2023-04-11 05:45:39 +00:00
|
|
|
// SPDX-License-Identifier: GPL-2.0
|
|
|
|
|
|
|
|
|
|
//! Tasks (threads and processes).
|
|
|
|
|
//!
|
2023-12-15 23:54:28 +00:00
|
|
|
//! C header: [`include/linux/sched.h`](srctree/include/linux/sched.h).
|
2023-04-11 05:45:39 +00:00
|
|
|
|
2024-09-15 14:31:27 +00:00
|
|
|
use crate::{
|
|
|
|
|
bindings,
|
2024-11-27 01:54:58 +00:00
|
|
|
ffi::{c_int, c_long, c_uint},
|
task: rust: rework how current is accessed
Introduce a new type called `CurrentTask` that lets you perform various
operations that are only safe on the `current` task. Use the new type to
provide a way to access the current mm without incrementing its refcount.
With this change, you can write stuff such as
let vma = current!().mm().lock_vma_under_rcu(addr);
without incrementing any refcounts.
This replaces the existing abstractions for accessing the current pid
namespace. With the old approach, every field access to current involves
both a macro and a unsafe helper function. The new approach simplifies
that to a single safe function on the `CurrentTask` type. This makes it
less heavy-weight to add additional current accessors in the future.
That said, creating a `CurrentTask` type like the one in this patch
requires that we are careful to ensure that it cannot escape the current
task or otherwise access things after they are freed. To do this, I
declared that it cannot escape the current "task context" where I defined
a "task context" as essentially the region in which `current` remains
unchanged. So e.g., release_task() or begin_new_exec() would leave the
task context.
If a userspace thread returns to userspace and later makes another
syscall, then I consider the two syscalls to be different task contexts.
This allows values stored in that task to be modified between syscalls,
even if they're guaranteed to be immutable during a syscall.
Ensuring correctness of `CurrentTask` is slightly tricky if we also want
the ability to have a safe `kthread_use_mm()` implementation in Rust. To
support that safely, there are two patterns we need to ensure are safe:
// Case 1: current!() called inside the scope.
let mm;
kthread_use_mm(some_mm, || {
mm = current!().mm();
});
drop(some_mm);
mm.do_something(); // UAF
and:
// Case 2: current!() called before the scope.
let mm;
let task = current!();
kthread_use_mm(some_mm, || {
mm = task.mm();
});
drop(some_mm);
mm.do_something(); // UAF
The existing `current!()` abstraction already natively prevents the first
case: The `&CurrentTask` would be tied to the inner scope, so the
borrow-checker ensures that no reference derived from it can escape the
scope.
Fixing the second case is a bit more tricky. The solution is to
essentially pretend that the contents of the scope execute on an different
thread, which means that only thread-safe types can cross the boundary.
Since `CurrentTask` is marked `NotThreadSafe`, attempts to move it to
another thread will fail, and this includes our fake pretend thread
boundary.
This has the disadvantage that other types that aren't thread-safe for
reasons unrelated to `current` also cannot be moved across the
`kthread_use_mm()` boundary. I consider this an acceptable tradeoff.
Link: https://lkml.kernel.org/r/20250408-vma-v16-8-d8b446e885d9@google.com
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Acked-by: Liam R. Howlett <Liam.Howlett@Oracle.com>
Reviewed-by: Boqun Feng <boqun.feng@gmail.com>
Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>
Reviewed-by: Gary Guo <gary@garyguo.net>
Cc: Alex Gaynor <alex.gaynor@gmail.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Balbir Singh <balbirs@nvidia.com>
Cc: Benno Lossin <benno.lossin@proton.me>
Cc: Björn Roy Baron <bjorn3_gh@protonmail.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Jann Horn <jannh@google.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Trevor Gross <tmgross@umich.edu>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2025-04-08 09:22:45 +00:00
|
|
|
mm::MmWithUser,
|
2024-10-02 11:38:10 +00:00
|
|
|
pid_namespace::PidNamespace,
|
|
|
|
|
types::{ARef, NotThreadSafe, Opaque},
|
2024-09-15 14:31:27 +00:00
|
|
|
};
|
2024-11-27 01:54:58 +00:00
|
|
|
use core::{
|
|
|
|
|
cmp::{Eq, PartialEq},
|
|
|
|
|
ops::Deref,
|
|
|
|
|
ptr,
|
|
|
|
|
};
|
2024-01-08 14:49:59 +00:00
|
|
|
|
|
|
|
|
/// A sentinel value used for infinite timeouts.
|
|
|
|
|
pub const MAX_SCHEDULE_TIMEOUT: c_long = c_long::MAX;
|
2023-04-11 05:45:40 +00:00
|
|
|
|
2024-01-08 14:50:00 +00:00
|
|
|
/// Bitmask for tasks that are sleeping in an interruptible state.
|
|
|
|
|
pub const TASK_INTERRUPTIBLE: c_int = bindings::TASK_INTERRUPTIBLE as c_int;
|
|
|
|
|
/// Bitmask for tasks that are sleeping in an uninterruptible state.
|
|
|
|
|
pub const TASK_UNINTERRUPTIBLE: c_int = bindings::TASK_UNINTERRUPTIBLE as c_int;
|
2025-03-07 23:26:59 +00:00
|
|
|
/// Bitmask for tasks that are sleeping in a freezable state.
|
|
|
|
|
pub const TASK_FREEZABLE: c_int = bindings::TASK_FREEZABLE as c_int;
|
2024-01-08 14:50:00 +00:00
|
|
|
/// Convenience constant for waking up tasks regardless of whether they are in interruptible or
|
|
|
|
|
/// uninterruptible sleep.
|
|
|
|
|
pub const TASK_NORMAL: c_uint = bindings::TASK_NORMAL as c_uint;
|
|
|
|
|
|
2023-04-11 05:45:40 +00:00
|
|
|
/// Returns the currently running task.
|
|
|
|
|
#[macro_export]
|
|
|
|
|
macro_rules! current {
|
|
|
|
|
() => {
|
task: rust: rework how current is accessed
Introduce a new type called `CurrentTask` that lets you perform various
operations that are only safe on the `current` task. Use the new type to
provide a way to access the current mm without incrementing its refcount.
With this change, you can write stuff such as
let vma = current!().mm().lock_vma_under_rcu(addr);
without incrementing any refcounts.
This replaces the existing abstractions for accessing the current pid
namespace. With the old approach, every field access to current involves
both a macro and a unsafe helper function. The new approach simplifies
that to a single safe function on the `CurrentTask` type. This makes it
less heavy-weight to add additional current accessors in the future.
That said, creating a `CurrentTask` type like the one in this patch
requires that we are careful to ensure that it cannot escape the current
task or otherwise access things after they are freed. To do this, I
declared that it cannot escape the current "task context" where I defined
a "task context" as essentially the region in which `current` remains
unchanged. So e.g., release_task() or begin_new_exec() would leave the
task context.
If a userspace thread returns to userspace and later makes another
syscall, then I consider the two syscalls to be different task contexts.
This allows values stored in that task to be modified between syscalls,
even if they're guaranteed to be immutable during a syscall.
Ensuring correctness of `CurrentTask` is slightly tricky if we also want
the ability to have a safe `kthread_use_mm()` implementation in Rust. To
support that safely, there are two patterns we need to ensure are safe:
// Case 1: current!() called inside the scope.
let mm;
kthread_use_mm(some_mm, || {
mm = current!().mm();
});
drop(some_mm);
mm.do_something(); // UAF
and:
// Case 2: current!() called before the scope.
let mm;
let task = current!();
kthread_use_mm(some_mm, || {
mm = task.mm();
});
drop(some_mm);
mm.do_something(); // UAF
The existing `current!()` abstraction already natively prevents the first
case: The `&CurrentTask` would be tied to the inner scope, so the
borrow-checker ensures that no reference derived from it can escape the
scope.
