From: "Danilo Krummrich" <dakr@kernel.org>
To: "Vitaly Wool" <vitaly.wool@konsulko.se>
Cc: <rust-for-linux@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
"Uladzislau Rezki" <urezki@gmail.com>,
"Alice Ryhl" <aliceryhl@google.com>,
"Vlastimil Babka" <vbabka@suse.cz>,
"Lorenzo Stoakes" <lorenzo.stoakes@oracle.com>,
"Liam R . Howlett" <Liam.Howlett@oracle.com>,
"Miguel Ojeda" <ojeda@kernel.org>,
"Alex Gaynor" <alex.gaynor@gmail.com>,
"Boqun Feng" <boqun.feng@gmail.com>,
"Gary Guo" <gary@garyguo.net>,
"Bjorn Roy Baron" <bjorn3_gh@protonmail.com>,
"Benno Lossin" <lossin@kernel.org>,
"Andreas Hindborg" <a.hindborg@kernel.org>,
"Trevor Gross" <tmgross@umich.edu>,
"Johannes Weiner" <hannes@cmpxchg.org>,
"Yosry Ahmed" <yosry.ahmed@linux.dev>,
"Nhat Pham" <nphamcs@gmail.com>, <linux-mm@kvack.org>
Subject: Re: [PATCH v2] rust: zpool: add abstraction for zpool drivers
Date: Thu, 21 Aug 2025 14:32:44 +0200 [thread overview]
Message-ID: <DC83WSYHY3K1.1D3XEES0BIKGS@kernel.org> (raw)
In-Reply-To: <DC83A2M3G8EH.12FRM3C05ABCR@kernel.org>
On Thu Aug 21, 2025 at 2:03 PM CEST, Danilo Krummrich wrote:
> On Thu Aug 21, 2025 at 1:17 PM CEST, Vitaly Wool wrote:
>> + /// preferred NUMA node `nid`. If the allocation is successful, an opaque handle is returned.
>> + fn malloc(
>> + pool: <Self::Pool as ForeignOwnable>::BorrowedMut<'_>,
>> + size: usize,
>> + gfp: Flags,
>> + nid: NumaNode,
>> + ) -> Result<usize>;
>
> I still think we need a proper type representation of a zpool handle that
> guarantees validity and manages its lifetime.
>
> For instance, what prevents a caller from calling write() with a random handle?
>
> Looking at zsmalloc(), if I call write() with a random number, I will most
> likely oops the kernel. This is not acceptable for safe APIs.
>
> Alternatively, all those trait functions have to be unsafe, which would be very
> unfortunate.
I just noticed that I confused something here. :)
So, for the backend driver this trait is obviously fine, since you have to implement
the C ops -- sorry for the confusion.
However, you still have to mark all functions except alloc() and total_pages()
as unsafe and document and justify the corresponding safety requirements.
>> + /// Free a previously allocated from the `pool` object, represented by `handle`.
>> + fn free(pool: <Self::Pool as ForeignOwnable>::Borrowed<'_>, handle: usize);
>
> What happens if I forget to call free()?
>
>> + /// Make all the necessary preparations for the caller to be able to read from the object
>> + /// represented by `handle` and return a valid pointer to the `handle` memory to be read.
>> + fn read_begin(pool: <Self::Pool as ForeignOwnable>::Borrowed<'_>, handle: usize)
>> + -> NonNull<u8>;
>
> Same for this, making it a NonNull<u8> is better than a *mut c_void, but it's
> still a raw pointer. Nothing prevents users from using this raw pointer after
> read_end() has been called.
>
> This needs a type representation that only lives until read_end().
>
> In general, I think this design doesn't really work out well. I think the design
> should be something along the lines of:
>
> (1) We should only provide alloc() on the Zpool itself and which returns a
> Zmem instance. A Zmem instance must not outlive the Zpool it was allocated
> with.
>
> (2) Zmem should call free() when it is dropped. It should provide read_begin()
> and write() methods.
>
> (3) Zmem::read_begin() should return a Zslice which must not outlive Zmem and
> calls read_end() when dropped.
This design is obiously for when you want to use a Zpool, but not implement its
backend. :)
next prev parent reply other threads:[~2025-08-21 12:32 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-21 11:17 Vitaly Wool
2025-08-21 12:03 ` Danilo Krummrich
2025-08-21 12:32 ` Danilo Krummrich [this message]
2025-08-21 14:15 ` Vitaly Wool
2025-08-21 14:32 ` Danilo Krummrich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DC83WSYHY3K1.1D3XEES0BIKGS@kernel.org \
--to=dakr@kernel.org \
--cc=Liam.Howlett@oracle.com \
--cc=a.hindborg@kernel.org \
--cc=alex.gaynor@gmail.com \
--cc=aliceryhl@google.com \
--cc=bjorn3_gh@protonmail.com \
--cc=boqun.feng@gmail.com \
--cc=gary@garyguo.net \
--cc=hannes@cmpxchg.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lorenzo.stoakes@oracle.com \
--cc=lossin@kernel.org \
--cc=nphamcs@gmail.com \
--cc=ojeda@kernel.org \
--cc=rust-for-linux@vger.kernel.org \
--cc=tmgross@umich.edu \
--cc=urezki@gmail.com \
--cc=vbabka@suse.cz \
--cc=vitaly.wool@konsulko.se \
--cc=yosry.ahmed@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox