From: Alice Ryhl
Date: Thu, 8 Feb 2024 13:20:28 +0100
Subject: Re: [PATCH 1/3] rust: add userspace pointers
To: Valentin Obst
Cc: a.hindborg@samsung.com, akpm@linux-foundation.org, alex.gaynor@gmail.com, arnd@arndb.de, arve@android.com, benno.lossin@proton.me, bjorn3_gh@protonmail.com, boqun.feng@gmail.com, brauner@kernel.org, cmllamas@google.com, gary@garyguo.net, gregkh@linuxfoundation.org, joel@joelfernandes.org, keescook@chromium.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, maco@android.com, ojeda@kernel.org, rust-for-linux@vger.kernel.org, surenb@google.com, tkjos@android.com, viro@zeniv.linux.org.uk, wedsonaf@gmail.com
In-Reply-To: <20240124231235.6183-1-kernel@valentinobst.de>
References: <20240124-alice-mm-v1-1-d1abcec83c44@google.com> <20240124231235.6183-1-kernel@valentinobst.de>
On Thu, Jan 25, 2024 at 12:13 AM Valentin Obst wrote:
>
> > +//! User pointers.
> > +//!
> > +//! C header: [`include/linux/uaccess.h`](../../../../include/linux/uaccess.h)
> > +
>
> nit: could this be using srctree-relative links?
>
> > +/// The maximum length of a operation using `copy_[from|to]_user`.
>
> nit: 'a' -> 'an'
>
> > +///
> > +/// If a usize is not greater than this constant, then casting it to `c_ulong`
> > +/// is guaranteed to be lossless.
>
> nit: could this be `usize` or [`usize`]. Maybe would also be clearer to
> say "... a value of type [`usize`] is smaller than ..."
>
> > +///
> > +/// These APIs are designed to make it difficult to accidentally write TOCTOU
> > +/// bugs. Every time you read from a memory location, the pointer is advanced by
>
> Maybe makes sense to also introduce the abbreviation TOCTOU in the type
> documentation when it is first used.
>
> > +    /// Reads the entirety of the user slice.
> > +    ///
> > +    /// Returns `EFAULT` if the address does not currently point to
> > +    /// mapped, readable memory.
> > +    pub fn read_all(self) -> Result> {
> > +        self.reader().read_all()
> > +    }
>
> If I understand it correctly, the function will return `EFAULT` if _any_
> address in the interval `[self.0, self.0 + self.1)` does not point to
> mapped, readable memory. Maybe the docs could be more explicit.
>
> > +        // Since this is not a pointer to a valid object in our program,
> > +        // we cannot use `add`, which has C-style rules for defined
> > +        // behavior.
> > +        self.0 = self.0.wrapping_add(len);
>
> If I understand it correctly, you are using 'valid object' to refer to
> an 'allocated object' [1] as this is what the `add` method's docs
> refer to [2]. In that case it might be better to use the latter term as
> it has a defined meaning. Also see [3] and [4] which are about making it
> more precise.
>
> [1]: https://doc.rust-lang.org/core/ptr/index.html#allocated-object
> [2]: https://doc.rust-lang.org/core/primitive.pointer.html#method.add
> [3]: https://github.com/rust-lang/rust/pull/116675
> [4]: https://github.com/rust-lang/unsafe-code-guidelines/issues/465

Thanks. I'll include all of your suggestions in my next version.

Alice
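Review bot: in the quoted lines ending with `self.0 = self.0.wrapping_add(len);`, the pointer is advanced but nothing in the quoted context shows `len` being checked against the remaining length (`self.1`, going by the interval `[self.0, self.0 + self.1)` mentioned above) or `self.1` being reduced to match. Because `wrapping_add` wraps silently instead of failing, the comment on that line should state the precondition it relies on (that `len` has already been validated against the remaining length), or the length update should sit next to the pointer update so the invariant that the reader never leaves the original slice is visible at the point where the arithmetic is done.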
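To make the two points discussed in this thread concrete (EFAULT if any byte of the range is unmapped, and a reader that only moves forward so the same user bytes are never read twice), here is an added user-space Rust model; it is not code from Alice's patch or the kernel tree. `FakeUserMem`, `EFault` and the mapped-region layout are constructed stand-ins for the user address space and `copy_from_user`.

```rust
/// Error for a range that is not entirely mapped and readable.
#[derive(Debug, PartialEq)]
pub struct EFault;

/// Constructed stand-in for the user address space: each entry is a mapped
/// region as (base address, bytes). Anything not covered is unmapped.
pub struct FakeUserMem {
    pub regions: Vec<(usize, Vec<u8>)>,
}

impl FakeUserMem {
    fn byte_at(&self, a: usize) -> Option<u8> {
        self.regions.iter().find_map(|(base, bytes)| {
            a.checked_sub(*base).and_then(|off| bytes.get(off).copied())
        })
    }

    /// Models `copy_from_user`: every byte of [addr, addr + len) must be mapped,
    /// otherwise the whole copy fails with EFAULT and no partial data is returned.
    fn copy_from(&self, addr: usize, len: usize) -> Result<Vec<u8>, EFault> {
        let end = addr.checked_add(len).ok_or(EFault)?;
        (addr..end).map(|a| self.byte_at(a)).collect::<Option<Vec<u8>>>().ok_or(EFault)
    }
}

/// Model of the (pointer, length) pair under review: `.0` is the user address,
/// `.1` the number of bytes still readable through this reader.
pub struct UserSliceReader(pub usize, pub usize);

impl UserSliceReader {
    /// Reads `len` bytes and advances past them, so one reader can never hand
    /// out the same user bytes twice (the TOCTOU protection discussed above).
    pub fn read_raw(&mut self, mem: &FakeUserMem, len: usize) -> Result<Vec<u8>, EFault> {
        if len > self.1 {
            return Err(EFault); // bounds check precedes the wrapping addition
        }
        let data = mem.copy_from(self.0, len)?;
        // A user address is not a pointer into one of our allocated objects, so
        // pointer `add` rules do not apply; wrapping arithmetic is used instead.
        self.0 = self.0.wrapping_add(len);
        self.1 -= len;
        Ok(data)
    }

    /// Reads the whole remaining slice; EFAULT if any byte of it is unmapped.
    pub fn read_all(mut self, mem: &FakeUserMem) -> Result<Vec<u8>, EFault> {
        let len = self.1;
        self.read_raw(mem, len)
    }
}
```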