From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 7B57FC4828F
	for <linux-mm@archiver.kernel.org>; Thu,  8 Feb 2024 13:36:53 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id ED0696B0075; Thu,  8 Feb 2024 08:36:52 -0500 (EST)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id E81276B0078; Thu,  8 Feb 2024 08:36:52 -0500 (EST)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id D47E26B007D; Thu,  8 Feb 2024 08:36:52 -0500 (EST)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0015.hostedemail.com [216.40.44.15])
	by kanga.kvack.org (Postfix) with ESMTP id C63D06B0075
	for <linux-mm@kvack.org>; Thu,  8 Feb 2024 08:36:52 -0500 (EST)
Received: from smtpin17.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay05.hostedemail.com (Postfix) with ESMTP id 9328840EF2
	for <linux-mm@kvack.org>; Thu,  8 Feb 2024 13:36:52 +0000 (UTC)
X-FDA: 81768737064.17.DC7158A
Received: from mail-ua1-f50.google.com (mail-ua1-f50.google.com [209.85.222.50])
	by imf18.hostedemail.com (Postfix) with ESMTP id D0DA21C0014
	for <linux-mm@kvack.org>; Thu,  8 Feb 2024 13:36:50 +0000 (UTC)
Authentication-Results: imf18.hostedemail.com;
	dkim=pass header.d=google.com header.s=20230601 header.b="rXtaFuB/";
	spf=pass (imf18.hostedemail.com: domain of aliceryhl@google.com designates 209.85.222.50 as permitted sender) smtp.mailfrom=aliceryhl@google.com;
	dmarc=pass (policy=reject) header.from=google.com
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com;
	s=arc-20220608; t=1707399410;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=Kn/V3vxoIjIUSC8M3Y2S4b8UAF5QxV/6wcQ3800sVJE=;
	b=1fkd/pv0UUurB3m3ZUMlrjX2HweHeFkb2mKtpV/5NUILf4N+1kUtOsmbFeY7U79bnKQECY
	6HcB/4MIwgYYpeA6sSqEC7A76HNhDvnWCbcHeI+gjB4LkkBBnH88s4/J3zbdsrcmr2mqoY
	UO8mmeMWT4/CrEesk8mhPc2XjhEG0vo=
ARC-Authentication-Results: i=1;
	imf18.hostedemail.com;
	dkim=pass header.d=google.com header.s=20230601 header.b="rXtaFuB/";
	spf=pass (imf18.hostedemail.com: domain of aliceryhl@google.com designates 209.85.222.50 as permitted sender) smtp.mailfrom=aliceryhl@google.com;
	dmarc=pass (policy=reject) header.from=google.com
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1707399410; a=rsa-sha256;
	cv=none;
	b=3wt+R1IUnl6UiMvOhvb76IRlTph8zYKS+s7mFWZF/Pbiz8Q94BuNFNUMhQC3PKoGq/htIS
	VcUbnPSVylxwVr/kdZx1EMjRdttWFhGfBA2LOSB0tOeFVcRZPXAPsg51M6XMw0jVL3CvLS
	j161gsBBHENRdM4th0H3HuqAFlJW1Jw=
Received: by mail-ua1-f50.google.com with SMTP id a1e0cc1a2514c-7d643a40a91so771255241.0
        for <linux-mm@kvack.org>; Thu, 08 Feb 2024 05:36:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20230601; t=1707399410; x=1708004210; darn=kvack.org;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:from:to:cc:subject:date
