From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3DC8FC47258 for ; Fri, 26 Jan 2024 00:47:08 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id C02A56B0087; Thu, 25 Jan 2024 19:47:07 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id BB2796B0089; Thu, 25 Jan 2024 19:47:07 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id A2BCE6B008A; Thu, 25 Jan 2024 19:47:07 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0017.hostedemail.com [216.40.44.17]) by kanga.kvack.org (Postfix) with ESMTP id 930016B0087 for ; Thu, 25 Jan 2024 19:47:07 -0500 (EST) Received: from smtpin17.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay06.hostedemail.com (Postfix) with ESMTP id DF91EA2565 for ; Fri, 26 Jan 2024 00:47:06 +0000 (UTC) X-FDA: 81719622852.17.C0FB890 Received: from mail-qk1-f174.google.com (mail-qk1-f174.google.com [209.85.222.174]) by imf03.hostedemail.com (Postfix) with ESMTP id C130820005 for ; Fri, 26 Jan 2024 00:47:04 +0000 (UTC) Authentication-Results: imf03.hostedemail.com; dkim=pass header.d=gmail.com header.s=20230601 header.b=WQZnuXsM; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (imf03.hostedemail.com: domain of boqun.feng@gmail.com designates 209.85.222.174 as permitted sender) smtp.mailfrom=boqun.feng@gmail.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1706230024; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=eb0k+mslh6p4v5lTPXQ4s3OPRdfCkOzWaYkI73LF69Y=; b=CkdJIaREofNQhblEoUJii5VSFlc/PEk65zsMJ8jz+SWNvPk0SXU5DGOMg4tydlc4FNzJ0I nnURgFt3tdbzFfnfjju7rzTs6HngBRdwnCJ9/nIoGSTNme9VbkWmtlYEjJncChEPQIjcEj XirNfRY+NmtbzXvuKICJPMqcjZbRaKQ= ARC-Authentication-Results: i=1; imf03.hostedemail.com; dkim=pass header.d=gmail.com header.s=20230601 header.b=WQZnuXsM; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (imf03.hostedemail.com: domain of boqun.feng@gmail.com designates 209.85.222.174 as permitted sender) smtp.mailfrom=boqun.feng@gmail.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1706230024; a=rsa-sha256; cv=none; b=wRQPdbU+9tJYWgNec6wNtweBLJpPt6aSGAyebGtcCXgL1Zc/o9nYpOkSPJVRa5v9cDpjxO fplDRFG4UeGYqjYzPCsI7JzMJY/VPBpqNLgoN8FQcdFASpBDVRSvYt97Av1dF9GxwtgRD/ W6k/pAz4FSQ6hdMqjPs4ECiAbKZTmYg= Received: by mail-qk1-f174.google.com with SMTP id af79cd13be357-783b5aeaa63so163837785a.0 for ; Thu, 25 Jan 2024 16:47:04 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1706230024; x=1706834824; darn=kvack.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:feedback-id:from:to:cc:subject:date :message-id:reply-to; bh=eb0k+mslh6p4v5lTPXQ4s3OPRdfCkOzWaYkI73LF69Y=; b=WQZnuXsM6XyL7w15zkISTYsM15+syaJvDglHrlhewW/zNImCsbo9Y0jBg1UyTRzlbJ PW2xk0jYrjUOGGrbMP/ul8UO+V/CB9QRj/+JQsbZ/9ln0Y59fp7rlSFKDY7XbJdpwxZu 9fMr6UTjEOUyemw0S6VYmqMtaCiJKTb28elgp2mjrLB/E5HgxSg+ZZ4ajXVoS1ooCkuw R8WPl04+Xy2mpEmVaDYzya+2Jsoq0r6oe58n4ElwpGCLAwpBrln3iWG2p9rQfa3XaUPA