From: Benno Lossin
To: Alice Ryhl
Cc: Miguel Ojeda, Andrew Morton, Alex Gaynor, Wedson Almeida Filho,
    Boqun Feng, Gary Guo, Björn Roy Baron, Andreas Hindborg,
    Matthew Wilcox, linux-kernel@vger.kernel.org, linux-mm@kvack.org,
    rust-for-linux@vger.kernel.org
Subject: Re: [PATCH v2] rust: mm: add abstractions for mm_struct and vm_area_struct
Date: Tue, 30 Jul 2024 18:37:07 +0000
Message-ID: <87034744-5d9b-4ac6-bc36-a54aa32eafb2@proton.me>
References: <20240727-vma-v2-1-ab3e5927dc3a@google.com>
    <3ffd4742-7a84-434d-ad0d-962f302b977a@proton.me>

On 30.07.24 12:57, Alice Ryhl wrote:
> On Mon, Jul 29, 2024 at 6:13 PM Benno Lossin wrote:
>> On 27.07.24 11:03, Alice Ryhl wrote:
>>> +/// Equivalent to `ARef` but uses `mmput_async` in destructor.
>>> +///
>>> +/// The destructor of this type will never sleep.
>>> +///
>>> +/// # Invariants
>>> +///
>>> +/// `inner` points to a valid `mm_struct` and the `ARefMmWithUserAsync` owns an `mmget` refcount.
>>> +pub struct ARefMmWithUserAsync {
>>> +    inner: NonNull<bindings::mm_struct>,
>>
>> I am confused, why doesn't `mm: MM` work here? I.e. also allow usage of
>> `ARef`.
>
> We could do that, but I don't know how much sense it makes. With Mm
> and MmWithUser there's a legitimate distinction between them that
> makes sense regardless of whether it's behind an ARef or &. But with
> the `mmput_async` case, the distinction only makes sense for ARef
> pointers, and &MmWithUser and &MmWithUserAsync would be 100%
> interchangeable.
>
> That is to say, this is a property of the pointer, not the pointee. I
> don't think it makes sense semantically to have it be a wrapper around
> MmWithUser.

Hmm, I don't think that is a problem. We have `ARef` for the following
reasons (quoting myself from the ARef pattern thread):

(1) prevents having to implement multiple abstractions for a single C
    object: say there is a `struct foo` that is both used via reference
    counting and by-value on the stack. Without `ARef`, we would have to
    write two abstractions, one for each use-case. With `ARef`, we can
    have one `Foo` that can be wrapped with `ARef` to represent a
    reference-counted object.
(2) `ARef` always represents a reference counted object, so it helps
    with understanding the code. If you read `Foo`, you cannot be sure
    if it is heap or stack allocated.
(3) generalizes common code of reference-counted objects (ie avoiding
    code duplication) and concentration of `unsafe` code.
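
As an illustration of points (1) to (3), here is a minimal userspace sketch, not kernel code. The names `RefCounted`, `Foo`, `new_ref` and `doubled` are hypothetical, and this simplified `ARef` only mimics the general shape of the kernel type. It assumes a single-threaded, non-atomic counter. The idea is that one `Foo` abstraction serves both by-value and reference-counted use, while the `unsafe` bookkeeping lives in one generic wrapper.

```rust
use std::cell::Cell;
use std::ops::Deref;
use std::ptr::NonNull;

/// Hypothetical stand-in for a "this type carries its own refcount" trait.
///
/// # Safety
/// Implementations must keep the object alive while the count is non-zero.
pub unsafe trait RefCounted {
    fn inc_ref(&self);
    /// # Safety
    /// The caller must own one reference to `obj` and gives it up here.
    unsafe fn dec_ref(obj: NonNull<Self>);
}

/// Simplified `ARef<T>`: each value owns exactly one reference to a `T`.
pub struct ARef<T: RefCounted> {
    ptr: NonNull<T>,
}

impl<T: RefCounted> Clone for ARef<T> {
    fn clone(&self) -> Self {
        self.inc_ref(); // resolved on `T` through `Deref`
        ARef { ptr: self.ptr }
    }
}

impl<T: RefCounted> Deref for ARef<T> {
    type Target = T;
    fn deref(&self) -> &T {
        // SAFETY: this `ARef` owns a reference, so the object is alive.
        unsafe { self.ptr.as_ref() }
    }
}

impl<T: RefCounted> Drop for ARef<T> {
    fn drop(&mut self) {
        // SAFETY: this `ARef` owns one reference, which is released here.
        unsafe { T::dec_ref(self.ptr) }
    }
}

/// The single abstraction for the hypothetical `struct foo`.
pub struct Foo {
    refs: Cell<usize>,
    pub value: u32,
}

impl Foo {
    /// By-value use, e.g. on the stack; the counter is simply unused.
    pub fn new(value: u32) -> Self {
        Foo { refs: Cell::new(1), value }
    }

    /// Reference-counted use: heap-allocate and hand out the first reference.
    pub fn new_ref(value: u32) -> ARef<Foo> {
        let ptr = NonNull::from(Box::leak(Box::new(Foo::new(value))));
        ARef { ptr }
    }

    pub fn refcount(&self) -> usize {
        self.refs.get()
    }

    /// An ordinary method, written once and usable in both forms.
    pub fn doubled(&self) -> u32 {
        self.value * 2
    }
}

unsafe impl RefCounted for Foo {
    fn inc_ref(&self) {
        self.refs.set(self.refs.get() + 1);
    }

    unsafe fn dec_ref(obj: NonNull<Self>) {
        // SAFETY: the caller owns a reference, so the object is still alive.
        let remaining = unsafe { obj.as_ref() }.refs.get() - 1;
        if remaining == 0 {
            // SAFETY: last reference; the object came from `Box::leak` in `new_ref`.
            drop(unsafe { Box::from_raw(obj.as_ptr()) });
        } else {
            // SAFETY: other references remain, so the object is still alive.
            unsafe { obj.as_ref() }.refs.set(remaining);
        }
    }
}
```

In this sketch `Foo::new(21).doubled()` and `Foo::new_ref(21).doubled()` call the same method, and a reader who sees `ARef<Foo>` knows the object is reference-counted.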

If you don't use `ARef`, you
- have to implement `Deref`, `Drop`, `From>` manually,
- have a rather ugly name,
- don't benefit from the three points above.

I don't really see a downside to just using `ARef` in this case.

>> Another approach might be to have the function on `MmWithUser`:
>>
>>     fn put_async(this: ARef)
>>
>> Or do you need it to be done on drop?
>
> This needs to happen in drop so that use of the question mark
> operation doesn't suddenly result in sleep-in-atomic-ctx bugs.
>
>>> +}
>>> +
>>> +// Make all `Mm` methods available on `MmWithUser`.
>>> +impl Deref for MmWithUser {
>>> +    type Target = Mm;
>>> +
>>> +    #[inline]
>>> +    fn deref(&self) -> &Mm {
>>> +        &self.mm
>>> +    }
>>
>> Does it really make sense to expose every function? E.g.
>> `mmget_not_zero` would always succeed, right?
>
> I don't think it's a problem. Right now it exposes mmget_not_zero,
> is_same_mm, and as_raw. The only one where it doesn't make much sense
> is mmget_not_zero, but I don't think it hurts either.
>
>>> +}
>>> +
>>> +// These methods are safe to call even if `mm_users` is zero.
>>
>> [...]
>>
>>> diff --git a/rust/kernel/mm/virt.rs b/rust/kernel/mm/virt.rs
>>> new file mode 100644
>>> index 000000000000..2e97ef1eac58
>>> --- /dev/null
>>> +++ b/rust/kernel/mm/virt.rs
>>> @@ -0,0 +1,199 @@
>>> +// SPDX-License-Identifier: GPL-2.0
>>> +
>>> +// Copyright (C) 2024 Google LLC.
>>> +
>>> +//! Virtual memory.
>>> +
>>> +use crate::{
>>> +    bindings,
>>> +    error::{to_result, Result},
>>> +    page::Page,
>>> +    types::Opaque,
>>> +};
>>> +
>>> +/// A wrapper for the kernel's `struct vm_area_struct`.
>>> +///
>>> +/// It represents an area of virtual memory.
>>> +#[repr(transparent)]
>>> +pub struct VmArea {
>>> +    vma: Opaque<bindings::vm_area_struct>,
>>> +}
>>> +
>>> +impl VmArea {
>>> +    /// Access a virtual memory area given a raw pointer.
>>> +    ///
>>> +    /// # Safety
>>> +    ///
>>> +    /// Callers must ensure that `vma` is valid for the duration of 'a, with shared access. The
>>> +    /// caller must ensure that using the pointer for immutable operations is okay.
>>
>> Nothing here states that the pointee is not allowed to be changed,
>> unless you mean that by "shared access" which would not match my
>> definition.
>
> How about this?
>
> Callers must ensure that:
> * `vma` is valid for the duration of 'a.
> * the caller holds the mmap read lock for 'a.
>
> And `from_raw_vma_mut` would instead require the caller to hold the
> mmap write lock.

SGTM.

>>> +    #[inline]
>>> +    pub unsafe fn from_raw_vma<'a>(vma: *const bindings::vm_area_struct) -> &'a Self {
>>> +        // SAFETY: The caller ensures that the pointer is valid.
>>> +        unsafe { &*vma.cast() }
>>> +    }
>>> +
>>> +    /// Access a virtual memory area given a raw pointer.
>>> +    ///
>>> +    /// # Safety
>>> +    ///
>>> +    /// Callers must ensure that `vma` is valid for the duration of 'a, with exclusive access. The
>>> +    /// caller must ensure that using the pointer for immutable and mutable operations is okay.
>>> +    #[inline]
>>> +    pub unsafe fn from_raw_vma_mut<'a>(vma: *mut bindings::vm_area_struct) -> &'a mut Self {
>>> +        // SAFETY: The caller ensures that the pointer is valid.
>>> +        unsafe { &mut *vma.cast() }
>>> +    }
>>> +
>>> +    /// Returns a raw pointer to this area.
>>> +    #[inline]
>>> +    pub fn as_ptr(&self) -> *mut bindings::vm_area_struct {
>>> +        self.vma.get()
>>> +    }
>>> +
>>> +    /// Returns the flags associated with the virtual memory area.
>>> +    ///
>>> +    /// The possible flags are a combination of the constants in [`flags`].
>>> +    #[inline]
>>> +    pub fn flags(&self) -> usize {
>>> +        // SAFETY: The pointer is valid since self is a reference. The field is valid for reading
>>> +        // given a shared reference.
>>
>> Why is the field not changed from the C side? Is this part readonly?
>
> Because we hold the mmap read lock. (or the write lock)

Oh, then it would be good to have it be an invariant.

---
Cheers,
Benno
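
To illustrate what "the lock is held" as a type invariant can look like, here is a minimal userspace sketch using `std::sync::RwLock`. It is not the patch's design and not kernel code. `RawVma`, `Mm`, `VmAreaRef`, `mmap_read_lock` and `try_set_flags` are hypothetical names, and the sketch assumes a single VMA guarded directly by the lock. The only way to obtain a `VmAreaRef` is to take the read lock, so `flags()` can rely on no writer running concurrently.

```rust
use std::sync::{RwLock, RwLockReadGuard};

/// Hypothetical stand-in for the fields of `vm_area_struct`.
pub struct RawVma {
    pub flags: usize,
}

/// Hypothetical stand-in for an `mm_struct` whose lock protects one VMA.
pub struct Mm {
    mmap_lock: RwLock<RawVma>,
}

/// A view of the VMA.
///
/// # Invariants
///
/// The read lock is held for as long as this value exists.
pub struct VmAreaRef<'a> {
    guard: RwLockReadGuard<'a, RawVma>,
}

impl Mm {
    pub fn new(flags: usize) -> Self {
        Mm { mmap_lock: RwLock::new(RawVma { flags }) }
    }

    /// Taking the read lock is the only way to create a `VmAreaRef`.
    pub fn mmap_read_lock(&self) -> VmAreaRef<'_> {
        VmAreaRef { guard: self.mmap_lock.read().unwrap() }
    }

    /// Tries to update the flags under the write lock without blocking.
    /// Returns `false` if the lock is currently held by someone else.
    pub fn try_set_flags(&self, flags: usize) -> bool {
        match self.mmap_lock.try_write() {
            Ok(mut vma) => {
                vma.flags = flags;
                true
            }
            Err(_) => false,
        }
    }
}

impl VmAreaRef<'_> {
    pub fn flags(&self) -> usize {
        // By the type invariant the read lock is held, so no writer can
        // change `flags` while this method runs.
        self.guard.flags
    }
}
```

With the invariant stated on the type, the justification for reading `flags` no longer depends on what each caller promised at a raw-pointer conversion site.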