| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <52b1a806-48c7-4ae2-b78c-ca0e8bf5e1d7@proton.me>
Date: Tue, 06 Aug 2024 20:04:30 +0000
From: Benno Lossin <benno.lossin@...ton.me>
To: Danilo Krummrich <dakr@...nel.org>
Cc: ojeda@...nel.org, alex.gaynor@...il.com, wedsonaf@...il.com, boqun.feng@...il.com, gary@...yguo.net, bjorn3_gh@...tonmail.com, a.hindborg@...sung.com, aliceryhl@...gle.com, akpm@...ux-foundation.org, daniel.almeida@...labora.com, faith.ekstrand@...labora.com, boris.brezillon@...labora.com, lina@...hilina.net, mcanal@...lia.com, zhiw@...dia.com, acurrid@...dia.com, cjia@...dia.com, jhubbard@...dia.com, airlied@...hat.com, ajanulgu@...hat.com, lyude@...hat.com, linux-kernel@...r.kernel.org, rust-for-linux@...r.kernel.org, linux-mm@...ck.org
Subject: Re: [PATCH v4 01/28] rust: alloc: add `Allocator` trait
On 06.08.24 20:30, Danilo Krummrich wrote:
> On Tue, Aug 06, 2024 at 04:03:49PM +0000, Benno Lossin wrote:
>> On 05.08.24 17:19, Danilo Krummrich wrote:
>>> Add a kernel specific `Allocator` trait, that in contrast to the one in
>>> Rust's core library doesn't require unstable features and supports GFP
>>> flags.
>>>
>>> Subsequent patches add the following trait implementors: `Kmalloc`,
>>> `Vmalloc` and `KVmalloc`.
>>>
>>> Signed-off-by: Danilo Krummrich <dakr@...nel.org>
>>> ---
>>> rust/kernel/alloc.rs | 79 ++++++++++++++++++++++++++++++++++++++++++++
>>> 1 file changed, 79 insertions(+)
>>>
>>> diff --git a/rust/kernel/alloc.rs b/rust/kernel/alloc.rs
>>> index 1966bd407017..8a71a589469d 100644
>>> --- a/rust/kernel/alloc.rs
>>> +++ b/rust/kernel/alloc.rs
>>> @@ -11,6 +11,7 @@
>>> /// Indicates an allocation error.
>>> #[derive(Copy, Clone, PartialEq, Eq, Debug)]
>>> pub struct AllocError;
>>> +use core::{alloc::Layout, ptr::NonNull};
>>>
>>> /// Flags to be used when allocating memory.
>>> ///
>>> @@ -86,3 +87,81 @@ pub mod flags {
>>> /// small allocations.
>>> pub const GFP_NOWAIT: Flags = Flags(bindings::GFP_NOWAIT);
>>> }
>>> +
>>> +/// The kernel's [`Allocator`] trait.
>>> +///
>>> +/// An implementation of [`Allocator`] can allocate, re-allocate and free memory buffer described
>>> +/// via [`Layout`].
>>> +///
>>> +/// [`Allocator`] is designed to be implemented as a ZST; [`Allocator`] functions do not operate on
>>> +/// an object instance.
>>
>> This will prevent us from implementing arena-type allocators [^1]. Do we
>> want/need those?
>
> I'm not aware of any code in the kernel that does exactly this, but kmem_cache
> is rather close to that.
>
>> I have heard that some people use them in embedded systems, but I can't
>> say for sure. But this is a rather big design decision, so we should
>> discuss it now.
>>
>> [^1]: For those who don't know what I mean by that here is a quick
>> sketch (without handling flags and optimizations):
>>
>> pub struct ArenaAlloc<const SIZE: usize> {
>> memory: Opaque<[u8; SIZE]>,
>> head: Cell<usize>,
>> }
>>
>> impl<const SIZE: usize> ArenaAlloc<SIZE> {
>> pub fn new() -> Self {
>> Self {
>> memory: Opaque::uninit(),
>> head: 0,
>> }
>> }
>> }
>>
>> impl<const SIZE: usize> Allocator for ArenaAlloc<SIZE> {
>> fn alloc(&self, layout: Layout, _flags: Flags) -> Result<NonNull<u8>, AllocError> {
>> let head = self.head.get();
>> if head + layout.size() >= SIZE {
>> return Err(AllocError);
>> }
>> let ptr = self.memory.get();
>> let ptr = ptr.cast::<u8>();
>> let ptr = unsafe { ptr.add(head) };
>> self.head.set(head + layout.size());
>> unsafe { NonNull::new_unchecked(ptr) }
>> }
>>
>> unsafe fn realloc(
>> &self,
>> ptr: Option<NonNull<u8>>,
>> old_layout: Layout, // Note that we also need `old_layout`!
>> layout: Layout,
>> flags: Flags
>> ) -> Result<NonNull<u8>, AllocError> {
>> let new = self.alloc(layout, flags)?;
>> let Some(ptr) = ptr else { return Ok(new); };
>> unsafe { core::ptr::copy_nonoverlapping(ptr.as_ptr(), new.as_ptr(), old_layout.size()) };
>> self.free(ptr);
>> Ok(new)
>> }
>>
>> fn free(&self, ptr: NonNull<u8>) { /* noop */ }
>> }
>>
>>> +///
>>> +/// In order to be able to support `#[derive(SmartPointer)]` later on, we need to avoid a design
>>> +/// that requires an `Allocator` to be instantiated, hence its functions must not contain any kind
>>> +/// of `self` parameter.
