Date: Fri, 1 Dec 2023 11:27:33 +0100
From: Christian Brauner
To: Alice Ryhl
Cc: benno.lossin@proton.me, a.hindborg@samsung.com, alex.gaynor@gmail.com, arve@android.com, bjorn3_gh@protonmail.com, boqun.feng@gmail.com, cmllamas@google.com, dan.j.williams@intel.com, dxu@dxuuu.xyz, gary@garyguo.net, gregkh@linuxfoundation.org, joel@joelfernandes.org, keescook@chromium.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, maco@android.com, ojeda@kernel.org, peterz@infradead.org, rust-for-linux@vger.kernel.org, surenb@google.com, tglx@linutronix.de, tkjos@android.com, viro@zeniv.linux.org.uk, wedsonaf@gmail.com, willy@infradead.org
Subject: Re: [PATCH 2/7] rust: cred: add Rust abstraction for `struct cred`
Message-ID: <20231201-zacken-gewachsen-73fe323b067b@brauner>
References: <20231201090636.2179663-1-aliceryhl@google.com>
In-Reply-To: <20231201090636.2179663-1-aliceryhl@google.com>
List-ID: linux-kernel@vger.kernel.org

On Fri, Dec 01, 2023 at 09:06:35AM +0000, Alice Ryhl wrote:
> Benno Lossin writes:
> > On 11/29/23 13:51, Alice Ryhl wrote:
> >> +    /// Returns the credentials of the task that originally opened the file.
> >> +    pub fn cred(&self) -> &Credential {
> >> +        // This `read_volatile` is intended to correspond to a READ_ONCE call.
> >> +        //
> >> +        // SAFETY: The file is valid because the shared reference guarantees a nonzero refcount.
> >> +        //
> >> +        // TODO: Replace with `read_once` when available on the Rust side.
> >> +        let ptr = unsafe { core::ptr::addr_of!((*self.0.get()).f_cred).read_volatile() };
> >> +
> >> +        // SAFETY: The signature of this function ensures that the caller will only access the
> >> +        // returned credential while the file is still valid, and the credential must stay valid
> >> +        // while the file is valid.
> >
> > About the last part of this safety comment, is this a guarantee from the
> > C side? If yes, then I would phrase it that way:
> >
> > ... while the file is still valid, and the C side ensures that the
> > credentials stay valid while the file is valid.
>
> Yes, that's my intention with this code.
>
> But I guess this is a good question for Christian Brauner to confirm:
>
> If I read the credential from the `f_cred` field, is it guaranteed that
> the pointer remains valid for at least as long as the file?
>
> Or should I do some dance along the lines of "lock file, increment
> refcount on credential, unlock file"?

The lifetime of the f_cred reference is at least as long as the lifetime
of the file:

// file not yet visible anywhere
some_file = alloc_file*()
-> init_file()
   {
        file->f_cred = get_cred(cred /* usually current_cred() */)
   }

// install into fd_table -> irreversible, thing visible, possibly shared
fd_install(1234, some_file)

// last fput
fput()
// atomic_dec_and_test() dance:
-> file_free()
   // either "delayed" through task work, workqueue, or
   // sometimes freed right away if file hasn't been opened,
   // i.e., if fd_install() wasn't called
   -> put_cred(file->f_cred)

In order to access anything you must hold a reference to the file or
files->file_lock. IOW, no poking around in f->f_cred or any field for
that matter just under rcu_read_lock() for example. Because files are
SLAB_TYPESAFE_BY_RCU. You might be poking in someone else's creds then.
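Review bot: the second SAFETY comment in the quoted hunk (`pub fn cred(&self) -> &Credential`) attributes the credential's lifetime to "the signature of this function", but the signature only ties the returned `&Credential` to the borrow of the file; the fact that `f_cred` stays valid for as long as the file is a C-side invariant (taken with `get_cred()` in `init_file()` before the file is visible, released with `put_cred()` from `file_free()` on the last `fput()`, as confirmed in the reply). Say so explicitly, along the lines Benno suggested, e.g. `// SAFETY: ... while the file is still valid, and the C side guarantees that the credential stays valid while the file is valid.`, so that a later reader of the unsafe block knows which invariant it relies on and where it is upheld.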
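The two rules in the reply (the file's own cred reference lives exactly from `init_file()` to `file_free()`, and a file slot may be reused while stale pointers to it exist) are easy to state and easy to get wrong. The following is an added toy model in C, not kernel code and not part of this thread: `struct file`, `struct cred`, `alloc_file()`, `get_file()`, `fput()`, `get_cred()` and `put_cred()` are stand-ins that mirror the kernel names, the two-slot `file_slab` with memory that is never cleared on free stands in for SLAB_TYPESAFE_BY_RCU, and `cred_user`/`cred_root` are constructed credentials. `demo_held_reference()` reads the cred correctly through a held file reference; `demo_stale_pointer()` keeps a pointer past the last `fput()` and, after the slot is reused, reports the other owner's credentials, which is the failure mode the reply warns about.

```c
/* Toy model of f_cred lifetime (added illustration; not kernel code). */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct cred {
    int usage; /* refcount; the kernel uses atomic_t, plain int suffices here */
    int uid;   /* constructed payload: 1000 = unprivileged user, 0 = root */
};

struct file {
    int f_count;         /* refcount, like struct file::f_count */
    struct cred *f_cred; /* reference owned by the file, like struct file::f_cred */
};

/* Two-slot "slab" standing in for SLAB_TYPESAFE_BY_RCU: freed objects are not
 * cleared or unmapped, and the next alloc_file() may hand the slot out again. */
#define NSLOTS 2
static struct file file_slab[NSLOTS];
static bool slot_in_use[NSLOTS];

/* Constructed credentials (assumption: one user cred, one root cred). */
static struct cred cred_user = { .usage = 0, .uid = 1000 };
static struct cred cred_root = { .usage = 0, .uid = 0 };

static void model_reset(void)
{
    memset(file_slab, 0, sizeof(file_slab));
    memset(slot_in_use, 0, sizeof(slot_in_use));
    cred_user.usage = 0;
    cred_root.usage = 0;
}

/* get_cred()/put_cred(): the only operations that move a cred's refcount. */
static struct cred *get_cred(struct cred *c) { c->usage++; return c; }
static void put_cred(struct cred *c) { c->usage--; }

/* alloc_file() + init_file(): the file takes its own cred reference before it
 * is visible to anyone, so f_cred is valid for the file's whole lifetime. */
static struct file *alloc_file(struct cred *cred)
{
    for (size_t i = 0; i < NSLOTS; i++) {
        if (!slot_in_use[i]) {
            slot_in_use[i] = true;
            file_slab[i].f_count = 1;
            file_slab[i].f_cred = get_cred(cred);
            return &file_slab[i];
        }
    }
    return NULL; /* slab exhausted */
}

static struct file *get_file(struct file *f) { f->f_count++; return f; }

/* file_free(): runs on the last fput(); drops the cred reference and returns
 * the slot to the slab without clearing it (typesafe reuse). */
static void file_free(struct file *f)
{
    put_cred(f->f_cred);
    slot_in_use[f - file_slab] = false;
}

static void fput(struct file *f)
{
    if (--f->f_count == 0)
        file_free(f);
}

/* The accessor modelled by File::cred(): only meaningful while the caller
 * holds a reference to f. Note that it cannot tell a stale f from a live one. */
static const struct cred *file_cred(const struct file *f) { return f->f_cred; }

/* Correct use: read f_cred while holding a file reference. Returns the uid seen. */
static int demo_held_reference(void)
{
    model_reset();
    struct file *f = alloc_file(&cred_user);
    struct file *h = get_file(f);   /* a second holder, e.g. another fd */
    fput(f);                        /* not the last reference: cred stays */
    int uid = file_cred(h)->uid;    /* cred_user.usage is still 1 here */
    fput(h);                        /* last fput -> file_free -> put_cred */
    return uid;
}

/* Cred refcount after the demos: must be back to zero (no leak). */
static int cred_user_usage(void) { return cred_user.usage; }

/* Misuse: keep a pointer past the last fput() and read f_cred through it. The
 * slot is reused for a root-owned file, so the stale pointer now reports
 * someone else's credentials. Returns the uid seen through the stale pointer. */
static int demo_stale_pointer(void)
{
    model_reset();
    struct file *stale = alloc_file(&cred_user);
    fput(stale);                                  /* last fput: slot freed */
    struct file *other = alloc_file(&cred_root);  /* same slot, new owner */
    int uid = file_cred(stale)->uid;              /* reads other's cred */
    fput(other);
    return uid;
}

int main(void)
{
    printf("held reference sees uid %d\n", demo_held_reference());
    printf("stale pointer sees uid %d (someone else's creds)\n", demo_stale_pointer());
    return 0;
}
```

The model deliberately gives `file_cred()` no way to reject a stale pointer: in the reused slot `f_count` is nonzero again, so a refcount check would pass. That is why the reply requires holding a file reference (or `files->file_lock`) for the whole access rather than just `rcu_read_lock()`.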