z0/XzO8Ll7KwXl1JLADW1oHvDAxVinsKO/me43yIzB4x5jwsxOv2P/AAsywoyeGzGwp+ fWtQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706230024; x=1706834824; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:feedback-id:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=eb0k+mslh6p4v5lTPXQ4s3OPRdfCkOzWaYkI73LF69Y=; b=L3g57V1DzwAJAEoINzs3Bfp/OJq6NLylloXjtYPDNs3M0GUylRexkXJwB7ajAzNmIt tO1DKmEuu9gt+dA6JTmTDgHpBknMGDx4vcHy+EuRbWkeSeWuY1EtvNTwBC1rYY3M1Sii S507p6Vzbf65fVgJ560sDamrJ6imJy/7P92GJLtgbz+c88bIn4gl4Z10DGQ4i93jNGiO qFafa56pPfWtMtzmoOiYkzzIiaIYOFFKowI7GHcXa4rbGuu519GPW7+K45nJFiCVMoam lLlsagLYFSpUYySgemriTnOYWgtB+TJI0dW7UlcFiAyAMtZQDe/Nc+eQmATdT4CiJjuS NBaw== X-Gm-Message-State: AOJu0YxVIqQ90QJ1IyvZBkIVE/eFP2mhEUaLhYj9WfcZ+kmuNb2juqm1 p/iHj1HOwlMpSfrerybPuBwblYenIGZLyGJo7I2jVFtilDd83/SFgK70XQfX X-Google-Smtp-Source: AGHT+IG2J8w56HlcU6RBuC4uKuoBV3MrlGDHdSu4bpeB7MKWZ25NaYZaPmZQNqTKIsr82eJm6uHyQw== X-Received: by 2002:a37:ef15:0:b0:783:c869:8367 with SMTP id j21-20020a37ef15000000b00783c8698367mr562326qkk.139.1706230023816; Thu, 25 Jan 2024 16:47:03 -0800 (PST) Received: from auth1-smtp.messagingengine.com (auth1-smtp.messagingengine.com. [66.111.4.227]) by smtp.gmail.com with ESMTPSA id m3-20020ae9e003000000b00781bdb17d8asm70244qkk.118.2024.01.25.16.47.02 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 25 Jan 2024 16:47:03 -0800 (PST) Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailauth.nyi.internal (Postfix) with ESMTP id ACDFC27C005B; Thu, 25 Jan 2024 19:47:02 -0500 (EST) Received: from mailfrontend1 ([10.202.2.162]) by compute4.internal (MEProxy); Thu, 25 Jan 2024 19:47:02 -0500 X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvkedrvdeliedgvdegucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepfffhvfevuffkfhggtggujgesthdtredttddtvdenucfhrhhomhepuehoqhhu nhcuhfgvnhhguceosghoqhhunhdrfhgvnhhgsehgmhgrihhlrdgtohhmqeenucggtffrrg htthgvrhhnpeehudfgudffffetuedtvdehueevledvhfelleeivedtgeeuhfegueeviedu ffeivdenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpe gsohhquhhnodhmvghsmhhtphgruhhthhhpvghrshhonhgrlhhithihqdeiledvgeehtdei gedqudejjeekheehhedvqdgsohhquhhnrdhfvghngheppehgmhgrihhlrdgtohhmsehfih igmhgvrdhnrghmvg X-ME-Proxy: Feedback-ID: iad51458e:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Thu, 25 Jan 2024 19:47:01 -0500 (EST) Date: Thu, 25 Jan 2024 16:46:15 -0800 From: Boqun Feng To: Alice Ryhl Cc: Miguel Ojeda , Alex Gaynor , Wedson Almeida Filho , Gary Guo , =?iso-8859-1?Q?Bj=F6rn?= Roy Baron , Benno Lossin , Andreas Hindborg , Kees Cook , Al Viro , Andrew Morton , Greg Kroah-Hartman , Arve =?iso-8859-1?B?SGr4bm5lduVn?