Date: Tue, 16 Apr 2024 09:53:23 +0000
Message-ID: <20240416095323.1107928-1-aliceryhl@google.com>
Subject: Re: [PATCH v5 1/4] rust: uaccess: add userspace pointers
From: Alice Ryhl
To: boqun.feng@gmail.com
Cc: a.hindborg@samsung.com, akpm@linux-foundation.org, alex.gaynor@gmail.com, aliceryhl@google.com, arnd@arndb.de, arve@android.com, benno.lossin@proton.me, bjorn3_gh@protonmail.com, brauner@kernel.org, cmllamas@google.com, gary@garyguo.net, gregkh@linuxfoundation.org, joel@joelfernandes.org, keescook@chromium.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, maco@android.com, ojeda@kernel.org, rust-for-linux@vger.kernel.org, surenb@google.com, tkjos@android.com, viro@zeniv.linux.org.uk, wedsonaf@gmail.com, willy@infradead.org

Boqun Feng writes:
> On Mon, Apr 15, 2024 at 07:13:53AM +0000, Alice Ryhl wrote:
>> From: Wedson Almeida Filho
>>
>> A pointer to an area in userspace memory, which can be either read-only
>> or read-write.
>>
>> All methods on this struct are safe: attempting to read or write on bad
>> addresses (either out of the bounds of the slice or unmapped addresses)
>> will return `EFAULT`. Concurrent access, *including data races to/from
>> userspace memory*, is permitted, because fundamentally another userspace
>> thread/process could always be modifying memory at the same time (in the
>> same way that userspace Rust's `std::io` permits data races with the
>> contents of files on disk). In the presence of a race, the exact byte
>> values read/written are unspecified but the operation is well-defined.
>> Kernelspace code should validate its copy of data after completing a
>> read, and not expect that multiple reads of the same address will return
>> the same value.
>>
>> These APIs are designed to make it difficult to accidentally write
>> TOCTOU bugs. Every time you read from a memory location, the pointer is
>> advanced by the length so that you cannot use that reader to read the
>> same memory location twice. Preventing double-fetches avoids TOCTOU
>> bugs. This is accomplished by taking `self` by value to prevent
>> obtaining multiple readers on a given `UserSlicePtr`, and the readers
>> only permitting forward reads. If double-fetching a memory location is
>> necessary for some reason, then that is done by creating multiple
>> readers to the same memory location.
>>
>> Constructing a `UserSlicePtr` performs no checks on the provided
>> address and length; it can safely be constructed inside a kernel thread
>> with no current userspace process. Reads and writes wrap the kernel APIs
>> `copy_from_user` and `copy_to_user`, which check the memory map of the
>> current process and enforce that the address range is within the user
>> range (no additional calls to `access_ok` are needed).
>>
>> This code is based on something that was originally written by Wedson on
>> the old rust branch. It was modified by Alice by removing the
>> `IoBufferReader` and `IoBufferWriter` traits, and various other changes.
>>
>> Signed-off-by: Wedson Almeida Filho
>> Co-developed-by: Alice Ryhl
>> Signed-off-by: Alice Ryhl
>
> Thanks!
>
> Reviewed-by: Boqun Feng

Thanks for taking a look!

>> ---
>>  rust/helpers.c         |  14 +++
>>  rust/kernel/lib.rs     |   1 +
>>  rust/kernel/uaccess.rs | 304 +++++++++++++++++++++++++++++++++++++++++++++++++
>>  3 files changed, 319 insertions(+)
>>
> [...]
>> +    /// Reads raw data from the user slice into a kernel buffer.
>> +    ///
>> +    /// Fails with `EFAULT` if the read happens on a bad address.
>
> ... we probably want to mention that `out` may get modified even in
> failure cases.

Will do.

>> +    pub fn read_slice(&mut self, out: &mut [u8]) -> Result {
>> +        // SAFETY: The types are compatible and `read_raw` doesn't write uninitialized bytes to
>> +        // `out`.
>> +        let out = unsafe { &mut *(out as *mut [u8] as *mut [MaybeUninit]) };
>> +        self.read_raw(out)
>> +    }
>> +
> [...]
>> +
>> +impl UserSliceWriter {
> [...]
>> +
>> +    /// Writes raw data to this user pointer from a kernel buffer.
>> +    ///
>> +    /// Fails with `EFAULT` if the write happens on a bad address.
>
> Same here, probably mention that: the userspace memory may be modified
> even in failure cases.

Will do.

> Anyway, they are not correctness critical, so we can do these in later
> patches.

It looks like I'll have to send another version anyway due to the
conflict with [1], so I can take care of it.

Alice

[1]: https://lore.kernel.org/rust-for-linux/20240328013603.206764-1-wedsonaf@gmail.com/
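Review bot: the SAFETY comment on the pointer cast in `read_slice` rests entirely on the claim that `read_raw` never writes uninitialized bytes into `out`; that is a contract of `read_raw`, not of `read_slice`, so it should also be stated in `read_raw`'s own doc comment (and the two kept in sync) so that the soundness argument is visible at the place where it has to be upheld. While touching the doc comment, "Fails with `EFAULT` if the read happens on a bad address" could add that `out` may already be partially overwritten when the error is returned, matching the point raised in this thread.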
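The forward-only reader design that the commit message above describes (a reader is obtained by value, every read advances the pointer, and the kernel validates its own copy instead of re-reading userspace), as an added example that is not code from this patch or from the Rust-for-Linux tree: a self-contained Rust model in which `FakeUserMemory`, its `copy_from_user`, `EFault` and the one-byte length-prefixed message format are constructed stand-ins, and `read_slice` takes the memory as a parameter rather than reading the current process. It also models the behaviour raised in the review above: `out` may be partially overwritten when the copy fails.

```rust
// Added example, not code from the patch: a userspace-free model of the
// forward-only reader design from the commit message. The kernel's
// `copy_from_user`, the process memory map and `EFAULT` are replaced by
// constructed stand-ins so the block runs as an ordinary Rust program.

/// Stand-in for the kernel's `EFAULT` error code (constructed).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct EFault;

/// Constructed model of a process address space: one mapped region, and
/// every other address is unmapped. It plays the role of the memory map
/// that the real `copy_from_user` consults.
pub struct FakeUserMemory {
    base: usize,
    bytes: Vec<u8>,
}

impl FakeUserMemory {
    pub fn new(base: usize, bytes: Vec<u8>) -> Self {
        Self { base, bytes }
    }

    /// Models `copy_from_user`: copies until the first unmapped address and
    /// then reports `EFault`. As with the real call, `out` may already be
    /// partially overwritten when the error is returned.
    pub fn copy_from_user(&self, out: &mut [u8], addr: usize) -> Result<(), EFault> {
        for (i, slot) in out.iter_mut().enumerate() {
            let a = addr.checked_add(i).ok_or(EFault)?;
            let off = a.checked_sub(self.base).ok_or(EFault)?;
            *slot = *self.bytes.get(off).ok_or(EFault)?;
        }
        Ok(())
    }
}

/// Model of `UserSlicePtr`: an (address, length) pair that is not validated
/// when it is constructed.
pub struct UserSlicePtr {
    ptr: usize,
    len: usize,
}

impl UserSlicePtr {
    pub fn new(ptr: usize, len: usize) -> Self {
        Self { ptr, len }
    }

    /// Consumes `self`, so one `UserSlicePtr` yields exactly one reader.
    pub fn reader(self) -> UserSliceReader {
        UserSliceReader { ptr: self.ptr, len: self.len }
    }
}

/// Forward-only reader: each successful read advances `ptr`, so the same
/// address cannot be fetched twice through one reader.
pub struct UserSliceReader {
    ptr: usize,
    len: usize,
}

impl UserSliceReader {
    /// Bytes remaining in the slice.
    pub fn len(&self) -> usize {
        self.len
    }

    /// Reads `out.len()` bytes and advances. Reading past the end of the
    /// slice fails with `EFault` before memory is touched, like the real
    /// API. (`mem` is a parameter here; the kernel reads the current process.)
    pub fn read_slice(&mut self, mem: &FakeUserMemory, out: &mut [u8]) -> Result<(), EFault> {
        if out.len() > self.len {
            return Err(EFault);
        }
        mem.copy_from_user(out, self.ptr)?;
        self.ptr += out.len();
        self.len -= out.len();
        Ok(())
    }
}

/// Constructed message format: a one-byte payload length followed by the
/// payload. The length is validated on the kernel's copy and userspace is
/// never re-read to check it, so a concurrent change of the header byte
/// cannot make the check and the later use disagree.
pub fn read_length_prefixed(mem: &FakeUserMemory, slice: UserSlicePtr) -> Result<Vec<u8>, EFault> {
    let mut reader = slice.reader();
    let mut hdr = [0u8; 1];
    reader.read_slice(mem, &mut hdr)?;
    let claimed = usize::from(hdr[0]);
    if claimed > reader.len() {
        return Err(EFault);
    }
    let mut payload = vec![0u8; claimed];
    reader.read_slice(mem, &mut payload)?;
    Ok(payload)
}
```

Because `reader()` takes `self` by value and `read_slice` takes `&mut self`, the borrow checker rejects any attempt to hold two readers over one `UserSlicePtr`, and the only way to see the header byte a second time is to construct a second `UserSlicePtr` for the same address, which makes an intentional double fetch visible in the code.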