From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id C5D14C48297 for ; Fri, 9 Feb 2024 17:19:59 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 3A0706B0078; Fri, 9 Feb 2024 12:19:59 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 3511E6B007D; Fri, 9 Feb 2024 12:19:59 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 2189A6B007E; Fri, 9 Feb 2024 12:19:59 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0016.hostedemail.com [216.40.44.16]) by kanga.kvack.org (Postfix) with ESMTP id 10FD26B0078 for ; Fri, 9 Feb 2024 12:19:59 -0500 (EST) Received: from smtpin13.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay08.hostedemail.com (Postfix) with ESMTP id D188D1410F7 for ; Fri, 9 Feb 2024 17:19:58 +0000 (UTC) X-FDA: 81772928076.13.E2D2DAE Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.126.133]) by imf26.hostedemail.com (Postfix) with ESMTP id B5CC8140012 for ; Fri, 9 Feb 2024 17:19:56 +0000 (UTC) Authentication-Results: imf26.hostedemail.com; dkim=pass header.d=valentinobst.de header.s=s1-ionos header.b=EM0VMRLq; dmarc=none; spf=pass (imf26.hostedemail.com: domain of kernel@valentinobst.de designates 212.227.126.133 as permitted sender) smtp.mailfrom=kernel@valentinobst.de ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1707499197; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-transfer-encoding:in-reply-to:in-reply-to: references:references:dkim-signature; bh=i+OCVG4s23YokrPTMMjHz6IsbfkNeq+64pON97c/i4s=; b=redb9VB+++Fw0rD8tE8b8oOPPn3kI0+asvHf3Q6RPnFuSpY/XAQPcjMhhzOvZVA5HNBKyq eicJziRFOJ/nZ8JYOLisBlEYongRIdpRdyLYJlcpoGDj/K7M7dVAbRMEXBv83meJSYOw2x IaBbY9I9iCZeK5vVU+NP8jetGKav2U0= ARC-Authentication-Results: i=1; imf26.hostedemail.com; dkim=pass header.d=valentinobst.de header.s=s1-ionos header.b=EM0VMRLq; dmarc=none; spf=pass (imf26.hostedemail.com: domain of kernel@valentinobst.de designates 212.227.126.133 as permitted sender) smtp.mailfrom=kernel@valentinobst.de ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1707499197; a=rsa-sha256; cv=none; b=4O5eUDu6pNGafSnkh9jLgHRLBigxPMAJ2p+7/bumddRefDNlEP7+PXv7wrslYUotXRxaAD a4vDqkuNU0oM6ouKJ0IWzpLm9rIo+zFTc4Xeu9zM/PeYCu6TBxawE45gvO6rae/UBkTKH9 AgPeIUvIp6pMAWI8SH7PB1O4PV2IN5g= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=valentinobst.de; s=s1-ionos; t=1707499187; x=1708103987; i=kernel@valentinobst.de; bh=UsNSt6e4uXXzAf272aBm0wKAn8cU99EE380sIjFDd/E=; h=X-UI-Sender-Class:From:To:Cc:Subject:Date:In-Reply-To: References; b=EM0VMRLqOGOXoL8Qzx04icyqNXHE9PYGwMjCbP/uiZ3pBDdVhnJMlDzFcIwfHvNM XF3/h8l+dCkJKN+7nAV3NDSKQau+r1Ww/TiGKXhpSQYcJu3arSmHKrVIok0g0ZTUI nlw1l+DNLdPEHVK0yRvbB2DZUdVyqqSNa9UHdzopbL51vzm9zK0Zn+m31X+rRUQUT MG+XGT51Uscx5qsQi3XDBfuocO9fuW4c6T55ONQGPxFp0GUUGcx2PE7SZ+730cIPQ Yp/ZOxCRml249a4t8h7SqtHI2nMosIohMYim+/AIfDnTzRyQI29MnLe/PljpZHhFt qbYB7X82AGqLUXErYA== X-UI-Sender-Class: 55c96926-9e95-11ee-ae09-1f7a4046a0f6 Received: from localhost.localdomain ([217.149.163.107]) by mrelayeu.kundenserver.de (mreue012 [213.165.67.97]) with ESMTPSA (Nemesis) id 1M4bd0-1rWpqW4Azu-001kh0; Fri, 09 Feb 2024 18:19:47 +0100 From: Valentin Obst To: aliceryhl@google.com Cc: a.hindborg@samsung.com, akpm@linux-foundation.org, alex.gaynor@gmail.com, arnd@arndb.de, arve@android.com, benno.lossin@proton.me, bjorn3_gh@protonmail.com, boqun.feng@gmail.com, brauner@kernel.org, cmllamas@google.com, gary@garyguo.net, gregkh@linuxfoundation.org, joel@joelfernandes.org, keescook@chromium.org, kernel@valentinobst.de, linux-kernel@vger.kernel.org, linux-mm@kvack.org, maco@android.com, ojeda@kernel.org, rust-for-linux@vger.kernel.org, surenb@google.com, tkjos@android.com, viro@zeniv.linux.org.uk, wedsonaf@gmail.com Subject: Re: [PATCH v2 3/4] rust: uaccess: add typed accessors for userspace pointers Date: Fri, 9 Feb 2024 18:18:41 +0100 Message-ID: <20240209171841.3494-1-kernel@valentinobst.de> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 X-Provags-ID: V03:K1:E/ajS4dEMh4eVMlP+RWn/KBa4oRK8yFyBO8ueV4i6LAUXCIv+RD sZSTvB44KcgMEZqb3bC6CqC5QvYjmCj237ZUb3jDdizWJC6lfT4V3xiGmy7gWzXb4mOThjK 0bACvJzhuqbFJJTJMT16Z9DkUXQi8pQSESrQdKwr8S4J9YWFYLxcurMlooUyZ8C7OWhnuLP F5TxqYREPezYur29PXJng== UI-OutboundReport: notjunk:1;M01:P0:QCECXHsTf48=;+jFxZJXMjw0eAGA9wRyu5fsewLe EApEVcP3wDMOmD5bC6vVvcWnQ4G8rQKoHSInVKTsQRa6EPbeRqqAGRKyi74GC1MV50+2dNby6 uDUQdKK0IkZB7owd5vQybtWZ80NLx1rFRH0x+JPCClic+2XRwPmealUGOTbt88jXQHHcaa7m1 2VAjO7bh0Ipz1luX3eVRr1joEIEsC/B0wqZjteIuO4/EUDmYmXVi4eLTPhZS7/wmSqNhI2fiQ PJieTILebbic/r7w1XwFXJh+mbChBQH0oAZ7lVHTsL5GLECyiqJAc0gOGYDJunN3di91zPQfE CIEpDkyipJcUMoHNeoxQWww4aQnBeWtZuIl0T19pIv43/oKah3p40772Eru+V98PuTxzptGuB PZBWsUo+HC6qkZlEJ62+Lz/REG4DDYOt1UDIQN1o3fhLjp0Aqg2JdkAbhJQIsIdWDIBjICURC CTtRcB4PVi+6OTJn53AdIdcfl99iNlemyPLG15tZAWchAcU9hIISP0BuFHHRmdSHzCUEThVYp hVRkSNuOFolNQI5jhfrAPFUMp0hRdAhDpNMD9YPrnV1iODkHsZFr3cQXhSXLEyumcePPM3xrI C6f74DJCiCM0bYFuB3i2n2D3wkTAYAq55BThRGsunDPx3qpWGot2FG4fF6DrrlkUmFAAlp0sg Hu2SyvenPVIUwLBpae6KUyWpVMUyxxALaHcUgmJ8dJVfVD71JpHZJSpbWEkTg8P85Pfb/bTl6 Pw321gRmZ/mrbq8gtPh4H+P8ZHG3EW2FTvnUCALbo+zj6NV4RAQQ3I= X-Rspam-User: X-Rspamd-Server: rspam12 X-Rspamd-Queue-Id: B5CC8140012 X-Stat-Signature: sybe1cjgep859unte4etxyssnn1y131x X-HE-Tag: 1707499196-573870 X-HE-Meta: U2FsdGVkX18GisCNiwLan7vr3Mgqe7lPMxD8Wp7XCm3LmfxbksgTsid9o6120Gp3371KGDwgPlIeQ/4cQ6500W4hJGlfYhXMJowUfVlh+8KELYtYTRyvYYrJiXtXKyKROgKmmYtY3INIUZ17CSNuyh6l7CY/n60HANaA9+s2MkefP1ckdE3GiIA9RDc/NUfgnyVgrUs0r8iUIHDL+7r9PumuAFPJI9b0c44dMBeqQUjoqwbnnsRMhXeCUcmYRzl9t6Ink/o1spvH8yI6LKu9Lxq88XkbABkQMArAaZjuX+M6FtEDA0wPqkXS1SVZQbTw8Y+tkW2Q9zhjRDbpvMeiJ4TR7mrsZ/+seb3o5kg/w8TfUS1dqBDngrmykkOD11sC8d055SRmqG4utKd8yQWUta/8l2KbN42V0QEWfQkIJ2Kfjo311jtl0mmgmPQ0ce/8EXQHKjCf2yxh3WGnMLhtB7IL2/hcAnInUC8sA3aj30BKE+lq9xaLxlkSWPU4I9Ml0529J4hgk/QwkXiAQMX5ObvUucQphjmaw5Z8eh0j4o0Bq8RhlV/9ypWET+6QC4vvztBNDt6pPFSNDTz0IQw8sX8Z0kN3+xwGzQikQfIcldTXAsmVNVJARMepnNVo4gL2Vt4OAzB4X08Z/c/XPBqZl3cpJzjTeMkCtiLT/qQmvRqbxxs5c6m2eFxt9kAc/9+4p11otOPFXoCnf9xTsHEa8xQjXf3LdpNsUAzfMQH865ysFM75hlz87Cx3h1dIkqYTyMILtckaKvWVg27NomwqQ6pPayCpIaa5K/RcJ4qprPVPhu7Yw+u0PlyGy2Uli+eJG2hCvOB32m5Thxh32v/35EW6m7UqWedA24lWU+wL6vZOJr8fYcFhPwZuKNQpIgB1wU06m2CZLMOxHD9EBO0kbuZqFE0qH4hS4yRXdlo0vg0kQNIZVJmpsjgl/vl95yHZqEogA+uxS80T0EpFfYk