rust-for-linux.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Christian Brauner <brauner@kernel.org>
To: Alice Ryhl <aliceryhl@google.com>
Cc: benno.lossin@proton.me, a.hindborg@samsung.com,
	alex.gaynor@gmail.com, arve@android.com,
	bjorn3_gh@protonmail.com, boqun.feng@gmail.com,
	cmllamas@google.com, dan.j.williams@intel.com, dxu@dxuuu.xyz,
	gary@garyguo.net, gregkh@linuxfoundation.org,
	joel@joelfernandes.org, keescook@chromium.org,
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
	maco@android.com, ojeda@kernel.org, peterz@infradead.org,
	rust-for-linux@vger.kernel.org, surenb@google.com,
	tglx@linutronix.de, tkjos@android.com, viro@zeniv.linux.org.uk,
	wedsonaf@gmail.com, willy@infradead.org
Subject: Re: [PATCH 2/7] rust: cred: add Rust abstraction for `struct cred`
Date: Fri, 1 Dec 2023 11:27:33 +0100	[thread overview]
Message-ID: <20231201-zacken-gewachsen-73fe323b067b@brauner> (raw)
In-Reply-To: <20231201090636.2179663-1-aliceryhl@google.com>

On Fri, Dec 01, 2023 at 09:06:35AM +0000, Alice Ryhl wrote:
> Benno Lossin <benno.lossin@proton.me> writes:
> > On 11/29/23 13:51, Alice Ryhl wrote:
> >> +    /// Returns the credentials of the task that originally opened the file.
> >> +    pub fn cred(&self) -> &Credential {
> >> +        // This `read_volatile` is intended to correspond to a READ_ONCE call.
> >> +        //
> >> +        // SAFETY: The file is valid because the shared reference guarantees a nonzero refcount.
> >> +        //
> >> +        // TODO: Replace with `read_once` when available on the Rust side.
> >> +        let ptr = unsafe { core::ptr::addr_of!((*self.0.get()).f_cred).read_volatile() };
> >> +
> >> +        // SAFETY: The signature of this function ensures that the caller will only access the
> >> +        // returned credential while the file is still valid, and the credential must stay valid
> >> +        // while the file is valid.
> > 
> > About the last part of this safety comment, is this a guarantee from the
> > C side? If yes, then I would phrase it that way:
> > 
> >     ... while the file is still valid, and the C side ensures that the
> >     credentials stay valid while the file is valid.
> 
> Yes, that's my intention with this code.
> 
> But I guess this is a good question for Christian Brauner to confirm:
> 
> If I read the credential from the `f_cred` field, is it guaranteed that
> the pointer remains valid for at least as long as the file?
> 
> Or should I do some dance along the lines of "lock file, increment
> refcount on credential, unlock file"?

The lifetime of the f_cred reference is at least as long as the lifetime
of the file:

// file not yet visible anywhere
some_file = alloc_file*()
-> init_file()
   {
           file->f_cred = get_cred(cred /* usually current_cred() */)
   }


// install into fd_table -> irreversible, thing visible, possibly shared
fd_install(1234, some_file)

// last fput
fput()
// atomic_dec_and_test() dance:
-> file_free() // either "delayed" through task work, workqueue, or
	       // sometimes freed right away if file hasn't been opened,
	       // i.e., if fd_install() wasn't called
   -> put_cred(file->f_cred)

In order to access anything you must hold a reference to the file or
files->file_lock. IOW, no poking around in f->f_cred or any field for
that matter just under rcu_read_lock() for example. Because files are
SLAB_TYPESAFE_BY_RCU. You might be poking in someone else's creds then.

  reply	other threads:[~2023-12-01 10:27 UTC|newest]