Fixing the second case is a bit more tricky. The solution is to
essentially pretend that the contents of the scope execute on an different
thread, which means that only thread-safe types can cross the boundary.
Since `CurrentTask` is marked `NotThreadSafe`, attempts to move it to
another thread will fail, and this includes our fake pretend thread
boundary.
This has the disadvantage that other types that aren't thread-safe for
reasons unrelated to `current` also cannot be moved across the
`kthread_use_mm()` boundary. I consider this an acceptable tradeoff.
Link: https://lkml.kernel.org/r/20250408-vma-v16-8-d8b446e885d9@google.com
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Acked-by: Liam R. Howlett <Liam.Howlett@Oracle.com>
Reviewed-by: Boqun Feng <boqun.feng@gmail.com>
Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>
Reviewed-by: Gary Guo <gary@garyguo.net>
Cc: Alex Gaynor <alex.gaynor@gmail.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Balbir Singh <balbirs@nvidia.com>
Cc: Benno Lossin <benno.lossin@proton.me>
Cc: Björn Roy Baron <bjorn3_gh@protonmail.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Jann Horn <jannh@google.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Trevor Gross <tmgross@umich.edu>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2025-04-08 09:22:45 +00:00
|
|
|
// SAFETY: This expression creates a temporary value that is dropped at the end of the
|
|
|
|
|
// caller's scope. The following mechanisms ensure that the resulting `&CurrentTask` cannot
|
|
|
|
|
// leave current task context:
|
|
|
|
|
//
|
|
|
|
|
// * To return to userspace, the caller must leave the current scope.
|
|
|
|
|
// * Operations such as `begin_new_exec()` are necessarily unsafe and the caller of
|
|
|
|
|
// `begin_new_exec()` is responsible for safety.
|
|
|
|
|
// * Rust abstractions for things such as a `kthread_use_mm()` scope must require the
|
|
|
|
|
// closure to be `Send`, so the `NotThreadSafe` field of `CurrentTask` ensures that the
|
|
|
|
|
// `&CurrentTask` cannot cross the scope in either direction.
|
2023-04-11 05:45:40 +00:00
|
|
|
unsafe { &*$crate::task::Task::current() }
|
|
|
|
|
};
|
|
|
|
|
}
|
2023-04-11 05:45:39 +00:00
|
|
|
|
|
|
|
|
/// Wraps the kernel's `struct task_struct`.
|
|
|
|
|
///
|
|
|
|
|
/// # Invariants
|
|
|
|
|
///
|
|
|
|
|
/// All instances are valid tasks created by the C portion of the kernel.
|
|
|
|
|
///
|
2024-01-31 20:23:29 +00:00
|
|
|
/// Instances of this type are always refcounted, that is, a call to `get_task_struct` ensures
|
2023-04-11 05:45:39 +00:00
|
|
|
/// that the allocation remains valid at least until the matching call to `put_task_struct`.
|
2023-04-11 05:45:40 +00:00
|
|
|
///
|
|
|
|
|
/// # Examples
|
|
|
|
|
///
|
|
|
|
|
/// The following is an example of getting the PID of the current thread with zero additional cost
|
|
|
|
|
/// when compared to the C version:
|
|
|
|
|
///
|
|
|
|
|
/// ```
|
|
|
|
|
/// let pid = current!().pid();
|
|
|
|
|
/// ```
|
|
|
|
|
///
|
|
|
|
|
/// Getting the PID of the current process, also zero additional cost:
|
|
|
|
|
///
|
|
|
|
|
/// ```
|
|
|
|
|
/// let pid = current!().group_leader().pid();
|
|
|
|
|
/// ```
|
|
|
|
|
///
|
|
|
|
|
/// Getting the current task and storing it in some struct. The reference count is automatically
|
|
|
|
|
/// incremented when creating `State` and decremented when it is dropped:
|
|
|
|
|
///
|
|
|
|
|
/// ```
|
|
|
|
|
/// use kernel::{task::Task, types::ARef};
|
|
|
|
|
///
|
|
|
|
|
/// struct State {
|
|
|
|
|
/// creator: ARef<Task>,
|
|
|
|
|
/// index: u32,
|
|
|
|
|
/// }
|
|
|
|
|
///
|
|
|
|
|
/// impl State {
|
|
|
|
|
/// fn new() -> Self {
|
|
|
|
|
/// Self {
|
task: rust: rework how current is accessed
Introduce a new type called `CurrentTask` that lets you perform various
operations that are only safe on the `current` task. Use the new type to
provide a way to access the current mm without incrementing its refcount.
With this change, you can write stuff such as
let vma = current!().mm().lock_vma_under_rcu(addr);
without incrementing any refcounts.
This replaces the existing abstractions for accessing the current pid
namespace. With the old approach, every field access to current involves
both a macro and a unsafe helper function. The new approach simplifies
that to a single safe function on the `CurrentTask` type. This makes it
less heavy-weight to add additional current accessors in the future.
That said, creating a `CurrentTask` type like the one in this patch
requires that we are careful to ensure that it cannot escape the current
task or otherwise access things after they are freed. To do this, I
declared that it cannot escape the current "task context" where I defined
a "task context" as essentially the region in which `current` remains
unchanged. So e.g., release_task() or begin_new_exec() would leave the
task context.
If a userspace thread returns to userspace and later makes another
syscall, then I consider the two syscalls to be different task contexts.
This allows values stored in that task to be modified between syscalls,
even if they're guaranteed to be immutable during a syscall.
Ensuring correctness of `CurrentTask` is slightly tricky if we also want
the ability to have a safe `kthread_use_mm()` implementation in Rust. To
support that safely, there are two patterns we need to ensure are safe:
// Case 1: current!() called inside the scope.
let mm;
kthread_use_mm(some_mm, || {
mm = current!().mm();
});
drop(some_mm);
mm.do_something(); // UAF
and:
// Case 2: current!() called before the scope.
let mm;
let task = current!();
kthread_use_mm(some_mm, || {
mm = task.mm();
});
drop(some_mm);
mm.do_something(); // UAF
The existing `current!()` abstraction already natively prevents the first
case: The `&CurrentTask` would be tied to the inner scope, so the
borrow-checker ensures that no reference derived from it can escape the
scope.
Fixing the second case is a bit more tricky. The solution is to
essentially pretend that the contents of the scope execute on an different
thread, which means that only thread-safe types can cross the boundary.
Since `CurrentTask` is marked `NotThreadSafe`, attempts to move it to
another thread will fail, and this includes our fake pretend thread
boundary.
This has the disadvantage that other types that aren't thread-safe for
reasons unrelated to `current` also cannot be moved across the
`kthread_use_mm()` boundary. I consider this an acceptable tradeoff.
