Date: Mon, 18 Mar 2024 14:07:43 -0700
From: Boqun Feng
To: Alice Ryhl
Cc: Miguel Ojeda, Matthew Wilcox, Al Viro, Andrew Morton, Kees Cook, Alex Gaynor, Wedson Almeida Filho, Gary Guo, Björn Roy Baron, Benno Lossin, Andreas Hindborg, Greg Kroah-Hartman, Arve Hjønnevåg, Todd Kjos, Martijn Coenen, Joel Fernandes, Carlos Llamas, Suren Baghdasaryan, Arnd Bergmann, linux-mm@kvack.org, linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org, Christian Brauner
Subject: Re: [PATCH v3 1/4] rust: uaccess: add userspace pointers
References:
 <20240311-alice-mm-v3-0-cdf7b3a2049c@google.com> <20240311-alice-mm-v3-1-cdf7b3a2049c@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Mar 18, 2024 at 09:10:07PM +0100, Alice Ryhl wrote:
> On Mon, Mar 18, 2024 at 8:33 PM Boqun Feng wrote:
> >
> > On Mon, Mar 18, 2024 at 08:12:27PM +0100, Alice Ryhl wrote:
> > > On Mon, Mar 18, 2024 at 7:59 PM Boqun Feng wrote:
> > > >
> > > > On Mon, Mar 11, 2024 at 10:47:13AM +0000, Alice Ryhl wrote:
> > > > > +
> > > > > + /// Reads raw data from the user slice into a raw kernel buffer.
> > > > > + ///
> > > > > + /// Fails with `EFAULT` if the read encounters a page fault.
> > > > > + ///
> > > > > + /// # Safety
> > > > > + ///
> > > > > + /// The `out` pointer must be valid for writing `len` bytes.
> > > > > + pub unsafe fn read_raw(&mut self, out: *mut u8, len: usize) -> Result {
> > > >
> > > > I don't think we want to promote the pub usage of this unsafe function,
> > > > right? We can provide a safe version:
> > > >
> > > >     pub fn read_slice(&mut self, to: &[u8]) -> Result
> > > >
> > > > and all users can just use the safe version (with the help of
> > > > slice::from_raw_parts_mut() if necessary).
> > >
> > > Personally, I think having the function be unsafe is plenty discouragement.
> > >
> > > Also, this method would need an &mut [u8], which opens the can of
> > > worms related to uninitialized memory. The _raw version of this method
> >
> > make it a `&mut [MaybeUninit<u8>]` then? If that works, then _raw version
> > is not more powerful therefore no need to pub it.
>
> Nobody actually has a need for that. Also, it doesn't even remove the

I want to use read_slice() to replace read_raw(), and avoid even
pub(crate) for read_raw().
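Review bot: the doc comment on `read_raw` names only the page-fault failure, yet its `# Safety` section is all an unsafe caller has to go on; it should also say whether `out` may be partially written when the call returns `EFAULT`, and what happens when `len` exceeds the bytes remaining in the user slice (rejected with an error, or clamped). One extra line after the `Fails with EFAULT` sentence, stating that the call may modify `out` even when it returns an error, would close the first gap; the bounds behaviour belongs in the same paragraph.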
> need for unsafe code in the caller, since the caller still needs to
> assert that the call has initialized the memory.
>

If we have the read_slice():

    pub fn read_slice(&mut self, to: &mut [MaybeUninit<u8>]) -> Result

then the read_all() function can be implemented as:

    pub fn read_all(mut self, buf: &mut Vec<u8>) -> Result {
        let len = self.length;
        buf.try_reserve(len)?;

        // Append `len` bytes to `buf`, reading into its spare capacity.
        self.read_slice(&mut buf.spare_capacity_mut()[0..len])?;

        // SAFETY: The call to `read_slice` was successful, so the next
        // `len` bytes of the vector have been initialized.
        unsafe { buf.set_len(buf.len() + len) };

        Ok(())
    }

one unsafe block has been removed, and yes, you're right, there is still
a need for unsafe here, since the caller still needs to assert the memory
has been initialized. However, to me, it's still an improvement, since
one unsafe block gets removed because we get away from reasoning based on
raw pointers and length.

And yes, for the worst case, we still have the same amount of unsafe
code. For example in `Page::copy_from_user_slice`, if read_slice() is
used, we still need to:

    // SAFETY: `dst` is valid for writing `len` bytes (the requirement
    // `read_raw` would otherwise have placed on its caller).
    let s = unsafe { slice::from_raw_parts_mut(dst.cast::<MaybeUninit<u8>>(), len) };
    reader.read_slice(s)?;

i.e. move the unsafe part from `reader` to the construction of a
"writable slice". However, it's still better, since constructing a slice
is quite common in Rust so it's easy to check the safety requirement.

I generally think replacing a pointer+length pair with a slice is better.

Regards,
Boqun

> > > is strictly more powerful.
> > >
> > > I don't think I actually use it directly in Binder, so I can make it
> > > private if you think that's important. It needs to be pub(crate),
> >
> > I might be too picky, but avoiding pub unsafe functions if not necessary
> > could help us reduce unnecessary unsafe code ;-)
> >
> > Regards,
> > Boqun
> >
> > > though, since it is used in `Page`.
> > >
> > > Alice
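The `read_slice`/`read_all` pattern sketched in the thread, as an added stand-alone example that is neither the thread's nor the kernel's code: `MockUserReader`, `Efault` and the `fault_at` offset are constructed stand-ins for `UserSliceReader`, `EFAULT` and a real page fault, so the block runs with plain std Rust. It shows what the `SAFETY` comment relies on: the vector's length is extended only after `read_slice` succeeds, so a fault mid-copy leaves `buf` at its old length.

```rust
use core::mem::MaybeUninit;

/// Stand-in for the kernel's `EFAULT` error (constructed for this example).
#[derive(Debug, PartialEq)]
pub struct Efault;

/// Mock of `UserSliceReader`: "user memory" is a plain byte buffer and
/// `fault_at` is an offset at which a page fault is simulated (hypothetical).
pub struct MockUserReader<'a> {
    mem: &'a [u8],
    pos: usize,
    fault_at: Option<usize>,
}

impl<'a> MockUserReader<'a> {
    pub fn new(mem: &'a [u8], fault_at: Option<usize>) -> Self { Self { mem, pos: 0, fault_at } }

    /// Bytes not yet consumed (the `self.length` of the sketch).
    pub fn len(&self) -> usize { self.mem.len() - self.pos }

    /// Safe replacement for `read_raw`: the slice carries the length, so the caller
    /// never reasons about a raw pointer. Like copy_from_user, `to` may be partially
    /// written when `Err` is returned.
    pub fn read_slice(&mut self, to: &mut [MaybeUninit<u8>]) -> Result<(), Efault> {
        if to.len() > self.len() { return Err(Efault); } // read past the user slice
        for (i, dst) in to.iter_mut().enumerate() {
            let off = self.pos + i;
            if self.fault_at == Some(off) {
                return Err(Efault); // simulated page fault mid-copy
            }
            dst.write(self.mem[off]);
        }
        self.pos += to.len();
        Ok(())
    }

    /// `read_all` as sketched in the thread: reserve, fill the spare capacity
    /// through `read_slice`, and extend the length only on success.
    pub fn read_all(mut self, buf: &mut Vec<u8>) -> Result<(), Efault> {
        let len = self.len();
        buf.try_reserve(len).map_err(|_| Efault)?; // the kernel would return ENOMEM here
        self.read_slice(&mut buf.spare_capacity_mut()[..len])?;
        // SAFETY: `read_slice` succeeded, so the next `len` spare bytes are
        // initialized; on `Err` we returned above and `buf.len()` is untouched.
        unsafe { buf.set_len(buf.len() + len) };
        Ok(())
    }
}
```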