lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 24 May 2024 23:56:40 +0100
From: Al Viro <viro@...iv.linux.org.uk>
To: Alice Ryhl <aliceryhl@...gle.com>
Cc: brauner@...nel.org, a.hindborg@...sung.com, alex.gaynor@...il.com,
	arve@...roid.com, benno.lossin@...ton.me, bjorn3_gh@...tonmail.com,
	boqun.feng@...il.com, cmllamas@...gle.com, dan.j.williams@...el.com,
	dxu@...uu.xyz, gary@...yguo.net, gregkh@...uxfoundation.org,
	joel@...lfernandes.org, keescook@...omium.org,
	linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
	maco@...roid.com, ojeda@...nel.org, peterz@...radead.org,
	rust-for-linux@...r.kernel.org, surenb@...gle.com,
	tglx@...utronix.de, tkjos@...roid.com, tmgross@...ch.edu,
	wedsonaf@...il.com, willy@...radead.org, yakoyoku@...il.com
Subject: Re: [PATCH v6 3/8] rust: file: add Rust abstraction for `struct file`

On Fri, May 24, 2024 at 07:17:13PM +0000, Alice Ryhl wrote:
> > And then those both implement a get_file() method so the caller can take
> > an explicit long-term reference to the file.
> 
> Even if you call `get_file` to get a long-term reference from something
> you have an fdget_pos reference to, that doesn't necessarily mean that
> you can share that long-term reference with other threads. You would
> need to release the fdget_pos reference first. For that reason, the
> long-term reference returned by `get_file` would still need to have the
> `File<MaybeFdgetPos>` type.

Why would you want such a bizarre requirement?

> Note that since it forgets which fd and fd table it came from, calls to
> `fdget` are actually not a problem for sending our long-term references
> across threads. The `fdget` requirements only care about things that
> touch the entry in the file descriptor table, such as closing the fd.
> The `ARef<File>` type does not provide any methods that could lead to
> that happening, so sharing it across threads is okay *even if* there is
> an light reference. That's why I have an `MaybeFdgetPos` but no
> `MaybeFdget`.

Huh?

What is "the entry in the file descriptor table"?  Which one and in which one?

> 	let file = File::fget(my_fd)?;
> 	// SAFETY: We know that there are no active `fdget_pos` calls on
> 	// the current thread, since this is an ioctl and we have not
> 	// called `fdget_pos` inside the Binder driver.
> 	let thread_safe_file = unsafe { file.assume_no_fdget_pos() };
> 
> (search for File::from_fd in the RFC to find where this would go)
> 
> The `assume_no_fdget_pos` call has no effect at runtime - it is purely a
> compile-time thing to force the user to use unsafe to "promise" that
> there aren't any `fdget_pos` calls on the same fd.

Why does fdget_pos() even matter?  The above makes no sense...

Again, cloning a reference and sending it to another thread is perfectly
fine.  And what's so special about fdget_pos()/fdput_pos() compared to
fdget()/fdput()?

_What_ memory safety issues are you talking about?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