From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id E6989C4345F
	for <linux-mm@archiver.kernel.org>; Thu, 18 Apr 2024 22:08:52 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 649BA6B007B; Thu, 18 Apr 2024 18:08:52 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 5F9686B0092; Thu, 18 Apr 2024 18:08:52 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 49A006B0093; Thu, 18 Apr 2024 18:08:52 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0017.hostedemail.com [216.40.44.17])
	by kanga.kvack.org (Postfix) with ESMTP id 2C09F6B007B
	for <linux-mm@kvack.org>; Thu, 18 Apr 2024 18:08:52 -0400 (EDT)
Received: from smtpin10.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay04.hostedemail.com (Postfix) with ESMTP id 9827A1A0230
	for <linux-mm@kvack.org>; Thu, 18 Apr 2024 22:08:51 +0000 (UTC)
X-FDA: 82024043262.10.9586017
Received: from mail-40131.protonmail.ch (mail-40131.protonmail.ch [185.70.40.131])
	by imf06.hostedemail.com (Postfix) with ESMTP id ACAEF180004
	for <linux-mm@kvack.org>; Thu, 18 Apr 2024 22:08:49 +0000 (UTC)
Authentication-Results: imf06.hostedemail.com;
	dkim=pass header.d=proton.me header.s=r6zuhh2gpff4riwh2mm7beoj3q.protonmail header.b=fT8B6Pml;
	dmarc=pass (policy=quarantine) header.from=proton.me;
	spf=pass (imf06.hostedemail.com: domain of benno.lossin@proton.me designates 185.70.40.131 as permitted sender) smtp.mailfrom=benno.lossin@proton.me
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com;
	s=arc-20220608; t=1713478130;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=BjZw5NoXdZy4cjpwzceRMewixxlr0ZNrjRE7YuR6ZzQ=;
	b=8l3b2aZMdKnRaG5REW7K2SwpnQJzGLu25hFKHJTPFg33X4YanE+ahQg7zEFhRNJrw8bo0F
	U/Dv7tOrjhmeNJSxkOyZCe+1+DIEQUiuM7IbCGJshu3c0Hpk3aVEet/GwPhTzKNVr4drVy
	XrKCt/DJcQuA/h4vFF2tlmRIu9UXubg=
ARC-Authentication-Results: i=1;
	imf06.hostedemail.com;
	dkim=pass header.d=proton.me header.s=r6zuhh2gpff4riwh2mm7beoj3q.protonmail header.b=fT8B6Pml;
	dmarc=pass (policy=quarantine) header.from=proton.me;
	spf=pass (imf06.hostedemail.com: domain of benno.lossin@proton.me designates 185.70.40.131 as permitted sender) smtp.mailfrom=benno.lossin@proton.me
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1713478130; a=rsa-sha256;
	cv=none;
	b=klu4mXNSI2dFQY8oFJhgXtf4WFzQkiufQAhaCgC5ts4C8fNLoYhdF3hUu2BTrTQcu3z9tU
	o6NSitMF/OiOSAVetDl5krH1avyIQt3IGOb3DGFH8gIwK8N/zLj66aYxjkfyPg4Q454rc4
	6JQnyjpHPe6db7u/v0alKkLZxetxZRM=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=proton.me;
	s=r6zuhh2gpff4riwh2mm7beoj3q.protonmail; t=1713478127; x=1713737327;
	bh=BjZw5NoXdZy4cjpwzceRMewixxlr0ZNrjRE7YuR6ZzQ=;
	h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References:
	 Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID:
	 Message-ID:BIMI-Selector;
	b=fT8B6PmlDHeDQ4NR6WOPZAFGeOM3AkMJP+HEIGfVsXqhHRxDrwroYmciROBh7weqZ
	 vH27Ji8ol8PBYoNBhEFf2SZwthGAloNqtWk8ZT2HoJW40FTHYxqPWLrlGs2kZJt4v6
	 GMKca4XYiOv9oN9Tc5uJe6ShVj6SC++mYTrkfsskr4DbhLxlAF0QTd3OIbUiA7B0EW
	 pNJ7zirktW3xqJ0sbmPvIBp1K2nACmIxYLaoVTM0onD2c4mL5RcN32V54l4v/ULy8A
	 0IVlelYq9GdbK9iOjj4lJGWbmT864+43ZVhgf2EWHWhicDcj6EYvWNIOumvaT8K7H9
	 17nF5UI1VytTA==
Date: Thu, 18 Apr 2024 22:08:40 +0000
