Received: by 2002:ab2:3c46:0:b0:1f5:f2ab:c469 with SMTP id x6csp98471lqf; Fri, 26 Apr 2024 00:14:21 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCUSlqxqBULkHGCGEkDViM0/Yp5hD/NcRcySXN7lbf4IXDcvh2CpGRit3wdSr7dozIvLjfi7Xh0u0/YsLitCNf9D5r+bZw0TLy69Vzeeew== X-Google-Smtp-Source: AGHT+IEBVwJcXH2CYNX2KgEONg4OmZzhmNWk/H8vqw0Z2AE3ioIn2tkgH5a4CWxSrkVaqqhrecE7 X-Received: by 2002:a9d:4804:0:b0:6ea:30b9:b30d with SMTP id c4-20020a9d4804000000b006ea30b9b30dmr1762906otf.8.1714115661556; Fri, 26 Apr 2024 00:14:21 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1714115661; cv=pass; d=google.com; s=arc-20160816; b=s9I7Qu7GZsIBIoUotcsp3Qx6+qRJL++1YzM4224M3IKQUkDN4Y1j6Fbf/pNOt+nP/0 88wtDTqCWHWrdS+BZNS/zbFrHHMdgbv5J8WYhzkbF2NgT9dLoCrsHA9dhyBk4t/+8a+d QzjI1fFvW9yxuYhXZBkELTFrkBxEcDaRZHDiFfvjJVp6XfOWmLkwue28S/poqhwwZBtW t6kqv9ZsnmWmCiItVr5qIJ/0eOknsjEj52Xq8GVZBV2Mz0DkMms4LaWvrO3H10WgkFXX J5izTgh4pwQI1URnGN5jo7XAyjwWKDPjDcWeVUky6FYUYU0cI04rhY04iNsMSyc/RM3S kAZQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:list-unsubscribe:list-subscribe :list-id:precedence:dkim-signature; bh=PteTKUkLdI4YjMSnQZKKT6B1AyC9xLcHreBvLXZqBtc=; fh=mr9/dzokAwrywE6yrB9Ib8hTbf1/CBA24Q3Z0s8nN1Q=; b=GmaliR7WTap0n8+5EM5eLe964Z8Hg45mgUXXIrb4CWFTsqZnEbCs0mHUb4hrteqxjE MdCZzy5l0udyW1oTn5jfYsaJ4FqkIo9xdGhocyjHPZ8xKdX51qjqnqI3kctEzeai5PB7 TpKBLPH4v+Pq5jEnCt0Q96NKc+zcigszo1skDIKDGuQ+2BHitTviunJFKtymlu/UMrup Hf7AJizS4zVIoN4bE1cMIeVmOCKDriA6yEMgiD1LddymKhqY70+5YJ1rk4BH+wedroxD xVRydLylhvQKvPKZG6ONZ398iwVFSGiVcfD+uVJeSTz0O5QggXo1IVjd3QOzbQ3sor7v OTMA==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=ttPfssHo; arc=pass (i=1 spf=pass spfdomain=google.com dkim=pass dkdomain=google.com dmarc=pass fromdomain=google.com); spf=pass (google.com: domain of linux-kernel+bounces-159620-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-159620-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1]) by mx.google.com with ESMTPS id j190-20020a638bc7000000b005fd6e8bc0d4si10079720pge.418.2024.04.26.00.14.21 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 26 Apr 2024 00:14:21 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-159620-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=ttPfssHo; arc=pass (i=1 spf=pass spfdomain=google.com dkim=pass dkdomain=google.com dmarc=pass fromdomain=google.com); spf=pass (google.com: domain of linux-kernel+bounces-159620-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-159620-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id A57C0281B44 for ; Fri, 26 Apr 2024 07:14:00 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 36AF013C3DB; Fri, 26 Apr 2024 07:13:33 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="ttPfssHo" Received: from mail-ua1-f54.google.com (mail-ua1-f54.google.com [209.85.222.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BC2A613BC14 for ; Fri, 26 Apr 2024 07:13:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.222.54 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714115612; cv=none; b=fSl8UsY//zqBtQGMSUorg49XlfV5GxQn2512i6n/CNBleeeVthOW8/DMyjhbJ0RhNwM+F6YP7OlWwVP1UE8OswjXVvxuz7Vfmlqp5+qDaWpwTrEBpCpwlFCyWdFgkD1jSuSt+JeI5MgioLg25VpOxucjgiFBeU7hYRk1MAQYnv0= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714115612; c=relaxed/simple; bh=k+NB7JMmOJfVGxCrRyXHvyTuixX/Pa9rlRYhz6PsS38=; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=VW+BapWBfw1E85kdSU9W3aWDZbFnmEIZCAFxciBwn/Z/S5vlSujXWP4N/TxZYqX7pfQC9t+qpSZ04gPlMDZFtANSRZXgVMXCXTY/8vq3qaySyknYr8WPxV6dAs1xguKI/J9q+rc3oStrBWNmc2Uk0he6frC4Ure5J6y4irMvr1Y= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=ttPfssHo; arc=none