Thread overview: 96+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-11-29 12:51 [PATCH 0/7] File abstractions needed by Rust Binder Alice Ryhl
2023-11-29 12:51 ` [PATCH 1/7] rust: file: add Rust abstraction for `struct file` Alice Ryhl
2023-11-29 15:13   ` Matthew Wilcox
2023-11-29 15:23     ` Peter Zijlstra
2023-11-29 17:08       ` Boqun Feng
2023-11-30 10:42         ` Peter Zijlstra
2023-11-30 15:25           ` Boqun Feng
2023-12-01  8:53             ` Peter Zijlstra
2023-12-01  9:19               ` Boqun Feng
2023-12-01  9:40                 ` Peter Zijlstra
2023-12-01 10:36                   ` Boqun Feng
2023-12-01 11:05                     ` Peter Zijlstra
2023-12-01  9:00             ` Peter Zijlstra
2023-12-01  9:52               ` Boqun Feng
2023-11-29 16:42     ` Alice Ryhl
2023-11-29 16:45       ` Peter Zijlstra
2023-11-30 15:02     ` Benno Lossin
2023-11-29 17:06   ` Christian Brauner
2023-11-29 21:27     ` Alice Ryhl
2023-11-29 23:17       ` Benno Lossin
2023-11-30 10:48       ` Christian Brauner
2023-11-30 12:10         ` Alice Ryhl
2023-11-30 12:36           ` Christian Brauner
2023-11-30 14:53   ` Benno Lossin
2023-11-30 14:59     ` Greg Kroah-Hartman
2023-11-30 15:46       ` Benno Lossin
2023-11-30 15:56         ` Greg Kroah-Hartman
2023-11-30 15:58         ` Theodore Ts'o
2023-11-30 16:12           ` Benno Lossin
2023-12-01  1:16             ` Theodore Ts'o
2023-12-01 12:11             ` David Laight
2023-12-01 12:27               ` Alice Ryhl
2023-12-01 15:04                 ` Theodore Ts'o
2023-12-01 15:14                   ` Benno Lossin
2023-12-01 17:25                     ` David Laight
2023-12-01 17:37                       ` Benno Lossin
2023-11-29 12:51 ` [PATCH 2/7] rust: cred: add Rust abstraction for `struct cred` Alice Ryhl
2023-11-30 16:17   ` Benno Lossin
2023-12-01  9:06     ` Alice Ryhl
2023-12-01 10:27       ` Christian Brauner [this message]
2023-12-04 15:42         ` Alice Ryhl
2023-11-29 13:11 ` [PATCH 3/7] rust: security: add abstraction for secctx Alice Ryhl
2023-11-30 16:26   ` Benno Lossin
2023-12-01 10:48     ` Alice Ryhl
2023-12-02 10:03       ` Benno Lossin
2023-11-29 13:11 ` [PATCH 4/7] rust: file: add `FileDescriptorReservation` Alice Ryhl
2023-11-29 16:14   ` Christian Brauner
2023-11-29 16:55     ` Alice Ryhl
2023-11-29 17:14       ` Alice Ryhl
2023-11-30  9:12         ` Christian Brauner
2023-11-30  9:23           ` Alice Ryhl
2023-11-30  9:09       ` Christian Brauner
2023-11-30  9:17         ` Alice Ryhl
2023-11-30 10:51           ` Christian Brauner
2023-11-30 11:54             ` Alice Ryhl
2023-11-30 12:17               ` Benno Lossin
2023-11-30 12:33                 ` Christian Brauner
2023-11-30 16:40   ` Benno Lossin
2023-12-01 11:32     ` Alice Ryhl
2023-11-29 13:12 ` [PATCH 5/7] rust: file: add `Kuid` wrapper Alice Ryhl
2023-11-29 16:28   ` Christian Brauner
2023-11-29 16:48     ` Peter Zijlstra
2023-11-30 12:46       ` Christian Brauner
2023-12-06 19:59         ` Kent Overstreet
2023-12-08 16:26           ` Peter Zijlstra
2023-12-08 19:58             ` Kent Overstreet
2023-12-08  5:28         ` comex
2023-12-08 16:19           ` Miguel Ojeda
2023-12-08 17:08             ` Nick Desaulniers
2023-12-08 17:37               ` Miguel Ojeda
2023-12-08 17:43               ` Boqun Feng
2023-12-08 20:43               ` Matthew Wilcox
2023-12-09  7:24             ` comex
2023-11-30  9:36     ` Alice Ryhl
2023-11-30 10:52       ` Christian Brauner
2023-11-30 10:36   ` Peter Zijlstra
2023-12-06 20:02     ` Kent Overstreet
2023-12-07  7:18       ` Greg Kroah-Hartman
2023-12-07  7:46         ` Kent Overstreet
2023-11-30 16:48   ` Benno Lossin
2023-11-29 13:12 ` [PATCH 6/7] rust: file: add `DeferredFdCloser` Alice Ryhl
2023-11-30 17:12   ` Benno Lossin
2023-12-01 11:35     ` Alice Ryhl
2023-12-02 10:16       ` Benno Lossin
2023-12-05 14:43         ` Alice Ryhl
2023-12-05 18:16           ` Alice Ryhl
2023-11-29 13:12 ` [PATCH 7/7] rust: file: add abstraction for `poll_table` Alice Ryhl
2023-11-30 17:42   ` Benno Lossin
2023-12-01 11:47     ` Alice Ryhl
2023-11-30 22:39   ` Boqun Feng
2023-12-01 11:50     ` Alice Ryhl
2023-11-30 22:50   ` Boqun Feng
2023-11-29 16:31 ` [PATCH 0/7] File abstractions needed by Rust Binder Christian Brauner
2023-11-29 16:48   ` Miguel Ojeda
2023-12-06 20:05   ` Kent Overstreet
2023-12-08 16:59     ` Miguel Ojeda

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20231201-zacken-gewachsen-73fe323b067b@brauner \
    --to=brauner@kernel.org \
    --cc=a.hindborg@samsung.com \
    --cc=alex.gaynor@gmail.com \
    --cc=aliceryhl@google.com \
    --cc=arve@android.com \
    --cc=benno.lossin@proton.me \
    --cc=bjorn3_gh@protonmail.com \
    --cc=boqun.feng@gmail.com \
    --cc=cmllamas@google.com \
    --cc=dan.j.williams@intel.com \
    --cc=dxu@dxuuu.xyz \
    --cc=gary@garyguo.net \
    --cc=gregkh@linuxfoundation.org \
    --cc=joel@joelfernandes.org \
    --cc=keescook@chromium.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=maco@android.com \
    --cc=ojeda@kernel.org \
    --cc=peterz@infradead.org \
    --cc=rust-for-linux@vger.kernel.org \
    --cc=surenb@google.com \
    --cc=tglx@linutronix.de \
    --cc=tkjos@android.com \
    --cc=viro@zeniv.linux.org.uk \
    --cc=wedsonaf@gmail.com \
    --cc=willy@infradead.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).