To: Boqun Feng <boqun.feng@gmail.com>, Alice Ryhl <aliceryhl@google.com>
From: Benno Lossin <benno.lossin@proton.me>
Cc: Miguel Ojeda <ojeda@kernel.org>, Matthew Wilcox <willy@infradead.org>, Al Viro <viro@zeniv.linux.org.uk>, Andrew Morton <akpm@linux-foundation.org>, Kees Cook <keescook@chromium.org>, Alex Gaynor <alex.gaynor@gmail.com>, Wedson Almeida Filho <wedsonaf@gmail.com>, Gary Guo <gary@garyguo.net>, =?utf-8?Q?Bj=C3=B6rn_Roy_Baron?= <bjorn3_gh@protonmail.com>, Andreas Hindborg <a.hindborg@samsung.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, =?utf-8?Q?Arve_Hj=C3=B8nnev=C3=A5g?= <arve@android.com>, Todd Kjos <tkjos@android.com>, Martijn Coenen <maco@android.com>, Joel Fernandes <joel@joelfernandes.org>, Carlos Llamas <cmllamas@google.com>, Suren Baghdasaryan <surenb@google.com>, Arnd Bergmann <arnd@arndb.de>, Trevor Gross <tmgross@umich.edu>, linux-mm@kvack.org, linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org, Christian Brauner <brauner@kernel.org>
Subject: Re: [PATCH v6 4/4] rust: add abstraction for `struct page`
Message-ID: <87dc4cdf-ccf6-4b08-8915-313aad313f93@proton.me>
In-Reply-To: <ZiFsCLb-BZWbBHsu@boqun-archlinux>
References: <20240418-alice-mm-v6-0-cb8f3e5d688f@google.com> <20240418-alice-mm-v6-4-cb8f3e5d688f@google.com> <ZiFsCLb-BZWbBHsu@boqun-archlinux>
Feedback-ID: 71780778:user:proton
X-Pm-Message-ID: cd25ad47d5df3781bfc222584317121079a4a3b5
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Rspam-User: 
X-Rspamd-Server: rspam11
X-Rspamd-Queue-Id: ACAEF180004
X-Stat-Signature: s7ysdan4r9z69ok1jqke8ypccdw6ngty
X-HE-Tag: 1713478129-453602
X-HE-Meta: U2FsdGVkX190dkKVrMm08VwwpF1wE18VlPJneaPz43tBJnVGyRylgESx2he0v1iC3ib958flxtFRDVwj67hNjorQdYt/2HiyIFrLXSWZoaBoeq7Le7CmOI53hFjSJTMERb2f81kL1wzXgy3uEmd8HZ6OXAdOVcj3qlUrNt04tiBa/1QlgIr4qBwOtPeQ913NIPmoYPVCEnMgtBIXt4IXftDt1qICNaB4sM6J2tL22O6KH/PlNS/suMsVqmx81JPMSCStZC0s6bTu+f16zA7bcZwzlnE6PqbhFT6Xnhaj0LIZ2MJMx1VFDv/ZF/PQJxcnUuXe42tCohq8/ZRW+fWjBFQ7foIV7zvw/0CkS8THMI7qPFvyZTy3+XXt4U/SLLfN4Zpj5uhGhkwyTRynD3D3zQylU5W30XceHZRmV17mFN+PP/d9pXuccnWBjG5SqqFx6EoSqYRNw0wdiEnHQrif2KgByajUD5yAXsH92wC2b1/7gIy3q8UNpT1e52oG7J4YtwXrASSVy51G35Dfzc0hkfDdIBt6gS9BFb3jk3G4TZjSCW6LI+gOVkaoASYXXMki1U9xshbS4/EWbVSMKO218R9k1m5WJ7C8vPHolSeB47TIlOsogHO5I6zfPlFRny490LLvb1zV6+cAmb4LaZ2xuQ/pp9gnaSn5JJ7KTFP6v2DNX6bwy077jLcnKAJ9gWgdl3PvysbuXbO2OV4mdDduwPmkjd6ii+uae/OtN4jqHI5hF3kXOOk+tKBxhCgfiFSfmsTIQHbaLq7bonvBRYxZTgYHz0iwd32MHJH0GtaXASCQ6dLnL5jq3lm1ipYYRrr1MDTwq6uT61E/tMpjFZ1H95uDHHfVgf4tHv6nRGYjWxTWLr5DjFcQ22iPAbBAn9WhvLXguaf8Vwr/MXoAgihHIqJ9OF2ER6mzAoRjsBmzvR/clmzamBzreI/XK4HYrjDMPmJIVFNsOmIGWjUrR1o
 G40tYWhW
 3kwqnNsIFnuCOPXpYRc1BTxfQR5CSvZr0Qv7UDvSYAuxjx8WnE+8e5eQB0REePTL/ogmC752SGjccD02nUaxgiSBK/sb/Gwl0PAkeWt0AHNJ71hYSDZtfDfJLqat8Y0/u/pLAHNvgEKe8zO5+dOOuUg/CMGZGwsfLknnaU7/EBP0lihfgiGYscPIBTmX0Sqo0HUvzGdycT/i5N3rX3KukGREvyBa6htYHhFhX4NnGNFk+PCMnVveGri4TqcOOCOpGdNxm7HatJHK2nTxNuam0hSClSqYl6RvIRQX7Iw3qCXIovuYOmbD1rbvw++KtvlyQxCky+PpLS04iSHa0hKztvSSMuVkszK9JE0k8w//gNVf5RxE=
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>
List-Subscribe: <mailto:majordomo@kvack.org>
List-Unsubscribe: <mailto:majordomo@kvack.org>

