From: Boqun Feng <boqun.feng@gmail.com>
To: Trevor Gross <tmgross@umich.edu>
Cc: "Alice Ryhl" <aliceryhl@google.com>,
"Andreas Hindborg" <a.hindborg@samsung.com>,
"Miguel Ojeda" <ojeda@kernel.org>,
"Alex Gaynor" <alex.gaynor@gmail.com>,
"Wedson Almeida Filho" <wedsonaf@gmail.com>,
"Gary Guo" <gary@garyguo.net>,
"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
"Benno Lossin" <benno.lossin@proton.me>,
"Kees Cook" <keescook@chromium.org>,
"Al Viro" <viro@zeniv.linux.org.uk>,
"Andrew Morton" <akpm@linux-foundation.org>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Arve Hjønnevåg" <arve@android.com>,
"Todd Kjos" <tkjos@android.com>,
"Martijn Coenen" <maco@android.com>,
"Joel Fernandes" <joel@joelfernandes.org>,
"Carlos Llamas" <cmllamas@google.com>,
"Suren Baghdasaryan" <surenb@google.com>,
"Arnd Bergmann" <arnd@arndb.de>,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
rust-for-linux@vger.kernel.org,
"Christian Brauner" <brauner@kernel.org>
Subject: Re: [PATCH 3/3] rust: add abstraction for `struct page`
Date: Mon, 5 Feb 2024 09:23:46 -0800 [thread overview]
Message-ID: <ZcEZosrTCkLXeHh2@boqun-archlinux> (raw)
In-Reply-To: <CALNs47uy5rQ15wByzQA0_YzORM0nTFdi9-TvwyC4+ZTXVQBj4g@mail.gmail.com>
On Thu, Feb 01, 2024 at 01:50:53AM -0500, Trevor Gross wrote:
> On Fri, Jan 26, 2024 at 1:28 PM Boqun Feng <boqun.feng@gmail.com> wrote:
> >
> > On Fri, Jan 26, 2024 at 01:33:46PM +0100, Alice Ryhl wrote:
> > > On Fri, Jan 26, 2024 at 1:47 AM Boqun Feng <boqun.feng@gmail.com> wrote:
> > > >
> > > > On Wed, Jan 24, 2024 at 11:20:23AM +0000, Alice Ryhl wrote:
> > > > > [...]
> > > > > + /// Maps the page and writes into it from the given buffer.
> > > > > + ///
> > > > > + /// # Safety
> > > > > + ///
> > > > > + /// Callers must ensure that `src` is valid for reading `len` bytes.
> > > > > + pub unsafe fn write(&self, src: *const u8, offset: usize, len: usize) -> Result {
> > > >
> > > > Use a slice like type as `src` maybe? Then the function can be safe:
> > > >
> > > > pub fn write<S: AsRef<[u8]>>(&self, src: S, offset: usize) -> Result
> > > >
> > > > Besides, since `Page` impl `Sync`, shouldn't this `write` and the
> > > > `fill_zero` be a `&mut self` function? Or make them both `unsafe`
> > > > because of potential race and add some safety requirement?
> > >
> > > Ideally, we don't want data races with these methods to be UB. They
> >
> > I understand that, but in the current code, you can write:
> >
> > CPU 0 CPU 1
> > ===== =====
> >
> > page.write(src1, 0, 8);
> > page.write(src2, 0, 8);
> >
> > and it's a data race at kernel end. So my question is more how we can
> > prevent the UB ;-)
>
> Hm. Would the following work?
>
> // Change existing functions to work with references, meaning they need an
> // exclusive &mut self
> pub fn with_page_mapped<T>(
> &mut self,
> f: impl FnOnce(&mut [u8; PAGE_SIZE]) -> T
> ) -> T
>
> pub fn with_pointer_into_page<T>(
> &mut self,
> off: usize,
> len: usize,
> f: impl FnOnce(&mut [u8]) -> Result<T>,
> ) -> Result<T>
>
> // writing methods now take &mut self
> pub fn write(&mut self ...)
> pub fn fill_zero(&mut self ...)
> pub fn copy_into_page(&mut self ...)
