Date: Tue, 16 Apr 2024 09:53:23 +0000
Message-ID: <20240416095323.1107928-1-aliceryhl@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Subject: Re: [PATCH v5 1/4] rust: uaccess: add userspace pointers
From: Alice Ryhl
To: boqun.feng@gmail.com
Cc: a.hindborg@samsung.com, akpm@linux-foundation.org, alex.gaynor@gmail.com,
    aliceryhl@google.com, arnd@arndb.de, arve@android.com, benno.lossin@proton.me,
    bjorn3_gh@protonmail.com, brauner@kernel.org, cmllamas@google.com, gary@garyguo.net,
    gregkh@linuxfoundation.org, joel@joelfernandes.org, keescook@chromium.org,
    linux-kernel@vger.kernel.org, linux-mm@kvack.org, maco@android.com, ojeda@kernel.org,
    rust-for-linux@vger.kernel.org, surenb@google.com, tkjos@android.com,
    viro@zeniv.linux.org.uk, wedsonaf@gmail.com, willy@infradead.org

Boqun Feng writes:
> On Mon, Apr 15, 2024 at 07:13:53AM +0000, Alice Ryhl wrote:
>> From: Wedson Almeida Filho
>>
>> A pointer to an area in userspace memory, which can be either read-only
>> or read-write.
>>
>> All methods on this struct are safe: attempting to read or write on bad
>> addresses (either out of the bound of the slice or unmapped addresses)
>> will return `EFAULT`. Concurrent access, *including data races to/from
>> userspace memory*, is permitted, because fundamentally another userspace
>> thread/process could always be modifying memory at the same time (in the
>> same way that userspace Rust's `std::io` permits data races with the
>> contents of files on disk). In the presence of a race, the exact byte
>> values read/written are unspecified but the operation is well-defined.
>> Kernelspace code should validate its copy of data after completing a
>> read, and not expect that multiple reads of the same address will return
>> the same value.
>>
>> These APIs are designed to make it difficult to accidentally write
>> TOCTOU bugs. Every time you read from a memory location, the pointer is
>> advanced by the length so that you cannot use that reader to read the
>> same memory location twice. Preventing double-fetches avoids TOCTOU
>> bugs. This is accomplished by taking `self` by value to prevent
>> obtaining multiple readers on a given `UserSlicePtr`, and the readers
>> only permitting forward reads.
>> If double-fetching a memory location is
>> necessary for some reason, then that is done by creating multiple
>> readers to the same memory location.
>>
>> Constructing a `UserSlicePtr` performs no checks on the provided
>> address and length; it can safely be constructed inside a kernel thread
>> with no current userspace process. Reads and writes wrap the kernel APIs
>> `copy_from_user` and `copy_to_user`, which check the memory map of the
>> current process and enforce that the address range is within the user
>> range (no additional calls to `access_ok` are needed).
>>
>> This code is based on something that was originally written by Wedson on
>> the old rust branch. It was modified by Alice by removing the
>> `IoBufferReader` and `IoBufferWriter` traits, and various other changes.
>>
>> Signed-off-by: Wedson Almeida Filho
>> Co-developed-by: Alice Ryhl
>> Signed-off-by: Alice Ryhl
>
> Thanks!
>
> Reviewed-by: Boqun Feng

Thanks for taking a look!

>> ---
>>  rust/helpers.c         |  14 +++
>>  rust/kernel/lib.rs     |   1 +
>>  rust/kernel/uaccess.rs | 304 +++++++++++++++++++++++++++++++++++++++++++++++++
>>  3 files changed, 319 insertions(+)
>>
> [...]
>> + /// Reads raw data from the user slice into a kernel buffer.
>> + ///
>> + /// Fails with `EFAULT` if the read happens on a bad address.
>
> ... we probably want to mention that `out` may get modified even in
> failure cases.

Will do.

>> + pub fn read_slice(&mut self, out: &mut [u8]) -> Result {
>> + // SAFETY: The types are compatible and `read_raw` doesn't write uninitialized bytes to
>> + // `out`.
>> + let out = unsafe { &mut *(out as *mut [u8] as *mut [MaybeUninit]) };
>> + self.read_raw(out)
>> + }
>> +
> [...]
>> +
>> +impl UserSliceWriter {
> [...]
>> +
>> + /// Writes raw data to this user pointer from a kernel buffer.
>> + ///
>> + /// Fails with `EFAULT` if the write happens on a bad address.
>
> Same here, probably mention that: the userspace memory may be modified
> even in failure cases.

Will do.
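Review bot: in the quoted `read_slice` hunk the cast target is written `*mut [MaybeUninit]` with no type argument; `MaybeUninit` is generic, so the target has to be `[MaybeUninit<u8>]` for the cast from `*mut [u8]` to type-check. The `<u8>` was most likely eaten when the mail was rendered, but it is worth confirming it is present in the applied patch. Separately, the SAFETY comment only argues why the cast is sound; the partial-write behaviour Boqun raised belongs in the `///` doc above `read_slice` (and in the matching `UserSliceWriter` doc), for example "`out` may have been partially overwritten when `EFAULT` is returned", since a caller reading the doc alone will otherwise assume the buffer is untouched on error.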
> Anyway, they are not correctness critical, so we can do these in later
> patches.

It looks like I'll have to send another version anyway due to the
conflict with [1], so I can take care of it.

Alice

[1]: https://lore.kernel.org/rust-for-linux/20240328013603.206764-1-wedsonaf@gmail.com/
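The commit message quoted in this thread explains why the reader takes `self` by value and only moves forward: a kernel consumer that fetches a length, checks it, then fetches the same address again has a TOCTOU window a userspace thread can race. The following is an added example, not code from this mail, the patch, or the kernel tree. It is a plain userspace Rust model of that design: `UserMem`, the `copy_from_user` stand-in, `Error`, `MAX_PAYLOAD` and the two `parse_*` functions are all constructed for the illustration, and the "user memory" is a shared byte buffer that a simulated racing thread rewrites between fetches. The real `UserSlicePtr` in rust/kernel/uaccess.rs wraps the kernel's `copy_from_user`/`copy_to_user`; this model only imitates their EFAULT behaviour.

```rust
use std::cell::RefCell;
use std::rc::Rc;

/// `Efault` for a bad user address (as the kernel API returns), `Einval` for a
/// header that fails validation. Both belong to this model, not the kernel crate.
#[derive(Debug, PartialEq, Eq)]
pub enum Error { Efault, Einval }
pub type Result<T = ()> = std::result::Result<T, Error>;

/// Constructed stand-in for a process's user address space: a single mapping
/// starting at address 0, shared so a simulated racing thread can rewrite it.
pub type UserMem = Rc<RefCell<Vec<u8>>>;

pub fn user_mem(bytes: &[u8]) -> UserMem {
    Rc::new(RefCell::new(bytes.to_vec()))
}

/// Model of copy_from_user: EFAULT if any byte of [addr, addr + len) is unmapped.
fn copy_from_user(mem: &UserMem, dst: &mut [u8], addr: usize) -> Result {
    let mem = mem.borrow();
    let end = addr.checked_add(dst.len()).ok_or(Error::Efault)?;
    if end > mem.len() {
        return Err(Error::Efault);
    }
    dst.copy_from_slice(&mem[addr..end]);
    Ok(())
}

/// An (addr, len) pair naming a user range. Constructing it checks nothing;
/// every check happens when bytes are actually copied.
pub struct UserSlicePtr { mem: UserMem, addr: usize, len: usize }

impl UserSlicePtr {
    pub fn new(mem: UserMem, addr: usize, len: usize) -> Self {
        UserSlicePtr { mem, addr, len }
    }

    /// Takes `self` by value: one `UserSlicePtr` yields exactly one reader, so
    /// the same location cannot be fetched twice through it.
    pub fn reader(self) -> UserSliceReader {
        UserSliceReader { mem: self.mem, addr: self.addr, len: self.len }
    }
}

pub struct UserSliceReader { mem: UserMem, addr: usize, len: usize }

impl UserSliceReader {
    /// Copies `out.len()` bytes and advances past them; the reader only moves
    /// forward. Fails with EFAULT beyond the slice bound or on an unmapped address.
    pub fn read_slice(&mut self, out: &mut [u8]) -> Result {
        if out.len() > self.len {
            return Err(Error::Efault);
        }
        copy_from_user(&self.mem, out, self.addr)?;
        self.addr += out.len();
        self.len -= out.len();
        Ok(())
    }

    pub fn read_u32(&mut self) -> Result<u32> {
        let mut b = [0u8; 4];
        self.read_slice(&mut b)?;
        Ok(u32::from_le_bytes(b))
    }
}

/// Largest payload the kernel side of this model is prepared to accept.
pub const MAX_PAYLOAD: u32 = 16;

/// TOCTOU-prone double fetch: `len` is validated from one read of user memory
/// and the copy is sized from a second read of the same address. `racer`
/// models a userspace thread that runs between the two fetches.
pub fn parse_double_fetch(mem: &UserMem, racer: impl FnOnce()) -> Result<Vec<u8>> {
    let len = UserSlicePtr::new(mem.clone(), 0, 4).reader().read_u32()?;
    if len > MAX_PAYLOAD {
        return Err(Error::Einval);
    }
    racer();
    // Second fetch of the header: the value used is no longer the value checked.
    let len = UserSlicePtr::new(mem.clone(), 0, 4).reader().read_u32()?;
    let mut payload = vec![0u8; len as usize];
    UserSlicePtr::new(mem.clone(), 4, len as usize).reader().read_slice(&mut payload)?;
    Ok(payload)
}

/// Single fetch through one forward-only reader: the header is read once, the
/// reader has moved past it, and the `len` that was validated is the one used.
pub fn parse_single_fetch(mem: &UserMem, racer: impl FnOnce()) -> Result<Vec<u8>> {
    let mut reader = UserSlicePtr::new(mem.clone(), 0, 4 + MAX_PAYLOAD as usize).reader();
    let len = reader.read_u32()?;
    if len > MAX_PAYLOAD {
        return Err(Error::Einval);
    }
    racer(); // may rewrite the header in user memory; `len` is the kernel's own copy
    let mut payload = vec![0u8; len as usize];
    reader.read_slice(&mut payload)?;
    Ok(payload)
}
```

Run against a constructed buffer whose header says 8 bytes, with a racer that rewrites the header to 60 after the check, `parse_double_fetch` hands back a 60-byte payload that violates the `MAX_PAYLOAD` invariant it just checked, while `parse_single_fetch` returns the 8 bytes that match the validated length. A second `reader()` on the same `UserSlicePtr` is a compile error (the value was moved), which is what makes the second fetch in the vulnerable version require constructing a fresh pointer, a visible code smell in review.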