From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9E000C6FD1F for ; Wed, 20 Mar 2024 18:39:55 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 169966B0088; Wed, 20 Mar 2024 14:39:55 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 11A0A6B0092; Wed, 20 Mar 2024 14:39:55 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id ED5F56B0099; Wed, 20 Mar 2024 14:39:54 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0017.hostedemail.com [216.40.44.17]) by kanga.kvack.org (Postfix) with ESMTP id DF4606B0088 for ; Wed, 20 Mar 2024 14:39:54 -0400 (EDT) Received: from smtpin09.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay01.hostedemail.com (Postfix) with ESMTP id AFE161C11F1 for ; Wed, 20 Mar 2024 18:39:54 +0000 (UTC) X-FDA: 81918281508.09.0784BAF Received: from mail-qt1-f173.google.com (mail-qt1-f173.google.com [209.85.160.173]) by imf20.hostedemail.com (Postfix) with ESMTP id B03C11C0015 for ; Wed, 20 Mar 2024 18:39:52 +0000 (UTC) Authentication-Results: imf20.hostedemail.com; dkim=pass header.d=gmail.com header.s=20230601 header.b=a1LfAJTR; spf=pass (imf20.hostedemail.com: domain of boqun.feng@gmail.com designates 209.85.160.173 as permitted sender) smtp.mailfrom=boqun.feng@gmail.com; dmarc=pass (policy=none) header.from=gmail.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1710959992; a=rsa-sha256; cv=none; b=bSzqPWWtrYkA+PZCcZPPjCrgJyMOmAK22EosTNrOBpn5WvbFUxmwhXSCPh4MfrCWFmG3mq OLFfQZnEGo5w/qUb/eIFZx0llh77sH1nMc1JffBITzDQm0Yo+bdPBrL4aqpFgP3Uk+/nsw 6cGYNnJ0QtHJ0zKG+wASCoD/oavoGpA= ARC-Authentication-Results: i=1; imf20.hostedemail.com; dkim=pass header.d=gmail.com header.s=20230601 header.b=a1LfAJTR; spf=pass (imf20.hostedemail.com: domain of boqun.feng@gmail.com designates 209.85.160.173 as permitted sender) smtp.mailfrom=boqun.feng@gmail.com; dmarc=pass (policy=none) header.from=gmail.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1710959992; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=xWRvU83WE/XxBo1v/F0X5t/KDOzdzaHYVuEHQEDHtYc=; b=B/9FC30Pb0+bpxRqJi9l8ctG7MBSpO+YEIgTZeyHmvSGrRE/2FiwLIow+GU5jT17F4o90j NRUg2HdBQ+0T/o5r4nJ7JpY/xfItC7GcrpUx6lDNtuA64VhBBuWqFxiXUh16m0z6Hw9uYS ++VFSacYC5TUSX4/D5GeOTVTJ4nbrnM= Received: by mail-qt1-f173.google.com with SMTP id d75a77b69052e-42a029c8e76so1293181cf.2 for ; Wed, 20 Mar 2024 11:39:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1710959992; x=1711564792; darn=kvack.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:feedback-id:from:to:cc:subject:date :message-id:reply-to; bh=xWRvU83WE/XxBo1v/F0X5t/KDOzdzaHYVuEHQEDHtYc=; b=a1LfAJTR/ABYl9jm3EmC+piwMSHj80/df0EMwaJU5MQqf70E6myZh58ho0+GHm7p53 wuZ9Khsw8eNicpl1L8FtQqsN33ZqT7u2eVF0HKWWagb/YrLu8whsEI7gczOtdXH0AI45 f1HL203PAMtUe5PSwh/42EClxZkWatxzhZiIF9Im0C0XNSSKIKykNFt+HQzGTFMgTM+j k3KhCWVV4DCqj5pvAj4u/QjJW3R48WrToV5T+btWFaHq3cmHgBwNoN7FhcGnUYPqYTBp SY/0J0zqBczplYwLcqV5ZHXNidwuJ42xt1ND9fW23x6QAhoE8cWB50RWV7vwDRqQyvzo 34hg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710959992; x=1711564792; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:feedback-id:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=xWRvU83WE/XxBo1v/F0X5t/KDOzdzaHYVuEHQEDHtYc=; b=Sno1AUrvcXpb1Q6PRVP5uuolUDZ2R/UY6Vv9GOeibMJ8ftTfUOt9aDarFjgDBDmw4i s+Av6QvF7UkH8GYMdMRYve4q+PjoDXIY3Y8pa/ub81+GgHLO7xqyAXV40ZPnAruw/JVS 986cK/mBHeS1zs9kRwsAbDG5tM9AJ07EAzUTuPV/IIpRg8jAT9zwh/OjeUCcfypJ8IP5 0vusDrrvqnz3N++KNQa3rB0/w8a7PxplqbtEGjYsbQtnSwWIqGjsmfKst/s7HrAxLFuB hxxDdXZju/D9An5uC2fVq2JCzVzo+ztShAxx6yL2wAMeV4oTOFo8j1ztN4PTbBdUXEaD pycA== X-Forwarded-Encrypted: i=1; AJvYcCX7CC9Y2O+I+u8eWvYIydNHI9I7kwhqBaOQRqJLMYUhLmFnanbGtz8avZDDRh4iUna4k3QyZY8b58ud/3f29wUAg3M= X-Gm-Message-State: AOJu0YwEQRQSuB6rRavzlherVauNE7HRUL4SmZSacoVe4n8qcBWeuLHa O8+9IQeOhChyqMNCj3ZtsHsVb/wjbBSbEKxrHgPP5d46edJoJ/xK X-Google-Smtp-Source: AGHT+IFS9uSNLSBh1XOFh0ALtqPOKyEM9BMZXRgz5Y/IEkIql9atTB8xsItHCTfp9JxRAMGj2zrWjg== X-Received: by 2002:a05:622a:1804:b0:430:ba7a:fe7b with SMTP id t4-20020a05622a180400b00430ba7afe7bmr14742759qtc.44.1710959991779; Wed, 20 Mar 2024 11:39:51 -0700 (PDT) Received: from fauth2-smtp.messagingengine.com (fauth2-smtp.messagingengine.com. [103.168.172.201]) by smtp.gmail.com with ESMTPSA id fb19-20020a05622a481300b004309cf16815sm4019519qtb.39.2024.03.20.11.39.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 20 Mar 2024 11:39:51 -0700 (PDT) Received: from compute2.internal (compute2.nyi.internal [10.202.2.46]) by mailfauth.nyi.internal (Postfix) with ESMTP id A2C461200066; Wed, 20 Mar 2024 14:39:50 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute2.internal (MEProxy); Wed, 20 Mar 2024 14:39:50 -0400 X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvledrleeggdduudegucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepfffhvfevuffkfhggtggujgesthdtredttddtvdenucfhrhhomhepuehoqhhu nhcuhfgvnhhguceosghoqhhunhdrfhgvnhhgsehgmhgrihhlrdgtohhmqeenucggtffrrg htthgvrhhnpeejiefhtdeuvdegvddtudffgfegfeehgfdtiedvveevleevhfekhefftdek ieehvdenucffohhmrghinheprhhushhtqdhlrghnghdrohhrghenucevlhhushhtvghruf hiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpegsohhquhhnodhmvghsmhhtphgr uhhthhhpvghrshhonhgrlhhithihqdeiledvgeehtdeigedqudejjeekheehhedvqdgsoh hquhhnrdhfvghngheppehgmhgrihhlrdgtohhmsehfihigmhgvrdhnrghmvg X-ME-Proxy: Feedback-ID: iad51458e:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Wed, 20 Mar 2024 14:39:49 -0400 (EDT) Date: Wed, 20 Mar 2024 11:39:33 -0700 From: Boqun Feng To: Alice Ryhl Cc: Miguel Ojeda , Matthew Wilcox , Al Viro , Andrew Morton , Kees Cook , Alex Gaynor , Wedson Almeida Filho , Gary Guo , =?iso-8859-1?Q?Bj=F6rn?= Roy Baron , Benno Lossin , Andreas Hindborg , Greg Kroah-Hartman , Arve =?iso-8859-1?B?SGr4bm5lduVn?= , Todd Kjos , Martijn Coenen , Joel Fernandes , Carlos Llamas , Suren Baghdasaryan , Arnd Bergmann , linux-mm@kvack.org, linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org, Christian Brauner Subject: Re: [PATCH v3 1/4] rust: uaccess: add userspace pointers Message-ID: References: <20240311-alice-mm-v3-0-cdf7b3a2049c@google.com> <20240311-alice-mm-v3-1-cdf7b3a2049c@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20240311-alice-mm-v3-1-cdf7b3a2049c@google.com> X-Rspamd-Server: rspam08 X-Rspamd-Queue-Id: B03C11C0015 X-Stat-Signature: sxacxa6ewr3rxqs84fpdg38xobw6bfu8 X-Rspam-User: X-HE-Tag: 1710959992-985052 X-HE-Meta: U2FsdGVkX1+RuSjAWuEGj7XImADpqat8uJfW+zvMR/mr9xdCUjjKJIrJHTgMODj64vMEbBQlbWLzaHLFTYO9WAnTtXPCuT3FRpLU7ShiaQAXeD7pSidMoRtXR3Vl12YtJwCKsrJwS9ksFc8qfPqnHlrg2iePwhg6NyBWHZ1V/2wJJSnUzndMU28XYIKiDlThDyxbEtzlP6JKRbhGJ+JC/hmEdjmSnfTNxGgoYAKpUQzhVCWpA+zkb0ch+85H6dDJS77sq31ih5glr+SSvBHHfq+JsSAb5aqXedi5hMl1XEER3RfvUMgZ1x9TXxYaOmV9sy438tp9Cj16Mg7w8sn1lG9J3GzAUEkknd3wcK34tYhYwPRq2+xoAZm8Hi7CXb+RgjW1PzIrD+M2uohZFwVLoTc8JaPRuFiSpFZ6AaibBU4XtS5OERkF87F7JnwO4m4lS7QWGOa9f1YbcMoMFkslQjXeKonCpz0G8CbI3iQ+z1zqARVXp7BHFqMUk5GjFZzTzzOupOjLdw20yoB94wfim3mF72cv0lr73k6pAghNnelSW98eF8O5ETcL2bn+8nU0W+xkfrmQkm/Vt4tmzu1/nPcOcdU7Zs5C2Mk1DgBQ/vAev8m8kvg3QXkmQ2tJTmT9jPVq4xv7HmQvyFmcsKohK8v7P7iHtuZ4eKXG5gnUTtqcq1AkZdv2Mp7LHqgsB0i+SyipSZ0vyovcY5iUUwb6yl2Y/fSYs9HSx3yinvac6j+LrE6bL7mbhJrnpdfEWFv5Gn/V8qVRCH1yE0GCGznQvehhAFfX60FBjoNASL9FDKdvaRHhnYQSJCuLDNwuR8yDCRHncHxu9t62FKHsPd32HFekMGpQ36rJq2CLvdGIzMx9vPPSxR6dpU7liiOpFfRGXdqh9wdVdUdCfA+4UCRw4nXv6c3oGpqXxZjzlSJ7b+zz7+kBU3XvF24EXY3UTHFxs3nPw/AGg/d/49MD3gy