smtp.client-ip=209.85.222.54 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=google.com Received: by mail-ua1-f54.google.com with SMTP id a1e0cc1a2514c-7ed6cf3e7f8so683933241.2 for ; Fri, 26 Apr 2024 00:13:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1714115609; x=1714720409; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=PteTKUkLdI4YjMSnQZKKT6B1AyC9xLcHreBvLXZqBtc=; b=ttPfssHodpNnFSOAG610UTxAbpTX/WGrAZErlEBtJfgnKCB2nM+kZj5QoBn6kZ+YpR xnBeh88saSs49nB4QFZ2U3ZXd7QwnD0/SGSQL4kjQWHa4BMZYwQVq75NVUAWxBruUVjO 5oKFc3Jr4G2qqi7Zv2SGyuEmWN1dPqXPEuW8XWKJ1RqFtMX5vWW3jECh+1r0ulcS715F BmKbJb6zoQfJFKVc4l1H8JnG6Cg0g31ubkeoRg2o5R3BYkimwLspXKkf5yOL8MSOqktr Rvsollo1Mbw0kGncke8VyJglURojXw7JuU4PRAS22k8O/rRHfLyTIVcgwjR1pZ65KRHD NJuA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1714115609; x=1714720409; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=PteTKUkLdI4YjMSnQZKKT6B1AyC9xLcHreBvLXZqBtc=; b=LPkHvm6WshfBH/I3YIPO81rzcBDqKoSM7YpwCpMrZMz7GWaBWJSShMgOk5HRF1C4Yd nzruSojcK8csZNF64TK3LdNC6rqQD+Eu/0Ij3wR0HtaaCMhSD3MZRxlDfNyk/l6faeGA 5FqcGtLRmTw7kWw91SnuXnVy6gBHCYS+tNk6xXqvqT35xDVNQfVl9MFTuh9V9Y6a7IFy 2OLcN2ujKfbdyAsbf8CZG/JKREWNt8EnQmBPkizJAfl70Y/e4LgreEgpQVhk6o3R7O9o S9nzVH/5gF3QIIL8p7KVZfKU1F8SuvfKeRXZSAk54HypEQoVneps+snETA297gRRy7bc T5OQ== X-Forwarded-Encrypted: i=1; AJvYcCUe/MxmJmAbFqljgktM3by04Z73CeyDHp/jRfTMygF/eTuld9QhH5obetam/rip9W6sDFvvCaqaED5Xa/UqAUCAxObr56WnGmFjYXB4 X-Gm-Message-State: AOJu0Yz6Z2H0T7REFjBW9iFUd4IQ0z5mDEPo9txgoF5yuO71LMsar1nu 9dQrqj2Ut7p/w7Zeo0Ymr8uFQtc/o9fnhRvnNthXyh8Jqt93tGRpYY5pJ9pytZX/gstOM7o25Zw 4qbk3GGGeYe06FV5QLsgUu/8lP3RiSt9FZp0y X-Received: by 2002:a05:6102:457:b0:47b:614e:cbd with SMTP id e23-20020a056102045700b0047b614e0cbdmr1763298vsq.31.1714115609277; Fri, 26 Apr 2024 00:13:29 -0700 (PDT) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <20240418-alice-mm-v6-0-cb8f3e5d688f@google.com> <20240418-alice-mm-v6-3-cb8f3e5d688f@google.com> <20240425171358.54dc96e4@eugeo> In-Reply-To: <20240425171358.54dc96e4@eugeo> From: Alice Ryhl Date: Fri, 26 Apr 2024 09:13:18 +0200 Message-ID: Subject: Re: [PATCH v6 3/4] rust: uaccess: add typed accessors for userspace pointers To: Gary Guo Cc: Miguel Ojeda , Matthew Wilcox , Al Viro , Andrew Morton , Kees Cook , Alex Gaynor , Wedson Almeida Filho , Boqun Feng , =?UTF-8?Q?Bj=C3=B6rn_Roy_Baron?= , Benno Lossin , Andreas Hindborg , Greg Kroah-Hartman , =?UTF-8?B?QXJ2ZSBIasO4bm5ldsOlZw==?= , Todd Kjos , Martijn Coenen , Joel Fernandes , Carlos Llamas , Suren Baghdasaryan , Arnd Bergmann , Trevor Gross , linux-mm@kvack.org, linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org, Christian Brauner Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Thu, Apr 25, 2024 at 6:14=E2=80=AFPM Gary Guo wrote: > > On Thu, 18 Apr 2024 08:59:19 +0000 > Alice Ryhl wrote: > > > Add safe methods for reading and writing Rust values to and from > > userspace pointers. > > > > The C methods for copying to/from userspace use a function called > > `check_object_size` to verify that the kernel pointer is not dangling. > > However, this check is skipped when the length is a compile-time > > constant, with the assumption that such cases trivially have a correct > > kernel pointer. > > > > In this patch, we apply the same optimization to the typed accessors. > > For both methods, the size of the operation is known