Received: by 2002:ab2:6203:0:b0:1f5:f2ab:c469 with SMTP id o3csp296398lqt; Thu, 18 Apr 2024 15:58:28 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCUfTPFWBkY6uRAICQmNT/4KLXd79PrrVk2Y3e2T63pqwXFJPdLgBks/TQbnFdQr4adZEW0ofovrN+wq9pZeoaXDsG0EYQFOYk4HPsLKtA== X-Google-Smtp-Source: AGHT+IHZRdJAjuq/zu87NjHbiNIqm+cpUFgGyzJpO8S/wGdcdwRGxpHIm9RwlpadyTamdJH+4h/Z X-Received: by 2002:a05:6a00:a19:b0:6ed:d5f5:869 with SMTP id p25-20020a056a000a1900b006edd5f50869mr605326pfh.3.1713481108591; Thu, 18 Apr 2024 15:58:28 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1713481108; cv=pass; d=google.com; s=arc-20160816; b=yN+aECQbHViTbu4BvgAIGbv64r3qsm0WBukzD8OBMDRNaYW++rOmdUAqPosXCrDlZo HQZkHITyj7Ly5jtAzCVO1S9FmR5DMrHHuBhC+AU7mLy1LcqjyqYBNROUslpBbtlE6cnJ XJYVtT25mCVPkF0n0COEbw/qdpmPH4IlYPynhxHxf1z0jsci8+ML5zBWYkuScb5tBvTP 004MWANq+xXCWiwnpRyq+64+lROO+91VbWxTkImpkbvRYfehn6PglViLHMjELd2Q05mZ SjEa4/tk4gWqMuAyBR9ocb1/1JkImEzVsRmC2w1PIlW3eIe48dYjtJR4ib2KcwaTiW1c sd7A== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:message-id:subject:cc :to:from:date:feedback-id:dkim-signature; bh=a1ppV7Fh/1Iy/7RRfewnFGGAltFLGrqr5zJ2zdSeDXI=; fh=P3YYWkkbrAdNzLSNIlZmjeIVCklguZQQXZ501E8UhK4=; b=vAQIk381wqvKVRnSyvJL5GL+neE9FqkJ2MuxJxstt58+H33fwRqkYigu7jSYNuhodV MW0Gb5zU6ltCaNaHowgEcBA5VyhKAs9v9COJWBGOgEVagWWIulWP7e2F1bqk/jwGQ1jj fcKEmnVmkmcsFg3oS+Kz/08I0g/nEMb1FzKJe+0n2GZhHCd8X/JdKKuC6eGWm/WFcgkO RR3dRHMs8a4RVz9RktOUgUD1dxic36jV+hGVwGI9QuNgux23gmy77IZVtUJcECbXpWMN 2d6W4AWLSlTQYhI9ggJ2/g5qQ6kaf+0ceFV3pydgshXLU2jY/3yhWqdmzSumRbqTfEeE fYIw==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=W3uofsCc; arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com); spf=pass (google.com: domain of linux-kernel+bounces-150846-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-150846-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [2604:1380:40f1:3f00::1]) by mx.google.com with ESMTPS id by13-20020a056a02058d00b005ceca1094c3si2370127pgb.853.2024.04.18.15.58.28 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Apr 2024 15:58:28 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-150846-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) client-ip=2604:1380:40f1:3f00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=W3uofsCc; arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com); spf=pass (google.com: domain of linux-kernel+bounces-150846-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-150846-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id 0945DB21F03 for ; Thu, 18 Apr 2024 22:56:52 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 6706754907; Thu, 18 Apr 2024 22:56:42 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="W3uofsCc" Received: from mail-qv1-f47.google.com (mail-qv1-f47.google.com [209.85.219.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E5F21286AF; Thu, 18 Apr 2024 22:56:39 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.219.47 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713481001; cv=none; b=Jmlv06fULTJAP5CutneboWWlmTjZnUcroS/vqp2paZB5A3J6FvczYxhWDbbdzDMm12kRZP307Qc/btsuZ1Gib574nnkFVglOfFiqGZwU3GD92o3Sy5MyeX2aohZYW1vNx7h9UACPGbG2oNHZCwEdRpR0ThjlHWXAXsvFe+U7zTE= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713481001; c=relaxed/simple; bh=bHJCGzkyI/xV99l7MF5GV4Nn6oNmJKgGAoB0mOAvELk=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=tJAW3Qhg13GHUpq2RhQWsfkborWLXDQDnL7Wia+WQtGKuk96oyLDv2FclIKMsPRRR1j7nLnQj1wD9ODns99G0RDI6aRYDjdUMqAqiLbJq/ToZUSGkjAHVRMS7Zt8QxoBEyGAW/R2cs7LGLgkrq5G0pfmUfEEeegKIW2ciXTjP+o= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=W3uofsCc; arc=none smtp.client-ip=209.85.219.47 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Received: by mail-qv1-f47.google.com with SMTP id 6a1803df08f44-69b59c10720so8241256d6.3; Thu, 18 Apr 2024 15:56:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1713480999; x=1714085799; darn=vger.kernel.