From: Andreas Hindborg
To: "Alice Ryhl"
Cc: "Miguel Ojeda", "Matthew Wilcox", "Lorenzo Stoakes", "Vlastimil Babka", "John Hubbard", "Liam R. Howlett", "Andrew Morton", "Greg Kroah-Hartman", "Arnd Bergmann", "Jann Horn", "Suren Baghdasaryan", "Alex Gaynor", "Boqun Feng", "Gary Guo", "Björn Roy Baron", "Benno Lossin", "Trevor Gross"
Subject: Re: [PATCH v12 8/8] task: rust: rework how current is accessed
In-Reply-To: <20250115-vma-v12-8-375099ae017a@google.com> (Alice Ryhl's message of "Wed, 15 Jan 2025 13:35:11 +0000")
References: <20250115-vma-v12-0-375099ae017a@google.com> <20250115-vma-v12-8-375099ae017a@google.com>
Date: Mon, 20 Jan 2025 14:58:18 +0100
Message-ID: <87cyghd1tx.fsf@kernel.org>
"Alice Ryhl" writes:

> Introduce a new type called `CurrentTask` that lets you perform various
> operations that are only safe on the `current` task. Use the new type to
> provide a way to access the current mm without incrementing its
> refcount.
>
> With this change, you can write stuff such as
>
>     let vma = current!().mm().lock_vma_under_rcu(addr);
>
> without incrementing any refcounts.
>
> This replaces the existing abstractions for accessing the current pid
> namespace. With the old approach, every field access to current involves
> both a macro and an unsafe helper function. The new approach simplifies
> that to a single safe function on the `CurrentTask` type. This makes it
> less heavy-weight to add additional current accessors in the future.
>
> That said, creating a `CurrentTask` type like the one in this patch
> requires that we are careful to ensure that it cannot escape the current
> task or otherwise access things after they are freed. To do this, I
> declared that it cannot escape the current "task context" where I
> defined a "task context" as essentially the region in which `current`
> remains unchanged. So e.g., release_task() or begin_new_exec() would
> leave the task context.
>
> If a userspace thread returns to userspace and later makes another
> syscall, then I consider the two syscalls to be different task contexts.
> This allows values stored in that task to be modified between syscalls,
> even if they're guaranteed to be immutable during a syscall.
>
> Ensuring correctness of `CurrentTask` is slightly tricky if we also want
> the ability to have a safe `kthread_use_mm()` implementation in Rust. To
> support that safely, there are two patterns we need to ensure are safe:
>
>     // Case 1: current!() called inside the scope.
>     let mm;
>     kthread_use_mm(some_mm, || {
>         mm = current!().mm();
>     });
>     drop(some_mm);
>     mm.do_something(); // UAF
>
> and:
>
>     // Case 2: current!() called before the scope.
>     let mm;
>     let task = current!();
>     kthread_use_mm(some_mm, || {
>         mm = task.mm();
>     });
>     drop(some_mm);
>     mm.do_something(); // UAF
>
> The existing `current!()` abstraction already natively prevents the
> first case: The `&CurrentTask` would be tied to the inner scope, so the
> borrow-checker ensures that no reference derived from it can escape the
> scope.
>
> Fixing the second case is a bit more tricky. The solution is to
> essentially pretend that the contents of the scope execute on a
> different thread, which means that only thread-safe types can cross the
> boundary. Since `CurrentTask` is marked `NotThreadSafe`, attempts to
> move it to another thread will fail, and this includes our fake pretend
> thread boundary.
>
> This has the disadvantage that other types that aren't thread-safe for
> reasons unrelated to `current` also cannot be moved across the
> `kthread_use_mm()` boundary. I consider this an acceptable tradeoff.
>
> Reviewed-by: Boqun Feng
> Signed-off-by: Alice Ryhl

Reviewed-by: Andreas Hindborg

Best regards,
Andreas Hindborg