Date: Mon, 18 Mar 2024 14:07:43 -0700
From: Boqun Feng
To: Alice Ryhl
Cc: Miguel Ojeda, Matthew Wilcox, Al Viro, Andrew Morton, Kees Cook, Alex Gaynor, Wedson Almeida Filho, Gary Guo, Björn Roy Baron, Benno Lossin, Andreas Hindborg, Greg Kroah-Hartman, Arve Hjønnevåg, Todd Kjos, Martijn Coenen, Joel Fernandes, Carlos Llamas, Suren Baghdasaryan, Arnd Bergmann, linux-mm@kvack.org, linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org, Christian Brauner
Subject: Re: [PATCH v3 1/4] rust: uaccess: add userspace pointers
References: <20240311-alice-mm-v3-0-cdf7b3a2049c@google.com> <20240311-alice-mm-v3-1-cdf7b3a2049c@google.com>

On Mon, Mar 18, 2024 at 09:10:07PM +0100, Alice Ryhl wrote:
> On Mon, Mar 18, 2024 at 8:33 PM Boqun Feng wrote:
> >
> > On Mon, Mar 18, 2024 at 08:12:27PM +0100, Alice Ryhl wrote:
> > > On Mon, Mar 18, 2024 at 7:59 PM Boqun Feng wrote:
> > > >
> > > > On Mon, Mar 11, 2024 at 10:47:13AM +0000, Alice Ryhl wrote:
> > > > > +
> > > > > + /// Reads raw data from the user slice into a raw kernel buffer.
> > > > > + ///
> > > > > + /// Fails with `EFAULT` if the read encounters a page fault.
> > > > > + ///
> > > > > + /// # Safety
> > > > > + ///
> > > > > + /// The `out` pointer must be valid for writing `len` bytes.
> > > > > + pub unsafe fn read_raw(&mut self, out: *mut u8, len: usize) -> Result {
> > > >
> > > > I don't think we want to promote the pub usage of this unsafe function,
> > > > right? We can provide a safe version:
> > > >
> > > >     pub fn read_slice(&mut self, to: &[u8]) -> Result
> > > >
> > > > and all users can just use the safe version (with the help of
> > > > slice::from_raw_parts_mut() if necessary).
> > >
> > > Personally, I think having the function be unsafe is plenty discouragement.
> > >
> > > Also, this method would need an &mut [u8], which opens the can of
> > > worms related to uninitialized memory. The _raw version of this method
> >
> > make it a `&mut [MaybeUninit<u8>]` then? If that works, then _raw version
> > is not more powerful therefore no need to pub it.
>
> Nobody actually has a need for that. Also, it doesn't even remove the

I want to use read_slice() to replace read_raw(), and avoid even
pub(crate) for read_raw().

> need for unsafe code in the caller, since the caller still needs to
> assert that the call has initialized the memory.
>

If we have the read_slice():

    pub fn read_slice(&mut self, to: &mut [MaybeUninit<u8>]) -> Result

then the read_all() function can be implemented as:

    pub fn read_all(mut self, buf: &mut Vec<u8>) -> Result {
        let len = self.length;
        buf.try_reserve(len)?;

        // Append `len` bytes in the `buf`.
        self.read_slice(&mut buf.spare_capacity_mut()[0..len])?;

        // SAFETY: Since the call to `read_slice` was successful, the
        // next `len` bytes of the vector have been initialized.
        unsafe { buf.set_len(buf.len() + len) };
        Ok(())
    }

One unsafe block has been removed, and yes, you're right, there is still
a need for unsafe here, since the caller still needs to assert the memory
has been initialized. However, to me, it's still an improvement, since
one unsafe block gets removed because we get away from reasoning based
on raw pointers and length.

And yes, for the worst case, we still have the same amount of unsafe
code. For example in `Page::copy_from_user_slice`, if read_slice() is
used, we still need to:

    let mut s = unsafe { slice::from_raw_parts_mut(dst.cast::<MaybeUninit<u8>>(), len) };
    reader.read_slice(&mut s);

i.e. move the unsafe part from `reader` to the construction of a
"writable slice". However, it's still better, since constructing a slice
is quite common in Rust so it's easy to check the safety requirement.

I generally think replacing a pointer+length pair with a slice is
better.

Regards,
Boqun

> > > is strictly more powerful.
> > >
> > > I don't think I actually use it directly in Binder, so I can make it
> > > private if you think that's important. It needs to be pub(crate),
> >
> > I might be too picky, but avoiding pub unsafe functions if not necessary
> > could help us reduce unnecessary unsafe code ;-)
> >
> > Regards,
> > Boqun
> >
> > > though, since it is used in `Page`.
> > >
> > > Alice
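
Review bot: the `# Safety` section of `read_raw` in the quoted hunk only requires `out` to be valid for writing `len` bytes; the doc comment does not say what happens when `len` is larger than what remains in the user slice, or whether part of `out` may already have been written when the call fails with `EFAULT`. Documenting both would tell callers that pass uninitialized memory, as discussed in this thread, that only an `Ok` return lets them treat the `len` bytes as initialized.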
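
A user-space mock of the `read_slice()`/`read_all()` shape proposed in this mail, added here as an illustration; it is not code from the patch or from either author. `MockUserReader`, `Efault` and the fault simulation (reading past `src`) are assumptions of this sketch.

```rust
use std::mem::MaybeUninit;

/// Stand-in for the kernel's `EFAULT` (hypothetical type for this sketch).
#[derive(Debug, PartialEq)]
pub struct Efault;

/// Mock reader: `src` plays the mapped user memory, `length` the claimed size
/// of the user slice. Reading past `src` simulates a page fault.
pub struct MockUserReader<'a> {
    src: &'a [u8],
    length: usize,
}

impl<'a> MockUserReader<'a> {
    pub fn new(src: &'a [u8], length: usize) -> Self {
        Self { src, length }
    }

    /// Safe counterpart of `read_raw`: the slice carries pointer and length
    /// together, and `MaybeUninit` allows an uninitialized destination.
    pub fn read_slice(&mut self, to: &mut [MaybeUninit<u8>]) -> Result<(), Efault> {
        let len = to.len();
        if len > self.length {
            return Err(Efault);
        }
        // Like a faulting copy, this may fill part of `to` before failing.
        for (dst, byte) in to.iter_mut().zip(self.src) {
            dst.write(*byte);
        }
        if self.src.len() < len {
            return Err(Efault);
        }
        self.src = &self.src[len..];
        self.length -= len;
        Ok(())
    }

    /// `read_all` as sketched in the mail, with its single `unsafe` block.
    pub fn read_all(mut self, buf: &mut Vec<u8>) -> Result<(), Efault> {
        let len = self.length;
        buf.try_reserve(len).map_err(|_| Efault)?;
        self.read_slice(&mut buf.spare_capacity_mut()[..len])?;
        // SAFETY: `read_slice` returned Ok, so the next `len` bytes are
        // initialized. On Err we returned above with `buf.len()` unchanged.
        unsafe { buf.set_len(buf.len() + len) };
        Ok(())
    }
}
```

On the fault path the spare capacity may hold partially written bytes, but the vector's length never grows over them, so safe code cannot observe them.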