Link: https://lkml.kernel.org/r/20250408-vma-v16-8-d8b446e885d9@google.com
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Acked-by: Liam R. Howlett <Liam.Howlett@Oracle.com>
Reviewed-by: Boqun Feng <boqun.feng@gmail.com>
Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>
Reviewed-by: Gary Guo <gary@garyguo.net>
Cc: Alex Gaynor <alex.gaynor@gmail.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Balbir Singh <balbirs@nvidia.com>
Cc: Benno Lossin <benno.lossin@proton.me>
Cc: Björn Roy Baron <bjorn3_gh@protonmail.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Jann Horn <jannh@google.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Trevor Gross <tmgross@umich.edu>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2025-04-08 09:22:45 +00:00
|
|
|
/// creator: ARef::from(&**current!()),
|
2023-04-11 05:45:40 +00:00
|
|
|
/// index: 0,
|
|
|
|
|
/// }
|
|
|
|
|
/// }
|
|
|
|
|
/// }
|
|
|
|
|
/// ```
|
2023-04-11 05:45:39 +00:00
|
|
|
#[repr(transparent)]
|
|
|
|
|
pub struct Task(pub(crate) Opaque<bindings::task_struct>);
|
|
|
|
|
|
2023-05-31 14:59:39 +00:00
|
|
|
// SAFETY: By design, the only way to access a `Task` is via the `current` function or via an
|
|
|
|
|
// `ARef<Task>` obtained through the `AlwaysRefCounted` impl. This means that the only situation in
|
|
|
|
|
// which a `Task` can be accessed mutably is when the refcount drops to zero and the destructor
|
|
|
|
|
// runs. It is safe for that to happen on any thread, so it is ok for this type to be `Send`.
|
|
|
|
|
unsafe impl Send for Task {}
|
|
|
|
|
|
|
|
|
|
// SAFETY: It's OK to access `Task` through shared references from other threads because we're
|
|
|
|
|
// either accessing properties that don't change (e.g., `pid`, `group_leader`) or that are properly
|
2023-04-11 05:45:39 +00:00
|
|
|
// synchronised by C code (e.g., `signal_pending`).
|
|
|
|
|
unsafe impl Sync for Task {}
|
|
|
|
|
|
task: rust: rework how current is accessed
Introduce a new type called `CurrentTask` that lets you perform various
operations that are only safe on the `current` task. Use the new type to
provide a way to access the current mm without incrementing its refcount.
With this change, you can write stuff such as
let vma = current!().mm().lock_vma_under_rcu(addr);
without incrementing any refcounts.
This replaces the existing abstractions for accessing the current pid
namespace. With the old approach, every field access to current involves
both a macro and a unsafe helper function. The new approach simplifies
that to a single safe function on the `CurrentTask` type. This makes it
less heavy-weight to add additional current accessors in the future.
That said, creating a `CurrentTask` type like the one in this patch
requires that we are careful to ensure that it cannot escape the current
task or otherwise access things after they are freed. To do this, I
declared that it cannot escape the current "task context" where I defined
a "task context" as essentially the region in which `current` remains
unchanged. So e.g., release_task() or begin_new_exec() would leave the
task context.
If a userspace thread returns to userspace and later makes another
syscall, then I consider the two syscalls to be different task contexts.
This allows values stored in that task to be modified between syscalls,
even if they're guaranteed to be immutable during a syscall.
Ensuring correctness of `CurrentTask` is slightly tricky if we also want
the ability to have a safe `kthread_use_mm()` implementation in Rust. To
support that safely, there are two patterns we need to ensure are safe:
// Case 1: current!() called inside the scope.
let mm;
kthread_use_mm(some_mm, || {
mm = current!().mm();
});
drop(some_mm);
mm.do_something(); // UAF
and:
// Case 2: current!() called before the scope.
let mm;
let task = current!();
kthread_use_mm(some_mm, || {
mm = task.mm();
});
drop(some_mm);
mm.do_something(); // UAF
The existing `current!()` abstraction already natively prevents the first
case: The `&CurrentTask` would be tied to the inner scope, so the
borrow-checker ensures that no reference derived from it can escape the
scope.
Fixing the second case is a bit more tricky. The solution is to
essentially pretend that the contents of the scope execute on an different
thread, which means that only thread-safe types can cross the boundary.
Since `CurrentTask` is marked `NotThreadSafe`, attempts to move it to
another thread will fail, and this includes our fake pretend thread
boundary.
This has the disadvantage that other types that aren't thread-safe for
reasons unrelated to `current` also cannot be moved across the
`kthread_use_mm()` boundary. I consider this an acceptable tradeoff.
Link: https://lkml.kernel.org/r/20250408-vma-v16-8-d8b446e885d9@google.com
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Acked-by: Liam R. Howlett <Liam.Howlett@Oracle.com>
Reviewed-by: Boqun Feng <boqun.feng@gmail.com>
Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>
Reviewed-by: Gary Guo <gary@garyguo.net>
Cc: Alex Gaynor <alex.gaynor@gmail.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Balbir Singh <balbirs@nvidia.com>
Cc: Benno Lossin <benno.lossin@proton.me>
Cc: Björn Roy Baron <bjorn3_gh@protonmail.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Jann Horn <jannh@google.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Trevor Gross <tmgross@umich.edu>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2025-04-08 09:22:45 +00:00
|
|
|
/// Represents the [`Task`] in the `current` global.
|
|
|
|
|
///
|
|
|
|
|
/// This type exists to provide more efficient operations that are only valid on the current task.
|
|
|
|
|
/// For example, to retrieve the pid-namespace of a task, you must use rcu protection unless it is
|
|
|
|
|
/// the current task.
|
|
|
|
|
///
|
|
|
|
|
/// # Invariants
|
|
|
|
|
///
|
|
|
|
|
/// Each value of this type must only be accessed from the task context it was created within.
|
|
|
|
|
///
|
|
|
|
|
/// Of course, every thread is in a different task context, but for the purposes of this invariant,
|
|
|
|
|
/// these operations also permanently leave the task context:
|
|
|
|
|
///
|
|
|
|
|
/// * Returning to userspace from system call context.
|
|
|
|
|
/// * Calling `release_task()`.
|
|
|
|
|
/// * Calling `begin_new_exec()` in a binary format loader.
|
|
|
|
|
///
|
|
|
|
|
/// Other operations temporarily create a new sub-context:
|
|
|
|
|
///
|
|
|
|
|
/// * Calling `kthread_use_mm()` creates a new context, and `kthread_unuse_mm()` returns to the
|
|
|
|
|
/// old context.
|
|
|
|
|
///
|
|
|
|
|
/// This means that a `CurrentTask` obtained before a `kthread_use_mm()` call may be used again
|
|
|
|
|
/// once `kthread_unuse_mm()` is called, but it must not be used between these two calls.
|
|
|
|
|
/// Conversely, a `CurrentTask` obtained between a `kthread_use_mm()`/`kthread_unuse_mm()` pair
|
|
|
|
|
/// must not be used after `kthread_unuse_mm()`.
|
|
|
|
|
#[repr(transparent)]
|
|
|
|
|
pub struct CurrentTask(Task, NotThreadSafe);
|
|
|
|
|
|
|
|
|
|
// Make all `Task` methods available on `CurrentTask`.
|
|
|
|
|
impl Deref for CurrentTask {
|
|
|
|
|
type Target = Task;
|
|
|
|
|
#[inline]
|
|
|
|
|
fn deref(&self) -> &Task {
|
|
|
|
|
&self.0
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-04-11 05:45:39 +00:00
|
|
|
/// The type of process identifiers (PIDs).
|
2025-01-30 11:21:38 +00:00
|
|
|
pub type Pid = bindings::pid_t;
|
2023-04-11 05:45:39 +00:00
|
|
|
|
rust: file: add `Kuid` wrapper
Adds a wrapper around `kuid_t` called `Kuid`. This allows us to define
various operations on kuids such as equality and current_euid. It also
lets us provide conversions from kuid into userspace values.
Rust Binder needs these operations because it needs to compare kuids for
equality, and it needs to tell userspace about the pid and uid of
incoming transactions.
To read kuids from a `struct task_struct`, you must currently use
various #defines that perform the appropriate field access under an RCU
read lock. Currently, we do not have a Rust wrapper for rcu_read_lock,
which means that for this patch, there are two ways forward:
1. Inline the methods into Rust code, and use __rcu_read_lock directly
rather than the rcu_read_lock wrapper. This gives up lockdep for
these usages of RCU.
2. Wrap the various #defines in helpers and call the helpers from Rust.
This patch uses the second option. One possible disadvantage of the
second option is the possible introduction of speculation gadgets, but
as discussed in [1], the risk appears to be acceptable.