= , Todd Kjos , Martijn Coenen , Joel Fernandes , Carlos Llamas , Suren Baghdasaryan , Arnd Bergmann , linux-mm@kvack.org, linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org, Christian Brauner Subject: Re: [PATCH 3/3] rust: add abstraction for `struct page` Message-ID: References: <20240124-alice-mm-v1-0-d1abcec83c44@google.com> <20240124-alice-mm-v1-3-d1abcec83c44@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20240124-alice-mm-v1-3-d1abcec83c44@google.com> X-Rspam-User: X-Stat-Signature: txpcuceur6e3opqs4ep4hdp15b3j9qij X-Rspamd-Server: rspam07 X-Rspamd-Queue-Id: C130820005 X-HE-Tag: 1706230024-487153 X-HE-Meta: U2FsdGVkX19HrC472NC4S3e4VJiUEdvGhvgm6JDpoQnSyR/LtVY+994Ff1tUNeGfZcE+C4s8Idgc/CLtlPUPxYkcYe8vABH9kMZTeIimQPOnejgZzAoT4FKDREvLFrNuhCJWPk1J56D8Gn1AC0bdYsAbMCGsjR0AyWgRWR/DsajY60ApwYsVVyiNeINZ5FtFv7UG0Jl0Poimn7zFW0F0sXxgAelTcbuVqr+NaHhZnoVBM1bHXcGWuSc9fNqOZegiRO5xq3nKOxAtiAXdiTrQ23Q2Z+RAfykl6dWrUMyiOzb+6VdUq+BihUeTcXOjVpjUs4l7shegcOX4RZgUS1CbkQmK7GQl6Ff1xLA+mTuJkO/6Z+kGxlT5TQX14AY7wN2eRyBT++Hf5qmn+yJGap8XTocNPkHk1gRDHH0mF0u3rMb5BffLVB6HPQoi5mZVOdwXK3kSxUT6Bi2r9ekvvprDL3iUkEp+MIwzvV7H6CaH4M3uo1KP/AtwqsHruF0/7Ns+cIgVqEQpz2UXqQTWhINEFST6HwsM8DiYd3bo4H+vKd162QplVn60IQF/XVQCY98pPLycpvjzMJPKjunqhT2TMLpK4UQtHfypslZ3VccaXWC5eL6yPxrgVNpR33K+nPvLz8UIP7ioJdXOlo0mf5l2MZVjGb1i3WjJ29jxXTbpJYjN5CsN7YbnKUh/jkw6s8quna2Tyi7S4XRdkxKfAGFVHOh0v0dtO9LwwW5jqjIp5fhEqm4Ih/SAgvaApRRk9yyHXb7ygmNrZenkxSh8nLL3GCqbr3qrGB1eQOmFqXF8z9xTf6RHsAL6kSkIphW4l5+M0sSIgIyDHWcsmHFHGvFJqlAxOqMzowJmG50pIi+tmIdYTmS49GnpNkhhlTy8kmfDmLmYbOFqzs35JlJoRr35RJvequdyCL8gW3e+4uvfBtlPnoTO0ymeEkfqDplNtUTiYoOgtabZTs0/4XNEp0A ZSqkIR3S +Ec29FXKBAw8hafdNGH6Xg4UT7oK2+drAnQfNvThUbKLFBhwUqW3Zj51Fgc0W4+g9+WKrZWR7+rL9t8ENzrITUzXBzDl7wcQwxQv2jfrqsb8vxkZU2DmBOYdPuLe/w0Hve8mU/XFwoOU8tALCVUVC83RTQmP2Mz+tZrvTUXhpwSHUw8zHj8CWH2lmcZJvXUKmuk/78k1+WD+/G8/nJW6UkSL3uTc3gfl5ap7Kmx83CbYede2GQe1b3IT21rADG5GWeeSR4ATaLGZuxwYqzTlEUtNGb0x/m/7Nx7FAn0GYpmmyappnQgEMTPno82dyb2Aj4pih0wlWU711jWZf/VcCtRMnfA0zzXcY+HSgRIJCDt5J7Z4sPO5yIZIsBEh3V8APkg6qIJ6Mo4pkLGcVZ1dkZNFMYNV4GkzYc7q/iv+0otKv556/lAm+MrCJLCkuK+JKbgzNqV8/viE00IMRHZZ4i2eJNQQ0HL8NhBvk1ghBrbRMhG0YWJ1ComSYfl1ZazuT5q1+E18vqA3gXpY= X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: On Wed, Jan 24, 2024 at 11:20:23AM +0000, Alice Ryhl wrote: [...] > + /// Runs a piece of code with a raw pointer to a slice of this page, with > + /// bounds checking. > + /// > + /// If `f` is called, then it will be called with a pointer that points at > + /// `off` bytes into the page, and the pointer will be valid for at least > + /// `len` bytes. The pointer is only valid on this task, as this method uses > + /// a local mapping. > + /// > + /// If `off` and `len` refers to a region outside of this page, then this > + /// method returns `EINVAL` and does not call `f`. > + pub fn with_pointer_into_page( Name it as `with_slice_in_page` maybe? > + &self, > + off: usize, > + len: usize, > + f: impl FnOnce(*mut u8) -> Result, > + ) -> Result { > + let bounds_ok = off <= PAGE_SIZE && len <= PAGE_SIZE && (off + len) <= PAGE_SIZE; > + > + if bounds_ok { > + self.with_page_mapped(move |page_addr| { > + // SAFETY: The `off` integer is at most `PAGE_SIZE`, so this pointer offset will > + // result in a pointer that is in bounds or one off the end of the page. > + f(unsafe { page_addr.cast::().add(off) }) > + }) > + } else { > + Err(EINVAL) > + } > + } > + > + /// Maps the page and reads from it into the given buffer. > + /// > + /// # Safety > + /// > + /// Callers must ensure that `dest` is valid for writing `len` bytes. > + pub unsafe fn read(&self, dest: *mut u8, offset: usize, len: usize) -> Result { > + self.with_pointer_into_page(offset, len, move |from_ptr| { > + // SAFETY: If `with_pointer_into_page` calls into this closure, then > + // it has performed a bounds check and guarantees that `from_ptr` is > + // valid for `len` bytes. > + unsafe { ptr::copy(from_ptr, dest, len) }; > + Ok(()) > + }) > + } > + > + /// Maps the page and writes into it from the given buffer. > + /// > + /// # Safety > + /// > + /// Callers must ensure that `src` is valid for reading `len` bytes. > + pub unsafe fn write(&self, src: *const u8, offset: usize, len: usize) -> Result { Use a slice like type as `src` maybe? Then the function can be safe: pub fn write>(&self, src: S, offset: usize) -> Result Besides, since `Page` impl `Sync`, shouldn't this `write` and the `fill_zero` be a `&mut self` function? Or make them both `unsafe` because of potential race and add some safety requirement? Regards, Boqun > + self.with_pointer_into_page(offset, len, move |to_ptr| { > + // SAFETY: If `with_pointer_into_page` calls into this closure, then > + // it has performed a bounds check and guarantees that `to_ptr` is > + // valid for `len` bytes. > + unsafe { ptr::copy(src, to_ptr, len) }; > + Ok(()) > + }) > + } > + > + /// Maps the page and zeroes the given slice. > + pub fn fill_zero(&self, offset: usize, len: usize) -> Result { > + self.with_pointer_into_page(offset, len, move |to_ptr| { > + // SAFETY: If `with_pointer_into_page` calls into this closure, then > + // it has performed a bounds check and guarantees that `to_ptr` is > + // valid for `len` bytes. > + unsafe { ptr::write_bytes(to_ptr, 0u8, len) }; > + Ok(()) > + }) > + } > + > + /// Copies data from userspace into this page. > + pub fn copy_into_page( > + &self, > + reader: &mut UserSlicePtrReader, > + offset: usize, > + len: usize, > + ) -> Result { > + self.with_pointer_into_page(offset, len, move |to_ptr| { > + // SAFETY: If `with_pointer_into_page` calls into this closure, then > + // it has performed a bounds check and guarantees that `to_ptr` is > + // valid for `len` bytes. > + unsafe { reader.read_raw(to_ptr, len) } > + }) > + } > +} > + > +impl Drop for Page { > + fn drop(&mut self) { > + // SAFETY: By the type invariants, we have ownership of the page and can > + // free it. > + unsafe { bindings::__free_pages(self.page.as_ptr(), 0) }; > + } > +} > > -- > 2.43.0.429.g432eaa2c6b-goog >