Date: Mon, 18 Mar 2024 11:59:19 -0700
From: Boqun Feng
To: Alice Ryhl
Cc: Miguel Ojeda, Matthew Wilcox, Al Viro, Andrew Morton, Kees Cook, Alex Gaynor, Wedson Almeida Filho, Gary Guo, Björn Roy Baron, Benno Lossin, Andreas Hindborg, Greg Kroah-Hartman, Arve Hjønnevåg, Todd Kjos, Martijn Coenen, Joel Fernandes, Carlos Llamas, Suren Baghdasaryan, Arnd Bergmann, linux-mm@kvack.org, linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org, Christian Brauner
Subject: Re: [PATCH v3 1/4] rust: uaccess: add userspace pointers

On Mon, Mar 11, 2024 at 10:47:13AM +0000, Alice Ryhl wrote: > From: Wedson Almeida Filho > [...] > + > +/// A reader for [`UserSlice`]. > +/// > +/// Used to incrementally read from the user slice. 
> +pub struct UserSliceReader { > + ptr: *mut c_void, > + length: usize, > +} > + > +impl UserSliceReader { [...] > + > + /// Reads raw data from the user slice into a raw kernel buffer. > + /// > + /// Fails with `EFAULT` if the read encounters a page fault. > + /// > + /// # Safety > + /// > + /// The `out` pointer must be valid for writing `len` bytes. > + pub unsafe fn read_raw(&mut self, out: *mut u8, len: usize) -> Result { I don't think we want to promote the pub usage of this unsafe function, right? We can provide a safe version: pub fn read_slice(&mut self, to: &[u8]) -> Result and all users can just use the safe version (with the help of slice::from_raw_parts_mut() if necessary). > + if len > self.length { > + return Err(EFAULT); > + } > + let Ok(len_ulong) = c_ulong::try_from(len) else { > + return Err(EFAULT); > + }; > + // SAFETY: The caller promises that `out` is valid for writing `len` bytes. > + let res = unsafe { bindings::copy_from_user(out.cast::(), self.ptr, len_ulong) }; > + if res != 0 { > + return Err(EFAULT); > + } > + // Userspace pointers are not directly dereferencable by the kernel, so > + // we cannot use `add`, which has C-style rules for defined behavior. > + self.ptr = self.ptr.wrapping_byte_add(len); > + self.length -= len; > + Ok(()) > + } > + > + /// Reads the entirety of the user slice, appending it to the end of the > + /// provided buffer. > + /// > + /// Fails with `EFAULT` if the read encounters a page fault. > + pub fn read_all(mut self, buf: &mut Vec) -> Result { > + let len = self.length; > + buf.try_reserve(len)?; > + > + // SAFETY: The call to `try_reserve` was successful, so the spare > + // capacity is at least `len` bytes long. > + unsafe { self.read_raw(buf.spare_capacity_mut().as_mut_ptr().cast(), len)? }; > + > + // SAFETY: Since the call to `read_raw` was successful, so the next > + // `len` bytes of the vector have been initialized. 
> + unsafe { buf.set_len(buf.len() + len) }; > + Ok(()) > + } > +} > + > +/// A writer for [`UserSlice`]. > +/// > +/// Used to incrementally write into the user slice. > +pub struct UserSliceWriter { > + ptr: *mut c_void, > + length: usize, > +} > + > +impl UserSliceWriter { > + /// Returns the amount of space remaining in this buffer. > + /// > + /// Note that even writing less than this number of bytes may fail. > + pub fn len(&self) -> usize { > + self.length > + } > + > + /// Returns `true` if no more data can be written to this buffer. > + pub fn is_empty(&self) -> bool { > + self.length == 0 > + } > + > + /// Writes raw data to this user pointer from a raw kernel buffer. > + /// > + /// Fails with `EFAULT` if the write encounters a page fault. > + /// > + /// # Safety > + /// > + /// The `data` pointer must be valid for reading `len` bytes. > + pub unsafe fn write_raw(&mut self, data: *const u8, len: usize) -> Result { Same here, just remove the `pub`, and users should use write_slice() (with the help of slice::from_raw_parts() if necessary). Regards, Boqun > + if len > self.length { > + return Err(EFAULT); > + } > + let Ok(len_ulong) = c_ulong::try_from(len) else { > + return Err(EFAULT); > + }; > + let res = unsafe { bindings::copy_to_user(self.ptr, data.cast::(), len_ulong) }; > + if res != 0 { > + return Err(EFAULT); > + } > + // Userspace pointers are not directly dereferencable by the kernel, so > + // we cannot use `add`, which has C-style rules for defined behavior. > + self.ptr = self.ptr.wrapping_byte_add(len); > + self.length -= len; > + Ok(()) > + } > + > + /// Writes the provided slice to this user pointer. > + /// > + /// Fails with `EFAULT` if the write encounters a page fault. > + pub fn write_slice(&mut self, data: &[u8]) -> Result { > + let len = data.len(); > + let ptr = data.as_ptr(); > + // SAFETY: The pointer originates from a reference to a slice of length > + // `len`, so the pointer is valid for reading `len` bytes. 
> + unsafe { self.write_raw(ptr, len) } > + } > +} > > -- > 2.44.0.278.ge034bb2e1d-goog >
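Review bot: in `read_all`, the doc comment names only `EFAULT`, but `buf.try_reserve(len)?` propagates an allocation failure through `?`, so the caller can receive an error that the documentation does not mention; add that case to the "Fails with" text. The second SAFETY comment in the same function reads "Since the call to `read_raw` was successful, so the next"; drop the "so".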
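Review bot: in `write_raw`, the `unsafe { bindings::copy_to_user(...) }` block carries no `// SAFETY:` comment, while the matching `copy_from_user` call in `read_raw` has one. Add a comment stating that the caller promises `data` is valid for reading `len` bytes, so the two functions justify their unsafe blocks the same way.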
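The safe-wrapper arrangement proposed in the reply, as an added example that is not code from the patch or from the reply's author: a userspace mock in which `read_raw` stays private and callers go through `read_slice`. `Efault`, `mock_copy_from_user`, `read_into_raw` and the offset-based "user memory" are assumptions made so it runs outside the kernel, and `read_slice` takes `&mut [u8]` here because the destination is written.

```rust
// Userspace mock for illustration: not kernel code and not part of the patch.
use std::{ptr, slice};
#[derive(Debug, PartialEq)]
pub struct Efault; // stand-in for the kernel's EFAULT

/// Constructed stand-in for copy_from_user(): a user pointer is an offset into `user`; returns bytes NOT copied.
unsafe fn mock_copy_from_user(to: *mut u8, user: &[u8], from: usize, n: usize) -> usize {
    match from.checked_add(n) {
        // SAFETY: the source range is in bounds; the caller vouches for `to`.
        Some(end) if end <= user.len() => unsafe {
            ptr::copy_nonoverlapping(user.as_ptr().add(from), to, n);
            0
        },
        _ => n, // simulated page fault
    }
}

pub struct UserSliceReader<'a> { user: &'a [u8], ptr: usize, length: usize }
impl<'a> UserSliceReader<'a> {
    pub fn new(user: &'a [u8], ptr: usize, length: usize) -> Self { Self { user, ptr, length } }
    pub fn len(&self) -> usize { self.length }
    /// Private: only this module must uphold "`out` is valid for writing `len` bytes".
    unsafe fn read_raw(&mut self, out: *mut u8, len: usize) -> Result<(), Efault> {
        if len > self.length { return Err(Efault); }
        // SAFETY: forwarded from this function's own contract.
        if unsafe { mock_copy_from_user(out, self.user, self.ptr, len) } != 0 { return Err(Efault); }
        self.ptr = self.ptr.wrapping_add(len);
        self.length -= len;
        Ok(())
    }

    /// Safe wrapper: the `&mut [u8]` itself proves validity for `out.len()` bytes.
    pub fn read_slice(&mut self, out: &mut [u8]) -> Result<(), Efault> {
        // SAFETY: `out` is an exclusive, writable slice of exactly `out.len()` bytes.
        unsafe { self.read_raw(out.as_mut_ptr(), out.len()) }
    }
}

/// # Safety: `buf` must point to `len` initialized, unaliased, writable bytes.
pub unsafe fn read_into_raw(r: &mut UserSliceReader<'_>, buf: *mut u8, len: usize) -> Result<(), Efault> {
    // SAFETY: guaranteed by this function's caller.
    r.read_slice(unsafe { slice::from_raw_parts_mut(buf, len) })
}

fn main() {
    let (user, mut out) = (*b"hello, kernel", [0u8; 5]); // constructed "user memory"
    let res = UserSliceReader::new(&user, 0, 5).read_slice(&mut out);
    println!("{res:?} {out:?}");
}
```

A caller that starts from a raw buffer writes its one `unsafe` at `read_into_raw`, so the validity argument sits next to the code that owns the buffer instead of being repeated at every `read_raw` call site.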