Of course, once a wrapper for rcu_read_lock is available, it is
preferable to use that over either of the two above approaches.
Link: https://lore.kernel.org/all/202312080947.674CD2DC7@keescook/ [1]
Reviewed-by: Benno Lossin <benno.lossin@proton.me>
Reviewed-by: Martin Rodriguez Reboredo <yakoyoku@gmail.com>
Reviewed-by: Trevor Gross <tmgross@umich.edu>
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Link: https://lore.kernel.org/r/20240915-alice-file-v10-7-88484f7a3dcf@google.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
2024-09-15 14:31:33 +00:00
|
|
|
/// The type of user identifiers (UIDs).
|
|
|
|
|
#[derive(Copy, Clone)]
|
|
|
|
|
pub struct Kuid {
|
|
|
|
|
kuid: bindings::kuid_t,
|
|
|
|
|
}
|
|
|
|
|
|
2023-04-11 05:45:39 +00:00
|
|
|
impl Task {
|
2024-09-15 14:31:28 +00:00
|
|
|
/// Returns a raw pointer to the current task.
|
|
|
|
|
///
|
|
|
|
|
/// It is up to the user to use the pointer correctly.
|
|
|
|
|
#[inline]
|
|
|
|
|
pub fn current_raw() -> *mut bindings::task_struct {
|
|
|
|
|
// SAFETY: Getting the current pointer is always safe.
|
|
|
|
|
unsafe { bindings::get_current() }
|
|
|
|
|
}
|
|
|
|
|
|
2023-04-11 05:45:40 +00:00
|
|
|
/// Returns a task reference for the currently executing task/thread.
|
|
|
|
|
///
|
|
|
|
|
/// The recommended way to get the current task/thread is to use the
|
2023-10-05 21:05:53 +00:00
|
|
|
/// [`current`] macro because it is safe.
|
2023-04-11 05:45:40 +00:00
|
|
|
///
|
|
|
|
|
/// # Safety
|
|
|
|
|
///
|
task: rust: rework how current is accessed
Introduce a new type called `CurrentTask` that lets you perform various
operations that are only safe on the `current` task. Use the new type to
provide a way to access the current mm without incrementing its refcount.
With this change, you can write stuff such as
let vma = current!().mm().lock_vma_under_rcu(addr);
without incrementing any refcounts.
This replaces the existing abstractions for accessing the current pid
namespace. With the old approach, every field access to current involves
both a macro and a unsafe helper function. The new approach simplifies
that to a single safe function on the `CurrentTask` type. This makes it
less heavy-weight to add additional current accessors in the future.
That said, creating a `CurrentTask` type like the one in this patch
requires that we are careful to ensure that it cannot escape the current
task or otherwise access things after they are freed. To do this, I
declared that it cannot escape the current "task context" where I defined
a "task context" as essentially the region in which `current` remains
unchanged. So e.g., release_task() or begin_new_exec() would leave the
task context.
If a userspace thread returns to userspace and later makes another
syscall, then I consider the two syscalls to be different task contexts.
This allows values stored in that task to be modified between syscalls,
even if they're guaranteed to be immutable during a syscall.
Ensuring correctness of `CurrentTask` is slightly tricky if we also want
the ability to have a safe `kthread_use_mm()` implementation in Rust. To
support that safely, there are two patterns we need to ensure are safe:
// Case 1: current!() called inside the scope.
let mm;
kthread_use_mm(some_mm, || {
mm = current!().mm();
});
drop(some_mm);
mm.do_something(); // UAF
and:
// Case 2: current!() called before the scope.
let mm;
let task = current!();
kthread_use_mm(some_mm, || {
mm = task.mm();
});
drop(some_mm);
mm.do_something(); // UAF
The existing `current!()` abstraction already natively prevents the first
case: The `&CurrentTask` would be tied to the inner scope, so the
borrow-checker ensures that no reference derived from it can escape the
scope.
Fixing the second case is a bit more tricky. The solution is to
essentially pretend that the contents of the scope execute on an different
thread, which means that only thread-safe types can cross the boundary.
Since `CurrentTask` is marked `NotThreadSafe`, attempts to move it to
another thread will fail, and this includes our fake pretend thread
boundary.
This has the disadvantage that other types that aren't thread-safe for
reasons unrelated to `current` also cannot be moved across the
`kthread_use_mm()` boundary. I consider this an acceptable tradeoff.
Link: https://lkml.kernel.org/r/20250408-vma-v16-8-d8b446e885d9@google.com
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Acked-by: Liam R. Howlett <Liam.Howlett@Oracle.com>
Reviewed-by: Boqun Feng <boqun.feng@gmail.com>
Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>
Reviewed-by: Gary Guo <gary@garyguo.net>
Cc: Alex Gaynor <alex.gaynor@gmail.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Balbir Singh <balbirs@nvidia.com>
Cc: Benno Lossin <benno.lossin@proton.me>
Cc: Björn Roy Baron <bjorn3_gh@protonmail.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Jann Horn <jannh@google.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Trevor Gross <tmgross@umich.edu>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2025-04-08 09:22:45 +00:00
|
|
|
/// Callers must ensure that the returned object is only used to access a [`CurrentTask`]
|
|
|
|
|
/// within the task context that was active when this function was called. For more details,
|
|
|
|
|
/// see the invariants section for [`CurrentTask`].
|
|
|
|
|
pub unsafe fn current() -> impl Deref<Target = CurrentTask> {
|
|
|
|
|
struct TaskRef {
|
|
|
|
|
task: *const CurrentTask,
|
2023-04-11 05:45:40 +00:00
|
|
|
}
|
|
|
|
|
|
task: rust: rework how current is accessed
Introduce a new type called `CurrentTask` that lets you perform various
operations that are only safe on the `current` task. Use the new type to
provide a way to access the current mm without incrementing its refcount.
With this change, you can write stuff such as
let vma = current!().mm().lock_vma_under_rcu(addr);
without incrementing any refcounts.
This replaces the existing abstractions for accessing the current pid
namespace. With the old approach, every field access to current involves
both a macro and a unsafe helper function. The new approach simplifies
that to a single safe function on the `CurrentTask` type. This makes it
less heavy-weight to add additional current accessors in the future.
That said, creating a `CurrentTask` type like the one in this patch
requires that we are careful to ensure that it cannot escape the current
task or otherwise access things after they are freed. To do this, I
declared that it cannot escape the current "task context" where I defined
a "task context" as essentially the region in which `current` remains
unchanged. So e.g., release_task() or begin_new_exec() would leave the
task context.
If a userspace thread returns to userspace and later makes another
syscall, then I consider the two syscalls to be different task contexts.
This allows values stored in that task to be modified between syscalls,
even if they're guaranteed to be immutable during a syscall.
Ensuring correctness of `CurrentTask` is slightly tricky if we also want
the ability to have a safe `kthread_use_mm()` implementation in Rust. To
support that safely, there are two patterns we need to ensure are safe:
// Case 1: current!() called inside the scope.
let mm;
kthread_use_mm(some_mm, || {
mm = current!().mm();
});
drop(some_mm);
mm.do_something(); // UAF
and:
// Case 2: current!() called before the scope.
let mm;
let task = current!();
kthread_use_mm(some_mm, || {
mm = task.mm();
});
drop(some_mm);
mm.do_something(); // UAF
The existing `current!()` abstraction already natively prevents the first
case: The `&CurrentTask` would be tied to the inner scope, so the
borrow-checker ensures that no reference derived from it can escape the
scope.
Fixing the second case is a bit more tricky. The solution is to
essentially pretend that the contents of the scope execute on an different
thread, which means that only thread-safe types can cross the boundary.