RpwCclKt OLUkuy3wko6fTLrs2CtRA8ODL19oUgrbZ761xGmatxvzJe4wbacFC32JUwvOSVTkDdBBvcmWhsl9LzgXugslE+fxP0xiutdS96+jqDlV282O/osCEbQkNtutEkxC+Y+Eyyy2ZHedTxfMKDnkEm4zXJZwBOC2Y9o/+UEHKp+kr26rkyVE= X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: On Mon, Mar 11, 2024 at 10:47:13AM +0000, Alice Ryhl wrote: > From: Wedson Almeida Filho > [...] > +/// # Examples > +/// > +/// Takes a region of userspace memory from the current process, and modify it > +/// by adding one to every byte in the region. > +/// > +/// ```no_run > +/// use alloc::vec::Vec; > +/// use core::ffi::c_void; > +/// use kernel::error::Result; > +/// use kernel::uaccess::UserSlice; > +/// > +/// pub fn bytes_add_one(uptr: *mut c_void, len: usize) -> Result<()> { I hit the following compile error when trying to run kunit test: ERROR:root:error: unreachable `pub` item --> rust/doctests_kernel_generated.rs:4167:1 | 4167 | pub fn bytes_add_one(uptr: *mut c_void, len: usize) -> Result<()> { | ---^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | | | help: consider restricting its visibility: `pub(crate)` | = help: or consider exporting it for use by other crates = note: requested on the command line with `-D unreachable-pub` error: unreachable `pub` item --> rust/doctests_kernel_generated.rs:4243:1 | 4243 | pub fn get_bytes_if_valid(uptr: *mut c_void, len: usize) -> Result> { | ---^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | | | help: consider restricting its visibility: `pub(crate)` | = help: or consider exporting it for use by other crates error: aborting due to 2 previous errors , which should be fixed if we make the function in the example not `pub`. > +/// let (read, mut write) = UserSlice::new(uptr, len).reader_writer(); > +/// > +/// let mut buf = Vec::new(); > +/// read.read_all(&mut buf)?; > +/// > +/// for b in &mut buf { > +/// *b = b.wrapping_add(1); > +/// } > +/// > +/// write.write_slice(&buf)?; > +/// Ok(()) > +/// } > +/// ``` > +/// > +/// Example illustrating a TOCTOU (time-of-check to time-of-use) bug. > +/// > +/// ```no_run > +/// use alloc::vec::Vec; > +/// use core::ffi::c_void; > +/// use kernel::error::{code::EINVAL, Result}; > +/// use kernel::uaccess::UserSlice; > +/// > +/// /// Returns whether the data in this region is valid. > +/// fn is_valid(uptr: *mut c_void, len: usize) -> Result { > +/// let read = UserSlice::new(uptr, len).reader(); > +/// > +/// let mut buf = Vec::new(); > +/// read.read_all(&mut buf)?; > +/// > +/// todo!() > +/// } > +/// > +/// /// Returns the bytes behind this user pointer if they are valid. > +/// pub fn get_bytes_if_valid(uptr: *mut c_void, len: usize) -> Result> { Ditto here. > +/// if !is_valid(uptr, len)? { > +/// return Err(EINVAL); > +/// } > +/// > +/// let read = UserSlice::new(uptr, len).reader(); > +/// > +/// let mut buf = Vec::new(); > +/// read.read_all(&mut buf)?; > +/// > +/// // THIS IS A BUG! The bytes could have changed since we checked them. > +/// // > +/// // To avoid this kind of bug, don't call `UserSlice::new` multiple > +/// // times with the same address. > +/// Ok(buf) > +/// } > +/// ``` > +/// > +/// [`std::io`]: https://doc.rust-lang.org/std/io/index.html > +/// [`clone_reader`]: UserSliceReader::clone_reader > +pub struct UserSlice { > + ptr: *mut c_void, > + length: usize, > +} > + Regards, Boqun [...]