Received: by 2002:a05:7412:8d10:b0:f3:1519:9f41 with SMTP id bj16csp2453786rdb; Fri, 8 Dec 2023 08:32:19 -0800 (PST) X-Google-Smtp-Source: AGHT+IFprp85jJWJXyf09cWKwPGCzJmCkUxTAsok2QXTlTF11QiLL3r5/tHcbnB8yhgzQGzivlTB X-Received: by 2002:a05:6a21:604:b0:18f:ea5b:6825 with SMTP id ll4-20020a056a21060400b0018fea5b6825mr237431pzb.117.1702053139320; Fri, 08 Dec 2023 08:32:19 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1702053139; cv=none; d=google.com; s=arc-20160816; b=OgJCI4kGm2uBG/LDAq3Q3KiETjvGS65k5Wh73z9yEU5ANsKJgfnKOvCyocWgnaSUEG Vxz+/3NUHoS91YDpJJXxOqJa/u65KWTSrxcwTEvl+dSLMxlSn5nzbn4UVCbTbgp2Yrpq XZM1gN9Ler6d1tXbwgtR0ysMvRGtb3sb10hZikTGoPNvgo1g7r+V3FNKt7U7nq2dlEBF X1IEuCX5KLx6chZy5vuEwy6UNTgjlLOlV+x4kLoThzvU3yuQtGE/ukVtbNUhfEJr0cR6 41cyw6kdDUgtHnnIgthN4WcwD0D66PUxfIADPy1HykWXZdRcKczglq2tyKoHlOJ4SGoh dhbQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=GcWDWrxJKJsDNQlJWfAvkrUSeWhVHUneuN6r9y2FUNo=; fh=5ViiMsHZUI4NbhjB2QLlnjeqIgfrzAanGQ29Zn4TFKQ=; b=FvjYzAkHBqkuVTAVwfbdUITyjTvzXmWB2keLJec1PCMZN5YJbVPttIn6xfCWYgmcxg tTy9E8BxRk9vSLZ66fVF2qutn5/LLa9i+5i3e3Hw/ohDqF84Zfjo/siak9KIGV7ivNNB CXDLrCAeImmDvrc8/3QYPR77eiSKGHfhsr7pJoUpAwdKvLQB5O+mqNmEH+IfH4NGRLKg ApTgVxDtWnN6T+8zzYptswnVAHuKDlX3Q9axfA8vo9tcUjgh/tqUTBRYnrwLGSPYA3wW eO9Vyp8axekcPLG7E0zYA2OYJ9tCGuc6Ca7W0599Jy5NSBtgtQNA8QVFZ/wjhxYPRJzM 2V8g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b="Au/CKWaN"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from snail.vger.email (snail.vger.email. [23.128.96.37]) by mx.google.com with ESMTPS id z10-20020a056a00240a00b006ce7e1a786fsi1757813pfh.169.2023.12.08.08.32.18 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 08 Dec 2023 08:32:19 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) client-ip=23.128.96.37; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b="Au/CKWaN"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by snail.vger.email (Postfix) with ESMTP id D5F4E80FC709; Fri, 8 Dec 2023 08:32:17 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at snail.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1574128AbjLHQcG (ORCPT + 99 others); Fri, 8 Dec 2023 11:32:06 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58318 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1574107AbjLHQcF (ORCPT ); Fri, 8 Dec 2023 11:32:05 -0500 Received: from mail-yb1-xb30.google.com (mail-yb1-xb30.google.com [IPv6:2607:f8b0:4864:20::b30]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 74503199E; Fri, 8 Dec 2023 08:32:11 -0800 (PST) Received: by mail-yb1-xb30.google.com with SMTP id 3f1490d57ef6-db53f8cf4afso2306184276.3; Fri, 08 Dec 2023 08:32:11 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1702053130; x=1702657930; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=GcWDWrxJKJsDNQlJWfAvkrUSeWhVHUneuN6r9y2FUNo=; b=Au/CKWaNPQXK0UEONl/OOaLok1zy17F1B4d/3rfxhKwHeTZ3nGtNCIJTfp/p5auCw+ 1nyZPZ2uOB4/PFqGpssbv3f54eeC64MNr8kAGmmjpaY2Z/e3q9d1VMSkFKXdSYWI18OW BlMLSBhzVMLyUceY9Kf7hsWRR2gfbnjO5NuSJyBB4eUDwbIu9hG6+4eMb8CLDO9MR6/e +JvbEu4EMXLC2qY9iiOfWNgDr/GHGHGnub9Wl4VIsm65/yEc2mf3mRoHJlhAZ1alVgoS SrFXsodEPsGsbJfbgA637KBuZZqSWx+wUzUmLRQib+FjujBskUlnUxhidItJ+mEbovMW gnOQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1702053130; x=1702657930; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=GcWDWrxJKJsDNQlJWfAvkrUSeWhVHUneuN6r9y2FUNo=; b=ALAKpn5PZQWgO+UdnkfMvhzSsc4JBZ/kSxht9jT2/BPjlOVf+sIfmwZBm/Y75Fgan1 KOj6FGK4zZkLtvhupqM9r5HB04DyMWghmamgpr1I8ofAHYFhPI4+D7ymTfFHmR/bnkIB wQEr18Ol0aOXakNDMo6wdJStPX8gR7KyLEXV44YjHw9pqa5ILZtY18FBHmkrrDkztnBA P+OXzEfqgMHDz4IiMZb3PAa7aMpsNXFb7TRltm7lvA1o+FzjXu5Io/KL1x8jn2KTmxrp np1Ixxso6UnBi6OdCN4cTsTrEuso4dPMAoxr7q9lcM4F/VtnPB0JPpX7/w8MU2f6fwjB 3Uow== X-Gm-Message-State: AOJu0Yzc48mCzX3zYCehglY0qpK4QUl6P2yF6CNT1aF2eB+Mh+bIkSF/ /VCJXR4i5iaScHo7AKal3/o+gDsg0LOnBHjxf48= X-Received: by 2002:a05:6902:1b13:b0:db8:c416:5281 with SMTP id