Re: [PATCH v2] rust: zpool: add abstraction for zpool drivers

From: Vitaly Wool
Date: Thu Aug 21 2025 - 10:21:53 EST

Next message: Biju: "[PATCH v2 2/4] can: rcar_canfd: Update RCANFD_CFG_* macros"
Previous message: Andrew Lunn: "Re: [PATCH net-next v3 7/8] net: dsa: lantiq_gswip: store switch API version in priv"
In reply to: Danilo Krummrich: "Re: [PATCH v2] rust: zpool: add abstraction for zpool drivers"
Next in thread: Danilo Krummrich: "Re: [PATCH v2] rust: zpool: add abstraction for zpool drivers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 8/21/25 14:32, Danilo Krummrich wrote:

On Thu Aug 21, 2025 at 2:03 PM CEST, Danilo Krummrich wrote:

On Thu Aug 21, 2025 at 1:17 PM CEST, Vitaly Wool wrote:

+ /// preferred NUMA node `nid`. If the allocation is successful, an opaque handle is returned.
+ fn malloc(
+ pool: <Self::Pool as ForeignOwnable>::BorrowedMut<'_>,
+ size: usize,
+ gfp: Flags,
+ nid: NumaNode,
+ ) -> Result<usize>;

I still think we need a proper type representation of a zpool handle that
guarantees validity and manages its lifetime.

For instance, what prevents a caller from calling write() with a random handle?

Looking at zsmalloc(), if I call write() with a random number, I will most
likely oops the kernel. This is not acceptable for safe APIs.

Alternatively, all those trait functions have to be unsafe, which would be very
unfortunate.

I just noticed that I confused something here. :)

So, for the backend driver this trait is obviously fine, since you have to implement
the C ops -- sorry for the confusion.

However, you still have to mark all functions except alloc() and total_pages()
as unsafe and document and justify the corresponding safety requirements.

How is destroy() different from alloc() in terms of safety? I believe it's only free, read_{begin|end}, write that should be marked as unsafe.

+ /// Free a previously allocated from the `pool` object, represented by `handle`.
+ fn free(pool: <Self::Pool as ForeignOwnable>::Borrowed<'_>, handle: usize);

What happens if I forget to call free()?

+ /// Make all the necessary preparations for the caller to be able to read from the object
+ /// represented by `handle` and return a valid pointer to the `handle` memory to be read.
+ fn read_begin(pool: <Self::Pool as ForeignOwnable>::Borrowed<'_>, handle: usize)
+ -> NonNull<u8>;

Same for this, making it a NonNull<u8> is better than a *mut c_void, but it's
still a raw pointer. Nothing prevents users from using this raw pointer after
read_end() has been called.

This needs a type representation that only lives until read_end().

In general, I think this design doesn't really work out well. I think the design
should be something along the lines of:

(1) We should only provide alloc() on the Zpool itself and which returns a
Zmem instance. A Zmem instance must not outlive the Zpool it was allocated
with.

(2) Zmem should call free() when it is dropped. It should provide read_begin()
and write() methods.

(3) Zmem::read_begin() should return a Zslice which must not outlive Zmem and
calls read_end() when dropped.

This design is obiously for when you want to use a Zpool, but not implement its
backend. :)

Next message: Biju: "[PATCH v2 2/4] can: rcar_canfd: Update RCANFD_CFG_* macros"
Previous message: Andrew Lunn: "Re: [PATCH net-next v3 7/8] net: dsa: lantiq_gswip: store switch API version in priv"
In reply to: Danilo Krummrich: "Re: [PATCH v2] rust: zpool: add abstraction for zpool drivers"
Next in thread: Danilo Krummrich: "Re: [PATCH v2] rust: zpool: add abstraction for zpool drivers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]