Since `CurrentTask` is marked `NotThreadSafe`, attempts to move it to
another thread will fail, and this includes our fake pretend thread
boundary.
This has the disadvantage that other types that aren't thread-safe for
reasons unrelated to `current` also cannot be moved across the
`kthread_use_mm()` boundary. I consider this an acceptable tradeoff.
Link: https://lkml.kernel.org/r/20250408-vma-v16-8-d8b446e885d9@google.com
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Acked-by: Liam R. Howlett <Liam.Howlett@Oracle.com>
Reviewed-by: Boqun Feng <boqun.feng@gmail.com>
Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>
Reviewed-by: Gary Guo <gary@garyguo.net>
Cc: Alex Gaynor <alex.gaynor@gmail.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Balbir Singh <balbirs@nvidia.com>
Cc: Benno Lossin <benno.lossin@proton.me>
Cc: Björn Roy Baron <bjorn3_gh@protonmail.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Jann Horn <jannh@google.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Trevor Gross <tmgross@umich.edu>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2025-04-08 09:22:45 +00:00
|
|
|
impl Deref for TaskRef {
|
|
|
|
|
type Target = CurrentTask;
|
2023-04-11 05:45:40 +00:00
|
|
|
|
|
|
|
|
fn deref(&self) -> &Self::Target {
|
task: rust: rework how current is accessed
Introduce a new type called `CurrentTask` that lets you perform various
operations that are only safe on the `current` task. Use the new type to
provide a way to access the current mm without incrementing its refcount.
With this change, you can write stuff such as
let vma = current!().mm().lock_vma_under_rcu(addr);
without incrementing any refcounts.
This replaces the existing abstractions for accessing the current pid
namespace. With the old approach, every field access to current involves
both a macro and a unsafe helper function. The new approach simplifies
that to a single safe function on the `CurrentTask` type. This makes it
less heavy-weight to add additional current accessors in the future.
That said, creating a `CurrentTask` type like the one in this patch
requires that we are careful to ensure that it cannot escape the current
task or otherwise access things after they are freed. To do this, I
declared that it cannot escape the current "task context" where I defined
a "task context" as essentially the region in which `current` remains
unchanged. So e.g., release_task() or begin_new_exec() would leave the
task context.
If a userspace thread returns to userspace and later makes another
syscall, then I consider the two syscalls to be different task contexts.
This allows values stored in that task to be modified between syscalls,
even if they're guaranteed to be immutable during a syscall.
Ensuring correctness of `CurrentTask` is slightly tricky if we also want
the ability to have a safe `kthread_use_mm()` implementation in Rust. To
support that safely, there are two patterns we need to ensure are safe:
// Case 1: current!() called inside the scope.
let mm;
kthread_use_mm(some_mm, || {
mm = current!().mm();
});
drop(some_mm);
mm.do_something(); // UAF
and:
// Case 2: current!() called before the scope.
let mm;
let task = current!();
kthread_use_mm(some_mm, || {
mm = task.mm();
});
drop(some_mm);
mm.do_something(); // UAF
The existing `current!()` abstraction already natively prevents the first
case: The `&CurrentTask` would be tied to the inner scope, so the
borrow-checker ensures that no reference derived from it can escape the
scope.
Fixing the second case is a bit more tricky. The solution is to
essentially pretend that the contents of the scope execute on an different
thread, which means that only thread-safe types can cross the boundary.
Since `CurrentTask` is marked `NotThreadSafe`, attempts to move it to
another thread will fail, and this includes our fake pretend thread
boundary.
This has the disadvantage that other types that aren't thread-safe for
reasons unrelated to `current` also cannot be moved across the
`kthread_use_mm()` boundary. I consider this an acceptable tradeoff.
Link: https://lkml.kernel.org/r/20250408-vma-v16-8-d8b446e885d9@google.com
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Acked-by: Liam R. Howlett <Liam.Howlett@Oracle.com>
Reviewed-by: Boqun Feng <boqun.feng@gmail.com>
Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>
Reviewed-by: Gary Guo <gary@garyguo.net>
Cc: Alex Gaynor <alex.gaynor@gmail.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Balbir Singh <balbirs@nvidia.com>
Cc: Benno Lossin <benno.lossin@proton.me>
Cc: Björn Roy Baron <bjorn3_gh@protonmail.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Jann Horn <jannh@google.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Trevor Gross <tmgross@umich.edu>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2025-04-08 09:22:45 +00:00
|
|
|
// SAFETY: The returned reference borrows from this `TaskRef`, so it cannot outlive
|
|
|
|
|
// the `TaskRef`, which the caller of `Task::current()` has promised will not
|
|
|
|
|
// outlive the task/thread for which `self.task` is the `current` pointer. Thus, it
|
|
|
|
|
// is okay to return a `CurrentTask` reference here.
|
|
|
|
|
unsafe { &*self.task }
|
2023-04-11 05:45:40 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
TaskRef {
|
task: rust: rework how current is accessed
Introduce a new type called `CurrentTask` that lets you perform various
operations that are only safe on the `current` task. Use the new type to
provide a way to access the current mm without incrementing its refcount.
With this change, you can write stuff such as
let vma = current!().mm().lock_vma_under_rcu(addr);
without incrementing any refcounts.
This replaces the existing abstractions for accessing the current pid
namespace. With the old approach, every field access to current involves
both a macro and a unsafe helper function. The new approach simplifies
that to a single safe function on the `CurrentTask` type. This makes it
less heavy-weight to add additional current accessors in the future.
That said, creating a `CurrentTask` type like the one in this patch
requires that we are careful to ensure that it cannot escape the current
task or otherwise access things after they are freed. To do this, I
declared that it cannot escape the current "task context" where I defined
a "task context" as essentially the region in which `current` remains
unchanged. So e.g., release_task() or begin_new_exec() would leave the
task context.
If a userspace thread returns to userspace and later makes another
syscall, then I consider the two syscalls to be different task contexts.
This allows values stored in that task to be modified between syscalls,
even if they're guaranteed to be immutable during a syscall.
Ensuring correctness of `CurrentTask` is slightly tricky if we also want
the ability to have a safe `kthread_use_mm()` implementation in Rust. To
support that safely, there are two patterns we need to ensure are safe:
// Case 1: current!() called inside the scope.
let mm;
kthread_use_mm(some_mm, || {
mm = current!().mm();
});
drop(some_mm);
mm.do_something(); // UAF
and:
// Case 2: current!() called before the scope.
let mm;
let task = current!();
kthread_use_mm(some_mm, || {
mm = task.mm();
});
drop(some_mm);
mm.do_something(); // UAF
The existing `current!()` abstraction already natively prevents the first
case: The `&CurrentTask` would be tied to the inner scope, so the
borrow-checker ensures that no reference derived from it can escape the
scope.
Fixing the second case is a bit more tricky. The solution is to
essentially pretend that the contents of the scope execute on an different
thread, which means that only thread-safe types can cross the boundary.
Since `CurrentTask` is marked `NotThreadSafe`, attempts to move it to
another thread will fail, and this includes our fake pretend thread
boundary.
This has the disadvantage that other types that aren't thread-safe for
reasons unrelated to `current` also cannot be moved across the
`kthread_use_mm()` boundary. I consider this an acceptable tradeoff.
