| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <27139676-8470-4067-b259-f01022751bbc@konsulko.se>
Date: Thu, 21 Aug 2025 16:15:25 +0200
From: Vitaly Wool <vitaly.wool@...sulko.se>
To: Danilo Krummrich <dakr@...nel.org>
Cc: rust-for-linux@...r.kernel.org, linux-kernel@...r.kernel.org,
Uladzislau Rezki <urezki@...il.com>, Alice Ryhl <aliceryhl@...gle.com>,
Vlastimil Babka <vbabka@...e.cz>,
Lorenzo Stoakes <lorenzo.stoakes@...cle.com>,
"Liam R . Howlett" <Liam.Howlett@...cle.com>, Miguel Ojeda
<ojeda@...nel.org>, Alex Gaynor <alex.gaynor@...il.com>,
Boqun Feng <boqun.feng@...il.com>, Gary Guo <gary@...yguo.net>,
Bjorn Roy Baron <bjorn3_gh@...tonmail.com>, Benno Lossin
<lossin@...nel.org>, Andreas Hindborg <a.hindborg@...nel.org>,
Trevor Gross <tmgross@...ch.edu>, Johannes Weiner <hannes@...xchg.org>,
Yosry Ahmed <yosry.ahmed@...ux.dev>, Nhat Pham <nphamcs@...il.com>,
linux-mm@...ck.org
Subject: Re: [PATCH v2] rust: zpool: add abstraction for zpool drivers
On 8/21/25 14:32, Danilo Krummrich wrote:
> On Thu Aug 21, 2025 at 2:03 PM CEST, Danilo Krummrich wrote:
>> On Thu Aug 21, 2025 at 1:17 PM CEST, Vitaly Wool wrote:
>>> + /// preferred NUMA node `nid`. If the allocation is successful, an opaque handle is returned.
>>> + fn malloc(
>>> + pool: <Self::Pool as ForeignOwnable>::BorrowedMut<'_>,
>>> + size: usize,
>>> + gfp: Flags,
>>> + nid: NumaNode,
>>> + ) -> Result<usize>;
>>
>> I still think we need a proper type representation of a zpool handle that
>> guarantees validity and manages its lifetime.
>>
>> For instance, what prevents a caller from calling write() with a random handle?
>>
>> Looking at zsmalloc(), if I call write() with a random number, I will most
>> likely oops the kernel. This is not acceptable for safe APIs.
>>
>> Alternatively, all those trait functions have to be unsafe, which would be very
>> unfortunate.
>
> I just noticed that I confused something here. :)
>
> So, for the backend driver this trait is obviously fine, since you have to implement
> the C ops -- sorry for the confusion.
>
> However, you still have to mark all functions except alloc() and total_pages()
> as unsafe and document and justify the corresponding safety requirements.
How is destroy() different from alloc() in terms of safety? I believe
it's only free, read_{begin|end}, write that should be marked as unsafe.
>>> + /// Free a previously allocated from the `pool` object, represented by `handle`.
>>> + fn free(pool: <Self::Pool as ForeignOwnable>::Borrowed<'_>, handle: usize);
>>
>> What happens if I forget to call free()?
>>
>>> + /// Make all the necessary preparations for the caller to be able to read from the object
>>> + /// represented by `handle` and return a valid pointer to the `handle` memory to be read.
>>> + fn read_begin(pool: <Self::Pool as ForeignOwnable>::Borrowed<'_>, handle: usize)
>>> + -> NonNull<u8>;
>>
>> Same for this, making it a NonNull<u8> is better than a *mut c_void, but it's
>> still a raw pointer. Nothing prevents users from using this raw pointer after
>> read_end() has been called.
>>
>> This needs a type representation that only lives until read_end().
>>
>> In general, I think this design doesn't really work out well. I think the design
>> should be something along the lines of:
>>
>> (1) We should only provide alloc() on the Zpool itself and which returns a
>> Zmem instance. A Zmem instance must not outlive the Zpool it was allocated
>> with.
>>
>> (2) Zmem should call free() when it is dropped. It should provide read_begin()
>> and write() methods.
>>
>> (3) Zmem::read_begin() should return a Zslice which must not outlive Zmem and
>> calls read_end() when dropped.
>
> This design is obiously for when you want to use a Zpool, but not implement its
> backend. :)
Powered by blists - more mailing lists