| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025050215-affluent-repair-3bb2@gregkh>
Date: Fri, 2 May 2025 16:07:33 +0200
From: Greg KH <gregkh@...uxfoundation.org>
To: Alice Ryhl <aliceryhl@...gle.com>
Cc: Danilo Krummrich <dakr@...nel.org>, Matthew Maurer <mmaurer@...gle.com>,
rust-for-linux@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v5 3/7] rust: alloc: add Vec::push_within_capacity
On Fri, May 02, 2025 at 01:19:31PM +0000, Alice Ryhl wrote:
> This introduces a new method called `push_within_capacity` for appending
> to a vector without attempting to allocate if the capacity is full. Rust
> Binder will use this in various places to safely push to a vector while
> holding a spinlock.
>
> The implementation is moved to a push_within_capacity_unchecked method.
> This is preferred over having push() call push_within_capacity()
> followed by an unwrap_unchecked() for simpler unsafe.
>
> Panics in the kernel are best avoided when possible, so an error is
> returned if the vector does not have sufficient capacity. An error type
> is used rather than just returning Result<(),T> to make it more
> convenient for callers (i.e. they can use ? or unwrap).
>
> Signed-off-by: Alice Ryhl <aliceryhl@...gle.com>
> ---
> rust/kernel/alloc/kvec.rs | 46 ++++++++++++++++++++++++++++++++++++----
> rust/kernel/alloc/kvec/errors.rs | 23 ++++++++++++++++++++
> 2 files changed, 65 insertions(+), 4 deletions(-)
>
> diff --git a/rust/kernel/alloc/kvec.rs b/rust/kernel/alloc/kvec.rs
> index ebca0cfd31c67f3ce13c4825d7039e34bb54f4d4..e9bf4c97a5a78fc9b54751b57f15a33c716c607b 100644
> --- a/rust/kernel/alloc/kvec.rs
> +++ b/rust/kernel/alloc/kvec.rs
> @@ -21,6 +21,9 @@
> slice::SliceIndex,
> };
>
> +mod errors;
> +pub use self::errors::PushError;
> +
> /// Create a [`KVec`] containing the arguments.
> ///
> /// New memory is allocated with `GFP_KERNEL`.
> @@ -307,17 +310,52 @@ pub fn spare_capacity_mut(&mut self) -> &mut [MaybeUninit<T>] {
> /// ```
> pub fn push(&mut self, v: T, flags: Flags) -> Result<(), AllocError> {
> self.reserve(1, flags)?;
> + // SAFETY: The call to `reserve` was successful, so the capacity is at least one greater
> + // than the length.
> + unsafe { self.push_within_capacity_unchecked(v) };
> + Ok(())
> + }
>
> + /// Appends an element to the back of the [`Vec`] instance without reallocating.
> + ///
> + /// Fails if the vector does not have capacity for the new element.
> + ///
> + /// # Examples
> + ///
> + /// ```
> + /// let mut v = KVec::with_capacity(10, GFP_KERNEL)?;
> + /// for i in 0..10 {
> + /// v.push_within_capacity(i)?;
> + /// }
> + ///
> + /// assert!(v.push_within_capacity(10).is_err());
> + /// # Ok::<(), Error>(())
> + /// ```
> + pub fn push_within_capacity(&mut self, v: T) -> Result<(), PushError<T>> {
> + if self.len() < self.capacity() {
> + // SAFETY: The length is less than the capacity.
> + unsafe { self.push_within_capacity_unchecked(v) };
> + Ok(())
> + } else {
> + Err(PushError(v))
> + }
> + }
> +
> + /// Appends an element to the back of the [`Vec`] instance without reallocating.
> + ///
> + /// # Safety
> + ///
> + /// The length must be less than the capacity.
> + pub unsafe fn push_within_capacity_unchecked(&mut self, v: T) {
Why does this have to be public? Does binder need to call this instead
of just push_within_capacity()?
thanks,
greg k-h
Powered by blists - more mailing lists