Link: https://lkml.kernel.org/r/20250408-vma-v16-8-d8b446e885d9@google.com
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Acked-by: Liam R. Howlett <Liam.Howlett@Oracle.com>
Reviewed-by: Boqun Feng <boqun.feng@gmail.com>
Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>
Reviewed-by: Gary Guo <gary@garyguo.net>
Cc: Alex Gaynor <alex.gaynor@gmail.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Balbir Singh <balbirs@nvidia.com>
Cc: Benno Lossin <benno.lossin@proton.me>
Cc: Björn Roy Baron <bjorn3_gh@protonmail.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Jann Horn <jannh@google.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Trevor Gross <tmgross@umich.edu>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2025-04-08 09:22:45 +00:00
|
|
|
// CAST: The layout of `struct task_struct` and `CurrentTask` is identical.
|
|
|
|
|
task: Task::current_raw().cast(),
|
2024-10-02 11:38:10 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2024-10-15 14:02:12 +00:00
|
|
|
/// Returns a raw pointer to the task.
|
|
|
|
|
#[inline]
|
|
|
|
|
pub fn as_ptr(&self) -> *mut bindings::task_struct {
|
|
|
|
|
self.0.get()
|
|
|
|
|
}
|
|
|
|
|
|
2023-04-11 05:45:39 +00:00
|
|
|
/// Returns the group leader of the given task.
|
|
|
|
|
pub fn group_leader(&self) -> &Task {
|
2024-10-15 14:02:12 +00:00
|
|
|
// SAFETY: The group leader of a task never changes after initialization, so reading this
|
|
|
|
|
// field is not a data race.
|
|
|
|
|
let ptr = unsafe { *ptr::addr_of!((*self.as_ptr()).group_leader) };
|
2023-04-11 05:45:39 +00:00
|
|
|
|
|
|
|
|
// SAFETY: The lifetime of the returned task reference is tied to the lifetime of `self`,
|
|
|
|
|
// and given that a task has a reference to its group leader, we know it must be valid for
|
|
|
|
|
// the lifetime of the returned task reference.
|
|
|
|
|
unsafe { &*ptr.cast() }
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Returns the PID of the given task.
|
|
|
|
|
pub fn pid(&self) -> Pid {
|
2024-10-15 14:02:12 +00:00
|
|
|
// SAFETY: The pid of a task never changes after initialization, so reading this field is
|
|
|
|
|
// not a data race.
|
|
|
|
|
unsafe { *ptr::addr_of!((*self.as_ptr()).pid) }
|
2023-04-11 05:45:39 +00:00
|
|
|
}
|
|
|
|
|
|
rust: file: add `Kuid` wrapper
Adds a wrapper around `kuid_t` called `Kuid`. This allows us to define
various operations on kuids such as equality and current_euid. It also
lets us provide conversions from kuid into userspace values.
Rust Binder needs these operations because it needs to compare kuids for
equality, and it needs to tell userspace about the pid and uid of
incoming transactions.
To read kuids from a `struct task_struct`, you must currently use
various #defines that perform the appropriate field access under an RCU
read lock. Currently, we do not have a Rust wrapper for rcu_read_lock,
which means that for this patch, there are two ways forward:
1. Inline the methods into Rust code, and use __rcu_read_lock directly
rather than the rcu_read_lock wrapper. This gives up lockdep for
these usages of RCU.
2. Wrap the various #defines in helpers and call the helpers from Rust.
This patch uses the second option. One possible disadvantage of the
second option is the possible introduction of speculation gadgets, but
as discussed in [1], the risk appears to be acceptable.
Of course, once a wrapper for rcu_read_lock is available, it is
preferable to use that over either of the two above approaches.
Link: https://lore.kernel.org/all/202312080947.674CD2DC7@keescook/ [1]
Reviewed-by: Benno Lossin <benno.lossin@proton.me>
Reviewed-by: Martin Rodriguez Reboredo <yakoyoku@gmail.com>
Reviewed-by: Trevor Gross <tmgross@umich.edu>
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Link: https://lore.kernel.org/r/20240915-alice-file-v10-7-88484f7a3dcf@google.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
2024-09-15 14:31:33 +00:00
|
|
|
/// Returns the UID of the given task.
|
|
|
|
|
pub fn uid(&self) -> Kuid {
|
2024-10-15 14:02:12 +00:00
|
|
|
// SAFETY: It's always safe to call `task_uid` on a valid task.
|
|
|
|
|
Kuid::from_raw(unsafe { bindings::task_uid(self.as_ptr()) })
|
rust: file: add `Kuid` wrapper
Adds a wrapper around `kuid_t` called `Kuid`. This allows us to define
various operations on kuids such as equality and current_euid. It also
lets us provide conversions from kuid into userspace values.
Rust Binder needs these operations because it needs to compare kuids for
equality, and it needs to tell userspace about the pid and uid of
incoming transactions.
To read kuids from a `struct task_struct`, you must currently use
various #defines that perform the appropriate field access under an RCU
read lock. Currently, we do not have a Rust wrapper for rcu_read_lock,
which means that for this patch, there are two ways forward:
1. Inline the methods into Rust code, and use __rcu_read_lock directly
rather than the rcu_read_lock wrapper. This gives up lockdep for
these usages of RCU.
2. Wrap the various #defines in helpers and call the helpers from Rust.
This patch uses the second option. One possible disadvantage of the
second option is the possible introduction of speculation gadgets, but
as discussed in [1], the risk appears to be acceptable.
Of course, once a wrapper for rcu_read_lock is available, it is
preferable to use that over either of the two above approaches.
Link: https://lore.kernel.org/all/202312080947.674CD2DC7@keescook/ [1]
Reviewed-by: Benno Lossin <benno.lossin@proton.me>
Reviewed-by: Martin Rodriguez Reboredo <yakoyoku@gmail.com>
Reviewed-by: Trevor Gross <tmgross@umich.edu>
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Link: https://lore.kernel.org/r/20240915-alice-file-v10-7-88484f7a3dcf@google.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
2024-09-15 14:31:33 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Returns the effective UID of the given task.
|
|
|
|
|
pub fn euid(&self) -> Kuid {
|
2024-10-15 14:02:12 +00:00
|
|
|
// SAFETY: It's always safe to call `task_euid` on a valid task.
|
|
|
|
|
Kuid::from_raw(unsafe { bindings::task_euid(self.as_ptr()) })
|
rust: file: add `Kuid` wrapper
Adds a wrapper around `kuid_t` called `Kuid`. This allows us to define
various operations on kuids such as equality and current_euid. It also
lets us provide conversions from kuid into userspace values.
Rust Binder needs these operations because it needs to compare kuids for
equality, and it needs to tell userspace about the pid and uid of
incoming transactions.
To read kuids from a `struct task_struct`, you must currently use
various #defines that perform the appropriate field access under an RCU
read lock. Currently, we do not have a Rust wrapper for rcu_read_lock,
which means that for this patch, there are two ways forward:
1. Inline the methods into Rust code, and use __rcu_read_lock directly
rather than the rcu_read_lock wrapper. This gives up lockdep for
these usages of RCU.
2. Wrap the various #defines in helpers and call the helpers from Rust.
This patch uses the second option. One possible disadvantage of the
second option is the possible introduction of speculation gadgets, but
as discussed in [1], the risk appears to be acceptable.
Of course, once a wrapper for rcu_read_lock is available, it is
preferable to use that over either of the two above approaches.
