| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250123132940.1f3c2666@mordecai.tesarici.cz>
Date: Thu, 23 Jan 2025 13:30:09 +0100
From: Petr Tesařík <petr@...arici.cz>
To: Abdiel Janulgue <abdiel.janulgue@...il.com>
Cc: rust-for-linux@...r.kernel.org, daniel.almeida@...labora.com,
dakr@...nel.org, robin.murphy@....com, aliceryhl@...gle.com, Miguel Ojeda
<ojeda@...nel.org>, Alex Gaynor <alex.gaynor@...il.com>, Boqun Feng
<boqun.feng@...il.com>, Gary Guo <gary@...yguo.net>, Björn
Roy Baron <bjorn3_gh@...tonmail.com>, Benno Lossin
<benno.lossin@...ton.me>, Andreas Hindborg <a.hindborg@...nel.org>, Trevor
Gross <tmgross@...ch.edu>, Valentin Obst <kernel@...entinobst.de>,
linux-kernel@...r.kernel.org (open list), Christoph Hellwig <hch@....de>,
Marek Szyprowski <m.szyprowski@...sung.com>, airlied@...hat.com,
iommu@...ts.linux.dev (open list:DMA MAPPING HELPERS)
Subject: Re: [PATCH v11 2/3] rust: add dma coherent allocator abstraction.
On Thu, 23 Jan 2025 12:42:58 +0200
Abdiel Janulgue <abdiel.janulgue@...il.com> wrote:
> Add a simple dma coherent allocator rust abstraction. Based on
> Andreas Hindborg's dma abstractions from the rnvme driver, which
> was also based on earlier work by Wedson Almeida Filho.
>
> Signed-off-by: Abdiel Janulgue <abdiel.janulgue@...il.com>
>[...]
> +/// An abstraction of the `dma_alloc_coherent` API.
> +///
> +/// This is an abstraction around the `dma_alloc_coherent` API which is used to allocate and map
> +/// large consistent DMA regions.
> +///
> +/// A [`CoherentAllocation`] instance contains a pointer to the allocated region (in the
> +/// processor's virtual address space) and the device address which can be given to the device
> +/// as the DMA address base of the region. The region is released once [`CoherentAllocation`]
> +/// is dropped.
> +///
> +/// # Invariants
> +///
> +/// For the lifetime of an instance of [`CoherentAllocation`], the cpu address is a valid pointer
> +/// to an allocated region of consistent memory and we hold a reference to the device.
> +pub struct CoherentAllocation<T: AsBytes + FromBytes> {
> + dev: ARef<Device>,
> + dma_handle: bindings::dma_addr_t,
> + count: usize,
> + cpu_addr: *mut T,
> + dma_attrs: Attrs,
> +}
> +
> +impl<T: AsBytes + FromBytes> CoherentAllocation<T> {
> + /// Allocates a region of `size_of::<T> * count` of consistent memory.
> + ///
> + /// # Examples
> + ///
> + /// ```
> + /// use kernel::device::Device;
> + /// use kernel::dma::{attrs::*, CoherentAllocation};
> + ///
> + /// # fn test(dev: &Device) -> Result {
> + /// let c: CoherentAllocation<u64> = CoherentAllocation::alloc_attrs(dev.into(), 4, GFP_KERNEL,
> + /// DMA_ATTR_NO_WARN)?;
> + /// # Ok::<(), Error>(()) }
> + /// ```
> + pub fn alloc_attrs(
> + dev: ARef<Device>,
> + count: usize,
> + gfp_flags: kernel::alloc::Flags,
> + dma_attrs: Attrs,
> + ) -> Result<CoherentAllocation<T>> {
> + build_assert!(
> + core::mem::size_of::<T>() > 0,
> + "It doesn't make sense for the allocated type to be a ZST"
> + );
> +
> + let size = count
> + .checked_mul(core::mem::size_of::<T>())
> + .ok_or(EOVERFLOW)?;
> + let mut dma_handle = 0;
> + // SAFETY: device pointer is guaranteed as valid by invariant on `Device`.