>
> // Add two new functions that take &self, but return shared access
> pub fn with_page_mapped_raw<T>(
> &self,
> f: impl FnOnce(&UnsafeCell<[u8; PAGE_SIZE]>) -> T
> ) -> T
>
> pub fn with_pointer_into_page_raw<T>(
> &self,
> off: usize,
> len: usize,
> f: impl FnOnce(&[UnsafeCell<u8>]) -> Result<T>,
> ) -> Result<T>
>
> This would mean that anyone who can obey rust's mutability rules can
> use a page without any safety or race conditions to worry about, much
> better for usability.
>
> But if you do need to allow the data to be shared and racy, such as
> the userspace example, the `_raw` methods allow for that and you can
> `.get()` a `*mut u8` from the UnsafeCell. This moves the interior
> mutability only to the mapped data rather than the Page itself, which
> I think is more accurate anyway.
>
Looks good to me ;-) Thanks!
Regards,
Boqun
> Leveraging UnsafeCell would also make some things with UserSlicePtr
> more clear too.
>
> - Trevor
>
> > Regards,
> > Boqun
> >
> > > could be mapped into the address space of a userspace process.
> > >
> > > Alice
> >
>
next prev parent reply other threads:[~2024-02-05 17:25 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-24 11:20 [PATCH 0/3] Memory management patches needed by Rust Binder Alice Ryhl
2024-01-24 11:20 ` [PATCH 1/3] rust: add userspace pointers Alice Ryhl
2024-01-24 23:12 ` Valentin Obst
2024-02-08 12:20 ` Alice Ryhl
2024-02-01 4:06 ` Trevor Gross
2024-02-08 12:53 ` Alice Ryhl
2024-02-08 15:35 ` Greg Kroah-Hartman
2024-02-08 15:41 ` Alice Ryhl
2024-02-08 15:59 ` Greg Kroah-Hartman
2024-02-10 6:20 ` Kees Cook
2024-02-10 7:06 ` Trevor Gross
2024-02-10 14:14 ` David Laight
2024-02-12 9:30 ` Alice Ryhl
2024-01-24 11:20 ` [PATCH 2/3] rust: add typed accessors for " Alice Ryhl
2024-01-24 23:46 ` Valentin Obst
2024-01-25 12:40 ` Alice Ryhl
2024-01-25 12:26 ` Arnd Bergmann
2024-01-25 12:37 ` Alice Ryhl
2024-01-25 15:59 ` Arnd Bergmann
2024-01-25 16:15 ` Alice Ryhl
2024-02-01 5:03 ` Trevor Gross
2024-02-08 13:14 ` Alice Ryhl
2024-01-24 11:20 ` [PATCH 3/3] rust: add abstraction for `struct page` Alice Ryhl
2024-01-26 0:46 ` Boqun Feng
2024-01-26 12:33 ` Alice Ryhl
2024-01-26 18:28 ` Boqun Feng
2024-02-01 6:50 ` Trevor Gross
2024-02-05 17:23 ` Boqun Feng [this message]
2024-02-08 13:36 ` Alice Ryhl
2024-01-30 9:15 ` Andreas Hindborg (Samsung)
2024-01-29 17:59 ` Matthew Wilcox
2024-01-29 18:56 ` Carlos Llamas
2024-01-29 20:19 ` Matthew Wilcox
2024-01-29 21:27 ` Alice Ryhl
2024-01-30 9:02 ` Andreas Hindborg
2024-01-30 9:06 ` Alice Ryhl
2024-02-01 6:02 ` Trevor Gross
2024-02-08 13:46 ` Alice Ryhl
2024-02-08 14:02 ` Andreas Hindborg
2024-02-08 14:12 ` Alice Ryhl
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZcEZosrTCkLXeHh2@boqun-archlinux \
--to=boqun.feng@gmail.com \
--cc=a.hindborg@samsung.com \
--cc=akpm@linux-foundation.org \
--cc=alex.gaynor@gmail.com \
--cc=aliceryhl@google.com \
--cc=arnd@arndb.de \
--cc=arve@android.com \
--cc=benno.lossin@proton.me \
--cc=bjorn3_gh@protonmail.com \
--cc=brauner@kernel.org \
--cc=cmllamas@google.com \
--cc=gary@garyguo.net \
--cc=gregkh@linuxfoundation.org \
--cc=joel@joelfernandes.org \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=maco@android.com \
--cc=ojeda@kernel.org \
--cc=rust-for-linux@vger.kernel.org \
--cc=surenb@google.com \
--cc=tkjos@android.com \
--cc=tmgross@umich.edu \
--cc=viro@zeniv.linux.org.uk \
--cc=wedsonaf@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.