Date: Sat, 16 Mar 2024 14:16:11 +0000
To: Alice Ryhl, Miguel Ojeda, Matthew Wilcox, Al Viro, Andrew Morton, Kees Cook
From: Benno Lossin
Cc: Alex Gaynor, Wedson Almeida Filho, Boqun Feng, Gary Guo, Björn Roy Baron, Andreas Hindborg, Greg Kroah-Hartman, Arve Hjønnevåg, Todd Kjos, Martijn Coenen, Joel Fernandes, Carlos Llamas, Suren Baghdasaryan, Arnd Bergmann, linux-mm@kvack.org, linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org, Christian Brauner
Subject: Re: [PATCH v3 1/4] rust: uaccess: add userspace pointers
In-Reply-To: <20240311-alice-mm-v3-1-cdf7b3a2049c@google.com>
References: <20240311-alice-mm-v3-0-cdf7b3a2049c@google.com> <20240311-alice-mm-v3-1-cdf7b3a2049c@google.com>

On 3/11/24 11:47, Alice Ryhl wrote:
> From: Wedson Almeida Filho
>
> A pointer to an area in userspace memory, which can be either read-only
> or read-write.
>
> All methods on this struct are safe: invalid pointers return `EFAULT`.
> Concurrent access, *including data races to/from userspace memory*, is
> permitted, because fundamentally another userspace thread/process could
> always be modifying memory at the same time (in the same way that
> userspace Rust's `std::io` permits data races with the contents of
> files on disk). In the presence of a race, the exact byte values
> read/written are unspecified but the operation is well-defined.
> Kernelspace code should validate its copy of data after completing a
> read, and not expect that multiple reads of the same address will return
> the same value.
>
> These APIs are designed to make it difficult to accidentally write
> TOCTOU bugs. Every time you read from a memory location, the pointer is
> advanced by the length so that you cannot use that reader to read the
> same memory location twice. Preventing double-fetches avoids TOCTOU
> bugs. This is accomplished by taking `self` by value to prevent
> obtaining multiple readers on a given `UserSlicePtr`, and the readers
> only permitting forward reads. If double-fetching a memory location is
> necessary for some reason, then that is done by creating multiple
> readers to the same memory location.
>
> Constructing a `UserSlicePtr` performs no checks on the provided
> address and length; it can safely be constructed inside a kernel thread
> with no current userspace process. Reads and writes wrap the kernel APIs
> `copy_from_user` and `copy_to_user`, which check the memory map of the
> current process and enforce that the address range is within the user
> range (no additional calls to `access_ok` are needed).
>
> This code is based on something that was originally written by Wedson on
> the old rust branch. It was modified by Alice by removing the
> `IoBufferReader` and `IoBufferWriter` traits, and various other changes.
>
> Signed-off-by: Wedson Almeida Filho
> Co-developed-by: Alice Ryhl
> Signed-off-by: Alice Ryhl

Reviewed-by: Benno Lossin
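The forward-only reader discipline described in the quoted commit message, as an added example that is not the patch's own code: a userspace Rust model in which `UserMemory` stands in for the current process's address space, its `copy_from_user`/`copy_to_user` methods stand in for the kernel's bounds-checked copy routines, and `UserSliceReader`, `parse_request` and `fetch_len_twice` are names chosen here for illustration, not the API in the patch. `reader()` consumes the `UserSlicePtr` and every read advances it, so one handle can never fetch the same bytes twice; `parse_request` shows a handler validating its own kernel-side copy of a length field; `fetch_len_twice` shows the one sanctioned way to double-fetch, a second `UserSlicePtr` over the same address, and that the two values need not agree when userspace writes in between.

```rust
// Added example, not the kernel's code: a userspace model of the forward-only
// reader discipline the commit message describes. `UserMemory` and its copy_*
// methods are assumptions standing in for the current process's address space
// and the kernel's copy_from_user/copy_to_user bounds checks.
use std::cell::RefCell;

/// `EFault` stands in for the kernel's EFAULT, `EInval` for EINVAL.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Error { EFault, EInval }

/// Modelled user address space: a byte buffer whose index is the "address".
pub struct UserMemory { bytes: RefCell<Vec<u8>> }

impl UserMemory {
    pub fn new(bytes: Vec<u8>) -> Self { UserMemory { bytes: RefCell::new(bytes) } }

    /// Stand-in for copy_from_user: the whole range must lie inside the mapping.
    pub fn copy_from_user(&self, addr: usize, dst: &mut [u8]) -> Result<(), Error> {
        let mem = self.bytes.borrow();
        let end = addr.checked_add(dst.len()).ok_or(Error::EFault)?;
        if end > mem.len() { return Err(Error::EFault); }
        dst.copy_from_slice(&mem[addr..end]);
        Ok(())
    }

    /// Stand-in for copy_to_user; also used below to play a racing userspace thread.
    pub fn copy_to_user(&self, addr: usize, src: &[u8]) -> Result<(), Error> {
        let mut mem = self.bytes.borrow_mut();
        let end = addr.checked_add(src.len()).ok_or(Error::EFault)?;
        if end > mem.len() { return Err(Error::EFault); }
        mem[addr..end].copy_from_slice(src);
        Ok(())
    }
}

/// A user pointer plus length. Construction performs no checks; every access
/// goes through the copy routines, which do.
pub struct UserSlicePtr<'a> { mem: &'a UserMemory, ptr: usize, len: usize }

impl<'a> UserSlicePtr<'a> {
    pub fn new(mem: &'a UserMemory, ptr: usize, len: usize) -> Self {
        UserSlicePtr { mem, ptr, len }
    }
    /// Takes `self` by value: one `UserSlicePtr` yields at most one reader, so
    /// `let r1 = p.reader(); let r2 = p.reader();` is a compile-time error.
    pub fn reader(self) -> UserSliceReader<'a> {
        UserSliceReader { mem: self.mem, ptr: self.ptr, len: self.len }
    }
}

pub struct UserSliceReader<'a> { mem: &'a UserMemory, ptr: usize, len: usize }

impl<'a> UserSliceReader<'a> {
    /// Bytes still readable through this reader.
    pub fn len(&self) -> usize { self.len }

    /// Copies `out.len()` bytes and advances past them; the reader only moves
    /// forward, so no location can be fetched twice through it.
    pub fn read_raw(&mut self, out: &mut [u8]) -> Result<(), Error> {
        if out.len() > self.len { return Err(Error::EFault); }
        self.mem.copy_from_user(self.ptr, out)?;
        self.ptr += out.len();
        self.len -= out.len();
        Ok(())
    }

    pub fn read_u32(&mut self) -> Result<u32, Error> {
        let mut buf = [0u8; 4];
        self.read_raw(&mut buf)?;
        Ok(u32::from_le_bytes(buf)) // fixed byte order so the model is deterministic
    }
}

/// Model of a kernel handler parsing `[u32 len][len payload bytes]`: `len` is
/// fetched once into a kernel-owned copy, validated against that copy and never
/// re-read, so userspace changing it concurrently cannot separate check from use.
pub fn parse_request(mem: &UserMemory, ptr: usize, total: usize) -> Result<Vec<u8>, Error> {
    let mut reader = UserSlicePtr::new(mem, ptr, total).reader();
    let len = reader.read_u32()? as usize;
    if len > reader.len() { return Err(Error::EInval); }
    let mut payload = vec![0u8; len];
    reader.read_raw(&mut payload)?;
    Ok(payload)
}

/// Deliberate double fetch, done the only way the API allows: a second
/// `UserSlicePtr` over the same address. Both values are returned so the
/// caller can see they need not agree.
pub fn fetch_len_twice(mem: &UserMemory, ptr: usize, racer: impl FnOnce()) -> Result<(u32, u32), Error> {
    let first = UserSlicePtr::new(mem, ptr, 4).reader().read_u32()?;
    racer(); // userspace writes the same location in between
    let second = UserSlicePtr::new(mem, ptr, 4).reader().read_u32()?;
    Ok((first, second))
}

fn main() {
    // Constructed user buffer: len = 3, payload "abc", then two unrelated bytes.
    let mem = UserMemory::new(vec![3, 0, 0, 0, b'a', b'b', b'c', 0xff, 0xff]);
    println!("{:?}", parse_request(&mem, 0, 9)); // Ok([97, 98, 99])
    println!("{:?}", parse_request(&mem, 6, 9)); // Err(EFault): range leaves the mapping
    let seen = fetch_len_twice(&mem, 0, || mem.copy_to_user(0, &[100, 0, 0, 0]).unwrap());
    println!("{:?}", seen); // Ok((3, 100))
}
```

In this model, as in the commit message, EFAULT comes only from an access whose range leaves the mapping: a `UserSlicePtr` declared longer than the mapping is accepted at construction and fails only when bytes past the end are actually read, and a `len` field that exceeds what remains in the reader is rejected from the kernel-side copy without ever touching user memory again.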