On 05.08.24 17:19, Danilo Krummrich wrote: > Implement `Allocator` for `Kmalloc`, the kernel's default allocator, > typically used for objects smaller than page size. > > All memory allocations made with `Kmalloc` end up in `krealloc()`. > > It serves as allocator for the subsequently introduced types `KBox` and > `KVec`. > > Signed-off-by: Danilo Krummrich <dakr@xxxxxxxxxx> > --- > rust/helpers.c | 3 +- > rust/kernel/alloc.rs | 2 +- > rust/kernel/alloc/allocator.rs | 68 +++++++++++++++++++++++++++++++++- > 3 files changed, 69 insertions(+), 4 deletions(-) > > diff --git a/rust/helpers.c b/rust/helpers.c > index 92d3c03ae1bd..9f7275493365 100644 > --- a/rust/helpers.c > +++ b/rust/helpers.c > @@ -193,8 +193,7 @@ void rust_helper_init_work_with_key(struct work_struct *work, work_func_t func, > } > EXPORT_SYMBOL_GPL(rust_helper_init_work_with_key); > > -void * __must_check __realloc_size(2) > -rust_helper_krealloc(const void *objp, size_t new_size, gfp_t flags) > +void *rust_helper_krealloc(const void *objp, size_t new_size, gfp_t flags) > { > return krealloc(objp, new_size, flags); > } > diff --git a/rust/kernel/alloc.rs b/rust/kernel/alloc.rs > index 8a71a589469d..bc01a17df5e0 100644 > --- a/rust/kernel/alloc.rs > +++ b/rust/kernel/alloc.rs > @@ -4,7 +4,7 @@ > > #[cfg(not(test))] > #[cfg(not(testlib))] > -mod allocator; > +pub mod allocator; > pub mod box_ext; > pub mod vec_ext; > > diff --git a/rust/kernel/alloc/allocator.rs b/rust/kernel/alloc/allocator.rs > index 2c1eae25da84..c6ad1dd59dd0 100644 > --- a/rust/kernel/alloc/allocator.rs > +++ b/rust/kernel/alloc/allocator.rs > @@ -5,8 +5,16 @@ > use super::{flags::*, Flags}; > use core::alloc::{GlobalAlloc, Layout}; > use core::ptr; > +use core::ptr::NonNull; > > -struct Kmalloc; > +use crate::alloc::{AllocError, Allocator}; > +use crate::bindings; > + > +/// The contiguous kernel allocator. > +/// > +/// The contiguous kernel allocator only ever allocates physically contiguous memory through > +/// `bindings::krealloc`. > +pub struct Kmalloc; > > /// Returns a proper size to alloc a new object aligned to `new_layout`'s alignment. > fn aligned_size(new_layout: Layout) -> usize { > @@ -40,6 +48,64 @@ pub(crate) unsafe fn krealloc_aligned(ptr: *mut u8, new_layout: Layout, flags: F > } > } > > +/// # Invariants > +/// > +/// One of the following `krealloc`, `vrealloc`, `kvrealloc`. > +struct ReallocFunc( > + unsafe extern "C" fn(*const core::ffi::c_void, usize, u32) -> *mut core::ffi::c_void, > +); > + > +impl ReallocFunc { > + // INVARIANT: `krealloc` satisfies the type invariants. This INVARIANT comment should be moved one line downwards. > + fn krealloc() -> Self { > + Self(bindings::krealloc) > + } > + > + /// # Safety > + /// > + /// This method has the exact same safety requirements as `Allocator::realloc`. I would remove "exact", I don't think we want to mean "almost the same" when we write just "same". > + unsafe fn call( > + &self, > + ptr: Option<NonNull<u8>>, > + layout: Layout, > + flags: Flags, > + ) -> Result<NonNull<[u8]>, AllocError> { > + let size = aligned_size(layout); > + let ptr = match ptr { > + Some(ptr) => ptr.as_ptr(), > + None => ptr::null(), > + }; > + > + // SAFETY: `ptr` is valid by the safety requirements of this function. "`ptr` is either NULL or valid by the safety requirements of this function." > + let raw_ptr = unsafe { > + // If `size == 0` and `ptr != NULL` the memory behind the pointer is freed. > + self.0(ptr.cast(), size, flags.0).cast() > + }; > + > + let ptr = if size == 0 { > + NonNull::dangling() If we call `realloc(Some(ptr), <layout with size = 0>, ...)`, then this leaks the pointer returned by the call to `self.0` above. I don't know what the return value of the different functions are that can appear in `self.0`, do they return NULL? What about the following sequence: let ptr = realloc(None, <layout with size = 0>, ...); let ptr = realloc(Some(ptr), <layout with size = 0>, ...); Then the above call to `self.0` is done with a dangling pointer, can the functions that appear in `self.0` handle that? > + } else { > + NonNull::new(raw_ptr).ok_or(AllocError)? > + }; > + > + Ok(NonNull::slice_from_raw_parts(ptr, size)) > + } > +} > + > +unsafe impl Allocator for Kmalloc { > + unsafe fn realloc( > + ptr: Option<NonNull<u8>>, > + layout: Layout, > + flags: Flags, > + ) -> Result<NonNull<[u8]>, AllocError> { > + let realloc = ReallocFunc::krealloc(); > + > + // SAFETY: If not `None`, `ptr` is guaranteed to point to valid memory, which was previously > + // allocated with this `Allocator`. What about the other requirements? (they should be satisfied, since they are also requirements for calling this function) > + unsafe { realloc.call(ptr, layout, flags) } If you make `ReallocFunc::krealloc()` into a constant `ReallocFunc::KREALLOC`, then we could avoid the let binding above. --- Cheers, Benno > + } > +} > + > unsafe impl GlobalAlloc for Kmalloc { > unsafe fn alloc(&self, layout: Layout) -> *mut u8 { > // SAFETY: `ptr::null_mut()` is null and `layout` has a non-zero size by the function safety > -- > 2.45.2 >