Commit 3629eb70 authored by Wedson Almeida Filho, committed by Treehugger Robot

FROMLIST: rust: uaccess: add userspace pointers

A pointer to an area in userspace memory, which can be either read-only
or read-write.

All methods on this struct are safe: invalid pointers return `EFAULT`.
Concurrent access, *including data races to/from userspace memory*, is
permitted, because fundamentally another userspace thread/process could
always be modifying memory at the same time (in the same way that
userspace Rust's `std::io` permits data races with the contents of
files on disk). In the presence of a race, the exact byte values
read/written are unspecified but the operation is well-defined.
Kernelspace code should validate its copy of data after completing a
read, and not expect that multiple reads of the same address will return
the same value.

These APIs are designed to make it difficult to accidentally write
TOCTOU bugs. Every time you read from a memory location, the pointer is
advanced by the length so that you cannot use that reader to read the
same memory location twice. Preventing double-fetches avoids TOCTOU
bugs. This is accomplished by taking `self` by value to prevent
obtaining multiple readers on a given `UserSlicePtr`, and the readers
only permitting forward reads. If double-fetching a memory location is
necessary for some reason, then that is done by creating multiple
readers to the same memory location.

Constructing a `UserSlicePtr` performs no checks on the provided
address and length; it can safely be constructed inside a kernel thread
with no current userspace process. Reads and writes wrap the kernel APIs
`copy_from_user` and `copy_to_user`, which check the memory map of the
current process and enforce that the address range is within the user
range (no additional calls to `access_ok` are needed).

This code is based on something that was originally written by Wedson on
the old rust branch. It was modified by Alice by removing the
`IoBufferReader` and `IoBufferWriter` traits, introducing the
`MAX_USER_OP_LEN` constant, and various changes to the comments and
documentation.

Signed-off-by: Wedson Almeida Filho <wedsonaf@gmail.com>
Co-developed-by: Alice Ryhl <aliceryhl@google.com>
Signed-off-by: Alice Ryhl <aliceryhl@google.com>

Bug: 324206405
Link: https://lore.kernel.org/all/20240208-alice-mm-v2-1-d821250204a6@google.com/


Change-Id: Ibe3602b3a44d67692b82f355cee560461c554523
[ Add pointer_byte_offsets feature, since we are not yet on 1.75. ]
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
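The forward-only reader design described in the commit message, as an added stand-alone model that is not the kernel's code and not part of this commit: "userspace memory" is a locked byte buffer that a userspace thread can rewrite at any time, and `copy_from_user`/`copy_to_user` are replaced by bounds-checked copies that fail with `EFAULT` instead of faulting. The names `UserSlicePtr`, `reader()`, `writer()`, `read_slice()` and `MAX_USER_OP_LEN` mirror the commit's description; `read_u32`, `write_u32`, `UserMem`, `read_message` and the value chosen for `MAX_USER_OP_LEN` are assumptions of this example. `read_message` shows the intended consumer pattern: fetch a length once, validate the kernel's own copy, use it, with no way to re-fetch it from the same reader.

```rust
use std::sync::{Arc, Mutex};

/// Errno values of the kernel `Result`, as plain integers in this model.
pub const EFAULT: i32 = 14;
pub const EINVAL: i32 = 22;
/// Upper bound on a single user copy (assumed value; the commit only names the constant).
pub const MAX_USER_OP_LEN: usize = isize::MAX as usize;

/// Simulated user address space: a byte buffer behind a lock, so that a "userspace"
/// thread can rewrite it between the "kernel" side's copies, as real userspace can.
#[derive(Clone)]
pub struct UserMem(Arc<Mutex<Vec<u8>>>);

impl UserMem {
    pub fn new(size: usize) -> Self {
        UserMem(Arc::new(Mutex::new(vec![0; size])))
    }
    /// Userspace writing its own memory: no kernel API, no ordering with the kernel's copies.
    pub fn user_write(&self, addr: usize, data: &[u8]) {
        let mut mem = self.0.lock().unwrap();
        mem[addr..addr + data.len()].copy_from_slice(data);
    }
    /// Stand-in for copy_from_user: an unmapped range is EFAULT, never a panic.
    fn copy_from_user(&self, dst: &mut [u8], src_addr: usize) -> Result<(), i32> {
        let mem = self.0.lock().unwrap();
        let end = src_addr.checked_add(dst.len()).ok_or(EFAULT)?;
        dst.copy_from_slice(mem.get(src_addr..end).ok_or(EFAULT)?);
        Ok(())
    }
    /// Stand-in for copy_to_user.
    fn copy_to_user(&self, dst_addr: usize, src: &[u8]) -> Result<(), i32> {
        let mut mem = self.0.lock().unwrap();
        let end = dst_addr.checked_add(src.len()).ok_or(EFAULT)?;
        mem.get_mut(dst_addr..end).ok_or(EFAULT)?.copy_from_slice(src);
        Ok(())
    }
}

/// A user pointer plus length. `new` checks nothing; every check is made at copy time.
pub struct UserSlicePtr { mem: UserMem, ptr: usize, len: usize }
pub struct UserSlicePtrReader { mem: UserMem, ptr: usize, len: usize }
pub struct UserSlicePtrWriter { mem: UserMem, ptr: usize, len: usize }

impl UserSlicePtr {
    pub fn new(mem: &UserMem, ptr: usize, len: usize) -> Self {
        UserSlicePtr { mem: mem.clone(), ptr, len }
    }
    /// Takes `self` by value: once a reader exists, this slice cannot hand out a second one.
    pub fn reader(self) -> UserSlicePtrReader {
        UserSlicePtrReader { mem: self.mem, ptr: self.ptr, len: self.len }
    }
    pub fn writer(self) -> UserSlicePtrWriter {
        UserSlicePtrWriter { mem: self.mem, ptr: self.ptr, len: self.len }
    }
}

impl UserSlicePtrReader {
    /// Bytes not yet consumed.
    pub fn len(&self) -> usize { self.len }
    /// Copy `out.len()` bytes and advance. Nothing moves the cursor back, so the same
    /// user bytes cannot be fetched twice through one reader.
    pub fn read_slice(&mut self, out: &mut [u8]) -> Result<(), i32> {
        if out.len() > self.len || out.len() > MAX_USER_OP_LEN { return Err(EFAULT); }
        self.mem.copy_from_user(out, self.ptr)?;
        self.ptr += out.len();
        self.len -= out.len();
        Ok(())
    }
    pub fn read_u32(&mut self) -> Result<u32, i32> {
        let mut raw = [0u8; 4];
        self.read_slice(&mut raw)?;
        Ok(u32::from_le_bytes(raw))
    }
}

impl UserSlicePtrWriter {
    pub fn write_slice(&mut self, data: &[u8]) -> Result<(), i32> {
        if data.len() > self.len || data.len() > MAX_USER_OP_LEN { return Err(EFAULT); }
        self.mem.copy_to_user(self.ptr, data)?;
        self.ptr += data.len();
        self.len -= data.len();
        Ok(())
    }
    pub fn write_u32(&mut self, v: u32) -> Result<(), i32> { self.write_slice(&v.to_le_bytes()) }
}

/// Kernel-side consumer of a `u32 len` + `len` bytes message. The length is fetched once,
/// validated on the kernel's own copy, then used; the reader has already moved past it, so
/// the classic bug (re-fetching the length after validation) cannot be written with this API.
pub fn read_message(mem: &UserMem, ptr: usize, len: usize) -> Result<Vec<u8>, i32> {
    let mut reader = UserSlicePtr::new(mem, ptr, len).reader();
    let declared = reader.read_u32()? as usize;
    if declared > reader.len() { return Err(EINVAL); }
    let mut payload = vec![0u8; declared];
    reader.read_slice(&mut payload)?;
    Ok(payload)
}
```

The model keeps the two properties the commit relies on: a `UserSlicePtr` is consumed when a reader or writer is taken from it, and every read advances the cursor, so a consumer that wants to look at the same user bytes twice has to construct a second `UserSlicePtr` deliberately. A userspace write between two kernel reads changes what the next read returns, but never what the kernel already copied, which is why `read_message` validates `declared` on its own copy rather than trusting user memory to stay put.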
parent afd6ccb5