From patchwork Sun Sep 15 14:31:27 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Alice Ryhl X-Patchwork-Id: 13804825 X-Patchwork-Delegate: paul@paul-moore.com Received: from mail-yw1-f201.google.com (mail-yw1-f201.google.com [209.85.128.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1F1D01C7B66 for ; Sun, 15 Sep 2024 14:31:38 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1726410701; cv=none; b=f5ZiHNjMPoVxx2/LTmsgD3OlUO8vWk/xtL9o+yHB1n/NLrzc7xYJ2g4aGTZw8Q/p6SbDKsiUaMAWV23m6XZYdx7ZwUenkcxtfpjKyPvtyS8TRTCvHFBue2m18v7HE4ZxRDh+QwbavR44ZcTKn5cjCb1DJVVn7Dd2wCbTDQ5T3Zw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1726410701; c=relaxed/simple; bh=pya4UxUIvqhrpbWbTgUte469le+L6lTszY8lv89yptM=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=onDx9aJB794Po7hp5NFCcW+y5m4zLAu/1QVWSyb4e+Gev1JvnFEbZ5WrInryddLi5QNBatYzpH7qBMegcHyJmbHNpVT6GEmqOJdKYA6hAv/ZZFmddQLxDb6FZLEsZHTs0kDeypVYCAYd1yDl5J+QHYRvrbCF0KC0gfm1s4aBbsY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--aliceryhl.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=pUOmdc5Y; arc=none smtp.client-ip=209.85.128.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--aliceryhl.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="pUOmdc5Y" Received: by mail-yw1-f201.google.com with 
SMTP id 00721157ae682-6d4426ad833so120517847b3.2 for ; Sun, 15 Sep 2024 07:31:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1726410698; x=1727015498; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:from:to:cc:subject:date:message-id :reply-to; bh=oI5g3/Lv8mNk/syaak4D+x2fQixDZyZK48NDDewIoU0=; b=pUOmdc5YAlk6OnGwbdw2c2impum0KEq9Ozacc4QNrEkaSKMrPFf9TpyROXahQ2J/LH NS9vUOMkblAn2edAFywE7svqlAB/BFAdYGUhx+YxIuy02jlOfXyfUkaa9FDPnp/NxWqw n3YtzMCSA4j/iih6Di5T7fm1woeRe24zg0y55diUXuwvdndXx8pHURkp+ju1glPbWglK EZPTvN22nHQ7KGQvSyn0C4ULAecBCeiU1tmCNmMwX4RVY8VQhSYe7ShIO7hyiFC4tQGM 9ts2PBSomKYx/2uLjeNizhJ/L9ZNszpaBFPGwO+XHjfV8qrUqqedRt0weotvnKS7pcwK D2LQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1726410698; x=1727015498; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=oI5g3/Lv8mNk/syaak4D+x2fQixDZyZK48NDDewIoU0=; b=cxvel2xpl7znZCdT7L0MO2lEhpa0koDl70jz0/Ut49fmT974qwWWnfa+92UgTRCrc6 e6piDxal3fEqGePkG9Qe30DLnMDKlH376eq19eTuVircsQe7PrXj9FnfmLYHRyuAOGdQ nt1QwFFkWRyfTXcq6NBWf7EmJxwrQw0DsPeNstwnf3zx5jCOjR9VPd8mhgrYammC84hq BAz2jy2cJIJccalwL7H5YGOn3hukVpMJu1vP0/pqplsLYP7TpliYXIsV5ik47CGDzHQH PN0D8qdnYPaFLBvKTAovEZl8GBXxXUBqBy+Tvy6vyfOzPFJlXOt+o6qHv2AlIlNLOqgI Gn7w== X-Forwarded-Encrypted: i=1; AJvYcCX2pbdWzWeA3ZOxBkXObY9zPRoGQaNmCWyJGgkFqHDafnXpZ8F/RMJZR49ekOHYUEoUonSLGtCv5uZuC01LWgQAZbch/sM=@vger.kernel.org X-Gm-Message-State: AOJu0YwrqGvk1pyFzZbPxHsddg4U4T95Olg0dXreZTOTY4wfwrzH9Es+ JwViRVpn04l6jpRzBABgZYP3aEFi+75+oeMDDCnBQv/wG2UoR6nEGmNqqfdOO2PZI7lWlN+q5Bc K5SsdRHaEKIVLZg== X-Google-Smtp-Source: AGHT+IHjXaRfgDfbsN9t5X94X1h1J0q/L8jWWMpEfes9EEkZxqwHEsm+kVBYzjFmCqJGj3geMIb4GpG0QYKCT58= X-Received: from aliceryhl.c.googlers.com ([fda3:e722:ac3:cc00:28:9cb1:c0a8:35bd]) (user=aliceryhl job=sendgmr) by 
2002:a05:690c:2030:b0:6db:c3b8:c4ce with SMTP id 00721157ae682-6dbc3b8c63fmr2582617b3.7.1726410698029; Sun, 15 Sep 2024 07:31:38 -0700 (PDT) Date: Sun, 15 Sep 2024 14:31:27 +0000 In-Reply-To: <20240915-alice-file-v10-0-88484f7a3dcf@google.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240915-alice-file-v10-0-88484f7a3dcf@google.com> X-Developer-Key: i=aliceryhl@google.com; a=openpgp; fpr=49F6C1FAA74960F43A5B86A1EE7A392FDE96209F X-Developer-Signature: v=1; a=openpgp-sha256; l=5617; i=aliceryhl@google.com; h=from:subject:message-id; bh=Oe7pz1TphdHtcU8pqH5nIlSad+Ilg1tAQMGPgpqw6+I=; b=owEBbQKS/ZANAwAKAQRYvu5YxjlGAcsmYgBm5u/AAW7zNDH5xHrnIe2hBqOk4mGN9359+nykk RBk/acu8NKJAjMEAAEKAB0WIQSDkqKUTWQHCvFIvbIEWL7uWMY5RgUCZubvwAAKCRAEWL7uWMY5 RrsvEACsWEL6NtArNiSxBd2J3ZysiPTJPROquuDhpEYvHs/lnaaixYq9Il7RoItxd+iZiX4Embv COeR6cFe2ERf4edkBwW7st7Ok5QG7VeeTTtfllDZsTR2GWhFqRhqhbg9OEuzhMJfRT1llD2+lQY cm+4uyMQwvBSvjyyNZT/90+hsfP2WFHOMN6LZbJf0BLX5w53VawcSXha/yeel5XTKJ3MH/S9srr xMul3q/SxCoKARSlkdR/sBa8mGlrJ034t29tNd5nR4Z9sk182TV32cIdMd9+b65R9tAr60GlPm5 NQ7K76du8S3nFLNeYNDiAK0YtzRmKY/HWAYex2+zykYTj7DhUxQ+DhaHWx1d/44TEMtfM8d3g37 yxkirA4RnADJcGD9UX2jk1f29yqXR7R6+Pkz3gfAv43RROqhnyaqTPTvwotviD3BV3/EWwULe8P g9w0amu8FU1d7G1j6bbM2fQ1DLs+MdZnn351dLjLSPIzj/60Qey4bQtM/j8mBIJR4EjdhcKA1fq yR5SwAMSuay0cAPCRbLS09w/IJo4vEOytcPYwKUrMOvncXDlP/Y1NAFjXGfHYDDkm9QuVpBlwJd iEtS97IQU4LqIR0NaKRRIYN6NdB+/d9GeGkqJeIP+4AXLHJ0owZUVexMOxGTZo5rrxSKgu/zYIN uJShrgMYV5BRRxA== X-Mailer: b4 0.13.0 Message-ID: <20240915-alice-file-v10-1-88484f7a3dcf@google.com> Subject: [PATCH v10 1/8] rust: types: add `NotThreadSafe` 
From: Alice Ryhl To: Paul Moore , James Morris , "Serge E. Hallyn" , Miguel Ojeda , Christian Brauner Cc: Alex Gaynor , Wedson Almeida Filho , Boqun Feng , Gary Guo , " =?utf-8?q?Bj=C3=B6rn_Roy_Baron?= " , Benno Lossin , Andreas Hindborg , Peter Zijlstra , Alexander Viro , Greg Kroah-Hartman , " =?utf-8?q?Arve_Hj=C3=B8?= =?utf-8?q?nnev=C3=A5g?= " , Todd Kjos , Martijn Coenen , Joel Fernandes , Carlos Llamas , Suren Baghdasaryan , Dan Williams , Matthew Wilcox , Thomas Gleixner , Daniel Xu , Martin Rodriguez Reboredo , Trevor Gross , linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, rust-for-linux@vger.kernel.org, linux-fsdevel@vger.kernel.org, Alice Ryhl , Kees Cook This introduces a new marker type for types that shouldn't be thread safe. By adding a field of this type to a struct, it becomes non-Send and non-Sync, which means that it cannot be accessed in any way from threads other than the one it was created on. This is useful for APIs that require globals such as `current` to remain constant while the value exists. We update two existing users in the Kernel to use this helper: * `Task::current()` - moving the return type of this value to a different thread would not be safe as you can no longer be guaranteed that the `current` pointer remains valid. * Lock guards. Mutexes and spinlocks should be unlocked on the same thread as where they were locked, so we enforce this using the Send trait. There are also additional users in later patches of this patchset. See [1] and [2] for the discussion that led to the introduction of this patch. 
Link: https://lore.kernel.org/all/nFDPJFnzE9Q5cqY7FwSMByRH2OAn_BpI4H53NQfWIlN6I2qfmAqnkp2wRqn0XjMO65OyZY4h6P4K2nAGKJpAOSzksYXaiAK_FoH_8QbgBI4=@proton.me/ [1]
Link: https://lore.kernel.org/all/nFDPJFnzE9Q5cqY7FwSMByRH2OAn_BpI4H53NQfWIlN6I2qfmAqnkp2wRqn0XjMO65OyZY4h6P4K2nAGKJpAOSzksYXaiAK_FoH_8QbgBI4=@proton.me/ [2]
Suggested-by: Benno Lossin
Reviewed-by: Benno Lossin
Reviewed-by: Trevor Gross
Reviewed-by: Martin Rodriguez Reboredo
Reviewed-by: Björn Roy Baron
Reviewed-by: Gary Guo
Signed-off-by: Alice Ryhl
---
 rust/kernel/sync/lock.rs | 13 +++++++++----
 rust/kernel/task.rs | 10 ++++++----
 rust/kernel/types.rs | 21 +++++++++++++++++++++
 3 files changed, 36 insertions(+), 8 deletions(-)
diff --git a/rust/kernel/sync/lock.rs b/rust/kernel/sync/lock.rs
index f6c34ca4d819..d6e9bab114b8 100644
--- a/rust/kernel/sync/lock.rs
+++ b/rust/kernel/sync/lock.rs
@@ -6,8 +6,13 @@
 //! spinlocks, raw spinlocks) to be provided with minimal effort.
 
 use super::LockClassKey;
-use crate::{init::PinInit, pin_init, str::CStr, types::Opaque, types::ScopeGuard};
-use core::{cell::UnsafeCell, marker::PhantomData, marker::PhantomPinned};
+use crate::{ init::PinInit, pin_init, str::CStr, types::{NotThreadSafe, Opaque, ScopeGuard}, };
+use core::{cell::UnsafeCell, marker::PhantomPinned};
 use macros::pin_data;
 
 pub mod mutex;
@@ -139,7 +144,7 @@ pub fn lock(&self) -> Guard<'_, T, B> {
 pub struct Guard<'a, T: ?Sized, B: Backend> {
 pub(crate) lock: &'a Lock,
 pub(crate) state: B::GuardState,
- _not_send: PhantomData<*mut ()>,
+ _not_send: NotThreadSafe,
 }
 
 // SAFETY: `Guard` is sync when the data protected by the lock is also sync.
@@ -191,7 +196,7 @@ pub(crate) unsafe fn new(lock: &'a Lock, state: B::GuardState) -> Self {
 Self {
 lock,
 state,
- _not_send: PhantomData,
+ _not_send: NotThreadSafe,
 }
 }
 }
diff --git a/rust/kernel/task.rs b/rust/kernel/task.rs
index 55dff7e088bf..278c623de0c6 100644
--- a/rust/kernel/task.rs
+++ b/rust/kernel/task.rs
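Review bot: The `_not_send: NotThreadSafe,` field that the `@@ -139,7 +144,7 @@` hunk adds to `Guard` carries no comment saying why a guard must stay on the task that created it, so the reason currently lives only in the commit message. A why-comment above the field keeps it with the code: `// A lock must be released by the task that acquired it; keeping the guard `!Send` enforces that.` The `// SAFETY: `Guard` is sync when the data protected by the lock is also sync.` line that ends the same hunk presumably heads the manual `Sync` impl for `Guard` (its impl line is outside the hunk), which deliberately overrides the `!Sync` half of the marker, and now that the field type spells out `NotThreadSafe` that SAFETY comment is the natural place to say so explicitly. `Guard::new` in the `@@ -191,7 +196,7 @@` hunk begins outside the hunk and only swaps the initializer, so nothing further to raise there.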
@@ -4,10 +4,12 @@
 //!
 //! C header: [`include/linux/sched.h`](srctree/include/linux/sched.h).
 
-use crate::types::Opaque;
+use crate::{ bindings, types::{NotThreadSafe, Opaque}, };
 use core::{
 ffi::{c_int, c_long, c_uint},
- marker::PhantomData,
 ops::Deref,
 ptr,
 };
@@ -106,7 +108,7 @@ impl Task {
 pub unsafe fn current() -> impl Deref {
 struct TaskRef<'a> {
 task: &'a Task,
- _not_send: PhantomData<*mut ()>,
+ _not_send: NotThreadSafe,
 }
 
 impl Deref for TaskRef<'_> {
@@ -125,7 +127,7 @@ fn deref(&self) -> &Self::Target {
 // that `TaskRef` is not `Send`, we know it cannot be transferred to another thread
 // (where it could potentially outlive the caller).
 task: unsafe { &*ptr.cast() },
- _not_send: PhantomData,
+ _not_send: NotThreadSafe,
 }
 }
diff --git a/rust/kernel/types.rs b/rust/kernel/types.rs
index 9e7ca066355c..3238ffaab031 100644
--- a/rust/kernel/types.rs
+++ b/rust/kernel/types.rs
@@ -532,3 +532,24 @@ unsafe impl AsBytes for str {}
 // does not have any uninitialized portions either.
 unsafe impl AsBytes for [T] {}
 unsafe impl AsBytes for [T; N] {}
+
+/// Zero-sized type to mark types not [`Send`].
+///
+/// Add this type as a field to your struct if your type should not be sent to a different task.
+/// Since [`Send`] is an auto trait, adding a single field that is `!Send` will ensure that the
+/// whole type is `!Send`.
+///
+/// If a type is `!Send` it is impossible to give control over an instance of the type to another
+/// task. This is useful to include in types that store or reference task-local information. A file
+/// descriptor is an example of such task-local information.
+///
+/// This type also makes the type `!Sync`, which prevents immutable access to the value from
+/// several threads in parallel.
+pub type NotThreadSafe = PhantomData<*mut ()>;
+
+/// Used to construct instances of type [`NotThreadSafe`] similar to how `PhantomData` is
+/// constructed.
+///
+/// [`NotThreadSafe`]: type@NotThreadSafe
+#[allow(non_upper_case_globals)]
+pub const NotThreadSafe: NotThreadSafe = PhantomData;
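Review bot: The summary line `+/// Zero-sized type to mark types not [`Send`].` describes only half of what the alias does, since the last paragraph of the same doc comment adds that it also makes the containing type `!Sync`; `/// Zero-sized marker that makes the containing type `!Send` and `!Sync`.` would match the name `NotThreadSafe` and is what rustdoc shows in item lists. The `!Sync` paragraph could also say that a type may opt back into `Sync` with an explicit `unsafe impl Sync` where that is justified, which is what the `Guard` hunk in lock.rs relies on (`// SAFETY: `Guard` is sync when the data protected by the lock is also sync.`), so readers do not take the `!Sync` effect as unconditional. Because `NotThreadSafe` is a `type` alias, a `!Send` error on a type carrying it will name `*mut ()` rather than `NotThreadSafe` in the diagnostic; if that turns out to confuse users, a newtype around `PhantomData<*mut ()>` would surface the marker's name at the cost of a few derives, whereas the alias keeps the `PhantomData`-style construction that the `pub const NotThreadSafe` below it is there for.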