On Tue, Aug 06, 2024 at 04:51:28PM +0000, Benno Lossin wrote:
> On 05.08.24 17:19, Danilo Krummrich wrote:
> > Implement `Allocator` for `Kmalloc`, the kernel's default allocator,
> > typically used for objects smaller than page size.
> >
> > All memory allocations made with `Kmalloc` end up in `krealloc()`.
> >
> > It serves as allocator for the subsequently introduced types `KBox` and
> > `KVec`.
> >
> > Signed-off-by: Danilo Krummrich <dakr@xxxxxxxxxx>
> > ---
> > rust/helpers.c | 3 +-
> > rust/kernel/alloc.rs | 2 +-
> > rust/kernel/alloc/allocator.rs | 68 +++++++++++++++++++++++++++++++++-
> > 3 files changed, 69 insertions(+), 4 deletions(-)
> >
> > diff --git a/rust/helpers.c b/rust/helpers.c
> > index 92d3c03ae1bd..9f7275493365 100644
> > --- a/rust/helpers.c
> > +++ b/rust/helpers.c
> > @@ -193,8 +193,7 @@ void rust_helper_init_work_with_key(struct work_struct *work, work_func_t func,
> > }
> > EXPORT_SYMBOL_GPL(rust_helper_init_work_with_key);
> >
> > -void * __must_check __realloc_size(2)
> > -rust_helper_krealloc(const void *objp, size_t new_size, gfp_t flags)
> > +void *rust_helper_krealloc(const void *objp, size_t new_size, gfp_t flags)
> > {
> > return krealloc(objp, new_size, flags);
> > }
> > diff --git a/rust/kernel/alloc.rs b/rust/kernel/alloc.rs
> > index 8a71a589469d..bc01a17df5e0 100644
> > --- a/rust/kernel/alloc.rs
> > +++ b/rust/kernel/alloc.rs
> > @@ -4,7 +4,7 @@
> >
> > #[cfg(not(test))]
> > #[cfg(not(testlib))]
> > -mod allocator;
> > +pub mod allocator;
> > pub mod box_ext;
> > pub mod vec_ext;
> >
> > diff --git a/rust/kernel/alloc/allocator.rs b/rust/kernel/alloc/allocator.rs
> > index 2c1eae25da84..c6ad1dd59dd0 100644
> > --- a/rust/kernel/alloc/allocator.rs
> > +++ b/rust/kernel/alloc/allocator.rs
> > @@ -5,8 +5,16 @@
> > use super::{flags::*, Flags};
> > use core::alloc::{GlobalAlloc, Layout};
> > use core::ptr;
> > +use core::ptr::NonNull;
> >
> > -struct Kmalloc;
> > +use crate::alloc::{AllocError, Allocator};
> > +use crate::bindings;
> > +
> > +/// The contiguous kernel allocator.
> > +///
> > +/// The contiguous kernel allocator only ever allocates physically contiguous memory through
> > +/// `bindings::krealloc`.
> > +pub struct Kmalloc;
> >
> > /// Returns a proper size to alloc a new object aligned to `new_layout`'s alignment.
> > fn aligned_size(new_layout: Layout) -> usize {
> > @@ -40,6 +48,64 @@ pub(crate) unsafe fn krealloc_aligned(ptr: *mut u8, new_layout: Layout, flags: F
> > }
> > }
> >
> > +/// # Invariants
> > +///
> > +/// One of the following `krealloc`, `vrealloc`, `kvrealloc`.
> > +struct ReallocFunc(
> > + unsafe extern "C" fn(*const core::ffi::c_void, usize, u32) -> *mut core::ffi::c_void,
> > +);
> > +
> > +impl ReallocFunc {
> > + // INVARIANT: `krealloc` satisfies the type invariants.
>
> This INVARIANT comment should be moved one line downwards.
>
> > + fn krealloc() -> Self {
> > + Self(bindings::krealloc)
> > + }
> > +
> > + /// # Safety
> > + ///
> > + /// This method has the exact same safety requirements as `Allocator::realloc`.
>
> I would remove "exact", I don't think we want to mean "almost the same"
> when we write just "same".
>
> > + unsafe fn call(
> > + &self,
> > + ptr: Option<NonNull<u8>>,
> > + layout: Layout,
> > + flags: Flags,
> > + ) -> Result<NonNull<[u8]>, AllocError> {
> > + let size = aligned_size(layout);
> > + let ptr = match ptr {
> > + Some(ptr) => ptr.as_ptr(),
> > + None => ptr::null(),
> > + };
> > +
> > + // SAFETY: `ptr` is valid by the safety requirements of this function.
>
> "`ptr` is either NULL or valid by the safety requirements of this
> function."
Agreed, for this one and the above ones.
>
> > + let raw_ptr = unsafe {
> > + // If `size == 0` and `ptr != NULL` the memory behind the pointer is freed.
> > + self.0(ptr.cast(), size, flags.0).cast()
> > + };
> > +
> > + let ptr = if size == 0 {
> > + NonNull::dangling()
>
> If we call `realloc(Some(ptr), <layout with size = 0>, ...)`, then this
> leaks the pointer returned by the call to `self.0` above. I don't know
> what the return value of the different functions are that can appear in
> `self.0`, do they return NULL?
That is fine, we don't care about the return value. All `ReallocFunc` free the
memory behind `ptr` if called with a size of zero. But to answer the question,
they return either NULL or ZERO_SIZE_PTR.
>
> What about the following sequence:
>
> let ptr = realloc(None, <layout with size = 0>, ...);
> let ptr = realloc(Some(ptr), <layout with size = 0>, ...);
>
> Then the above call to `self.0` is done with a dangling pointer, can the
> functions that appear in `self.0` handle that?
This would be incorrect.
Calling `realloc(Some(ptr), <layout with size = 0>, ...)` frees the memory
behind `ptr`. This is guranteed behavior for all `ReallocFunc`s, i.e.
krealloc(), vrealloc(), kvrealloc().
>
> > + } else {
> > + NonNull::new(raw_ptr).ok_or(AllocError)?
> > + };
> > +
> > + Ok(NonNull::slice_from_raw_parts(ptr, size))
> > + }
> > +}
> > +
> > +unsafe impl Allocator for Kmalloc {
> > + unsafe fn realloc(
> > + ptr: Option<NonNull<u8>>,
> > + layout: Layout,
> > + flags: Flags,
> > + ) -> Result<NonNull<[u8]>, AllocError> {
> > + let realloc = ReallocFunc::krealloc();
> > +
> > + // SAFETY: If not `None`, `ptr` is guaranteed to point to valid memory, which was previously
> > + // allocated with this `Allocator`.
>
> What about the other requirements? (they should be satisfied, since they
> are also requirements for calling this function)
Indeed, I think we should just write that by definition `Realloc::call` has the
same safety requirements as `Allocator::realloc`.
>
> > + unsafe { realloc.call(ptr, layout, flags) }
>
> If you make `ReallocFunc::krealloc()` into a constant
> `ReallocFunc::KREALLOC`, then we could avoid the let binding above.
Agreed, sounds good.
>
> ---
> Cheers,
> Benno
>
> > + }
> > +}
> > +
> > unsafe impl GlobalAlloc for Kmalloc {
> > unsafe fn alloc(&self, layout: Layout) -> *mut u8 {
> > // SAFETY: `ptr::null_mut()` is null and `layout` has a non-zero size by the function safety
> > --
> > 2.45.2
> >
>
