Received: by 2002:a05:7412:d1aa:b0:fc:a2b0:25d7 with SMTP id ba42csp34876rdb; Wed, 31 Jan 2024 22:52:21 -0800 (PST) X-Google-Smtp-Source: AGHT+IFoqBRMxPYCtLIxlf+mqvIfVRYPA0TUzJ3zxvfaWM1zk1PTGyYMkObAioGr94cC51OHL4xG X-Received: by 2002:a17:902:c94a:b0:1d8:f232:c405 with SMTP id i10-20020a170902c94a00b001d8f232c405mr3952718pla.63.1706770341677; Wed, 31 Jan 2024 22:52:21 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1706770341; cv=pass; d=google.com; s=arc-20160816; b=U49/6+PAz9BgT5k61RX6Nek3lNMsilHCiSt8eW8pzXnZ2rdKsw1fxEkn0iktIzojDu OiuKhwwLTqIAFFaCATd2W2pu5nxhWSNBimihRy6OuDfSjxGH71B3fd2DT75qi4nAI+DJ sKBkzUSrOTT5DdrBlcMT7ZTagTLHcl+2XBaC1HHBAbFx1rRtTaSbd9xtmfv4TaXSy6US 7G3IagutvuOxK7VKr6eIfjckfkZaTNw+/vhTEoRd+HM/jRLTVvSfNdWeVX0b/W4EaX+P x2yz51XkXbevGjwX3WaB8igr//y5mY/ZnI5o0BEJ13F1FM+zHqoZdnS+cUSR8mUlSmao d4kA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:list-unsubscribe:list-subscribe :list-id:precedence:dkim-signature; bh=r0VzwVbSa/n1qDmz4589AdSmL/ygOZFpk7QXNbXjzSU=; fh=VeuJA+3ZO4wIK/NOvunWBJKL0VNJYPAoR8R8ZK57v3E=; b=0KVRGGZ5rA3gaHBk8h9QHdIObZO2fxkVdbBhPgbj9eq5Egl/wjyt5IATfUDFRQlN8n xPYNY4t5Vj+xZf58T5rv2IYESUFRFr9J7oC7snAwaBikpVSSnIWALg/Ua8xDa9GPVOrs asndSCj2wjBBH3ipHcxVCWJPoOqjzZwbyni13jBDoMfa2IPgvmOaG9N5CQdEqb6U89W1 TMqS9z0MfX4bD9SG9rTxFQJJ1iUsYno5NOdJK3NQvQopFodkShOZ3GgUz3RLgBG/XM3v kqTRMsrCpf0J/kmGtltnvRWxBza3iJCjNyNCsp78Z3R1kMCmzIzHliXNlkfad6ok0nbC 08XQ==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@umich.edu header.s=google-2016-06-03 header.b=mwPg9gZk; arc=pass (i=1 spf=pass spfdomain=umich.edu dkim=pass dkdomain=umich.edu dmarc=pass fromdomain=umich.edu); spf=pass (google.com: domain of linux-kernel+bounces-47713-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-47713-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=umich.edu X-Forwarded-Encrypted: i=1; AJvYcCVtnht9R8/u6epTELZi/WBYEVeRL2I/cyRJmocTtL+vWYsvtJ9kpHaZxPWh5GNFACcD5Eiz9C3NurYG/HdFXAmq3ZKOqTTx6p7Z89cJlQ== Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1]) by mx.google.com with ESMTPS id z20-20020a1709028f9400b001d7204a84ddsi11385014plo.499.2024.01.31.22.52.21 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 31 Jan 2024 22:52:21 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-47713-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1; Authentication-Results: mx.google.com; dkim=pass header.i=@umich.edu header.s=google-2016-06-03 header.b=mwPg9gZk; arc=pass (i=1 spf=pass spfdomain=umich.edu dkim=pass dkdomain=umich.edu dmarc=pass fromdomain=umich.edu); spf=pass (google.com: domain of linux-kernel+bounces-47713-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-47713-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=umich.edu Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 8BC072891F0 for ; Thu, 1 Feb 2024 06:51:17 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 6C6772B9D1; Thu, 1 Feb 2024 06:51:08 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=umich.edu header.i=@umich.edu header.b="mwPg9gZk" Received: from mail-yw1-f179.google.com (mail-yw1-f179.google.com [209.85.128.