| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <ZoklB7aLyc90kWPT@pollux.localdomain>
Date: Sat, 6 Jul 2024 13:05:43 +0200
From: Danilo Krummrich <dakr@...hat.com>
To: Benno Lossin <benno.lossin@...ton.me>
Cc: ojeda@...nel.org, alex.gaynor@...il.com, wedsonaf@...il.com,
boqun.feng@...il.com, gary@...yguo.net, bjorn3_gh@...tonmail.com,
a.hindborg@...sung.com, aliceryhl@...gle.com,
daniel.almeida@...labora.com, faith.ekstrand@...labora.com,
boris.brezillon@...labora.com, lina@...hilina.net,
mcanal@...lia.com, zhiw@...dia.com, acurrid@...dia.com,
cjia@...dia.com, jhubbard@...dia.com, airlied@...hat.com,
ajanulgu@...hat.com, lyude@...hat.com, linux-kernel@...r.kernel.org,
rust-for-linux@...r.kernel.org
Subject: Re: [PATCH 01/20] rust: alloc: add `Allocator` trait
On Sat, Jul 06, 2024 at 10:33:49AM +0000, Benno Lossin wrote:
> On 04.07.24 19:06, Danilo Krummrich wrote:
> > Add a kernel specific `Allocator` trait, that in contrast to the one in
> > Rust's core library doesn't require unstable features and supports GFP
> > flags.
> >
> > Subsequent patches add the following trait implementors: `Kmalloc`,
> > `Vmalloc` and `KVmalloc`.
> >
> > Signed-off-by: Danilo Krummrich <dakr@...hat.com>
> > ---
> > rust/kernel/alloc.rs | 73 ++++++++++++++++++++++++++++++++++++++++++++
> > 1 file changed, 73 insertions(+)
> >
> > diff --git a/rust/kernel/alloc.rs b/rust/kernel/alloc.rs
> > index 531b5e471cb1..462e00982510 100644
> > --- a/rust/kernel/alloc.rs
> > +++ b/rust/kernel/alloc.rs
> > @@ -11,6 +11,7 @@
> > /// Indicates an allocation error.
> > #[derive(Copy, Clone, PartialEq, Eq, Debug)]
> > pub struct AllocError;
> > +use core::{alloc::Layout, ptr, ptr::NonNull};
> >
> > /// Flags to be used when allocating memory.
> > ///
> > @@ -71,3 +72,75 @@ pub mod flags {
> > /// small allocations.
> > pub const GFP_NOWAIT: Flags = Flags(bindings::GFP_NOWAIT);
> > }
> > +
> > +/// The kernel's [`Allocator`] trait.
> > +///
> > +/// An implementation of [`Allocator`] can allocate, re-allocate and free memory buffer described
> > +/// via [`Layout`].
> > +///
> > +/// [`Allocator`] is designed to be implemented on ZSTs; its safety requirements to not allow for
> > +/// keeping a state throughout an instance.
>
> Why do the functions take `&self` if it is forbidden to have state? I
> would remove the receiver in that case.
Yes, that that makes sense.
>
> > +///
> > +/// # Safety
> > +///
> > +/// Memory returned from an allocator must point to a valid memory buffer and remain valid until
> > +/// its explicitly freed.
> > +///
> > +/// Copying, cloning, or moving the allocator must not invalidate memory blocks returned from this
> > +/// allocator. A copied, cloned or even new allocator of the same type must behave like the same
> > +/// allocator, and any pointer to a memory buffer which is currently allocated may be passed to any
> > +/// other method of the allocator.
>
> If you provide no receiver methods, then I think we can remove this
> requirement.
Indeed.
>
> > +pub unsafe trait Allocator {
> > + /// Allocate memory based on `layout` and `flags`.
> > + ///
> > + /// On success, returns a buffer represented as `NonNull<[u8]>` that satisfies the size an
>
> typo "an" -> "and"
>
> > + /// alignment requirements of layout, but may exceed the requested size.
>
> Also if it may exceed the size, then I wouldn't call that "satisfies the
> size [...] requirements".
Do you have a better proposal? To me "satisfies or exceeds" sounds reasonable.
>
> > + ///
> > + /// This function is equivalent to `realloc` when called with a NULL pointer and an `old_size`
> > + /// of `0`.