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:feedback-id:from:to:cc:subject:date :message-id:reply-to; bh=a1ppV7Fh/1Iy/7RRfewnFGGAltFLGrqr5zJ2zdSeDXI=; b=W3uofsCcgjq+jufEPDD8MSq/Nf0++MUBopztwTL6x0OLzInrVa8EbwaS989DO2RkL1 2i73b01Kcy1He3nPAVtR5eufmG9/NJx4kNFbLq8Ih7vGbdK4f+bec163NHy16FzNG8gl Dj+kgz2TtTAxgIwzyZHANzRoZRF5EvrdQE35kV4yaP1R+Yl1YkL5isnjicVumZl2izNN 1BGk0S+kDG0HSa21kRKdBfpk1MUss4cgwk5n14lmQGKlme0SxAG8cLOKD9UEuaOGu5mk tns9WxIQf9eiKtn1InLIneWIhHNfwHqhtnUsVQmubb7wEVwZmbIWnPTctqLvHusInM8a xBHA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713480999; x=1714085799; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:feedback-id:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=a1ppV7Fh/1Iy/7RRfewnFGGAltFLGrqr5zJ2zdSeDXI=; b=Dc+Ohjr5S3CSpNDIkcyGic4IVdhS+asLGiKTagG6ORLjD0Kmd3keqIWgEM7jTpDav3 bcMOvOeyZf7tUVzwrpenetdD8llZAFlA3Z2NFqshAXJkG/mCyKI0u4RW6GNBVNP14Whu t4+ppL6zIcVTrRir3Jd9S5g88jn9+B7zUK0MQqIuToIokAIV7ifGP4eecC1xpoDuoNgl qyCm/unurn0Dp8lhc/JKMjNM0FbL93eHjbMGWd5pbmwTDDti6Q6nnZJQyTdDgoHNtf3R zR/oul5fRpjZiMr4HhDLTuyrVqhAbq/cLRZAK9Fvg2jq6l8l4+gCuRrEXnx/6uza43LD UJoA== X-Forwarded-Encrypted: i=1; AJvYcCWOb8vaWEBQGbMaS4wM1kAiLOZlHRkIEFPJz2vbQIj004zfu1UdrW1yse3lOCygAF21xl6P9Au1Psv55AyKbbMAvev5oVWeYEOTTZFozVemF+hBp1aOHEGaDe/Mvw583FpLBtBW9tF5/KxcG/E= X-Gm-Message-State: AOJu0Yx578sQETIp1ZHcJ/vcIbOQGt8k+hx2hHCi72ChZ4efW4JJNztO UUjK4+J6yATTT9AzaVptbs8oJJGtfkMeNZBiARgVfid7gMr5+5vn X-Received: by 2002:a05:6214:a52:b0:699:1f58:398c with SMTP id ee18-20020a0562140a5200b006991f58398cmr447097qvb.5.1713480998697; Thu, 18 Apr 2024 15:56:38 -0700 (PDT) Received: from fauth1-smtp.messagingengine.com (fauth1-smtp.messagingengine.com. [103.168.172.200]) by smtp.gmail.com with ESMTPSA id a13-20020a0ce38d000000b0069b23dd33besm1042193qvl.126.2024.04.18.15.56.37 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Apr 2024 15:56:38 -0700 (PDT) Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailfauth.nyi.internal (Postfix) with ESMTP id 2BC041200032; Thu, 18 Apr 2024 18:56:37 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute3.internal (MEProxy); Thu, 18 Apr 2024 18:56:37 -0400 X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvledrudekuddgudejucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne goufhprghmrfhhohhnvgdqohhuthculdehtddtmdenucfjughrpeffhffvvefukfhfgggt uggjsehttdertddttddvnecuhfhrohhmpeeuohhquhhnucfhvghnghcuoegsohhquhhnrd hfvghnghesghhmrghilhdrtghomheqnecuggftrfgrthhtvghrnhephedugfduffffteeu tddvheeuveelvdfhleelieevtdeguefhgeeuveeiudffiedvnecuufhprghmrfhhohhnvg epudektdegvdegvddthedvnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehm rghilhhfrhhomhepsghoqhhunhdomhgvshhmthhprghuthhhphgvrhhsohhnrghlihhthi dqieelvdeghedtieegqddujeejkeehheehvddqsghoqhhunhdrfhgvnhhgpeepghhmrghi lhdrtghomhesfhhigihmvgdrnhgrmhgv X-ME-Proxy: Feedback-ID: iad51458e:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Thu, 18 Apr 2024 18:56:36 -0400 (EDT) Date: Thu, 18 Apr 2024 15:56:11 -0700 From: Boqun Feng To: Benno Lossin Cc: Alice Ryhl , Miguel Ojeda , Matthew Wilcox , Al Viro , Andrew Morton , Kees Cook , Alex Gaynor , Wedson Almeida Filho , Gary Guo , =?iso-8859-1?Q?Bj=F6rn?= Roy Baron , Andreas Hindborg , Greg Kroah-Hartman , Arve =?iso-8859-1?B?SGr4bm5lduVn?= , Todd Kjos , Martijn Coenen , Joel Fernandes , Carlos Llamas , Suren Baghdasaryan , Arnd Bergmann , Trevor Gross , linux-mm@kvack.org, linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org, Christian Brauner Subject: Re: [PATCH v6 4/4] rust: add abstraction for `struct page` Message-ID: References: <20240418-alice-mm-v6-0-cb8f3e5d688f@google.com> <20240418-alice-mm-v6-4-cb8f3e5d688f@google.com> <87dc4cdf-ccf6-4b08-8915-313aad313f93@proton.me> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <87dc4cdf-ccf6-4b08-8915-313aad313f93@proton.me> On Thu, Apr 18, 2024 at 10:08:40PM +0000, Benno Lossin wrote: > On 18.04.24 20:52, Boqun Feng wrote: > > On Thu, Apr 18, 2024 at 08:59:20AM +0000, Alice Ryhl wrote: > >> + /// Runs a piece of code with a raw pointer to a slice of this page, with bounds checking. > >> + /// > >> + /// If `f` is called, then it will be called with a pointer that points at `off` bytes into the > >> + /// page, and the pointer will be valid for at least `len` bytes. The pointer is only valid on > >> + /// this task, as this method uses a local mapping. > >> + /// > >> + /// If `off` and `len` refers to a region outside of this page, then this method returns > >> + /// `EINVAL` and does not call `f`. > >> + /// > >> + /// # Using the raw pointer > >> + /// > >> + /// It is up to the caller to use the provided raw pointer correctly. The pointer is valid for > >> + /// `len` bytes and for the duration in which the closure is called. The pointer might only be > >> + /// mapped on the current thread, and when that is the case, dereferencing it on other threads > >> + /// is UB. Other than that, the usual rules for dereferencing a raw pointer apply: don't cause > >> + /// data races, the memory may be uninitialized, and so on. > >> + /// > >> + /// If multiple threads map the same page at the same time, then they may reference with > >> + /// different addresses. However, even if the addresses are different, the underlying memory is > >> + /// still the same for these purposes (e.g., it's still a data race if they both write to the > >> + /// same underlying byte at the same time). > >> + fn with_pointer_into_page( > >> + &self, > >> + off: usize, > >> + len: usize, > >> + f: impl FnOnce(*mut u8) -> Result, > > > > I wonder whether the way to go here is making this function signature: > > > > fn with_slice_in_page ( > > &self, > > off: usize, > > len: usize, > > f: iml FnOnce(&UnsafeCell<[u8]>) -> Result > > ) -> Result > > > > , because in this way, it makes a bit more clear that what memory that > > `f` can access, in other words, the users are less likely to use the > > pointer in a wrong way. > > > > But that depends on whether `&UnsafeCell<[u8]>` is the correct > > abstraction and the ecosystem around it: for example, I feel like these > > two functions: > > > > fn len(slice: &UnsafeCell<[u8]>) -> usize > > fn as_ptr(slice: &UnsafeCell<[u8]>) -> *mut u8 > > > > should be trivially safe, but I might be wrong. Again this is just for > > future discussion. > > I think the "better" type would be `&[UnsafeCell]`. Since there you > can always access the length. > Hmm.. here is the thing, having `&UnsafeCell<[u8]>` means having a `*mut [u8]>`, and it should always be safe to get a "length" of `*mut [u8]`, right? I haven't found any method doing that, but the length should be just a part of fat pointer, so I think getting that is a defined behavior. But maybe I'm missing something. > Another question would be if page allows for uninitialized bits, in that > case, we would need `&[Opaque]`. > Yes, or `&Opaque<[u8>]`. Regards, Boqun > But I don't remember how to get a valid raw pointer from > `&[UnsafeCell]`. > > -- > Cheers, > Benno >