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7DBCE14D421 for ; Thu, 1 Feb 2024 06:51:05 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.179 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706770267; cv=none; b=QB5JV278fWCpx1KK0+bUN3Cign4hA9BmSe6N9Cel3qkn3dhVAka/jJMxn2thqN8dKua3/kkcwSI8KAisGi7+URfz++mE3GMD9QcCUmgoVJM2URuDhrySdbP0nMsqmsU0HVTZjWJp+CfylTiXzZNo4hM7aR8rm1tZ0y1HVMu5bmM= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706770267; c=relaxed/simple; bh=P+pMvfm6p1iUGj9fFqEXcNfnHx7jGrN/9q82u2ktWFw=; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=kVxwtVqH36lABSuOz19aW7SGjlwoFTzqhopOV5DlY+Ir0eOgM/SnVrLs9xm/yZfkllxkEOHZ5otPERd6wvTNLkGEaSqr0I5nqrD3c4rDeUpGMpETY/MrqEi9U+hKMgLh4ygBwD/zmdT6YWMh/QQq8buw+conXcMRuR4pJ6D0Ymc= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=umich.edu; spf=pass smtp.mailfrom=umich.edu; dkim=pass (2048-bit key) header.d=umich.edu header.i=@umich.edu header.b=mwPg9gZk; arc=none smtp.client-ip=209.85.128.179 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=umich.edu Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=umich.edu Received: by mail-yw1-f179.google.com with SMTP id 00721157ae682-6040fe8ba39so7265147b3.2 for ; Wed, 31 Jan 2024 22:51:05 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umich.edu; s=google-2016-06-03; t=1706770264; x=1707375064; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=r0VzwVbSa/n1qDmz4589AdSmL/ygOZFpk7QXNbXjzSU=; b=mwPg9gZkvS8/Z5artXP/PAUBGR7TjrCGVEYguHpbBRAXF/KK5jVsJJguxev4u003pN 5yvCOMz9DiuKf0R/xoOhQKv7lHPgvrMHBPgwytT2PkJ5MTnFThDaNTskUsIQZcIzTp0+ 6WW9LacKc5qTzQowx+VxpitGuVwt2TlGQZxeeNIJH9wlLWfJ6iFMdvj690+g/WeGc/uK w2hvZfKtaMiXlO80HOcNEAlrJCplq4n3XzLjFxMjH2dDBJC8Pc+wGwqZBHA7yUf0gMgW 3+xYbNAy1K+Y1NFKAmDgJ0WtWKXd5OHdCBphPrbOi7Y0xPQvDiG5RrSAckF7C3cg6c+P hu4Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706770264; x=1707375064; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=r0VzwVbSa/n1qDmz4589AdSmL/ygOZFpk7QXNbXjzSU=; b=sXCrzsuJAqvpGQcLmVlnM9g2eEWe0MxCg76ha+PEW1BFQBuzSo9QvF14U+k+sC7SVo +1r159Wagb/VQVG30Nnt+FKVmCcxkmHIIhtuimMEaKehL7QtY1X76eV0Uybs0Fs1djeQ k1fuwRm1YzwQcTSi4W+di04bSOZMz5scz3Cmxqk9W4feQew0FXkQdudlZVh3p1YuU/k/ nYloW2vATAJhWDfumqq+lgZa1MIkuCpf+HtaJdgVq+G1BU1d9VV5QyT3wWh7W4meWVqO J0P2SKTdd6ss/14klk2sOURFvY2yyuwle6nkiwj0JqAMb1rBezI9JIrsq4bV2o0P6yid smBA== X-Gm-Message-State: AOJu0Yx+QjyD1hO6ICUH3gRyPcpVl8nGDuXC+y2VwjsHqYLBk0CpXsOS dUpUmcFlnXAULyYfxPf3k6Lff92dAy/2PVE1irdSBCUVd/G40wSdR1F7a4DJxUEhdFVKFrTWOwb XODsWI/bZEQV2/GJoeX4Jls+7lUGi/yOMhurkoQ== X-Received: by 2002:a0d:e857:0:b0:5f6:4f5a:8bd2 with SMTP id r84-20020a0de857000000b005f64f5a8bd2mr3187081ywe.0.1706770264344; Wed, 31 Jan 2024 22:51:04 -0800 (PST) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <20240124-alice-mm-v1-0-d1abcec83c44@google.com> <20240124-alice-mm-v1-3-d1abcec83c44@google.com> In-Reply-To: From: Trevor Gross Date: Thu, 1 Feb 2024 01:50:53 -0500 Message-ID: Subject: Re: [PATCH 3/3] rust: add abstraction for `struct page` To: Boqun Feng , Alice Ryhl , Andreas Hindborg Cc: Miguel Ojeda , Alex Gaynor , Wedson Almeida Filho , Gary Guo , =?UTF-8?Q?Bj=C3=B6rn_Roy_Baron?