         :message-id:reply-to;
        bh=Kn/V3vxoIjIUSC8M3Y2S4b8UAF5QxV/6wcQ3800sVJE=;
        b=rXtaFuB/gUMF1Ups4EGsImxzz+PDfitm74dif+ysQmKLxHK0mW+am5unGm9Mkrc/S0
         0aAXoAAYKQ/qf48VixAlyxcPhitl6cuttqG0dSqzqjl2Iyh5A5Sr2RPrdsm6fdBNchYZ
         NtoedTpO0Px/YMVEotaEnNFiCoqJ/deYwI4+8oJ/iUm7KNpW9kzJbDZW4c7l7yXcgXSp
         KtpqhUtXzhlNoCphuS21T11Wym/hNaqmVXvJvVHHSofe+87+ltVpj07OrJxS0YyCzv3a
         JNjcAVkbiBBCsmy87VOkRZMs/wfZ71jaJSlRMxR9qXd1XpGeQg4phsMe8SnMMhpNWAeV
         ukdw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1707399410; x=1708004210;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=Kn/V3vxoIjIUSC8M3Y2S4b8UAF5QxV/6wcQ3800sVJE=;
        b=tTqIrid8q4pTv69HDbu1E9l/q+10ZZocaENGcxu9P3Tmwp9XXTBW7hgzE5nDIp76K3
         7KGB7A1YwBQqytruDjNiqZS2Etshi95cqiWbg95raN6nK83brFDHTuMx9LCNSmO/eMKr
         sHWYBhz9UWlNFiO7i3lxRCYXcLo2zkDG1n7G14jia7bdNNU544xjPYO9yFQBAd+iIJTV
         dGGvEJpKLiFuzzghAsDMv8yPBwTMroBbEaTXcagtEl2po3Z/zEggFx8yTGVArTW4E5R6
         /UUBdCqfCLiE6Th58BT/L3a/iZ3JxPY5AbvJ5AzIroTyDGb0YBAM21YaZzN+cPyHNl56
         g57w==
X-Gm-Message-State: AOJu0YxdTDhjDcqzkPZwLunyPynTmPmONhpYS45QgJb64ZJbYKNbPC/i
	TtOFyU43s7AWydCRnU209xXlJhCGxPmmOcjwyEZYpqKhorZyQxWSMTDVOnnWIXWd+YGGhjt623R
	Hjjnwwoiu+vN5qCnoIO+R857PAqDqbl6OA4Zz
X-Google-Smtp-Source: AGHT+IF9Fvq5IrgEGgEG+1r7dMwVzweHbYqlYapUQEoUpjqP9B/NinoiHrV94HMpa24eTruhWvgZvbZdVK8ImcRm0vM=
X-Received: by 2002:a05:6102:a05:b0:46d:2a90:f8ce with SMTP id
 t5-20020a0561020a0500b0046d2a90f8cemr5223903vsa.28.1707399409792; Thu, 08 Feb
 2024 05:36:49 -0800 (PST)
MIME-Version: 1.0
References: <20240124-alice-mm-v1-0-d1abcec83c44@google.com>
 <20240124-alice-mm-v1-3-d1abcec83c44@google.com> <ZbMA1yiM6Bqv9Sqg@boqun-archlinux>
 <CAH5fLgiNphSebaG82XkQHGFPFp1Mf1egyaiX6MFzsU2X3-Ni8w@mail.gmail.com>
 <ZbP50nEIMqULfVuj@Boquns-Mac-mini.home> <CALNs47uy5rQ15wByzQA0_YzORM0nTFdi9-TvwyC4+ZTXVQBj4g@mail.gmail.com>
In-Reply-To: <CALNs47uy5rQ15wByzQA0_YzORM0nTFdi9-TvwyC4+ZTXVQBj4g@mail.gmail.com>
From: Alice Ryhl <aliceryhl@google.com>
Date: Thu, 8 Feb 2024 14:36:38 +0100
Message-ID: <CAH5fLggA1MxtR-H5454X_mkQW-E=ZHnE6iYbbLyXGzp6wg5kDQ@mail.gmail.com>
Subject: Re: [PATCH 3/3] rust: add abstraction for `struct page`
To: Trevor Gross <tmgross@umich.edu>
Cc: Boqun Feng <boqun.feng@gmail.com>, Andreas Hindborg <a.hindborg@samsung.com>, 
	Miguel Ojeda <ojeda@kernel.org>, Alex Gaynor <alex.gaynor@gmail.com>, 
	Wedson Almeida Filho <wedsonaf@gmail.com>, Gary Guo <gary@garyguo.net>, 
	=?UTF-8?Q?Bj=C3=B6rn_Roy_Baron?= <bjorn3_gh@protonmail.com>, 
