| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <DC83WSYHY3K1.1D3XEES0BIKGS@kernel.org> Date: Thu, 21 Aug 2025 14:32:44 +0200 From: "Danilo Krummrich" <dakr@...nel.org> To: "Vitaly Wool" <vitaly.wool@...sulko.se> Cc: <rust-for-linux@...r.kernel.org>, <linux-kernel@...r.kernel.org>, "Uladzislau Rezki" <urezki@...il.com>, "Alice Ryhl" <aliceryhl@...gle.com>, "Vlastimil Babka" <vbabka@...e.cz>, "Lorenzo Stoakes" <lorenzo.stoakes@...cle.com>, "Liam R . Howlett" <Liam.Howlett@...cle.com>, "Miguel Ojeda" <ojeda@...nel.org>, "Alex Gaynor" <alex.gaynor@...il.com>, "Boqun Feng" <boqun.feng@...il.com>, "Gary Guo" <gary@...yguo.net>, "Bjorn Roy Baron" <bjorn3_gh@...tonmail.com>, "Benno Lossin" <lossin@...nel.org>, "Andreas Hindborg" <a.hindborg@...nel.org>, "Trevor Gross" <tmgross@...ch.edu>, "Johannes Weiner" <hannes@...xchg.org>, "Yosry Ahmed" <yosry.ahmed@...ux.dev>, "Nhat Pham" <nphamcs@...il.com>, <linux-mm@...ck.org> Subject: Re: [PATCH v2] rust: zpool: add abstraction for zpool drivers On Thu Aug 21, 2025 at 2:03 PM CEST, Danilo Krummrich wrote: > On Thu Aug 21, 2025 at 1:17 PM CEST, Vitaly Wool wrote: >> + /// preferred NUMA node `nid`. If the allocation is successful, an opaque handle is returned. >> + fn malloc( >> + pool: <Self::Pool as ForeignOwnable>::BorrowedMut<'_>, >> + size: usize, >> + gfp: Flags, >> + nid: NumaNode, >> + ) -> Result<usize>; > > I still think we need a proper type representation of a zpool handle that > guarantees validity and manages its lifetime. > > For instance, what prevents a caller from calling write() with a random handle? > > Looking at zsmalloc(), if I call write() with a random number, I will most > likely oops the kernel. This is not acceptable for safe APIs. > > Alternatively, all those trait functions have to be unsafe, which would be very > unfortunate. I just noticed that I confused something here. :) So, for the backend driver this trait is obviously fine, since you have to implement the C ops -- sorry for the confusion. However, you still have to mark all functions except alloc() and total_pages() as unsafe and document and justify the corresponding safety requirements. >> + /// Free a previously allocated from the `pool` object, represented by `handle`. >> + fn free(pool: <Self::Pool as ForeignOwnable>::Borrowed<'_>, handle: usize); > > What happens if I forget to call free()? > >> + /// Make all the necessary preparations for the caller to be able to read from the object >> + /// represented by `handle` and return a valid pointer to the `handle` memory to be read. >> + fn read_begin(pool: <Self::Pool as ForeignOwnable>::Borrowed<'_>, handle: usize) >> + -> NonNull<u8>; > > Same for this, making it a NonNull<u8> is better than a *mut c_void, but it's > still a raw pointer. Nothing prevents users from using this raw pointer after > read_end() has been called. > > This needs a type representation that only lives until read_end(). > > In general, I think this design doesn't really work out well. I think the design > should be something along the lines of: > > (1) We should only provide alloc() on the Zpool itself and which returns a > Zmem instance. A Zmem instance must not outlive the Zpool it was allocated > with. > > (2) Zmem should call free() when it is dropped. It should provide read_begin() > and write() methods. > > (3) Zmem::read_begin() should return a Zslice which must not outlive Zmem and > calls read_end() when dropped. This design is obiously for when you want to use a Zpool, but not implement its backend. :)
Powered by blists - more mailing lists