Link: https://lore.kernel.org/all/202312080947.674CD2DC7@keescook/ [1]
Reviewed-by: Benno Lossin <benno.lossin@proton.me>
Reviewed-by: Martin Rodriguez Reboredo <yakoyoku@gmail.com>
Reviewed-by: Trevor Gross <tmgross@umich.edu>
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Link: https://lore.kernel.org/r/20240915-alice-file-v10-7-88484f7a3dcf@google.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
2024-09-15 14:31:33 +00:00
|
|
|
}
|
|
|
|
|
|
2023-04-11 05:45:39 +00:00
|
|
|
/// Determines whether the given task has pending signals.
|
|
|
|
|
pub fn signal_pending(&self) -> bool {
|
2024-10-15 14:02:12 +00:00
|
|
|
// SAFETY: It's always safe to call `signal_pending` on a valid task.
|
|
|
|
|
unsafe { bindings::signal_pending(self.as_ptr()) != 0 }
|
2023-04-11 05:45:39 +00:00
|
|
|
}
|
|
|
|
|
|
2024-10-02 11:38:10 +00:00
|
|
|
/// Returns task's pid namespace with elevated reference count
|
|
|
|
|
pub fn get_pid_ns(&self) -> Option<ARef<PidNamespace>> {
|
|
|
|
|
// SAFETY: By the type invariant, we know that `self.0` is valid.
|
2024-11-26 21:18:00 +00:00
|
|
|
let ptr = unsafe { bindings::task_get_pid_ns(self.as_ptr()) };
|
2024-10-02 11:38:10 +00:00
|
|
|
if ptr.is_null() {
|
|
|
|
|
None
|
|
|
|
|
} else {
|
|
|
|
|
// SAFETY: `ptr` is valid by the safety requirements of this function. And we own a
|
|
|
|
|
// reference count via `task_get_pid_ns()`.
|
|
|
|
|
// CAST: `Self` is a `repr(transparent)` wrapper around `bindings::pid_namespace`.
|
|
|
|
|
Some(unsafe { ARef::from_raw(ptr::NonNull::new_unchecked(ptr.cast::<PidNamespace>())) })
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Returns the given task's pid in the provided pid namespace.
|
|
|
|
|
#[doc(alias = "task_tgid_nr_ns")]
|
|
|
|
|
pub fn tgid_nr_ns(&self, pidns: Option<&PidNamespace>) -> Pid {
|
|
|
|
|
let pidns = match pidns {
|
|
|
|
|
Some(pidns) => pidns.as_ptr(),
|
|
|
|
|
None => core::ptr::null_mut(),
|
|
|
|
|
};
|
|
|
|
|
// SAFETY: By the type invariant, we know that `self.0` is valid. We received a valid
|
|
|
|
|
// PidNamespace that we can use as a pointer or we received an empty PidNamespace and
|
|
|
|
|
// thus pass a null pointer. The underlying C function is safe to be used with NULL
|
|
|
|
|
// pointers.
|
2024-11-26 21:18:00 +00:00
|
|
|
unsafe { bindings::task_tgid_nr_ns(self.as_ptr(), pidns) }
|
rust: file: add `Kuid` wrapper
Adds a wrapper around `kuid_t` called `Kuid`. This allows us to define
various operations on kuids such as equality and current_euid. It also
lets us provide conversions from kuid into userspace values.
Rust Binder needs these operations because it needs to compare kuids for
equality, and it needs to tell userspace about the pid and uid of
incoming transactions.
To read kuids from a `struct task_struct`, you must currently use
various #defines that perform the appropriate field access under an RCU
read lock. Currently, we do not have a Rust wrapper for rcu_read_lock,
which means that for this patch, there are two ways forward:
1. Inline the methods into Rust code, and use __rcu_read_lock directly
rather than the rcu_read_lock wrapper. This gives up lockdep for
these usages of RCU.
2. Wrap the various #defines in helpers and call the helpers from Rust.
This patch uses the second option. One possible disadvantage of the
second option is the possible introduction of speculation gadgets, but
as discussed in [1], the risk appears to be acceptable.
Of course, once a wrapper for rcu_read_lock is available, it is
preferable to use that over either of the two above approaches.
Link: https://lore.kernel.org/all/202312080947.674CD2DC7@keescook/ [1]
Reviewed-by: Benno Lossin <benno.lossin@proton.me>
Reviewed-by: Martin Rodriguez Reboredo <yakoyoku@gmail.com>
Reviewed-by: Trevor Gross <tmgross@umich.edu>
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Link: https://lore.kernel.org/r/20240915-alice-file-v10-7-88484f7a3dcf@google.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
2024-09-15 14:31:33 +00:00
|
|
|
}
|
|
|
|
|
|
2023-04-11 05:45:39 +00:00
|
|
|
/// Wakes up the task.
|
|
|
|
|
pub fn wake_up(&self) {
|
2025-03-08 16:49:05 +00:00
|
|
|
// SAFETY: It's always safe to call `wake_up_process` on a valid task, even if the task
|
2023-04-11 05:45:39 +00:00
|
|
|
// running.
|
2024-10-15 14:02:12 +00:00
|
|
|
unsafe { bindings::wake_up_process(self.as_ptr()) };
|
2023-04-11 05:45:39 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
task: rust: rework how current is accessed
Introduce a new type called `CurrentTask` that lets you perform various
operations that are only safe on the `current` task. Use the new type to
provide a way to access the current mm without incrementing its refcount.
With this change, you can write stuff such as
let vma = current!().mm().lock_vma_under_rcu(addr);
without incrementing any refcounts.
This replaces the existing abstractions for accessing the current pid
namespace. With the old approach, every field access to current involves
both a macro and a unsafe helper function. The new approach simplifies
that to a single safe function on the `CurrentTask` type. This makes it
less heavy-weight to add additional current accessors in the future.
That said, creating a `CurrentTask` type like the one in this patch
requires that we are careful to ensure that it cannot escape the current
task or otherwise access things after they are freed. To do this, I
declared that it cannot escape the current "task context" where I defined
a "task context" as essentially the region in which `current` remains
unchanged. So e.g., release_task() or begin_new_exec() would leave the
task context.
If a userspace thread returns to userspace and later makes another
syscall, then I consider the two syscalls to be different task contexts.
This allows values stored in that task to be modified between syscalls,
even if they're guaranteed to be immutable during a syscall.
Ensuring correctness of `CurrentTask` is slightly tricky if we also want
the ability to have a safe `kthread_use_mm()` implementation in Rust. To
support that safely, there are two patterns we need to ensure are safe:
// Case 1: current!() called inside the scope.
let mm;
kthread_use_mm(some_mm, || {
mm = current!().mm();
});
drop(some_mm);
mm.do_something(); // UAF
and:
// Case 2: current!() called before the scope.
let mm;
let task = current!();
kthread_use_mm(some_mm, || {
mm = task.mm();
});
drop(some_mm);
mm.do_something(); // UAF
The existing `current!()` abstraction already natively prevents the first
case: The `&CurrentTask` would be tied to the inner scope, so the
borrow-checker ensures that no reference derived from it can escape the
scope.
Fixing the second case is a bit more tricky. The solution is to
essentially pretend that the contents of the scope execute on an different
thread, which means that only thread-safe types can cross the boundary.
Since `CurrentTask` is marked `NotThreadSafe`, attempts to move it to
another thread will fail, and this includes our fake pretend thread
boundary.
This has the disadvantage that other types that aren't thread-safe for
reasons unrelated to `current` also cannot be moved across the
`kthread_use_mm()` boundary. I consider this an acceptable tradeoff.
