were
memory safety bugs but those are not as common. I guess that's because I do
test with kmemleak which will usually detect that.
Perhaps I wouldn't need to do all the memory tests if I wrote the code in
Rust? But that's not what you are asking. As a maintainer of core code, I
run a lot of tests before sending to Linus. Which I would hope keeps the
number of bugs I introduce to a minimum. But I can't say the same for the
driver code. That's a much different beast, as to test that code, you also
need the hardware that the driver is for.
I do feel that new drivers written in Rust would help with the
vulnerabilities that new drivers usually add to the kernel.
-- Steve
next prev parent reply other threads:[~2025-02-19 20:45 UTC|newest]
Thread overview: 186+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CANiq72m-R0tOakf=j7BZ78jDHdy=9-fvZbAT8j91Je2Bxy0sFg@mail.gmail.com>
2025-02-18 16:08 ` Christoph Hellwig
2025-02-18 16:35 ` Jarkko Sakkinen
2025-02-18 16:39 ` Jarkko Sakkinen
2025-02-18 18:08 ` Jarkko Sakkinen
2025-02-18 21:22 ` Boqun Feng
2025-02-19 6:20 ` Jarkko Sakkinen
2025-02-19 6:35 ` Dave Airlie
2025-02-19 11:37 ` Jarkko Sakkinen
2025-02-19 13:25 ` Geert Uytterhoeven
2025-02-19 13:40 ` Jarkko Sakkinen
2025-02-19 7:05 ` Boqun Feng
2025-02-19 11:32 ` Jarkko Sakkinen
2025-02-18 17:36 ` Jiri Kosina
2025-02-20 6:33 ` Christoph Hellwig
2025-02-20 18:40 ` Alexei Starovoitov
2025-02-18 18:46 ` Miguel Ojeda
2025-02-18 21:49 ` H. Peter Anvin
2025-02-18 22:38 ` Dave Airlie
2025-02-18 22:54 ` Miguel Ojeda
2025-02-19 0:58 ` H. Peter Anvin
2025-02-19 3:04 ` Boqun Feng
2025-02-19 5:07 ` NeilBrown
2025-02-19 5:39 ` Greg KH
2025-02-19 15:05 ` Laurent Pinchart
2025-02-20 20:49 ` Lyude Paul
2025-02-21 19:24 ` Laurent Pinchart
2025-02-20 7:03 ` Martin Uecker
2025-02-20 7:10 ` Greg KH
2025-02-20 8:57 ` Martin Uecker
2025-02-20 13:46 ` Dan Carpenter
2025-02-20 14:09 ` Martin Uecker
2025-02-20 14:38 ` H. Peter Anvin
2025-02-20 15:25 ` Dan Carpenter
2025-02-20 15:49 ` Willy Tarreau
2025-02-22 15:30 ` Kent Overstreet
2025-02-20 14:53 ` Greg KH
2025-02-20 15:40 ` Martin Uecker
2025-02-21 0:46 ` Miguel Ojeda
2025-02-21 9:48 ` Dan Carpenter
2025-02-21 16:28 ` Martin Uecker
2025-02-21 17:43 ` Steven Rostedt
2025-02-21 18:07 ` Linus Torvalds
2025-02-21 18:19 ` Steven Rostedt
2025-02-21 18:31 ` Martin Uecker
2025-02-21 19:30 ` Linus Torvalds
2025-02-21 19:59 ` Martin Uecker
2025-02-21 20:11 ` Linus Torvalds
2025-02-22 7:20 ` Martin Uecker
2025-02-21 22:24 ` Steven Rostedt
2025-02-21 23:04 ` Linus Torvalds
2025-02-22 17:53 ` Kent Overstreet
2025-02-22 18:44 ` Linus Torvalds
2025-02-23 16:42 ` David Laight
2025-02-21 23:37 ` Martin Uecker
2025-02-25 22:49 ` David Laight
2025-02-22 18:42 ` Linus Torvalds
2025-02-22 9:45 ` Dan Carpenter
2025-02-22 10:25 ` Martin Uecker
2025-02-22 11:07 ` Greg KH
2025-02-21 18:23 ` Martin Uecker
2025-02-21 22:14 ` Steven Rostedt
2025-03-01 13:22 ` Askar Safin
2025-03-01 13:55 ` Martin Uecker
2025-03-02 6:50 ` Kees Cook
2025-02-21 18:11 ` Theodore Ts'o
2025-02-24 8:12 ` Dan Carpenter
2025-02-20 22:08 ` Paul E. McKenney
2025-02-22 23:42 ` Piotr Masłowski
2025-02-23 8:10 ` Martin Uecker
2025-02-23 23:31 ` comex
2025-02-24 9:08 ` Ventura Jack
2025-02-24 18:03 ` Martin Uecker
2025-02-20 12:28 ` Jan Engelhardt
2025-02-20 12:37 ` Greg KH
2025-02-20 13:23 ` H. Peter Anvin
2025-02-20 13:51 ` Willy Tarreau
2025-02-20 15:17 ` C aggregate passing (Rust kernel policy) Jan Engelhardt
2025-02-20 16:46 ` Linus Torvalds
2025-02-20 20:34 ` H. Peter Anvin
2025-02-21 8:31 ` HUANG Zhaobin
2025-02-21 18:34 ` David Laight
2025-02-21 19:12 ` Linus Torvalds
2025-02-21 20:07 ` comex
2025-02-21 21:45 ` David Laight
2025-02-22 6:32 ` Willy Tarreau
2025-02-22 6:37 ` Willy Tarreau
2025-02-22 8:41 ` David Laight
2025-02-22 9:11 ` Willy Tarreau
