From: Alice Ryhl
Date: Mon, 18 Mar 2024 21:10:07 +0100
Subject: Re: [PATCH v3 1/4] rust: uaccess: add userspace pointers
To: Boqun Feng
Cc: Miguel Ojeda, Matthew Wilcox, Al Viro, Andrew Morton, Kees Cook, Alex Gaynor, Wedson Almeida Filho, Gary Guo, Björn Roy Baron, Benno Lossin, Andreas Hindborg, Greg Kroah-Hartman, Arve Hjønnevåg, Todd Kjos, Martijn Coenen, Joel Fernandes, Carlos Llamas, Suren Baghdasaryan, Arnd Bergmann, linux-mm@kvack.org, linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org, Christian Brauner
References: <20240311-alice-mm-v3-0-cdf7b3a2049c@google.com> <20240311-alice-mm-v3-1-cdf7b3a2049c@google.com>

On Mon, Mar 18, 2024 at 8:33 PM Boqun Feng wrote:
>
> On Mon, Mar 18, 2024 at 08:12:27PM +0100, Alice Ryhl wrote:
> > On Mon, Mar 18, 2024 at 7:59 PM Boqun Feng wrote:
> > >
> > > On Mon, Mar 11, 2024 at 10:47:13AM +0000, Alice Ryhl wrote:
> > > > +
> > > > + /// Reads raw data from the user slice into a raw kernel buffer.
> > > > + ///
> > > > + /// Fails with `EFAULT` if the read encounters a page fault.
> > > > + ///
> > > > + /// # Safety
> > > > + ///
> > > > + /// The `out` pointer must be valid for writing `len` bytes.
> > > > + pub unsafe fn read_raw(&mut self, out: *mut u8, len: usize) -> Result {
> > >
> > > I don't think we want to promote the pub usage of this unsafe function,
> > > right? We can provide a safe version:
> > >
> > >     pub fn read_slice(&mut self, to: &[u8]) -> Result
> > >
> > > and all users can just use the safe version (with the help of
> > > slice::from_raw_parts_mut() if necessary).
> >
> > Personally, I think having the function be unsafe is plenty discouragement.
> >
> > Also, this method would need an &mut [u8], which opens the can of
> > worms related to uninitialized memory. The _raw version of this method
>
> make it a `&mut [MayUninit]` then? If that works, then _raw version
> is not more powerful therefore no need to pub it.

Nobody actually has a need for that. Also, it doesn't even remove the
need for unsafe code in the caller, since the caller still needs to
assert that the call has initialized the memory.

> > is strictly more powerful.
> >
> > I don't think I actually use it directly in Binder, so I can make it
> > private if you think that's important. It needs to be pub(crate),
>
> I might be too picky, but avoiding pub unsafe functions if not necessary
> could help us reduce unnecessary unsafe code ;-)
>
> Regards,
> Boqun
>
> > though, since it is used in `Page`.
> >
> > Alice
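
Review bot: the doc comment on `read_raw` says the call fails with `EFAULT` on a page fault but does not say what state `out` is left in when that happens. Because `out` is a raw `*mut u8` that the caller will go on to treat as initialized memory, the comment should state whether a failed call may have written part of the `len` bytes and that the buffer must not be read as initialized unless the call returned `Ok`. It is also silent on what happens when `len` is larger than what remains in the user slice; one sentence in the `# Safety` section or just above it would cover both.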
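
The trade-off discussed in this message, as an added userspace example (not code from the patch or the kernel tree): a raw read shaped like the quoted `read_raw` signature, a safe wrapper taking `&mut [MaybeUninit<u8>]`, and a caller that still needs `unsafe` to treat the buffer as initialized. `MockReader`, `Efault`, `read_uninit` and `read_header` are hypothetical names, and a byte slice stands in for user memory.

```rust
use std::mem::MaybeUninit;

/// Constructed stand-in for a user-slice reader; `src` plays user memory.
struct MockReader<'a> {
    src: &'a [u8],
}

#[derive(Debug, PartialEq)]
struct Efault;

impl<'a> MockReader<'a> {
    /// Raw form, shaped like the `read_raw` signature quoted in the thread.
    ///
    /// # Safety
    /// `out` must be valid for writing `len` bytes.
    unsafe fn read_raw(&mut self, out: *mut u8, len: usize) -> Result<(), Efault> {
        if len > self.src.len() {
            return Err(Efault); // models a fault; `out` stays uninitialized
        }
        // SAFETY: caller guarantees `out` is valid for `len` bytes, and
        // `src` holds at least `len` bytes (checked above).
        unsafe { std::ptr::copy_nonoverlapping(self.src.as_ptr(), out, len) };
        self.src = &self.src[len..];
        Ok(())
    }

    /// Safe wrapper over possibly-uninitialized memory (hypothetical name).
    fn read_uninit(&mut self, out: &mut [MaybeUninit<u8>]) -> Result<(), Efault> {
        // SAFETY: a `&mut` slice is valid for writing `out.len()` bytes.
        unsafe { self.read_raw(out.as_mut_ptr().cast::<u8>(), out.len()) }
    }
}

/// Caller side: the read is a safe call, but converting the buffer to
/// `[u8; 4]` still needs an `unsafe` assertion that it was initialized.
fn read_header(r: &mut MockReader) -> Result<[u8; 4], Efault> {
    let mut buf = [MaybeUninit::<u8>::uninit(); 4];
    r.read_uninit(&mut buf)?;
    // SAFETY: `read_uninit` returned Ok, so all 4 bytes were written.
    Ok(buf.map(|b| unsafe { b.assume_init() }))
}

fn main() {
    // Constructed sample input.
    let mut r = MockReader { src: b"\x01\x02\x03\x04rest" };
    println!("{:?}", read_header(&mut r));
}
```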