Link: https://lkml.kernel.org/r/20250408-vma-v16-8-d8b446e885d9@google.com
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Acked-by: Liam R. Howlett <Liam.Howlett@Oracle.com>
Reviewed-by: Boqun Feng <boqun.feng@gmail.com>
Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>
Reviewed-by: Gary Guo <gary@garyguo.net>
Cc: Alex Gaynor <alex.gaynor@gmail.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Balbir Singh <balbirs@nvidia.com>
Cc: Benno Lossin <benno.lossin@proton.me>
Cc: Björn Roy Baron <bjorn3_gh@protonmail.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Jann Horn <jannh@google.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Trevor Gross <tmgross@umich.edu>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2025-04-08 09:22:45 +00:00
|
|
|
impl CurrentTask {
|
|
|
|
|
/// Access the address space of the current task.
|
|
|
|
|
///
|
|
|
|
|
/// This function does not touch the refcount of the mm.
|
|
|
|
|
#[inline]
|
|
|
|
|
pub fn mm(&self) -> Option<&MmWithUser> {
|
|
|
|
|
// SAFETY: The `mm` field of `current` is not modified from other threads, so reading it is
|
|
|
|
|
// not a data race.
|
|
|
|
|
let mm = unsafe { (*self.as_ptr()).mm };
|
|
|
|
|
|
|
|
|
|
if mm.is_null() {
|
|
|
|
|
return None;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// SAFETY: If `current->mm` is non-null, then it references a valid mm with a non-zero
|
|
|
|
|
// value of `mm_users`. Furthermore, the returned `&MmWithUser` borrows from this
|
|
|
|
|
// `CurrentTask`, so it cannot escape the scope in which the current pointer was obtained.
|
|
|
|
|
//
|
|
|
|
|
// This is safe even if `kthread_use_mm()`/`kthread_unuse_mm()` are used. There are two
|
|
|
|
|
// relevant cases:
|
|
|
|
|
// * If the `&CurrentTask` was created before `kthread_use_mm()`, then it cannot be
|
|
|
|
|
// accessed during the `kthread_use_mm()`/`kthread_unuse_mm()` scope due to the
|
|
|
|
|
// `NotThreadSafe` field of `CurrentTask`.
|
|
|
|
|
// * If the `&CurrentTask` was created within a `kthread_use_mm()`/`kthread_unuse_mm()`
|
|
|
|
|
// scope, then the `&CurrentTask` cannot escape that scope, so the returned `&MmWithUser`
|
|
|
|
|
// also cannot escape that scope.
|
|
|
|
|
// In either case, it's not possible to read `current->mm` and keep using it after the
|
|
|
|
|
// scope is ended with `kthread_unuse_mm()`.
|
|
|
|
|
Some(unsafe { MmWithUser::from_raw(mm) })
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Access the pid namespace of the current task.
|
|
|
|
|
///
|
|
|
|
|
/// This function does not touch the refcount of the namespace or use RCU protection.
|
|
|
|
|
///
|
|
|
|
|
/// To access the pid namespace of another task, see [`Task::get_pid_ns`].
|
|
|
|
|
#[doc(alias = "task_active_pid_ns")]
|
|
|
|
|
#[inline]
|
|
|
|
|
pub fn active_pid_ns(&self) -> Option<&PidNamespace> {
|
|
|
|
|
// SAFETY: It is safe to call `task_active_pid_ns` without RCU protection when calling it
|
|
|
|
|
// on the current task.
|
|
|
|
|
let active_ns = unsafe { bindings::task_active_pid_ns(self.as_ptr()) };
|
|
|
|
|
|
|
|
|
|
if active_ns.is_null() {
|
|
|
|
|
return None;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// The lifetime of `PidNamespace` is bound to `Task` and `struct pid`.
|
|
|
|
|
//
|
|
|
|
|
// The `PidNamespace` of a `Task` doesn't ever change once the `Task` is alive.
|
|
|
|
|
//
|
|
|
|
|
// From system call context retrieving the `PidNamespace` for the current task is always
|
|
|
|
|
// safe and requires neither RCU locking nor a reference count to be held. Retrieving the
|
|
|
|
|
// `PidNamespace` after `release_task()` for current will return `NULL` but no codepath
|
|
|
|
|
// like that is exposed to Rust.
|
|
|
|
|
//
|
|
|
|
|
// SAFETY: If `current`'s pid ns is non-null, then it references a valid pid ns.
|
|
|
|
|
// Furthermore, the returned `&PidNamespace` borrows from this `CurrentTask`, so it cannot
|
|
|
|
|
// escape the scope in which the current pointer was obtained, e.g. it cannot live past a
|
|
|
|
|
// `release_task()` call.
|
|
|
|
|
Some(unsafe { PidNamespace::from_ptr(active_ns) })
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2024-01-31 20:23:29 +00:00
|
|
|
// SAFETY: The type invariants guarantee that `Task` is always refcounted.
|
2023-04-11 05:45:39 +00:00
|
|
|
unsafe impl crate::types::AlwaysRefCounted for Task {
|
|
|
|
|
fn inc_ref(&self) {
|
|
|
|
|
// SAFETY: The existence of a shared reference means that the refcount is nonzero.
|
2024-10-15 14:02:12 +00:00
|
|
|
unsafe { bindings::get_task_struct(self.as_ptr()) };
|
2023-04-11 05:45:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
unsafe fn dec_ref(obj: ptr::NonNull<Self>) {
|
|
|
|
|
// SAFETY: The safety requirements guarantee that the refcount is nonzero.
|
|
|
|
|
unsafe { bindings::put_task_struct(obj.cast().as_ptr()) }
|
|
|
|
|
}
|
|
|
|
|
}
|
rust: file: add `Kuid` wrapper
Adds a wrapper around `kuid_t` called `Kuid`. This allows us to define
various operations on kuids such as equality and current_euid. It also
lets us provide conversions from kuid into userspace values.
Rust Binder needs these operations because it needs to compare kuids for
equality, and it needs to tell userspace about the pid and uid of
incoming transactions.
To read kuids from a `struct task_struct`, you must currently use
various #defines that perform the appropriate field access under an RCU
read lock. Currently, we do not have a Rust wrapper for rcu_read_lock,
which means that for this patch, there are two ways forward:
1. Inline the methods into Rust code, and use __rcu_read_lock directly
rather than the rcu_read_lock wrapper. This gives up lockdep for
these usages of RCU.
2. Wrap the various #defines in helpers and call the helpers from Rust.
This patch uses the second option. One possible disadvantage of the
second option is the possible introduction of speculation gadgets, but
as discussed in [1], the risk appears to be acceptable.
Of course, once a wrapper for rcu_read_lock is available, it is
preferable to use that over either of the two above approaches.
Link: https://lore.kernel.org/all/202312080947.674CD2DC7@keescook/ [1]
Reviewed-by: Benno Lossin <benno.lossin@proton.me>
Reviewed-by: Martin Rodriguez Reboredo <yakoyoku@gmail.com>
Reviewed-by: Trevor Gross <tmgross@umich.edu>
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Link: https://lore.kernel.org/r/20240915-alice-file-v10-7-88484f7a3dcf@google.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
2024-09-15 14:31:33 +00:00
|
|
|
|
|
|
|
|
impl Kuid {
|
|
|
|
|
/// Get the current euid.
|
|
|
|
|
#[inline]
|
|
|
|
|
pub fn current_euid() -> Kuid {
|
|
|
|
|
// SAFETY: Just an FFI call.
|
|
|
|
|
Self::from_raw(unsafe { bindings::current_euid() })
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Create a `Kuid` given the raw C type.
|
|
|
|
|
#[inline]
|
|
|
|
|
pub fn from_raw(kuid: bindings::kuid_t) -> Self {
|
|
|
|
|
Self { kuid }
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Turn this kuid into the raw C type.
|
|
|
|
|
#[inline]
|
|
|
|
|
pub fn into_raw(self) -> bindings::kuid_t {
|
|
|
|
|
self.kuid
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Converts this kernel UID into a userspace UID.
|
|
|
|
|
///
|
|
|
|
|
/// Uses the namespace of the current task.
|
|
|
|
|
#[inline]
|
|
|
|
|
pub fn into_uid_in_current_ns(self) -> bindings::uid_t {
|
|
|
|
|
// SAFETY: Just an FFI call.
|
|
|
|
|
unsafe { bindings::from_kuid(bindings::current_user_ns(), self.kuid) }
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl PartialEq for Kuid {
|
|
|
|
|
#[inline]
|
|
|
|
|
fn eq(&self, other: &Kuid) -> bool {
|
|
|
|
|
// SAFETY: Just an FFI call.
|
|
|
|
|
unsafe { bindings::uid_eq(self.kuid, other.kuid) }
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl Eq for Kuid {}
|