>>
>> Ah I see, so since `#[derive(SmartPointer)]` needs `Box` to only consist
>> of one non ZST field... I skimmed the RFC discussion and it seems like a
>> problem that *might* be solved in the future, but probably not in the
>> (very) near future. I guess this is just a bullet that we have to bite.
>> We can always have an `ArenaBox` that can deal with that (although
>> without `DispatchFromDyn`).
>> We should revisit this when `#[derive(SmartPointer)]` becomes advanced
>> enough.
>
> Agreed.
I opened https://github.com/Rust-for-Linux/linux/issues/1095 to track
this.
>>> +///
>>> +/// # Safety
>>> +///
>>> +/// Memory returned from an allocator must point to a valid memory buffer and remain valid until
>>> +/// it is explicitly freed.
>>> +///
>>> +/// Any pointer to a memory buffer which is currently allocated must be valid to be passed to any
>>> +/// other [`Allocator`] function of the same type. The same applies for a NULL pointer.
>>> +///
>>> +/// If `realloc` is called with:
>>> +/// - a size of zero, the given memory allocation, if any, must be freed
>>> +/// - a NULL pointer, a new memory allocation must be created
>>> +pub unsafe trait Allocator {
>>> + /// Allocate memory based on `layout` and `flags`.
>>> + ///
>>> + /// On success, returns a buffer represented as `NonNull<[u8]>` that satisfies the layout
>>> + /// constraints (i.e. minimum size and alignment as specified by `layout`).
>>> + ///
>>> + /// This function is equivalent to `realloc` when called with a NULL pointer.
>>> + fn alloc(layout: Layout, flags: Flags) -> Result<NonNull<[u8]>, AllocError> {
>>> + // SAFETY: Passing a NULL pointer to `realloc` is valid by it's safety requirements and asks
>>> + // for a new memory allocation.
>>> + unsafe { Self::realloc(None, layout, flags) }
>>> + }
>>> +
>>> + /// Re-allocate an existing memory allocation to satisfy the requested `layout`. If the
>>> + /// requested size is zero, `realloc` behaves equivalent to `free`.
>>> + ///
>>> + /// If the requested size is larger than the size of the existing allocation, a successful call
>>> + /// to `realloc` guarantees that the new or grown buffer has at least `Layout::size` bytes, but
>>> + /// may also be larger.
>>> + ///
>>> + /// If the requested size is smaller than the size of the existing allocation, `realloc` may or
>>> + /// may not shrink the buffer; this is implementation specific to the allocator.
>>> + ///
>>> + /// On allocation failure, the existing buffer, if any, remains valid.
>>> + ///
>>> + /// The buffer is represented as `NonNull<[u8]>`.
>>> + ///
>>> + /// # Safety
>>> + ///
>>> + /// `Some(ptr)` must point to an existing and valid memory allocation created by this allocator
>>
>> This is the wrong way around, `ptr: Option<NonNull<u8>>`, so
>> `Some(ptr): Option<Option<NonNull<u8>>>`. Instead I would write
>> "If `ptr = Some(p)`, then `p` must point to...".
>
> Yes, makes sense.
>
>>
>>> + /// instance. The alignment encoded in `layout` must be smaller than or equal to the alignment
>>> + /// requested in the previous `alloc` or `realloc` call of the same allocation.
>>> + ///
>>> + /// Additionally, `ptr` is allowed to be `None`; in this case a new memory allocation is
>>> + /// created.
>>> + ///
>>> + unsafe fn realloc(
>>> + ptr: Option<NonNull<u8>>,
>>> + layout: Layout,
>>> + flags: Flags,
>>> + ) -> Result<NonNull<[u8]>, AllocError>;
>>> +
>>> + /// Free an existing memory allocation.
>>> + ///
>>> + /// # Safety
>>> + ///
>>> + /// `ptr` must point to an existing and valid memory allocation created by this `Allocator`
>>> + /// instance.
>>
>> Additionally, you need "The memory allocation at `ptr` must never again
>> be read from or written to.".
>
> I'm fine adding it, but I wonder if technically this is really required? The
> condition whether the pointer is ever accessed again in any way is not relevant
> in terms of being a precondition for `free` not causing UB, right?
I don't see how else we would find the mistake in the following code:
let ptr = Box::into_raw(Box::<i32, Kmalloc>::new(42));
// SAFETY: `ptr` came from `Box::into_raw` and thus is pointing to a
// valid and existing memory allocation allocated by `Kmalloc`.
unsafe { Kmalloc::free(ptr) };
// SAFETY: `ptr` came from `Box::into_raw` and thus is pointing at a
// valid `i32`.
let v = unsafe { ptr.read() };
Also see the `from_raw` for our `Arc`:
/// Recreates an [`Arc`] instance previously deconstructed via [`Arc::into_raw`].
///
/// # Safety
///
/// `ptr` must have been returned by a previous call to [`Arc::into_raw`]. Additionally, it
/// must not be called more than once for each previous call to [`Arc::into_raw`].
pub unsafe fn from_raw(ptr: *const T) -> Self {
That also requires that the function must not be called more than once.
This reminds me, I forgot to say that about `Box::from_raw`.
---
Cheers,
Benno
Powered by blists - more mailing lists