MEn6OBnz QSGeZtExySZAzy0DzFvGNMqwUMIYKXMY28r4SLFijzkWsGhndKg3CYGqgmuwmQIAmmAx9eD9ZLG6V6ThFndDFtQYGitkuCqTLulqpxlyhEeYS4/k5NzTEUCr4VWfRHWaC1fDPvWjAPuDUpOgKk8qAaUEqN3+2VIZFlAMFz/0VUHlta6dda0ge2m7vk4KjO+fI52LQUiAMyioEyoFvvVhcn1q4FWhPM64odNaB1AP3kcN1NxMkvTolu/Ng/eAOsmLxghnTNM70MftGpVOTcgbL2Ta0ICYagvOD5v8O+lZQM22UNKBeiUYAZuGj6A== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: > > > +/// If a struct implements this trait, then it is okay to copy it byte-for-byte > > > +/// to userspace. This means that it should not have any padding, as padding > > > +/// bytes are uninitialized. Reading uninitialized memory is not just undefined > > > +/// behavior, it may even lead to leaking sensitive information on the stack to > > > +/// userspace. > > > > This feels a bit too restrictive to me. Isn't it okay to copy types with > > padding if it is ensured that the padding is always initialized? > > > > I recall that in C one occasionally does a `memset` for structs that are > > copied to user space. I imagine that one could have a Rust > > abstraction/macro that makes it easy to define custom types that can > > always guarantee that all padding bytes are initialized. Such types > > would then qualify for being copied to user space if all field do so as > > well. > > > > This could be a significant quality-of-life improvement for drivers > > as it can be tedious to define struct without padding. > > I don't think we should go that route. For example: > > let struct_1 = ..; > memset(&mut struct_1, 0); > let struct_2 = struct_1; > > Even though struct_1 has its padding zeroed here, that is not the case > for struct_2. When Rust performs a typed copy/move, the padding is not > copied. > > Anyway, there is a work-around. Define your struct with MaybeUninit: > > // INVARIANT: All bytes always initialized. > struct MyWrapper(MaybeUninit); > > impl Default for MyWrapper { > fn default() -> Self { > MyWrapper(MaybeUninit::zeroed()) > } > } > > Unlike the bare struct, things wrapped in MaybeUninit always have > their padding preserved. Then, you can implement the trait for this > wrapper, since its padding is always initialized even if that is not > true for the wrapped struct. Yea, I see the issue posed by moving values around. What I had in mind was some library code that makes achieving the above behavior more ergonomic and semantically clearer (in the sense that without the surrounding comments it might not be immediately clear to someone reading the code why you are doing things that way). My reply was mainly about gauging interest into such a feature. However, this really is independent from this patch and could always be added later. I agree with mentioning padding in the comment and see nothing blocking here. - Best Valentin > > Alice