On 18.04.24 20:52, Boqun Feng wrote:
> On Thu, Apr 18, 2024 at 08:59:20AM +0000, Alice Ryhl wrote:
>> +    /// Runs a piece of code with a raw pointer to a slice of this page=
, with bounds checking.
>> +    ///
>> +    /// If `f` is called, then it will be called with a pointer that po=
ints at `off` bytes into the
>> +    /// page, and the pointer will be valid for at least `len` bytes. T=
he pointer is only valid on
>> +    /// this task, as this method uses a local mapping.
>> +    ///
>> +    /// If `off` and `len` refers to a region outside of this page, the=
n this method returns
>> +    /// `EINVAL` and does not call `f`.
>> +    ///
>> +    /// # Using the raw pointer
>> +    ///
>> +    /// It is up to the caller to use the provided raw pointer correctl=
y. The pointer is valid for
>> +    /// `len` bytes and for the duration in which the closure is called=
. The pointer might only be
>> +    /// mapped on the current thread, and when that is the case, derefe=
rencing it on other threads
>> +    /// is UB. Other than that, the usual rules for dereferencing a raw=
 pointer apply: don't cause
>> +    /// data races, the memory may be uninitialized, and so on.
>> +    ///
>> +    /// If multiple threads map the same page at the same time, then th=
ey may reference with
>> +    /// different addresses. However, even if the addresses are differe=
nt, the underlying memory is
>> +    /// still the same for these purposes (e.g., it's still a data race=
 if they both write to the
>> +    /// same underlying byte at the same time).
>> +    fn with_pointer_into_page<T>(
>> +        &self,
>> +        off: usize,
>> +        len: usize,
>> +        f: impl FnOnce(*mut u8) -> Result<T>,
>=20
> I wonder whether the way to go here is making this function signature:
>=20
>      fn with_slice_in_page<T> (
>          &self,
> =09       off: usize,
> =09       len: usize,
> =09       f: iml FnOnce(&UnsafeCell<[u8]>) -> Result<T>
>      ) -> Result<T>
>=20
> , because in this way, it makes a bit more clear that what memory that
> `f` can access, in other words, the users are less likely to use the
> pointer in a wrong way.
>=20
> But that depends on whether `&UnsafeCell<[u8]>` is the correct
> abstraction and the ecosystem around it: for example, I feel like these
> two functions:
>=20
> =09    fn len(slice: &UnsafeCell<[u8]>) -> usize
> =09    fn as_ptr(slice: &UnsafeCell<[u8]>) -> *mut u8
>=20
> should be trivially safe, but I might be wrong. Again this is just for
> future discussion.

I think the "better" type would be `&[UnsafeCell<u8>]`. Since there you
can always access the length.

Another question would be if page allows for uninitialized bits, in that
case, we would need `&[Opaque<u8>]`.

But I don't remember how to get a valid raw pointer from
`&[UnsafeCell<u8>]`.

--=20
Cheers,
Benno