Message-Id: <81C84BD8-D99C-4103-A280-CFC71DF58E3B@collabora.com>
Date: Sun, 10 Aug 2025 11:27:12 -0300
From: Daniel Almeida <daniel.almeida@...labora.com>
To: Sidong Yang <sidong.yang@...iosa.ai>
Cc: Benno Lossin <lossin@...nel.org>,
Caleb Sander Mateos <csander@...estorage.com>,
Miguel Ojeda <ojeda@...nel.org>,
Arnd Bergmann <arnd@...db.de>,
Jens Axboe <axboe@...nel.dk>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
rust-for-linux@...r.kernel.org,
linux-kernel@...r.kernel.org,
io-uring@...r.kernel.org
Subject: Re: [RFC PATCH v2 2/4] rust: io_uring: introduce rust abstraction for
io-uring cmd
> On 10 Aug 2025, at 10:50, Sidong Yang <sidong.yang@...iosa.ai> wrote:
>
> On Sat, Aug 09, 2025 at 10:22:06PM +0200, Benno Lossin wrote:
>> On Sat Aug 9, 2025 at 2:51 PM CEST, Sidong Yang wrote:
>>> On Sat, Aug 09, 2025 at 12:18:49PM +0200, Benno Lossin wrote:
>>>> We'd need to ensure that `borrow_pdu` can only be called if `store_pdu`
>>>> has been called before. Is there any way we can just ensure that pdu is
>>>> always initialized? Like a callback that's called once, before the value
>>>> is used at all?
>>>
>>> I've thought about this. As Caleb said, returning `&mut MaybeUninit<[u8;32]>` is
>>> simple and best. Only driver knows it's initialized. There is no way to
>>> check whether it's initialized with reading the pdu. The best way is to return
>>> `&mut MaybeUninit<[u8;32]>` and driver initializes it in first time. After
>>> init, driver knows it's guaranteed that it's initialized so it could call
>>> `assume_init_mut()`. And casting to other struct is another problem. The driver
>>> is responsible for determining how to interpret the PDU, whether by using it
>>> directly as a byte array or by performing an unsafe cast to another struct.
>>
>> But then drivers will have to use `unsafe` & possibly cast the slice to
>> a struct? I think that's bad design since we try to avoid unsafe code in
>> drivers as much as possible. Couldn't we try to ensure from the
>> abstraction side that any time you create such an object, the driver
>> needs to provide the pdu data? Or we could make it implement `Default`
>> and then set it to that before handing it to the driver.
>
> pdu data is [u8; 32] memory space that driver can borrow. This has two kinds of
> issues. The one is that the array is not initialized and another one is it's
> array type that driver should cast it to private data structure unsafely.
> The first one could be resolved with returning `&mut MaybeUninit<>`. And the
> second one, casting issue, is remaining.
>
> It seems that we need new unsafe trait like below:
>
> /// Pdu should be... repr C or transparent, sizeof <= 20
> unsafe trait Pdu: Sized {}
>
> /// Returning to casted Pdu type T
> pub fn pdu<T: Pdu>(&mut self) -> &mut MaybeUninit<T>

Wait, you receive an uninitialized array, and you’re supposed to cast it to
T, is that correct? Because that does not fit the signature above.

>
> I think it is like bytemuck::Pod trait. Pod meaning plain old data.
>
> Thanks,
> Sidong
>
>
>>
>> ---
>> Cheers,
>> Benno

I'm not really sure how this solves the transmute/cast problem. Is the trait
you're referring to supposed to have any member functions? Or is it just a
marker trait?

I wonder if we can fit the existing "kernel::FromBytes" for this problem.

— Daniel
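
As an added illustration (not code from the patch series or from anyone in this thread), the userspace Rust sketch below models the `pdu<T: Pdu>() -> &mut MaybeUninit<T>` accessor discussed above, using an unsafe marker trait whose size and alignment bound is checked at compile time. `IoUringCmd`, `CmdState`, `issue` and `complete` are hypothetical stand-ins, and the 8-byte alignment of the pdu area is an assumption.

```rust
use core::mem::{align_of, size_of, MaybeUninit};
pub const PDU_SIZE: usize = 32; // the [u8; 32] area discussed in the thread

/// Userspace stand-in for the command object (hypothetical, not the kernel type).
#[repr(C, align(8))] // assumption: the pdu area is 8-byte aligned
pub struct IoUringCmd {
    pdu: MaybeUninit<[u8; PDU_SIZE]>,
}

/// Marker trait in the spirit of the one sketched in the thread.
/// # Safety
/// Implementers must be plain data (`repr(C)`/`repr(transparent)`, no `Drop`).
pub unsafe trait Pdu: Sized {
    /// Evaluated per type at compile time: an oversized or over-aligned type fails the build.
    const FITS: () = assert!(size_of::<Self>() <= PDU_SIZE && align_of::<Self>() <= 8);
}

impl IoUringCmd {
    pub fn new() -> Self { Self { pdu: MaybeUninit::uninit() } }
    /// The only pointer cast lives here, in the abstraction, not in the driver.
    pub fn pdu<T: Pdu>(&mut self) -> &mut MaybeUninit<T> {
        let () = T::FITS; // forces the compile-time bound check for this T
        // SAFETY: FITS proves T fits the aligned area; MaybeUninit<T> accepts any bytes.
        unsafe { &mut *self.pdu.as_mut_ptr().cast::<MaybeUninit<T>>() }
    }
}

/// Constructed example of driver-private per-command state.
#[repr(C)]
pub struct CmdState { pub tag: u64, pub remaining: u32 }
// SAFETY: repr(C), 16 bytes, align 8, no Drop.
unsafe impl Pdu for CmdState {}

pub fn issue(cmd: &mut IoUringCmd, tag: u64, remaining: u32) {
    cmd.pdu::<CmdState>().write(CmdState { tag, remaining }); // safe: this initializes
}

pub fn complete(cmd: &mut IoUringCmd) -> u32 {
    // SAFETY: driver-side invariant, `issue` already ran on this command.
    let st = unsafe { cmd.pdu::<CmdState>().assume_init_mut() };
    st.remaining -= 1;
    st.remaining
}

fn main() {
    let mut cmd = IoUringCmd::new();
    issue(&mut cmd, 7, 3);
    assert_eq!(complete(&mut cmd), 2);
}
```

In this model the cast is confined to `pdu`, but the driver still needs one `unsafe` block for `assume_init_mut`, which is the initialization question raised earlier in the thread.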