at compile time to > > be size_of of the type being read or written. Since the C side doesn't > > provide a variant that skips only this check, we create custom helpers > > for this purpose. > > > > The majority of reads and writes to userspace pointers in the Rust > > Binder driver uses these accessor methods. Benchmarking has found that > > skipping the `check_object_size` check makes a big difference for the > > cases being skipped here. (And that the check doesn't make a difference > > for the cases that use the raw read/write methods.) > > > > This code is based on something that was originally written by Wedson o= n > > the old rust branch. It was modified by Alice to skip the > > `check_object_size` check, and to update various comments, including th= e > > notes about kernel pointers in `WritableToBytes`. > > > > Co-developed-by: Wedson Almeida Filho > > Signed-off-by: Wedson Almeida Filho > > Reviewed-by: Benno Lossin > > Reviewed-by: Boqun Feng > > Reviewed-by: Trevor Gross > > Signed-off-by: Alice Ryhl > > Reviewed-by: Gary Guo > > > --- > > rust/kernel/types.rs | 64 ++++++++++++++++++++++++++++++++++++++++ > > rust/kernel/uaccess.rs | 79 ++++++++++++++++++++++++++++++++++++++++++= ++++++-- > > 2 files changed, 141 insertions(+), 2 deletions(-) > > > > diff --git a/rust/kernel/types.rs b/rust/kernel/types.rs > > index 8fad61268465..9c57c6c75553 100644 > > --- a/rust/kernel/types.rs > > +++ b/rust/kernel/types.rs > > > > +/// Types that can be viewed as an immutable slice of initialized byte= s. > > +/// > > +/// If a struct implements this trait, then it is okay to copy it byte= -for-byte to userspace. This > > +/// means that it should not have any padding, as padding bytes are un= initialized. Reading > > +/// uninitialized memory is not just undefined behavior, it may even l= ead to leaking sensitive > > +/// information on the stack to userspace. > > +/// > > +/// The struct should also not hold kernel pointers, as kernel pointer= addresses are also considered > > +/// sensitive. However, leaking kernel pointers is not considered unde= fined behavior by Rust, so > > +/// this is a correctness requirement, but not a safety requirement. > > +/// > > +/// # Safety > > +/// > > +/// Values of this type may not contain any uninitialized bytes. This = type must not have interior > > +/// mutability. > > +pub unsafe trait AsBytes {} > > + > > +// SAFETY: Instances of the following types have no uninitialized port= ions. > > +unsafe impl AsBytes for u8 {} > > +unsafe impl AsBytes for u16 {} > > +unsafe impl AsBytes for u32 {} > > +unsafe impl AsBytes for u64 {} > > +unsafe impl AsBytes for usize {} > > +unsafe impl AsBytes for i8 {} > > +unsafe impl AsBytes for i16 {} > > +unsafe impl AsBytes for i32 {} > > +unsafe impl AsBytes for i64 {} > > +unsafe impl AsBytes for isize {} > > +unsafe impl AsBytes for bool {} > > +unsafe impl AsBytes for char {} > > +unsafe impl AsBytes for str {} > > +// SAFETY: If individual values in an array have no uninitialized port= ions, then the array itself > > +// does not have any uninitialized portions either. > > +unsafe impl AsBytes for [T] {} > > nit: I would move `str` to here, since `str` is essentially `[u8]` with > UTF-8 guarantee. > > > +unsafe impl AsBytes for [T; N] {} Yes ... but the safety comment here talks about arrays and their individual values. I don't think it transfers cleanly to str, and that the other safety comment fits str better. Alice