> + // We ensure that we catch the failure on this function and throw an ENOMEM
> + let ret = unsafe {
> + bindings::dma_alloc_attrs(
> + dev.as_raw(),
> + size,
> + &mut dma_handle,
> + gfp_flags.as_raw(),
> + dma_attrs.as_raw(),
> + )
> + };
> + if ret.is_null() {
> + return Err(ENOMEM);
> + }
> + // INVARIANT: We just successfully allocated a coherent region which is accessible for
> + // `count` elements, hence the cpu address is valid. We also hold a refcounted reference
> + // to the device.
> + Ok(Self {
> + dev,
> + dma_handle,
> + count,
> + cpu_addr: ret as *mut T,
> + dma_attrs,
> + })
> + }
> +
> + /// Performs the same functionality as `alloc_attrs`, except the `dma_attrs` is 0 by default.
> + pub fn alloc_coherent(
> + dev: ARef<Device>,
> + count: usize,
> + gfp_flags: kernel::alloc::Flags,
> + ) -> Result<CoherentAllocation<T>> {
> + CoherentAllocation::alloc_attrs(dev, count, gfp_flags, Attrs(0))
> + }
> +
> + /// Returns the device, base address, dma handle, attributes and the size of the
> + /// allocated region.
> + ///
> + /// The caller takes ownership of the returned resources, i.e., will have the responsibility
> + /// in calling `bindings::dma_free_attrs`. The allocated region is valid as long as
> + /// the returned device exists.
> + pub fn into_parts(
> + self,
> + ) -> (
> + ARef<Device>,
> + *mut T,
> + bindings::dma_addr_t,
> + crate::ffi::c_ulong,
> + usize,
> + ) {
> + let size = self.count * core::mem::size_of::<T>();
> + let ret = (
> + // SAFETY: `&self.dev` is valid for reads.
> + unsafe { core::ptr::read(&self.dev) },
> + self.cpu_addr,
> + self.dma_handle,
> + self.dma_attrs.as_raw(),
> + size,
> + );
> + core::mem::forget(self);
> + ret
> + }
> +
> + /// Returns the base address to the allocated region in the CPU's virtual address space.
> + pub fn start_ptr(&self) -> *const T {
> + self.cpu_addr
> + }
> +
> + /// Returns the base address to the allocated region in the CPU's virtual address space as
> + /// a mutable pointer.
> + pub fn start_ptr_mut(&mut self) -> *mut T {
> + self.cpu_addr
> + }
> +
> + /// Returns a DMA handle which may given to the device as the DMA address base of
> + /// the region.
> + pub fn dma_handle(&self) -> bindings::dma_addr_t {
> + self.dma_handle
> + }
> +
> + /// Reads data from the region starting from `offset` as a slice.
> + /// `offset` and `count` are in units of `T`, not the number of bytes.
> + ///
> + /// Due to the safety requirements of slice, the data returned should be regarded by the
> + /// caller as a snapshot of the region when this function is called, as the region could
> + /// be modified by the device at anytime. For ringbuffer type of r/w access or use-cases
> + /// where the pointer to the live data is needed, `start_ptr()` or `start_ptr_mut()`
> + /// could be used instead.
> + ///
> + /// # Safety
> + ///
> + /// Callers must ensure that no hardware operations that involve the buffer are currently
> + /// taking place while the returned slice is live.
> + pub unsafe fn as_slice(&self, offset: usize, count: usize) -> Result<&[T]> {
> + if offset + count >= self.count {
I'm probably missing something, but how do you know that this addition
can't overflow? I mean, since this is a public function, users can do
something dumb such as buf.as_slice(usize::MAX, n), can't they?
What about something like:
let end = offset.checked_add(count).ok_or(EOVERFLOW)?;
if end >= self.count { ... }
> + return Err(EINVAL);
> + }
> + // SAFETY:
> + // - The pointer is valid due to type invariant on `CoherentAllocation`,
> + // we've just checked that the range and index is within bounds. The immutability of the
> + // of data is also guaranteed by the safety requirements of the function.
> + // - `offset` can't overflow since it is smaller than `self.count` and we've checked
> + // that `self.count` won't overflow early in the constructor.
> + Ok(unsafe { core::slice::from_raw_parts(self.cpu_addr.add(offset), count) })
> + }
> +
> + /// Writes data to the region starting from `offset`. `offset` is in units of `T`, not the
> + /// number of bytes.
> + pub fn write(&self, src: &[T], offset: usize) -> Result {
> + if offset + src.len() >= self.count {
Same here.
Petr T
Powered by blists - more mailing lists