From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 99750C4345F for ; Wed, 17 Apr 2024 14:40:23 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 051496B0098; Wed, 17 Apr 2024 10:40:23 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id F41FD6B009A; Wed, 17 Apr 2024 10:40:22 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id E09106B009B; Wed, 17 Apr 2024 10:40:22 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0010.hostedemail.com [216.40.44.10]) by kanga.kvack.org (Postfix) with ESMTP id C4F386B0098 for ; Wed, 17 Apr 2024 10:40:22 -0400 (EDT) Received: from smtpin22.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay07.hostedemail.com (Postfix) with ESMTP id 824EB160655 for ; Wed, 17 Apr 2024 14:40:22 +0000 (UTC) X-FDA: 82019284284.22.99860CB Received: from mail-ua1-f50.google.com (mail-ua1-f50.google.com [209.85.222.50]) by imf27.hostedemail.com (Postfix) with ESMTP id BE6FD40005 for ; Wed, 17 Apr 2024 14:40:19 +0000 (UTC) Authentication-Results: imf27.hostedemail.com; dkim=pass header.d=google.com header.s=20230601 header.b=k92iwmXO; spf=pass (imf27.hostedemail.com: domain of aliceryhl@google.com designates 209.85.222.50 as permitted sender) smtp.mailfrom=aliceryhl@google.com; dmarc=pass (policy=reject) header.from=google.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1713364819; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=9STrnlwuu+n4JzHQ1nF68oOe1/KL3VmX4gpavyNIyiA=; b=R6dkMVg4XUFTDraQkovGgXTXBMPAI8Aq1bitGjItCqqp+nDth29/cYYtQgFGrt3/8x9Hs8 Jbs3U53L325VHMI2DOjdP6MdhGouu3rC1yoMvxo2VJ501E0ie4m09I4NIvIYg/xemDnlV7 w5xMLCQUHRc24Eb+dL+heQt3rTuqD5g= ARC-Authentication-Results: i=1; imf27.hostedemail.com; dkim=pass header.d=google.com header.s=20230601 header.b=k92iwmXO; spf=pass (imf27.hostedemail.com: domain of aliceryhl@google.com designates 209.85.222.50 as permitted sender) smtp.mailfrom=aliceryhl@google.com; dmarc=pass (policy=reject) header.from=google.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1713364819; a=rsa-sha256; cv=none; b=Kbd9kpv+VhcL+5fGWhyIcE2DPeVH32bSqai+6BiZ8aWxSkeHGMZuOOM/+xwxcO7Ql5jP4v +dIMiatn+o/x7bKO0eRIohp1LEKsgzVWGrT4WWdl94QI9aijetxbdmVPS+AwZGeWdpsmBh BixRXgXvk/TCRpQ1JwtJs84dMMC74l8= Received: by mail-ua1-f50.google.com with SMTP id a1e0cc1a2514c-7eb89aa9176so426220241.3 for ; Wed, 17 Apr 2024 07:40:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1713364819; x=1713969619; darn=kvack.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=9STrnlwuu+n4JzHQ1nF68oOe1/KL3VmX4gpavyNIyiA=; b=k92iwmXOorRJfN0RiYH1P6dN0tRPgUYp94HDrs1EF9FQhKKW6RV4e+ACORg9Tt2J4D 4XGPt8i9LsJ0tIollBi5o2lTzh7GRT3HsC0BfoLsNm7EoL5dgrKi9gUU9WHiHKyJVE1A /N2o+TdRww6ugR5Cw/SG3SPKu9HAjeK4aSjl4n+QdnCWFUUzs43h89IIPbOpeEankMQA VV+ltdASnYwr9LrWDKYaP6zsiv6rnBbI7DnYz+LE3lK1wN9Yj+tP5LXqhfgIwn5aNB9x Z8sswzBd8TqzVq5s5XH6VPvz6FM8AkfcK5X+rt7sNeAYQ3RvoWZDJScMSH4YVapHjyI0 fotg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713364819; x=1713969619; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=9STrnlwuu+n4JzHQ1nF68oOe1/KL3VmX4gpavyNIyiA=; b=A8MrvYDZyRRSNABMqzlrPTThXw67YN8irACuol7XpVL+JmojPvuUdmRgmB4E3kxZSA 7AiGW1ft7R9+7MtGsV179X6cKDmM6kHrRpt4cH77hiCHndz1WV/QfbxfozuKo2e4nXQC 5+plLsyN00oNrZp1+TKn54loes3qlztePuVtUNqttnt8VFw0RWBIHKLFnaiE7zuK1h9v VX4KUf8ZvRv/uy0KBgbn5of4twaRvg43jEnw6hK4j1DlL/wchYceL3g+suiPTAA0/xxe h6JWpiFOXbn05yvhQqgVVCfwOVzqZePF6ofqd9RVqUjbe+AHbBqW2729JSqQFd99nljC Lh2A== X-Forwarded-Encrypted: i=1; AJvYcCU6SQMd1EQ/mflxXH77biolFR4JemILtTgosCVVf4e6w3s9eQam10NfDHNAFRxD+jyCEqyTKLfHiX+cRtSbqntY/H4= X-Gm-Message-State: AOJu0Yy5YYdqvJGXuiTZrEE3KHIReKK51Si1R3drOA2Ept/zsH0atTFm LZczxMFSatIwPtGbCldssDr4wZNQ8ZsViSAqwYQ04e0agVaYMM/OTiClw6WVZFpVyl3EdQCPw6S rMAr3yGSR70U3ypzQGUJxuoj6xdAZLwBf/WWQ X-Google-Smtp-Source: AGHT+IEAhdkE9/+u7jKI1qVzSkpiUAFnT/Mz0cfCADATqN+blmQ68F1aCON7VI4CU5CS05totk8sdgrrvWMi3cB58MI= X-Received: by 2002:a05:6122:882:b0:4c8:90e5:6792 with SMTP id 2-20020a056122088200b004c890e56792mr16551902vkf.7.1713364818511; Wed, 17 Apr 2024 07:40:18 -0700 (PDT) MIME-Version: 1.0 References: <20240415-alice-mm-v5-0-6f55e4d8ef51@google.com> <20240415-alice-mm-v5-1-6f55e4d8ef51@google.com> <20240417152802.6b7a7384@eugeo> In-Reply-To: <20240417152802.6b7a7384@eugeo> From: Alice Ryhl Date: Wed, 17 Apr 2024 16:40:07 +0200 Message-ID: Subject: Re: [PATCH v5 1/4] rust: uaccess: add userspace pointers To: Gary Guo Cc: Miguel Ojeda , Matthew Wilcox , Al Viro , Andrew Morton , Kees Cook , Alex Gaynor , Wedson Almeida Filho , Boqun Feng , =?UTF-8?Q?Bj=C3=B6rn_Roy_Baron?= , Benno Lossin , Andreas Hindborg , Greg Kroah-Hartman , =?UTF-8?B?QXJ2ZSBIasO4bm5ldsOlZw==?= , Todd Kjos , Martijn Coenen , Joel Fernandes , Carlos Llamas , Suren Baghdasaryan , Arnd Bergmann , linux-mm@kvack.org, linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org, Christian Brauner Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Rspamd-Queue-Id: BE6FD40005 X-Stat-Signature: 6igeakj9s13dtjcz6po95sibgjw61oux X-Rspam-User: X-Rspamd-Server: rspam07 X-HE-Tag: 1713364819-621993 X-HE-Meta: U2FsdGVkX1/8hbVBiPBZ6EZrloR7+rv53HtG67KjJCMJoTVlsO9l0wBhcO9kCZFc2JQ2G+E9DC3NppIpNn0iIVJyKyGjerkQo5HAZAGSziWTNUIzsV84dDChFz9szk77J4ncyjP8EKV1HErZZ5tRcBdqsWwTVMT34AQv6Kz1tELfD28qhsp3Uir3Jt6zF/nTOScmugnNl4oDRgKT3ac/eDM6LIT+Hzh1xdtfHwu6zUoBKj4XsoVyB1+SwWbUUjTayqmZqM8Bg0AJIYbeIwkLWrpJiIuKWLkRT18fLyAXAskrww+pufuKGIP5ujPOmpgev46Dgp9rCgLF2/NbXP9IO33omgY8dJZ8nBlJZSUwAF7vf6YAF7t201eacyN1J+ogsius9w6bNqUV5lnWlfUfxpChqja/Wf2T8QoMwrI2dji+z5yjb6wg1pX3hT8f2/rHhtN9VLucSrsDjCxwwxCCT51hckgXZIrHVeZe1hI/hfacpKrXi/vSz904oK+l2fO5wP+P3MtTItN7+R4R5ZS78bT07amX0suvC9MrMxpMdAkxeuU6B/PABIVmeFzYuswquKO2VX+EAP1mbhtoHu14jNBHeScs8Yev5mpGQI5qrT3kFN6S3hoDDBIHhnLug3mw86hgJowGRQyIgWgWW9ox0+4TESyJ4/Po/UBumtiBuDebCp4NQaf9bd5MFPPIyWlazop5qxlEPNHtaoEKaPW/JFS9B5Il3Ms5BdiU2vAtxSIK7Zhs2+lFgGucMkqoHcCOG3nDhkAE2LP5GpljKhvbDR39Adl5TbK3rWRCxv13gCAnjNUAuu6pUapXXwIUk88KQTKEfwbVMu4LXmsWHVzIbBU4Di6RH1EITdKK+GXY3ePElqe9bbwdrUUYqWL87xg4Qux6XLO1eihiyImgIVMUb+TG+WyV/37T8DfJy3tB7Y3lfkpFNIHSENxGNYn+NT87n+sgnOKh0qumecRcIvP mOxXiQg1 dSBgIRnYan9OFY6mrUEIFPmW6E7/HBt7IRQQo78L7g2SNvdHpTKz9xQjv5bAhrq7KXxJU9sMVzpoI+YQo1t/02gQE/7oZgLFoNHSOMAAU7IrUjrMkEnMAs06VgF7k9F/OFyqr/Z9UPAGF0MG/VkW7lpDmbX3yXRNkNw3mLCGsLQkgv6LuKaTXcYhrqP6XDtKSbBUeXebM7e3u5c23d1APUcuVfpYMGiFZ381lTEj78oe7vFKgV3StcVCoeZ2aVwNovvlb7S99S8hV+69fT+jM2ffmyafr3BjwBYeK1IrbM8DJdQmlK1dVx2ZM2hGlI0BI6Wz52vXl1LMEz2Ir4zIkr6nVpdsyHHDApvrdZXCToZE7uvIKX72k5TwsxIjH0Z7riRh4arfi+Tfs30oD4aFzRvERMUEHu0gRWx0KTOlxzaqxw0SvgU97gUXPFjVxmw8gdCFm9SoPMbUb8hG/X2SMxhtGGA== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: On Wed, Apr 17, 2024 at 4:28=E2=80=AFPM Gary Guo wrote: > > On Mon, 15 Apr 2024 07:13:53 +0000 > Alice Ryhl wrote: > > > From: Wedson Almeida Filho > > > > A pointer to an area in userspace memory, which can be either read-only > > or read-write. > > > > All methods on this struct are safe: attempting to read or write on bad > > addresses (either out of the bound of the slice or unmapped addresses) > > will return `EFAULT`. Concurrent access, *including data races to/from > > userspace memory*, is permitted, because fundamentally another userspac= e > > thread/process could always be modifying memory at the same time (in th= e > > same way that userspace Rust's `std::io` permits data races with the > > contents of files on disk). In the presence of a race, the exact byte > > values read/written are unspecified but the operation is well-defined. > > Kernelspace code should validate its copy of data after completing a > > read, and not expect that multiple reads of the same address will retur= n > > the same value. > > > > These APIs are designed to make it difficult to accidentally write > > TOCTOU bugs. Every time you read from a memory location, the pointer is > > advanced by the length so that you cannot use that reader to read the > > same memory location twice. Preventing double-fetches avoids TOCTOU > > bugs. This is accomplished by taking `self` by value to prevent > > obtaining multiple readers on a given `UserSlicePtr`, and the readers > > only permitting forward reads. If double-fetching a memory location is > > necessary for some reason, then that is done by creating multiple > > readers to the same memory location. > > > > Constructing a `UserSlicePtr` performs no checks on the provided > > address and length, it can safely be constructed inside a kernel thread > > with no current userspace process. Reads and writes wrap the kernel API= s > > `copy_from_user` and `copy_to_user`, which check the memory map of the > > current process and enforce that the address range is within the user > > range (no additional calls to `access_ok` are needed). > > > > This code is based on something that was originally written by Wedson o= n > > the old rust branch. It was modified by Alice by removing the > > `IoBufferReader` and `IoBufferWriter` traits, and various other changes= . > > > > Signed-off-by: Wedson Almeida Filho > > Co-developed-by: Alice Ryhl > > Signed-off-by: Alice Ryhl > > --- > > rust/helpers.c | 14 +++ > > rust/kernel/lib.rs | 1 + > > rust/kernel/uaccess.rs | 304 +++++++++++++++++++++++++++++++++++++++++= ++++++++ > > 3 files changed, 319 insertions(+) > > > > diff --git a/rust/kernel/uaccess.rs b/rust/kernel/uaccess.rs > > > +/// [`std::io`]: https://doc.rust-lang.org/std/io/index.html > > +/// [`clone_reader`]: UserSliceReader::clone_reader > > +pub struct UserSlice { > > + ptr: *mut c_void, > > + length: usize, > > +} > > How useful is the `c_void` in the struct and new signature? They tend > to not be very useful in Rust. Given that provenance doesn't matter > for userspace pointers, could this be `usize` simply? > > I think `*mut u8` or `*mut ()` makes more sense than `*mut c_void` for > Rust code even if we don't want to use `usize`. I don't have a strong opinion here. I suppose a usize could make sense. But I also think c_void is fine, and I lean towards not changing it. :) > Some thinking aloud and brainstorming bits about the API. > > I wonder if it make sense to have `User<[u8]>` instead of `UserSlice`? > The `User` type can be defined like this: > > ```rust > struct User { > ptr: *mut T, > } > ``` > > and this allows arbitrary T as long as it's POD. So we could have > `User<[u8]>`, `User`, `User`. I imagine the > `User<[u8]>` would be the general usage and the latter ones can be > especially helpful if you are trying to implement ioctl and need to > copy fixed size data structs from userspace. Hmm, we have to be careful here. Generally, when you get a user slice via an ioctl, you should make sure to use the length you get from userspace. In binder, it looks like this: let user_slice =3D UserSlice::new(arg, _IOC_SIZE(cmd)); so whichever API we use, we must make sure to get the length as an argument in bytes. What should we do if the length is not a multiple of size_of(T)? Another issue is that there's no stable way to get the length from a `*mut [T]` without creating a reference, which is not okay for a user slice. Alice