Message-Id: <DBZ0O49ME4BF.2JFHBZQVPJ4TK@kernel.org>
Date: Sun, 10 Aug 2025 22:06:21 +0200
From: "Benno Lossin" <lossin@...nel.org>
To: "Sidong Yang" <sidong.yang@...iosa.ai>, "Daniel Almeida"
<daniel.almeida@...labora.com>
Cc: "Caleb Sander Mateos" <csander@...estorage.com>, "Miguel Ojeda"
<ojeda@...nel.org>, "Arnd Bergmann" <arnd@...db.de>, "Jens Axboe"
<axboe@...nel.dk>, "Greg Kroah-Hartman" <gregkh@...uxfoundation.org>,
<rust-for-linux@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
<io-uring@...r.kernel.org>
Subject: Re: [RFC PATCH v2 2/4] rust: io_uring: introduce rust abstraction
for io-uring cmd
On Sun Aug 10, 2025 at 4:46 PM CEST, Sidong Yang wrote:
> On Sun, Aug 10, 2025 at 11:27:12AM -0300, Daniel Almeida wrote:
>> > On 10 Aug 2025, at 10:50, Sidong Yang <sidong.yang@...iosa.ai> wrote:
>> >
>> > On Sat, Aug 09, 2025 at 10:22:06PM +0200, Benno Lossin wrote:
>> >> On Sat Aug 9, 2025 at 2:51 PM CEST, Sidong Yang wrote:
>> >>> On Sat, Aug 09, 2025 at 12:18:49PM +0200, Benno Lossin wrote:
>> >>>> We'd need to ensure that `borrow_pdu` can only be called if `store_pdu`
>> >>>> has been called before. Is there any way we can just ensure that pdu is
>> >>>> always initialized? Like a callback that's called once, before the value
>> >>>> is used at all?
>> >>>
>> >>> I've thought about this. As Caleb said, returning `&mut MaybeUninit<[u8;32]>` is
>> >>> simple and best. Only driver knows it's initialized. There is no way to
>> >>> check whether it's initialized with reading the pdu. The best way is to return
>> >>> `&mut MaybeUninit<[u8;32]>` and driver initializes it in first time. After
>> >>> init, driver knows it's guaranteed that it's initialized so it could call
>> >>> `assume_init_mut()`. And casting to other struct is another problem. The driver
>> >>> is responsible for determining how to interpret the PDU, whether by using it
>> >>> directly as a byte array or by performing an unsafe cast to another struct.
>> >>
>> >> But then drivers will have to use `unsafe` & possibly cast the slice to
>> >> a struct? I think that's bad design since we try to avoid unsafe code in
>> >> drivers as much as possible. Couldn't we try to ensure from the
>> >> abstraction side that any time you create such an object, the driver
>> >> needs to provide the pdu data? Or we could make it implement `Default`
>> >> and then set it to that before handing it to the driver.
>> >
>> > pdu data is [u8; 32] memory space that driver can borrow. This has two kinds of
>> > issues. The one is that the array is not initialized and another one is it's
>> > array type that driver should cast it to private data structure unsafely.
>> > The first one could be resolved with returning `&mut MaybeUninit<>`. And the
>> > second one, casting issue, is remaining.
>> >
>> > It seems that we need new unsafe trait like below:
>> >
>> > /// Pdu should be... repr C or transparent, sizeof <= 20
>> > unsafe trait Pdu: Sized {}
>> >
>> > /// Returning to casted Pdu type T
>> > pub fn pdu<T: Pdu>(&mut self) -> &mut MaybeUninit<T>
>>
>> Wait, you receive an uninitialized array, and you're supposed to cast it to
>> T, is that correct? Because that does not fit the signature above.
>
> Sorry if my intent wasn't clear. More example below:
>
> // in rust/kernel/io_uring.rs
> unsafe trait Pdu: Sized {}
> pub fn pdu<T: Pdu>(&mut self) -> &mut MaybeUninit<T> {
>     let inner = unsafe { &mut *self.inner.get() };
>     let ptr = &raw mut inner.pdu as *mut MaybeUninit<T>; // the cast here
>     unsafe { &mut *ptr }
> }
>
> // in driver code
> #[repr(C)] struct MyPdu { value: u64 }
> unsafe impl Pdu for MyPdu {}
>
> // initialize
> ioucmd.pdu().write(MyPdu { value: 1 });
>
> // read or modify
> let mypdu = unsafe { ioucmd.pdu().assume_init_mut() };

This is the kind of code I'd like to avoid, since it plans to use
`unsafe` in driver code (the `unsafe impl` above is also a problem, but
we can solve that with a derive macro).

Where are the entrypoints for `IoUringCmd` for driver code? I imagine
that there is some kind of a driver callback (like `probe`, `open` etc)
that contains a `Pin<&mut IoUringCmd>` as an argument, right? When is
it created, can we control that & just write some default value to the
pdu field?

---
Cheers,
Benno
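
The question in the reply above, whether the abstraction can write a default value into the pdu before the driver sees it, can be modelled in userspace Rust. This is an added example, not code from the patch series or from any participant in the thread; `RawCmd`, `TypedCmd`, `FITS` and `driver_roundtrip` are hypothetical names, and the 32-byte, 8-byte-aligned storage is an assumption standing in for the kernel's pdu field.

```rust
use std::marker::PhantomData;
use std::mem::{align_of, size_of, MaybeUninit};

const PDU_SIZE: usize = 32;

/// Userspace stand-in for the command's pdu storage (assumed layout, not the kernel struct).
#[repr(C, align(8))]
pub struct RawCmd { pdu: MaybeUninit<[u8; PDU_SIZE]> }

/// Typed view whose only constructor initializes the pdu, so access needs no `unsafe`.
pub struct TypedCmd<'a, T> { raw: &'a mut RawCmd, _pdu: PhantomData<T> }

impl<'a, T: Default> TypedCmd<'a, T> {
    // Evaluated at compile time for each T: a type that does not fit fails to build.
    const FITS: () =
        assert!(size_of::<T>() <= PDU_SIZE && align_of::<T>() <= align_of::<RawCmd>());

    /// Abstraction side: runs before any driver callback receives the command.
    pub fn init(raw: &'a mut RawCmd) -> Self {
        let () = Self::FITS;
        // SAFETY: FITS guarantees the storage is large and aligned enough for T.
        unsafe { raw.pdu.as_mut_ptr().cast::<T>().write(T::default()) };
        TypedCmd { raw, _pdu: PhantomData }
    }

    /// Safe accessor: `init` is the only constructor, so the pdu holds a valid T.
    pub fn pdu(&mut self) -> &mut T {
        // SAFETY: initialized in `init`; size and alignment checked by FITS.
        unsafe { &mut *self.raw.pdu.as_mut_ptr().cast::<T>() }
    }
}

// Driver side: no `unsafe` block and no `unsafe impl`.
#[derive(Default)]
pub struct MyPdu { pub value: u64 }

pub fn driver_roundtrip() -> (u64, u64) {
    let mut raw = RawCmd { pdu: MaybeUninit::uninit() };
    let mut cmd = TypedCmd::<MyPdu>::init(&mut raw);
    let initial = cmd.pdu().value; // default written by `init`, not by the driver
    cmd.pdu().value = 1;
    (initial, cmd.pdu().value)
}

fn main() {
    println!("{:?}", driver_roundtrip());
}
```

A `T` larger than 32 bytes, or with alignment above 8, is rejected at compile time when `init` is instantiated for it.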