2025-02-21 20:06 ` Jan Engelhardt
2025-02-21 20:23 ` Laurent Pinchart
2025-02-21 20:24 ` Laurent Pinchart
2025-02-21 22:02 ` David Laight
2025-02-21 22:13 ` Bart Van Assche
2025-02-22 5:56 ` comex
2025-02-21 20:26 ` Linus Torvalds
2025-02-21 22:19 ` henrychurchill
2025-02-21 22:52 ` henrychurchill
2025-02-20 22:13 ` Rust kernel policy Paul E. McKenney
2025-02-21 5:19 ` Felipe Contreras
2025-02-21 5:36 ` Boqun Feng
2025-02-21 5:59 ` Felipe Contreras
2025-02-21 7:04 ` Dave Airlie
2025-02-24 20:27 ` Felipe Contreras
2025-02-24 20:37 ` Boqun Feng
2025-02-26 2:42 ` Felipe Contreras
2025-02-22 16:04 ` Kent Overstreet
2025-02-22 17:10 ` Ventura Jack
2025-02-22 17:34 ` Kent Overstreet
2025-02-23 2:08 ` Bart Van Assche
2025-02-19 5:53 ` Alexey Dobriyan
2025-02-19 5:59 ` Dave Airlie
2025-02-22 18:46 ` Kent Overstreet
2025-02-19 12:37 ` Miguel Ojeda
2025-02-20 11:26 ` Askar Safin
2025-02-20 12:33 ` vpotach
2025-02-19 18:52 ` Kees Cook
2025-02-19 19:08 ` Steven Rostedt
2025-02-19 19:17 ` Kees Cook
2025-02-19 20:27 ` Jason Gunthorpe
2025-02-19 20:46 ` Steven Rostedt [this message]
2025-02-19 20:52 ` Bart Van Assche
2025-02-19 21:07 ` Steven Rostedt
2025-02-20 16:05 ` Jason Gunthorpe
2025-02-20 8:13 ` Jarkko Sakkinen
2025-02-20 8:16 ` Jarkko Sakkinen
2025-02-20 11:57 ` Fiona Behrens
2025-02-20 14:07 ` Jarkko Sakkinen
2025-02-21 10:19 ` Jarkko Sakkinen
2025-02-22 12:10 ` Miguel Ojeda
2025-03-04 11:17 ` Fiona Behrens
2025-03-04 17:48 ` Jarkko Sakkinen
2025-02-20 9:55 ` Leon Romanovsky
2025-02-19 19:33 ` H. Peter Anvin
2025-02-20 6:32 ` Alexey Dobriyan
2025-02-20 6:53 ` Greg KH
2025-02-20 8:44 ` Alexey Dobriyan
2025-02-20 13:53 ` Willy Tarreau
2025-02-20 16:04 ` Jason Gunthorpe
2025-02-20 12:01 ` H. Peter Anvin
2025-02-20 12:13 ` H. Peter Anvin
2025-02-20 23:42 ` Miguel Ojeda
2025-02-22 15:21 ` Kent Overstreet
2025-02-20 6:42 ` Christoph Hellwig
2025-02-20 23:44 ` Miguel Ojeda
2025-02-21 15:24 ` Simona Vetter
2025-02-22 12:10 ` Miguel Ojeda
2025-02-26 13:17 ` Fiona Behrens
2025-02-21 0:39 ` Linus Torvalds
2025-02-21 12:16 ` Danilo Krummrich
2025-02-21 15:59 ` Steven Rostedt
2025-02-23 18:03 ` Laurent Pinchart
2025-02-23 18:31 ` Linus Torvalds
2025-02-26 16:05 ` Jason Gunthorpe
2025-02-26 19:32 ` Linus Torvalds
2025-02-19 8:05 ` Dan Carpenter
2025-02-19 14:14 ` James Bottomley
2025-02-19 14:30 ` Geert Uytterhoeven
2025-02-19 14:46 ` Martin K. Petersen
2025-02-19 14:51 ` Bartosz Golaszewski
2025-02-19 15:15 ` James Bottomley
2025-02-19 15:33 ` Willy Tarreau
2025-02-19 15:45 ` Laurent Pinchart
2025-02-19 15:46 ` James Bottomley
2025-02-19 15:56 ` Willy Tarreau
2025-02-19 16:07 ` Laurent Pinchart
2025-02-19 16:15 ` Willy Tarreau
2025-02-19 16:32 ` Laurent Pinchart
2025-02-19 16:34 ` Willy Tarreau
2025-02-19 16:33 ` Steven Rostedt
2025-02-19 16:47 ` Andrew Lunn
2025-02-19 18:22 ` Jarkko Sakkinen
2025-02-20 6:26 ` Alexey Dobriyan
2025-02-20 15:37 ` Steven Rostedt
2025-02-19 17:00 ` Martin K. Petersen
2025-02-19 15:13 ` Steven Rostedt
2025-02-19 14:05 ` James Bottomley
2025-02-19 15:08 ` Miguel Ojeda
2025-02-19 16:03 ` James Bottomley
2025-02-19 16:44 ` Miguel Ojeda
2025-02-19 17:06 ` Theodore Ts'o
2025-02-20 23:40 ` Miguel Ojeda
2025-02-22 15:03 ` Kent Overstreet
2025-02-20 16:03 ` James Bottomley
2025-02-20 23:47 ` Miguel Ojeda
2025-02-20 6:48 ` Christoph Hellwig
2025-02-20 12:56 ` James Bottomley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250219154610.30dc6223@gandalf.local.home \
--to=rostedt@goodmis.org \
--cc=airlied@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=hch@infradead.org \
--cc=jgg@nvidia.com \
--cc=kees@kernel.org \
--cc=ksummit@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=miguel.ojeda.sandonis@gmail.com \
--cc=rust-for-linux@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox