From: Alice Ryhl <aliceryhl@google.com>
To: Jann Horn <jannh@google.com>
Cc: "Miguel Ojeda" <ojeda@kernel.org>,
"Matthew Wilcox" <willy@infradead.org>,
"Lorenzo Stoakes" <lorenzo.stoakes@oracle.com>,
"Vlastimil Babka" <vbabka@suse.cz>,
"John Hubbard" <jhubbard@nvidia.com>,
"Liam R. Howlett" <Liam.Howlett@oracle.com>,
"Andrew Morton" <akpm@linux-foundation.org>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Arnd Bergmann" <arnd@arndb.de>,
"Christian Brauner" <brauner@kernel.org>,
"Suren Baghdasaryan" <surenb@google.com>,
"Alex Gaynor" <alex.gaynor@gmail.com>,
"Boqun Feng" <boqun.feng@gmail.com>,
"Gary Guo" <gary@garyguo.net>,
"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
"Benno Lossin" <benno.lossin@proton.me>,
linux-kernel@vger.kernel.org, linux-mm@kvack.org,
rust-for-linux@vger.kernel.org,
"Andreas Hindborg" <a.hindborg@kernel.org>
Subject: Re: [PATCH v9 8/8] task: rust: rework how current is accessed
Date: Wed, 27 Nov 2024 16:57:18 +0100
Message-ID: <CAH5fLgjuKEU8noU5XN_FWEy4wAzJu0aeaURzNsCQrt59a_0gJA@mail.gmail.com>
In-Reply-To: <CAG48ez3a0vs=LHzkbpOKW753m6_LOtoYyWtjhfYvB48TKsCekQ@mail.gmail.com>
On Wed, Nov 27, 2024 at 4:52 PM Jann Horn <jannh@google.com> wrote:
>
> On Wed, Nov 27, 2024 at 1:36 PM Alice Ryhl <aliceryhl@google.com> wrote:
> > On Tue, Nov 26, 2024 at 6:15 PM Jann Horn <jannh@google.com> wrote:
> > >
> > > On Fri, Nov 22, 2024 at 4:41 PM Alice Ryhl <aliceryhl@google.com> wrote:
> > > > +impl CurrentTask {
> > > > + /// Access the address space of this task.
> > > > + ///
> > > > + /// To increment the refcount of the referenced `mm`, you can use `ARef::from`.
> > > > + #[inline]
> > > > + pub fn mm(&self) -> Option<&MmWithUser> {
> > > > + let mm = unsafe { (*self.as_ptr()).mm };
> > > > +
> > > > + if mm.is_null() {
> > > > + None
> > > > + } else {
> > > > + // SAFETY: If `current->mm` is non-null, then it references a valid mm with a non-zero
> > > > + // value of `mm_users`. The returned `&MmWithUser` borrows from `CurrentTask`, so the
> > > > + // `&MmWithUser` cannot escape the current task, meaning `mm_users` can't reach zero
> > > > + // while the reference is still live.
> > > > + Some(unsafe { MmWithUser::from_raw(mm) })
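
Review bot: the first unsafe block, `let mm = unsafe { (*self.as_ptr()).mm };`, has no `// SAFETY:` comment, while the second unsafe block does. Add one that says why the pointer returned by `as_ptr()` is valid to dereference here and why reading the `mm` field needs no further synchronization for the current task. The doc comment could also state when `mm()` returns `None` (when `current->mm` is null), and the existing SAFETY comment would be stronger if it said explicitly that it relies on `current->mm` not being replaced while the borrow is live.
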
> > >
> > > Maybe also add safety comments for these nitpicky details:
> > >
> > > kthreads can use kthread_use_mm()/kthread_unuse_mm() to change
> > > current->mm (which allows kthreads to access arbitrary userspace
> > > address spaces with copy_from_user/copy_to_user), but as long as you
> > > can't call into kthread_use_mm()/kthread_unuse_mm() from Rust code,
> > > this should be correct. If you do want to allow calls into
> > > kthread_use_mm()/kthread_unuse_mm() later on, you might have to gate
> > > this on a check for PF_KTHREAD, or something like that.
> >
> > Huh ... is it possible to use kthread_use_mm() to create a situation
> > where current->mm has mm_users equal to zero? If not, then I don't
> > think it's a problem.
>
> Ah, no, I don't think so. I think the only problematic scenario would
> be if rust code created a borrow of current->mm, then called
> kthread_unuse_mm() and dropped the reference that was held on the MM,
> and then accessed the borrowed old mm_struct. Which isn't possible
> unless a Rust binding is created for
> kthread_use_mm()/kthread_unuse_mm().
Ah, ok.

The way that the current abstraction works is that it enforces that
the current pointer cannot escape the scope you were in when you
obtained it. If we enforce that kthread_use_mm() and
kthread_unuse_mm() involve a scope, then that should solve that.

Alice
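
The scope idea discussed in this message, as an added example that is not part of the original mail or the patch: a userspace model in which use/unuse of an mm is one closure scope, so a borrow of the mm cannot outlive it. `Mm`, `Kthread`, `Current` and `use_mm_scoped` are hypothetical names, and `Arc` stands in for the `mm_users` refcount.

```rust
// Userspace model (added example): Mm, Kthread, Current and use_mm_scoped are
// hypothetical names, not the kernel crate's API. Arc stands in for mm_users.
use std::sync::Arc;

pub struct Mm { pub id: u32 }

/// Stand-in for a kthread and its `current->mm` pointer.
pub struct Kthread { mm: Option<Arc<Mm>> }

/// Only obtainable inside a scope; models `CurrentTask`.
pub struct Current<'t> {
    task: &'t Kthread,
}

impl Current<'_> {
    /// The borrow is tied to `&self`, so it cannot outlive the scope.
    /// Cloning the `Arc` models taking a refcount with `ARef::from`.
    pub fn mm(&self) -> Option<&Arc<Mm>> {
        self.task.mm.as_ref()
    }
}

impl Kthread {
    /// Models kthread_use_mm() + kthread_unuse_mm() as a single scope.
    /// `R` is chosen outside the closure's higher-ranked lifetimes, so
    /// `|cur| cur.mm()` (returning the borrow itself) fails to compile.
    pub fn use_mm_scoped<R>(&mut self, mm: Arc<Mm>, f: impl FnOnce(&Current<'_>) -> R) -> R {
        let prev = self.mm.replace(mm); // "kthread_use_mm"
        let r = f(&Current { task: &*self });
        self.mm = prev; // "kthread_unuse_mm": the task's reference is dropped
        r
    }
}

/// Returns (id read in scope, refcount after a borrow-only scope,
/// refcount after a scope that cloned the Arc out).
pub fn demo() -> (u32, usize, usize) {
    let mut t = Kthread { mm: None };
    let mm = Arc::new(Mm { id: 7 });
    let id = t.use_mm_scoped(mm.clone(), |cur| cur.mm().map(|m| m.id).unwrap_or(0));
    let after_borrow = Arc::strong_count(&mm); // nothing escaped the scope
    let kept = t.use_mm_scoped(mm.clone(), |cur| cur.mm().cloned());
    let after_clone = Arc::strong_count(&mm); // `mm` plus the explicit clone
    drop(kept);
    (id, after_borrow, after_clone)
}

fn main() { println!("{:?}", demo()); }
```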