	Benno Lossin <benno.lossin@proton.me>, Kees Cook <keescook@chromium.org>, 
	Al Viro <viro@zeniv.linux.org.uk>, Andrew Morton <akpm@linux-foundation.org>, 
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>, =?UTF-8?B?QXJ2ZSBIasO4bm5ldsOlZw==?= <arve@android.com>, 
	Todd Kjos <tkjos@android.com>, Martijn Coenen <maco@android.com>, 
	Joel Fernandes <joel@joelfernandes.org>, Carlos Llamas <cmllamas@google.com>, 
	Suren Baghdasaryan <surenb@google.com>, Arnd Bergmann <arnd@arndb.de>, linux-mm@kvack.org, 
	linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org, 
	Christian Brauner <brauner@kernel.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Rspamd-Queue-Id: D0DA21C0014
X-Rspam-User: 
X-Stat-Signature: ucjs8as1tchxawtqezap95eccum8euib
X-Rspamd-Server: rspam01
X-HE-Tag: 1707399410-338152
X-HE-Meta: U2FsdGVkX1/9k6/edD6mflD2WYNreVsuz1QSIdm80Hpm8C9hjJBGPeBdozhQNv8n6roOxp5bjlMamkdMXvOz+2vVr8sb/7cAwbeJCFEdmXaJeoinsPyXCSHEs1+m5fl14UM+WciLk29pBkfn/20V1/DFAxMDh12Xj1VyGx9I8klCwUkb84HmtNnXNOAoOoncnSRyOynpPWLdyracf1D7Hk9TxwZMpw6MhVvBi/fKqlbx4/N+v2R48m6WHi9Xa+L87UrRS33C7xssga8Ovzjnyrb7Ogq1LKWPu9FGpGpEYreVDb2lVOyL8+envOHFnABtu1eLHTUaHBMdpf/NNlBMThxfIXiGD47uE8Gop4xK7kIQ5INEIxOiO1qB69fh1VLHAbHId71PwWDI1oFp/lmskWvIgjRGGswo/VtN4jmrGsJBE3ZDONq65PbT/rv6w4P6kcGMfwy69cXf5WaQnNX3gElUAUYBG3oIN3jwCrL5Oatn0UXwUA6ozn8r+BzelQGdncYpeXfQCMX07Sq75p1XWmKb4lGZDlTc+r1uyE05Qk39MssPQLVTPZuKL36VUSPR4gjWJAET0n8cEU63MQCNKi4jckqxKGi/oRmnFuvFSRqmS9egjgq89v0xovJvU0yDvCLGD3Zt+T3N+BTOzj15rQnVq2qM5tjTlwjhFHrQSYe0maRAAe07Kznjx+7aTfKlPgloNRGWP07Ym0WY+WlKIGUOXy28Xg/WJta0P4f87DIeHQEXFNuZJSYzTimug/ghIgjrV9dIv9D5UncrfaeMbFp5WjnMdPKFRjnoX9ypCpMioC1UzERFjNsfY1ECLIyEsrCZTq/yfpBRyCCOi7H0vdiGHSCXn5he2BlAXLCUsIhRYMDf1quP6WOtT0om+oHTe7lLL7ZPMgwBahIrheumbhmPqpTqoTE4HkUYzYlR29eStKfm/4+5yOWbn51r0bM+rovaRothtYo54Wn/rHg
 w9F9K2Pz
 z2wXdrwB1Y9xD6P6drt61wH91Hl/ya37Vo1oLSErX4TYkhC9apMFVCuLXiaOMIzWDSZZiVTWDo6bm40WlILOCRwD7S0SEnWIwNqnTJ1L5Ec+0JQXq4QfGSPd8Xw6FGVvAI7E/AHN5L4QZDZcXJD7Nmf2egGmgfZp0xGd/HqdSmd86HoB3TUHwsC/dCXdWHlBah1br3lPNAg6+Y4AiDRvpipQ6RjdIDw2f7zVPBgln9asPNl4Ny9E9uFpztrwW7xdnOtnBVdwyfZDw7P4IXVNEXwbQjYe3SKJDn0BQ47qVJOPWgXPIxlLj2pxhQyYnoyN8a3p+
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000004, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>
List-Subscribe: <mailto:majordomo@kvack.org>
List-Unsubscribe: <mailto:majordomo@kvack.org>

On Thu, Feb 1, 2024 at 7:51=E2=80=AFAM Trevor Gross <tmgross@umich.edu> wro=
te:
>
> On Fri, Jan 26, 2024 at 1:28=E2=80=AFPM Boqun Feng <boqun.feng@gmail.com>=
 wrote:
> >
> > On Fri, Jan 26, 2024 at 01:33:46PM +0100, Alice Ryhl wrote:
> > > On Fri, Jan 26, 2024 at 1:47=E2=80=AFAM Boqun Feng <boqun.feng@gmail.=
com> wrote:
> > > >
> > > > On Wed, Jan 24, 2024 at 11:20:23AM +0000, Alice Ryhl wrote:
> > > > > [...]
> > > > > +    /// Maps the page and writes into it from the given buffer.
> > > > > +    ///
> > > > > +    /// # Safety
> > > > > +    ///
> > > > > +    /// Callers must ensure that `src` is valid for reading `len=
` bytes.
> > > > > +    pub unsafe fn write(&self, src: *const u8, offset: usize, le=
n: usize) -> Result {
> > > >
> > > > Use a slice like type as `src` maybe? Then the function can be safe=
:
> > > >
> > > >         pub fn write<S: AsRef<[u8]>>(&self, src: S, offset: usize) =
-> Result
> > > >
> > > > Besides, since `Page` impl `Sync`, shouldn't this `write` and the
> > > > `fill_zero` be a `&mut self` function? Or make them both `unsafe`
> > > > because of potential race and add some safety requirement?
> > >
> > > Ideally, we don't want data races with these methods to be UB. They
> >
> > I understand that, but in the current code, you can write:
> >
> >         CPU 0                   CPU 1
> >         =3D=3D=3D=3D=3D                   =3D=3D=3D=3D=3D
> >
> >         page.write(src1, 0, 8);
> >                                 page.write(src2, 0, 8);
> >
> > and it's a data race at kernel end. So my question is more how we can
> > prevent the UB ;-)
>
> Hm. Would the following work?
>
>     // Change existing functions to work with references, meaning they ne=
ed an
>     // exclusive &mut self
>     pub fn with_page_mapped<T>(
>         &mut self,
>         f: impl FnOnce(&mut [u8; PAGE_SIZE]) -> T
>     ) -> T
>
>     pub fn with_pointer_into_page<T>(
>         &mut self,
>         off: usize,
>         len: usize,
>         f: impl FnOnce(&mut [u8]) -> Result<T>,
>     ) -> Result<T>
>
>     // writing methods now take &mut self
>     pub fn write(&mut self ...)
>     pub fn fill_zero(&mut self ...)
>     pub fn copy_into_page(&mut self ...)
>
>     // Add two new functions that take &self, but return shared access
>     pub fn with_page_mapped_raw<T>(
>         &self,
>         f: impl FnOnce(&UnsafeCell<[u8; PAGE_SIZE]>) -> T
>     ) -> T
>
>     pub fn with_pointer_into_page_raw<T>(
>         &self,
>         off: usize,
>         len: usize,
>         f: impl FnOnce(&[UnsafeCell<u8>]) -> Result<T>,
>     ) -> Result<T>
>
> This would mean that anyone who can obey rust's mutability rules can
> use a page without any safety or race conditions to worry about, much
> better for usability.

The methods can't be `&mut self` because I need the ability to perform
concurrent writes to disjoint subsets of the page.