lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <87h64mcimw.fsf@kernel.org>
Date: Sat, 22 Feb 2025 12:40:23 +0100
From: Andreas Hindborg <a.hindborg@...nel.org>
To: "Boqun Feng" <boqun.feng@...il.com>
Cc: "Tamir Duberstein" <tamird@...il.com>,  "Miguel Ojeda"
 <ojeda@...nel.org>,  "Anna-Maria Behnsen" <anna-maria@...utronix.de>,
  "Frederic Weisbecker" <frederic@...nel.org>,  "Thomas Gleixner"
 <tglx@...utronix.de>,  "Danilo Krummrich" <dakr@...nel.org>,  "Alex
 Gaynor" <alex.gaynor@...il.com>,  "Gary Guo" <gary@...yguo.net>,
  Björn
 Roy Baron <bjorn3_gh@...tonmail.com>,  "Benno Lossin"
 <benno.lossin@...ton.me>,  "Alice Ryhl" <aliceryhl@...gle.com>,  "Trevor
 Gross" <tmgross@...ch.edu>,  "Lyude Paul" <lyude@...hat.com>,  "Guangbo
 Cui" <2407018371@...com>,  "Dirk Behme" <dirk.behme@...il.com>,  "Daniel
 Almeida" <daniel.almeida@...labora.com>,
  <rust-for-linux@...r.kernel.org>,  <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v8 02/14] rust: hrtimer: introduce hrtimer support

Andreas Hindborg <a.hindborg@...nel.org> writes:

> "Boqun Feng" <boqun.feng@...il.com> writes:
>
>> On Fri, Feb 21, 2025 at 09:46:08AM -0500, Tamir Duberstein wrote:
>>> On Fri, Feb 21, 2025 at 9:40 AM Boqun Feng <boqun.feng@...il.com> wrote:
>>> >
>>> > Hmm... if you mean:
>>> >
>>> > trait HasHrTimer {
>>> >     unsafe fn start(&self, expires: Ktime) {
>>> >         ...
>>> >     }
>>> > }
>>> >
>>> > Then it'll be problematic because the pointer derived from `&self`
>>> > doesn't have write provenance, therefore in a timer callback, the
>>> > pointer cannot be used for write, which means for example you cannot
>>> > convert the pointer back into a `Pin<Box<HasTimer>>`.
>>> >
>>> > To answer Tamir's question, pointers are heavily used here because we
>>> > need to preserve the provenance.
>>>
>>> Wouldn't the natural implication be that &mut self is needed? Maybe
>>
>> For an `Arc<HasTimer>`, you cannot get `&mut self`.
>>
>>> you can help me understand why pointers can express a contract that
>>> references can't?
>>
>> I assume you already know what a pointer provenance is?
>>
>> 	http://doc.rust-lang.org/std/ptr/index.html#provenance
>>
>> Passing a pointer (including offset operation on it) preserves the
>> provenance (determined as derive time), however, deriving a pointer from
>> a reference gives the pointer a provenance based on the reference type.
>> For example, let's say we have an `Arc<i32>` and a clone:
>>
>> 	let arc = Arc::new(42);
>> 	let clone = arc.clone();
>>
>> you can obviously do a into_raw() + from_raw() pair:
>>
>> 	let ptr = Arc::into_raw(arc);
>> 	let arc = unsafe { Arc::from_raw(arc) };
>>
>> however, if you create a reference based on `Arc::into_raw()`, and then
>> derive a pointer from that, you change the provenance,
>
> In this case, the pointer will have the pointer of `Arc::into_raw()`
> will have the provenance of the original reference. When you turn that
> pointer back into a reference, won't the reference inherit the
> provenance of the pointer, which is the same as the original reference?
>
> As I read the docs, getting a reference to a `Timer` from a reference to
> a `<MyType as HasHrTimer>` by converting `&MyType` to a `*const MyType`,
> doing a `ptr.cast::<u8>().add(offset).cast::<HrTimer<T>>()` and
> converting that pointer to a reference should be fine? The final pointer
> before converting back to a reference will still have provenance of the
> original reference. Converting to a reference at the end will shrink the
> provenance, but it is still fine.
>
> Going from a `&HrTimer<T>` to a `&T` is a problem, because that would
> require offset outside spatial permission of pointer provenance, and it
> would require increasing the size of the spatial permission.
>
> Is this correctly understood?

How does provenance work across language boundaries? Should we actually
use `with_addr` [1] when we get pointers from C round trips?


Best regards,
Andreas Hindborg



[1] https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.with_addr

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