| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <cfc4e3e4-6df6-43e2-bd2d-e2928dffe8c3@proton.me>
Date: Thu, 26 Sep 2024 14:00:50 +0000
From: Benno Lossin <benno.lossin@...ton.me>
To: Danilo Krummrich <dakr@...nel.org>
Cc: ojeda@...nel.org, alex.gaynor@...il.com, wedsonaf@...il.com, boqun.feng@...il.com, gary@...yguo.net, bjorn3_gh@...tonmail.com, a.hindborg@...sung.com, aliceryhl@...gle.com, akpm@...ux-foundation.org, daniel.almeida@...labora.com, faith.ekstrand@...labora.com, boris.brezillon@...labora.com, lina@...hilina.net, mcanal@...lia.com, zhiw@...dia.com, cjia@...dia.com, jhubbard@...dia.com, airlied@...hat.com, ajanulgu@...hat.com, lyude@...hat.com, linux-kernel@...r.kernel.org, rust-for-linux@...r.kernel.org, linux-mm@...ck.org
Subject: Re: [PATCH v7 04/26] rust: alloc: implement `Allocator` for `Kmalloc`
On 26.09.24 15:24, Danilo Krummrich wrote:
> On Thu, Sep 26, 2024 at 01:00:58PM +0000, Benno Lossin wrote:
>> On 12.09.24 00:52, Danilo Krummrich wrote:
>>> +/// # Invariants
>>> +///
>>> +/// One of the following `krealloc`, `vrealloc`, `kvrealloc`.
>>> +struct ReallocFunc(
>>> + unsafe extern "C" fn(*const core::ffi::c_void, usize, u32) -> *mut core::ffi::c_void,
>>> +);
>>> +
>>> +impl ReallocFunc {
>>> + // INVARIANT: `krealloc` satisfies the type invariants.
>>> + const KREALLOC: Self = Self(bindings::krealloc);
>>> +
>>> + /// # Safety
>>> + ///
>>> + /// This method has the same safety requirements as [`Allocator::realloc`].
>>> + ///
>>> + /// # Guarantees
>>> + ///
>>> + /// This method has the same guarantees as `Allocator::realloc`. Additionally
>>> + /// - it accepts any pointer to a valid memory allocation allocated by this function.
>>> + /// - memory allocated by this function remains valid until it is passed to this function.
>>> + unsafe fn call(
>>> + &self,
>>> + ptr: Option<NonNull<u8>>,
>>> + layout: Layout,
>>> + flags: Flags,
>>> + ) -> Result<NonNull<[u8]>, AllocError> {
>>> + let size = aligned_size(layout);
>>> + let ptr = match ptr {
>>> + Some(ptr) => ptr.as_ptr(),
>>> + None => ptr::null(),
>>> + };
>>> +
>>> + // SAFETY:
>>> + // - `self.0` is one of `krealloc`, `vrealloc`, `kvrealloc` and thus only requires that
>>> + // `ptr` is NULL or valid.
>>> + // - `ptr` is either NULL or valid by the safety requirements of this function.
>>> + //
>>> + // GUARANTEE:
>>> + // - `self.0` is one of `krealloc`, `vrealloc`, `kvrealloc`.
>>> + // - Those functions provide the guarantees of this function.
>>> + let raw_ptr = unsafe {
>>> + // If `size == 0` and `ptr != NULL` the memory behind the pointer is freed.
>>> + self.0(ptr.cast(), size, flags.0).cast()
>>> + };
>>> +
>>> + let ptr = if size == 0 {
>>> + NonNull::dangling()
>>> + } else {
>>> + NonNull::new(raw_ptr).ok_or(AllocError)?
>>> + };
>>> +
>>> + Ok(NonNull::slice_from_raw_parts(ptr, size))
>>> + }
>>> +}
>>
>> I remember asking you to split this into a different commit. I think you
>> argued that it would be better to keep it in the same commit when
>> bisecting. I don't think that applies in this case, are there any other
>> disadvantages?
>
> I don't really like the intermediate `#[expect(dead_code)]`, plus it's
> additional work you didn't really give me a motivation for, i.e. you did not
> mention what would be the advantage.
The advantage would be that it's easier to review (granted it probably
is a bit late for that). I got confused a couple of times (but that's
probably on me).
> But sure, I will change it for the next version.
Thanks
---
Cheers,
Benno
Powered by blists - more mailing lists