>
> This is only true for the default implementation and could be
> overridden, since it is not a requirement of implementing this trait to
> keep it this way. I would remove this sentence.
I could add a bit more generic description and say that for the default impl
"This function is eq..."?
>
> > + fn alloc(&self, layout: Layout, flags: Flags) -> Result<NonNull<[u8]>, AllocError> {
>
> Instead of using the `Flags` type from the alloc module, we should have
> an associated `Flags` type in this trait.
What does this give us?
>
> Similarly, it might also be a good idea to let the implementer specify a
> custom error type.
Same here, why?
>
> > + // SAFETY: Passing a NULL pointer to `realloc` is valid by it's safety requirements and asks
> > + // for a new memory allocation.
> > + unsafe { self.realloc(ptr::null_mut(), 0, layout, flags) }
> > + }
> > +
> > + /// Re-allocate an existing memory allocation to satisfy the requested `layout`. If the
> > + /// requested size is zero, `realloc` behaves equivalent to `free`.
>
> This is not guaranteed by the implementation.
Not sure what exactly you mean? Is it about "satisfy" again?
>
> > + ///
> > + /// If the requested size is larger than `old_size`, a successful call to `realloc` guarantees
> > + /// that the new or grown buffer has at least `Layout::size` bytes, but may also be larger.
> > + ///
> > + /// If the requested size is smaller than `old_size`, `realloc` may or may not shrink the
> > + /// buffer; this is implementation specific to the allocator.
> > + ///
> > + /// On allocation failure, the existing buffer, if any, remains valid.
> > + ///
> > + /// The buffer is represented as `NonNull<[u8]>`.
> > + ///
> > + /// # Safety
> > + ///
> > + /// `ptr` must point to an existing and valid memory allocation created by this allocator
> > + /// instance of a size of at least `old_size`.
> > + ///
> > + /// Additionally, `ptr` is allowed to be a NULL pointer; in this case a new memory allocation is
> > + /// created.
> > + unsafe fn realloc(
> > + &self,
> > + ptr: *mut u8,
> > + old_size: usize,
>
> Why not request the old layout like the std Allocator's grow/shrink
> functions do?
Because we only care about the size that needs to be preserved when growing the
buffer. The `alignment` field of `Layout` would be wasted.
>
> > + layout: Layout,
> > + flags: Flags,
> > + ) -> Result<NonNull<[u8]>, AllocError>;
> > +
> > + /// Free an existing memory allocation.
> > + ///
> > + /// # Safety
> > + ///
> > + /// `ptr` must point to an existing and valid memory allocation created by this `Allocator`
> > + /// instance.
> > + unsafe fn free(&self, ptr: *mut u8) {
>
> `ptr` should be `NonNull<u8>`.
Creating a `NonNull` from a raw pointer is an extra operation for any user of
`free` and given that all `free` functions in the kernel accept a NULL pointer,
I think there is not much value in making this `NonNull`.
>
> > + // SAFETY: `ptr` is guaranteed to be previously allocated with this `Allocator` or NULL.
> > + // Calling `realloc` with a buffer size of zero, frees the buffer `ptr` points to.
> > + let _ = unsafe { self.realloc(ptr, 0, Layout::new::<()>(), Flags(0)) };
>
> Why does the implementer have to guarantee this?
Who else can guarantee this?
>
> > + }
> > +}
> > --
> > 2.45.2
> >
>
> More general questions:
> - are there functions in the kernel to efficiently allocate zeroed
> memory? In that case, the Allocator trait should also have methods
> that do that (with a iterating default impl).
We do this with GFP flags. In particular, you can pass GFP_ZERO to `alloc` and
`realloc` to get zeroed memory. Hence, I think having dedicated functions that
just do "flags | GFP_ZERO" would not add much value.
> - I am not sure putting everything into the single realloc function is a
> good idea, I like the grow/shrink methods of the std allocator. Is
> there a reason aside from concentrating the impl to go for only a
> single realloc function?
Yes, `krealloc()` already provides exactly the described behaviour. See the
implementation of `Kmalloc`.
>
> ---
> Cheers,
> Benno
>
Powered by blists - more mailing lists