References: <20241122-vma-v9-0-7127bfcdd54e@google.com> <20241122-vma-v9-8-7127bfcdd54e@google.com>
From: Jann Horn
Date: Wed, 27 Nov 2024 16:52:10 +0100
Subject: Re: [PATCH v9 8/8] task: rust: rework how current is accessed
To: Alice Ryhl
Cc: Miguel Ojeda, Matthew Wilcox, Lorenzo Stoakes, Vlastimil Babka, John Hubbard, "Liam R. Howlett", Andrew Morton, Greg Kroah-Hartman, Arnd Bergmann, Christian Brauner, Suren Baghdasaryan, Alex Gaynor, Boqun Feng, Gary Guo, Björn Roy Baron, Benno Lossin, linux-kernel@vger.kernel.org, linux-mm@kvack.org, rust-for-linux@vger.kernel.org, Andreas Hindborg

On Wed, Nov 27, 2024 at 1:36 PM Alice Ryhl wrote:
> On Tue, Nov 26, 2024 at 6:15 PM Jann Horn wrote:
> >
> > On Fri, Nov 22, 2024 at 4:41 PM Alice Ryhl wrote:
> > > +impl CurrentTask {
> > > + /// Access the address space of this task.
> > > + ///
> > > + /// To increment the refcount of the referenced `mm`, you can use `ARef::from`.
> > > + #[inline]
> > > + pub fn mm(&self) -> Option<&MmWithUser> {
> > > + let mm = unsafe { (*self.as_ptr()).mm };
> > > +
> > > + if mm.is_null() {
> > > + None
> > > + } else {
> > > + // SAFETY: If `current->mm` is non-null, then it references a valid mm with a non-zero
> > > + // value of `mm_users`. The returned `&MmWithUser` borrows from `CurrentTask`, so the
> > > + // `&MmWithUser` cannot escape the current task, meaning `mm_users` can't reach zero
> > > + // while the reference is still live.
> > > + Some(unsafe { MmWithUser::from_raw(mm) })
> >
> > Maybe also add safety comments for these nitpicky details:
> >
> > kthreads can use kthread_use_mm()/kthread_unuse_mm() to change
> > current->mm (which allows kthreads to access arbitrary userspace
> > address spaces with copy_from_user/copy_to_user), but as long as you
> > can't call into kthread_use_mm()/kthread_unuse_mm() from Rust code,
> > this should be correct. If you do want to allow calls into
> > kthread_use_mm()/kthread_unuse_mm() later on, you might have to gate
> > this on a check for PF_KTHREAD, or something like that.
>
> Huh ... is it possible to use kthread_use_mm() to create a situation
> where current->mm has mm_users equal to zero? If not, then I don't
> think it's a problem.

Ah, no, I don't think so. I think the only problematic scenario would
be if rust code created a borrow of current->mm, then called
kthread_unuse_mm() and dropped the reference that was held on the MM,
and then accessed the borrowed old mm_struct. Which isn't possible
unless a Rust binding is created for
kthread_use_mm()/kthread_unuse_mm().

> > Binary formats' .load_binary implementations can change current->mm by
> > calling begin_new_exec(), but that's not an issue as long as no binary
> > format loaders are implemented in Rust.
>
> I think we can allow such loaders by having them involve an unsafe
> operation asserting that you're not holding any references into
> current when you start the new process.

Sounds reasonable.
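
Review bot: the `unsafe { (*self.as_ptr()).mm }` read at the top of `mm()` has no `// SAFETY:` comment, unlike the `MmWithUser::from_raw(mm)` call below it; add one saying why dereferencing `self.as_ptr()` is valid at that point. The existing SAFETY comment on `from_raw` also depends on `current->mm` not being replaced while the returned `&MmWithUser` is live, so it should state the assumption raised in this thread: nothing callable from Rust reaches kthread_use_mm()/kthread_unuse_mm() or begin_new_exec(). With that written down, anyone who later adds such a binding has a documented invariant to revisit.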