Date:   Wed, 2 Aug 2023 19:05:14 +0100
From:   Gary Guo <gary@...yguo.net>
To:     Benno Lossin <benno.lossin@...ton.me>
Cc:     Miguel Ojeda <ojeda@...nel.org>,
        Wedson Almeida Filho <wedsonaf@...il.com>,
        Alex Gaynor <alex.gaynor@...il.com>,
        Boqun Feng <boqun.feng@...il.com>,
        Björn Roy Baron <bjorn3_gh@...tonmail.com>,
        Alice Ryhl <aliceryhl@...gle.com>,
        Andreas Hindborg <nmi@...aspace.dk>,
        rust-for-linux@...r.kernel.org, linux-kernel@...r.kernel.org,
        Asahi Lina <lina@...hilina.net>,
        Martin Rodriguez Reboredo <yakoyoku@...il.com>
Subject: Re: [PATCH v3 07/13] rust: init: add `..Zeroable::zeroed()` syntax
 for zeroing all missing fields

On Sat, 29 Jul 2023 09:09:59 +0000
Benno Lossin <benno.lossin@...ton.me> wrote:

> Add the struct update syntax to the init macros, but only for
> `..Zeroable::zeroed()`. Adding this at the end of the struct initializer
> allows one to omit fields from the initializer; these fields will be
> initialized with 0x00 set to every byte. Only types that implement the
> `Zeroable` trait can utilize this.
> 
> Suggested-by: Asahi Lina <lina@...hilina.net>
> Reviewed-by: Martin Rodriguez Reboredo <yakoyoku@...il.com>
> Reviewed-by: Alice Ryhl <aliceryhl@...gle.com>
> Signed-off-by: Benno Lossin <benno.lossin@...ton.me>

Reviewed-by: Gary Guo <gary@...yguo.net>

> ---
> v2 -> v3:
> - changed `if false` argument to use `never executed closure`,
> - added Reviewed-by's from Martin and Alice.
> 
> v1 -> v2:
> - fix doctest imports,
> - fix doctest examples,
> - fix `Zeroable` path in the `__init_internal` macro,
> - rename `is_zeroable` -> `assert_zeroable`,
> - add missing `{}` to the case when `..Zeroable::zeroed()` is present,
> - add `allow(unused_assignments)` in the type-checked struct
>   initializer.
> 
>  rust/kernel/init.rs        |  16 +++++-
>  rust/kernel/init/macros.rs | 115 ++++++++++++++++++++++++++++++++++++-
>  2 files changed, 129 insertions(+), 2 deletions(-)
> 
> diff --git a/rust/kernel/init.rs b/rust/kernel/init.rs
> index 0120674b451e..460f808ebf84 100644
> --- a/rust/kernel/init.rs
> +++ b/rust/kernel/init.rs
> @@ -517,13 +517,17 @@ macro_rules! stack_try_pin_init {
>  /// - Fields that you want to initialize in-place have to use `<-` instead of `:`.
>  /// - In front of the initializer you can write `&this in` to have access to a [`NonNull<Self>`]
>  ///   pointer named `this` inside of the initializer.
> +/// - Using struct update syntax one can place `..Zeroable::zeroed()` at the very end of the
> +///   struct, this initializes every field with 0 and then runs all initializers specified in the
> +///   body. This can only be done if [`Zeroable`] is implemented for the struct.
>  ///
>  /// For instance:
>  ///
>  /// ```rust
> -/// # use kernel::{macros::pin_data, pin_init};
> +/// # use kernel::{macros::{Zeroable, pin_data}, pin_init};
>  /// # use core::{ptr::addr_of_mut, marker::PhantomPinned};
>  /// #[pin_data]
> +/// #[derive(Zeroable)]
>  /// struct Buf {
>  ///     // `ptr` points into `buf`.
>  ///     ptr: *mut u8,
> @@ -536,6 +540,10 @@ macro_rules! stack_try_pin_init {
>  ///     ptr: unsafe { addr_of_mut!((*this.as_ptr()).buf).cast() },
>  ///     pin: PhantomPinned,
>  /// });
> +/// pin_init!(Buf {
> +///     buf: [1; 64],
> +///     ..Zeroable::zeroed()
> +/// });
>  /// ```
>  ///
>  /// [`try_pin_init!`]: kernel::try_pin_init
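Review bot: the new doctest at the end of this hunk leaves `Buf` in a state that contradicts the comment on its `ptr` field. `ptr` is documented as pointing into `buf`, but `pin_init!(Buf { buf: [1; 64], ..Zeroable::zeroed() })` zeroes `ptr` to null and never re-points it; either initialize `ptr` in the second example the way the first one does (`ptr: unsafe { addr_of_mut!((*this.as_ptr()).buf).cast() }`) or demonstrate the syntax on a field that carries no such invariant. Two wording nits in the added doc lines: "at the very end of the struct" should read "at the very end of the struct initializer", and the comma before "this initializes every field with 0" splices two sentences.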
> @@ -555,6 +563,7 @@ macro_rules! pin_init {
>              @data(PinData, use_data),
>              @has_data(HasPinData, __pin_data),
>              @construct_closure(pin_init_from_closure),
> +            @munch_fields($($fields)*),
>          )
>      };
>  }
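Review bot: `@munch_fields($($fields)*)` hands the full field token stream to `__init_internal` a second time next to `@fields($($fields)*)`, and the `@munch_fields($ignore:tt $($rest:tt)*)` arm then recurses once per token only to discover whether the stream ends in `..Zeroable::zeroed()`. For large initializers this doubles the token count and adds one recursion step per token, so a short comment on why the duplicate copy is needed (the `@fields` copy is consumed later by `init_slot`/`make_initializer`) would help, and it is worth confirming that the existing users of `pin_init!`/`init!` still fit within the default `recursion_limit`. The same applies to the identical additions in the `try_pin_init!`, `init!` and `try_init!` arms below.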
> @@ -611,6 +620,7 @@ macro_rules! try_pin_init {
>              @data(PinData, use_data),
>              @has_data(HasPinData, __pin_data),
>              @construct_closure(pin_init_from_closure),
> +            @munch_fields($($fields)*),
>          )
>      };
>      ($(&$this:ident in)? $t:ident $(::<$($generics:ty),* $(,)?>)? {
> @@ -624,6 +634,7 @@ macro_rules! try_pin_init {
>              @data(PinData, use_data),
>              @has_data(HasPinData, __pin_data),
>              @construct_closure(pin_init_from_closure),
> +            @munch_fields($($fields)*),
>          )
>      };
>  }
> @@ -658,6 +669,7 @@ macro_rules! init {
>              @data(InitData, /*no use_data*/),
>              @has_data(HasInitData, __init_data),
>              @construct_closure(init_from_closure),
> +            @munch_fields($($fields)*),
>          )
>      }
>  }
> @@ -708,6 +720,7 @@ macro_rules! try_init {
>              @data(InitData, /*no use_data*/),
>              @has_data(HasInitData, __init_data),
>              @construct_closure(init_from_closure),
> +            @munch_fields($($fields)*),
>          )
>      };
>      ($(&$this:ident in)? $t:ident $(::<$($generics:ty),* $(,)?>)? {
> @@ -721,6 +734,7 @@ macro_rules! try_init {
>              @data(InitData, /*no use_data*/),
>              @has_data(HasInitData, __init_data),
>              @construct_closure(init_from_closure),
> +            @munch_fields($($fields)*),
>          )
>      };
>  }
> diff --git a/rust/kernel/init/macros.rs b/rust/kernel/init/macros.rs
> index cfeacc4b3f7d..4c86281301d8 100644
> --- a/rust/kernel/init/macros.rs
> +++ b/rust/kernel/init/macros.rs
> @@ -991,6 +991,7 @@ impl<$($impl_generics)*> $pin_data<$($ty_generics)*>
>  ///
>  /// This macro has multiple internal call configurations, these are always the very first ident:
>  /// - nothing: this is the base case and called by the `{try_}{pin_}init!` macros.
> +/// - `with_update_parsed`: when the `..Zeroable::zeroed()` syntax has been handled.
>  /// - `init_slot`: recursively creates the code that initializes all fields in `slot`.
>  /// - `make_initializer`: recursively create the struct initializer that guarantees that every
>  ///   field has been initialized exactly once.
> @@ -1009,6 +1010,82 @@ macro_rules! __init_internal {
>          @has_data($has_data:ident, $get_data:ident),
>          // `pin_init_from_closure` or `init_from_closure`.
>          @construct_closure($construct_closure:ident),
> +        @munch_fields(),
> +    ) => {
> +        $crate::__init_internal!(with_update_parsed:
> +            @this($($this)?),
> +            @typ($t $(::<$($generics),*>)? ),
> +            @fields($($fields)*),
> +            @error($err),
> +            @data($data, $($use_data)?),
> +            @has_data($has_data, $get_data),
> +            @construct_closure($construct_closure),
> +            @zeroed(), // nothing means default behavior.
> +        )
> +    };
> +    (
> +        @this($($this:ident)?),
> +        @typ($t:ident $(::<$($generics:ty),*>)?),
> +        @fields($($fields:tt)*),
> +        @error($err:ty),
> +        // Either `PinData` or `InitData`, `$use_data` should only be present in the `PinData`
> +        // case.
> +        @data($data:ident, $($use_data:ident)?),
> +        // `HasPinData` or `HasInitData`.
> +        @has_data($has_data:ident, $get_data:ident),
> +        // `pin_init_from_closure` or `init_from_closure`.
> +        @construct_closure($construct_closure:ident),
> +        @munch_fields(..Zeroable::zeroed()),
> +    ) => {
> +        $crate::__init_internal!(with_update_parsed:
> +            @this($($this)?),
> +            @typ($t $(::<$($generics),*>)? ),
> +            @fields($($fields)*),
> +            @error($err),
> +            @data($data, $($use_data)?),
> +            @has_data($has_data, $get_data),
> +            @construct_closure($construct_closure),
> +            @zeroed(()), // `()` means zero all fields not mentioned.
> +        )
> +    };
> +    (
> +        @this($($this:ident)?),
> +        @typ($t:ident $(::<$($generics:ty),*>)?),
> +        @fields($($fields:tt)*),
> +        @error($err:ty),
> +        // Either `PinData` or `InitData`, `$use_data` should only be present in the `PinData`
> +        // case.
> +        @data($data:ident, $($use_data:ident)?),
> +        // `HasPinData` or `HasInitData`.
> +        @has_data($has_data:ident, $get_data:ident),
> +        // `pin_init_from_closure` or `init_from_closure`.
> +        @construct_closure($construct_closure:ident),
> +        @munch_fields($ignore:tt $($rest:tt)*),
> +    ) => {
> +        $crate::__init_internal!(
> +            @this($($this)?),
> +            @typ($t $(::<$($generics),*>)? ),
> +            @fields($($fields)*),
> +            @error($err),
> +            @data($data, $($use_data)?),
> +            @has_data($has_data, $get_data),
> +            @construct_closure($construct_closure),
> +            @munch_fields($($rest)*),
> +        )
> +    };
> +    (with_update_parsed:
> +        @this($($this:ident)?),
> +        @typ($t:ident $(::<$($generics:ty),*>)?),
> +        @fields($($fields:tt)*),
> +        @error($err:ty),
> +        // Either `PinData` or `InitData`, `$use_data` should only be present in the `PinData`
> +        // case.
> +        @data($data:ident, $($use_data:ident)?),
> +        // `HasPinData` or `HasInitData`.
> +        @has_data($has_data:ident, $get_data:ident),
> +        // `pin_init_from_closure` or `init_from_closure`.
> +        @construct_closure($construct_closure:ident),
> +        @zeroed($($init_zeroed:expr)?),
>      ) => {{
>          // We do not want to allow arbitrary returns, so we declare this type as the `Ok` return
>          // type and shadow it later when we insert the arbitrary user code. That way there will be
> @@ -1026,6 +1103,17 @@ macro_rules! __init_internal {
>                  {
>                      // Shadow the structure so it cannot be used to return early.
>                      struct __InitOk;
> +                    // If `$init_zeroed` is present we should zero the slot now and not emit an
> +                    // error when fields are missing (since they will be zeroed). We also have to
> +                    // check that the type actually implements `Zeroable`.
> +                    $({
> +                        fn assert_zeroable<T: $crate::init::Zeroable>(_: *mut T) {}
> +                        // Ensure that the struct is indeed `Zeroable`.
> +                        assert_zeroable(slot);
> +                        // SAFETY:  The type implements `Zeroable` by the check above.
> +                        unsafe { ::core::ptr::write_bytes(slot, 0, 1) };
> +                        $init_zeroed // this will be `()` if set.
> +                    })?
>                      // Create the `this` so it can be referenced by the user inside of the
>                      // expressions creating the individual fields.
>                      $(let $this = unsafe { ::core::ptr::NonNull::new_unchecked(slot) };)?
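Review bot: the SAFETY comment on `::core::ptr::write_bytes(slot, 0, 1)` only justifies the `Zeroable` requirement; `write_bytes` additionally requires `slot` to be valid for writes of one `T` and properly aligned, which holds because `slot` is the output pointer the surrounding initializer closure receives, and the comment should say so (the double space after `SAFETY:` is a style nit). It would also be worth noting in the comment that zeroing happens before `$this` is created and before any field initializer runs, so initializers that read through `this` observe zeroed memory, not uninitialized memory.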
> @@ -1062,7 +1150,7 @@ macro_rules! __init_internal {
>          @data($data:ident),
>          @slot($slot:ident),
>          @guards($($guards:ident,)*),
> -        @munch_fields($(,)?),
> +        @munch_fields($(..Zeroable::zeroed())? $(,)?),
>      ) => {
>          // Endpoint of munching, no fields are left. If execution reaches this point, all fields
>          // have been initialized. Therefore we can now dismiss the guards by forgetting them.
> @@ -1163,6 +1251,31 @@ macro_rules! __init_internal {
>              );
>          }
>      };
> +    (make_initializer:
> +        @slot($slot:ident),
> +        @type_name($t:ident),
> +        @munch_fields(..Zeroable::zeroed() $(,)?),
> +        @acc($($acc:tt)*),
> +    ) => {
> +        // Endpoint, nothing more to munch, create the initializer. Since the users specified
> +        // `..Zeroable::zeroed()`, the slot will already have been zeroed and all field that have
> +        // not been overwritten are thus zero and initialized. We still check that all fields are
> +        // actually accessible by using the struct update syntax ourselves.
> +        // We are inside of a closure that is never executed and thus we can abuse `slot` to
> +        // get the correct type inference here:
> +        #[allow(unused_assignments)]
> +        unsafe {
> +            let mut zeroed = ::core::mem::zeroed();
> +            // We have to use type inference here to make zeroed have the correct type. This does
> +            // not get executed, so it has no effect.
> +            ::core::ptr::write($slot, zeroed);
> +            zeroed = ::core::mem::zeroed();
> +            ::core::ptr::write($slot, $t {
> +                $($acc)*
> +                ..zeroed
> +            });
> +        }
> +    };
>      (make_initializer:
>          @slot($slot:ident),
>          @type_name($t:ident),
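Review bot: the comment in the new `make_initializer` arm has two grammar slips ("the users specified" should be "the user specified"; "all field that have not been overwritten" should be "all fields that have"). More importantly, the comment explains that the first `::core::ptr::write($slot, zeroed)` exists only for type inference but not why `zeroed` is then assigned a second time: the first `ptr::write` moves `zeroed`, so it must be re-created before it can be used as the base in `$t { $($acc)* ..zeroed }`. Stating that, together with which case trips `unused_assignments` (the changelog adds the `#[allow]` without saying), would keep a later reader from "simplifying" away the second assignment.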
