| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20240524225640.GU2118490@ZenIV>
Date: Fri, 24 May 2024 23:56:40 +0100
From: Al Viro <viro@...iv.linux.org.uk>
To: Alice Ryhl <aliceryhl@...gle.com>
Cc: brauner@...nel.org, a.hindborg@...sung.com, alex.gaynor@...il.com,
arve@...roid.com, benno.lossin@...ton.me, bjorn3_gh@...tonmail.com,
boqun.feng@...il.com, cmllamas@...gle.com, dan.j.williams@...el.com,
dxu@...uu.xyz, gary@...yguo.net, gregkh@...uxfoundation.org,
joel@...lfernandes.org, keescook@...omium.org,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
maco@...roid.com, ojeda@...nel.org, peterz@...radead.org,
rust-for-linux@...r.kernel.org, surenb@...gle.com,
tglx@...utronix.de, tkjos@...roid.com, tmgross@...ch.edu,
wedsonaf@...il.com, willy@...radead.org, yakoyoku@...il.com
Subject: Re: [PATCH v6 3/8] rust: file: add Rust abstraction for `struct file`
On Fri, May 24, 2024 at 07:17:13PM +0000, Alice Ryhl wrote:
> > And then those both implement a get_file() method so the caller can take
> > an explicit long-term reference to the file.
>
> Even if you call `get_file` to get a long-term reference from something
> you have an fdget_pos reference to, that doesn't necessarily mean that
> you can share that long-term reference with other threads. You would
> need to release the fdget_pos reference first. For that reason, the
> long-term reference returned by `get_file` would still need to have the
> `File<MaybeFdgetPos>` type.
Why would you want such a bizarre requirement?
> Note that since it forgets which fd and fd table it came from, calls to
> `fdget` are actually not a problem for sending our long-term references
> across threads. The `fdget` requirements only care about things that
> touch the entry in the file descriptor table, such as closing the fd.
> The `ARef<File>` type does not provide any methods that could lead to
> that happening, so sharing it across threads is okay *even if* there is
> an light reference. That's why I have an `MaybeFdgetPos` but no
> `MaybeFdget`.
Huh?
What is "the entry in the file descriptor table"? Which one and in which one?
> let file = File::fget(my_fd)?;
> // SAFETY: We know that there are no active `fdget_pos` calls on
> // the current thread, since this is an ioctl and we have not
> // called `fdget_pos` inside the Binder driver.
> let thread_safe_file = unsafe { file.assume_no_fdget_pos() };
>
> (search for File::from_fd in the RFC to find where this would go)
>
> The `assume_no_fdget_pos` call has no effect at runtime - it is purely a
> compile-time thing to force the user to use unsafe to "promise" that
> there aren't any `fdget_pos` calls on the same fd.
Why does fdget_pos() even matter? The above makes no sense...
Again, cloning a reference and sending it to another thread is perfectly
fine. And what's so special about fdget_pos()/fdput_pos() compared to
fdget()/fdput()?
_What_ memory safety issues are you talking about?
Powered by blists - more mailing lists