= , Benno Lossin , Kees Cook , Al Viro , Andrew Morton , Greg Kroah-Hartman , =?UTF-8?B?QXJ2ZSBIasO4bm5ldsOlZw==?= , Todd Kjos , Martijn Coenen , Joel Fernandes , Carlos Llamas , Suren Baghdasaryan , Arnd Bergmann , linux-mm@kvack.org, linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org, Christian Brauner Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Fri, Jan 26, 2024 at 1:28=E2=80=AFPM Boqun Feng w= rote: > > On Fri, Jan 26, 2024 at 01:33:46PM +0100, Alice Ryhl wrote: > > On Fri, Jan 26, 2024 at 1:47=E2=80=AFAM Boqun Feng wrote: > > > > > > On Wed, Jan 24, 2024 at 11:20:23AM +0000, Alice Ryhl wrote: > > > > [...] > > > > + /// Maps the page and writes into it from the given buffer. > > > > + /// > > > > + /// # Safety > > > > + /// > > > > + /// Callers must ensure that `src` is valid for reading `len` = bytes. > > > > + pub unsafe fn write(&self, src: *const u8, offset: usize, len:= usize) -> Result { > > > > > > Use a slice like type as `src` maybe? Then the function can be safe: > > > > > > pub fn write>(&self, src: S, offset: usize) ->= Result > > > > > > Besides, since `Page` impl `Sync`, shouldn't this `write` and the > > > `fill_zero` be a `&mut self` function? Or make them both `unsafe` > > > because of potential race and add some safety requirement? > > > > Ideally, we don't want data races with these methods to be UB. They > > I understand that, but in the current code, you can write: > > CPU 0 CPU 1 > =3D=3D=3D=3D=3D =3D=3D=3D=3D=3D > > page.write(src1, 0, 8); > page.write(src2, 0, 8); > > and it's a data race at kernel end. So my question is more how we can > prevent the UB ;-) Hm. Would the following work? // Change existing functions to work with references, meaning they need= an // exclusive &mut self pub fn with_page_mapped( &mut self, f: impl FnOnce(&mut [u8; PAGE_SIZE]) -> T ) -> T pub fn with_pointer_into_page( &mut self, off: usize, len: usize, f: impl FnOnce(&mut [u8]) -> Result, ) -> Result // writing methods now take &mut self pub fn write(&mut self ...) pub fn fill_zero(&mut self ...) pub fn copy_into_page(&mut self ...) // Add two new functions that take &self, but return shared access pub fn with_page_mapped_raw( &self, f: impl FnOnce(&UnsafeCell<[u8; PAGE_SIZE]>) -> T ) -> T pub fn with_pointer_into_page_raw( &self, off: usize, len: usize, f: impl FnOnce(&[UnsafeCell]) -> Result, ) -> Result This would mean that anyone who can obey rust's mutability rules can use a page without any safety or race conditions to worry about, much better for usability. But if you do need to allow the data to be shared and racy, such as the userspace example, the `_raw` methods allow for that and you can `.get()` a `*mut u8` from the UnsafeCell. This moves the interior mutability only to the mapped data rather than the Page itself, which I think is more accurate anyway. Leveraging UnsafeCell would also make some things with UserSlicePtr more clear too. - Trevor > Regards, > Boqun > > > could be mapped into the address space of a userspace process. > > > > Alice >