eh19-20020a0569021b1300b00db8c4165281mr216466ybb.23.1702053130681; Fri, 08 Dec 2023 08:32:10 -0800 (PST) MIME-Version: 1.0 References: <20231206-alice-file-v2-0-af617c0d9d94@google.com> <20231206-alice-file-v2-5-af617c0d9d94@google.com> <20231206123402.GE30174@noisy.programming.kicks-ass.net> <20231206134041.GG30174@noisy.programming.kicks-ass.net> In-Reply-To: <20231206134041.GG30174@noisy.programming.kicks-ass.net> From: Miguel Ojeda Date: Fri, 8 Dec 2023 17:31:59 +0100 Message-ID: Subject: Re: [PATCH v2 5/7] rust: file: add `Kuid` wrapper To: Peter Zijlstra Cc: Alice Ryhl , Miguel Ojeda , Alex Gaynor , Wedson Almeida Filho , Boqun Feng , Gary Guo , =?UTF-8?Q?Bj=C3=B6rn_Roy_Baron?= , Benno Lossin , Andreas Hindborg , Alexander Viro , Christian Brauner , Greg Kroah-Hartman , =?UTF-8?B?QXJ2ZSBIasO4bm5ldsOlZw==?= , Todd Kjos , Martijn Coenen , Joel Fernandes , Carlos Llamas , Suren Baghdasaryan , Dan Williams , Kees Cook , Matthew Wilcox , Thomas Gleixner , Daniel Xu , linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org, linux-fsdevel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]); Fri, 08 Dec 2023 08:32:18 -0800 (PST) On Wed, Dec 6, 2023 at 2:41=E2=80=AFPM Peter Zijlstra wrote: > > Anywhoo, the longer a function is, the harder it becomes, since you need > to deal with everything a function does and consider the specuation > window length. So trivial functions like the above that do an immediate > dereference and are (and must be) a valid indirect target (because > EXPORT) are ideal. We discussed this in our weekly meeting, and we would like to ask a few questions: - Could you please describe an example attack that you are thinking of? (i.e. a "full" attack, rather than just Spectre itself). For instance, would it rely on other vulnerabilities? - Is this a kernel rule everybody should follow now? i.e. "no (new?) short, exported symbols that just dereference their pointer args". If so, could this please be documented? Or is it already somewhere? - Are we checking for this in some way already, e.g. via `objtool`? Especially if this is a rule, then it would be nice to have a way to double-check if we are getting rid of (most of) these "dangerous" symbols (or at least not introduce new ones, and not just in Rust but C too). Thanks Peter! > That would be good, but how are you going to do that without duplicating > the horror that is struct task_struct ? As Alice pointed out, `bindgen` "solves" that, but it is nevertheless extra maintenance effort. > Well, I really wish the Rust community would address the C > interoperability in a hurry. Basically make it a requirement for > in-kernel Rust. Yeah, some of us have advocated for more integrated C support within Rust (or within `rustc` at least). > I mean, how hard can it be to have clang parse the C headers and inject > them into the Rust IR as if they're external FFI things. That is what `bindgen` does (it uses Clang as a library), except it does not create Rust IR, it outputs normal Rust code, i.e. similar to C declarations. But note that using Clang does not solve the issue of `#define`s in the general case. That is why we would still need "helpers" like these so that the compiler knows how to expand the macro in a C context, which then can be inlined as LLVM IR or similar (which is what I suspect you were actually thinking about, rather than "Rust IR"?). That "mix the LLVM IRs from Clang and `rustc`" ("local LTO hack") approach is something we have been discussing in the past for performance reasons (i.e. to inline these small C functions that Rust needs, cross-language, even in non-LTO builds). And if it helps to avoid certain attacks around speculation, then even better. So if the LLVM folks do not have any major concerns about it, then I think we should go ahead with that (please see also my reply to comex). GCC is still a question mark, though. Cheers, Miguel