lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <DBUMKISHUL6D.UVSF04ZRQR9Z@kernel.org>
Date: Tue, 05 Aug 2025 18:12:44 +0200
From: "Danilo Krummrich" <dakr@...nel.org>
To: "Jason Gunthorpe" <jgg@...pe.ca>
Cc: "Abdiel Janulgue" <abdiel.janulgue@...il.com>, "Alexandre Courbot"
 <acourbot@...dia.com>, <lyude@...hat.com>, "Miguel Ojeda"
 <ojeda@...nel.org>, "Alex Gaynor" <alex.gaynor@...il.com>, "Boqun Feng"
 <boqun.feng@...il.com>, "Gary Guo" <gary@...yguo.net>,
 Björn Roy Baron <bjorn3_gh@...tonmail.com>, "Benno Lossin"
 <lossin@...nel.org>, "Andreas Hindborg" <a.hindborg@...nel.org>, "Alice
 Ryhl" <aliceryhl@...gle.com>, "Trevor Gross" <tmgross@...ch.edu>, "Tamir
 Duberstein" <tamird@...il.com>, "FUJITA Tomonori"
 <fujita.tomonori@...il.com>, "open list" <linux-kernel@...r.kernel.org>,
 "Andrew Morton" <akpm@...ux-foundation.org>, "Randy Dunlap"
 <rdunlap@...radead.org>, "Herbert Xu" <herbert@...dor.apana.org.au>, "Caleb
 Sander Mateos" <csander@...estorage.com>, "Petr Tesarik"
 <petr@...arici.cz>, "Sui Jingfeng" <sui.jingfeng@...ux.dev>, "Marek
 Szyprowski" <m.szyprowski@...sung.com>, "Robin Murphy"
 <robin.murphy@....com>, <airlied@...hat.com>, "open list:DMA MAPPING
 HELPERS" <iommu@...ts.linux.dev>, <rust-for-linux@...r.kernel.org>
Subject: Re: [PATCH v3 1/2] rust: add initial scatterlist abstraction

On Tue Aug 5, 2025 at 5:42 PM CEST, Jason Gunthorpe wrote:
> On Mon, Aug 04, 2025 at 11:56:53AM +0300, Abdiel Janulgue wrote:
>> Hi,
>> 
>> On 24/07/2025 08:40, Alexandre Courbot wrote:
>> > 
>> > I see a few issues with the `Item` type here.
>> > 
>> > The first one is that `Page` can only be created by allocating a new
>> > page from scratch using `Page::alloc_page`. This doesn't cover the cases
>> > where we want to map memory that is now allocated through this
>> > mechanism, e.g. when mapping a `VVec`. So I think we have no choice but
>> > return `*mut bindings::page`s.
>> > 
>> Just commenting on this bit, still going through the others one by one.
>> Anyways, there is already existing code I'm working on that should be able
>> to extend Page that are not allocated by it's constructor (e.g. those coming
>> from vmalloc_to_page). I think's it's safe at least to not expose the raw
>> pointers here if we can? Just a thought.
>
> I would try not to expose vmalloc_to_page() to safe rust.

Agreed, not directly at least, more below.

> alloc_page() at least gives you a refcounted page with a sensible
> refcount based lifecycle, vmalloc_to_page() gives you something that
> is not refcountable at all and has a lifetime bound to the vmalloc.
>
> They may both be struct page in C but for rust they have very
> different rules and probably types.

For now they actually have, i.e. BorrowedPage<'a> [1], but this will go away
once we have the Ownable trait and Owned type. Once we have that we can
represent a borrowed page as &'a Page. Where 'a represents the lifetime of the
reference in both cases.

Let me sketch up how the lifetime of a page is modeled if the page is owned by
some other entity, let's say a vmalloc allocation through VBox.

First we have a trait which represents the owner of a Page that we can borrow
the page from:

	pub trait PageOwner {
	    fn borrow_page_at<'a>(&'a mut self, n: usize) -> Result<BorrowedPage<'a>>;
	}

The Vmalloc allocator can provide a helper for vmalloc_to_page(), but this is
not an API that should be used by drivers directly:

	impl Vmalloc {
	    pub unsafe fn to_page<'a>(ptr: NonNull<u8>) -> page::BorrowedPage<'a> {
	        // SAFETY: `ptr` is a valid pointer to `Vmalloc` memory.
	        let page = unsafe { bindings::vmalloc_to_page(ptr.as_ptr().cast()) };
	
	        // SAFETY: `vmalloc_to_page` returns a valid pointer to a `struct page` for a valid pointer
	        // to `Vmalloc` memory.
	        let page = unsafe { NonNull::new_unchecked(page) };
	
	        // SAFETY:
	        // - `self.0` is a valid pointer to a `struct page`.
	        // - `self.0` is valid for the entire lifetime of `'a`.
	        unsafe { page::BorrowedPage::from_raw(page) }
	    }
	}

The implementation of VBox could look like this:

	impl<T> PageOwner for VBox<T> {
	    fn borrow_page_at<'a>(&'a mut self, n: usize) -> Result<BorrowedPage<'a>> {
	        // Calculate offset of the Nth page of the VBox and store it in `ptr`.
	
	        unsafe { Vmalloc::to_page(ptr) }
	    }
	}

(Actually, we may want to use some iterator instead. I'm not sure yet, but
either way, the same principle does apply.)

Finally, if you have some VBox you can borrow a Page list this:

	let mut vbox = VBox::<[u8; PAGE_SIZE]>::new_uninit(GFP_KERNEL)?;

	// Get the first page of the `vbox`.
	let page = borrow_page_at(&mut vbox, 0)?;

Note that the lifetime of page is now bound to the lifetime of vbox.

Analogous, any entity that owns one or multiple pages can implement the
PageOwner trait in a similar way.

For the scatterlist abstractions, we're mostly interested in VVec for now.

For an owned SGTable we would consume a value of some generic type P that
implements PageOwner (P: PageOwner), or whatever we call it in the end.

> If you want kmalloc/vmalloc to get into a scatterlist you should have
> APIs to go directly from void * and into the scatterlist, and also
> link the scatterlist to the lifetime of the original allocation.

[1] https://lore.kernel.org/rust-for-linux/20250804195023.150399-1-dakr@kernel.org/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