From: Tamir Duberstein
Date: Wed, 16 Apr 2025 13:15:40 -0400
Subject: [PATCH v4 1/4] rust: alloc: add Vec::len() <= Vec::capacity invariant
Message-Id: <20250416-vec-set-len-v4-1-112b222604cd@gmail.com>
In-Reply-To: <20250416-vec-set-len-v4-0-112b222604cd@gmail.com>
To: Danilo Krummrich, Andrew Ballance, Alice Ryhl, Miguel Ojeda, Alex Gaynor, Boqun Feng, Gary Guo, Björn Roy Baron, Benno Lossin, Andreas Hindborg, Trevor Gross
Cc: rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org, Tamir Duberstein

Document the invariant that the vector's length is always less than or
equal to its capacity. This is already implied by these other
invariants:

- `self.len` always represents the exact number of elements stored in
  the vector.
- `self.layout` represents the absolute number of elements that can be
  stored within the vector without re-allocation.

but it doesn't hurt to spell it out. Note that the language references
`self.capacity` rather than `self.layout.len` as the latter is zero for
a vector of ZSTs.

Update a safety comment touched by this patch to correctly reference
`realloc` rather than `alloc` and replace "leaves" with "leave" to
improve grammar.

Signed-off-by: Tamir Duberstein
Reviewed-by: Alice Ryhl
---
 rust/kernel/alloc/kvec.rs | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/rust/kernel/alloc/kvec.rs b/rust/kernel/alloc/kvec.rs index 6ac8756989e5..ca30fad90de5 100644 --- a/rust/kernel/alloc/kvec.rs +++ b/rust/kernel/alloc/kvec.rs
@@ -90,6 +90,8 @@ macro_rules! kvec { /// without re-allocation. For ZSTs `self.layout`'s capacity is zero. Ho= wever, it is legal for the /// backing buffer to be larger than `layout`. /// +/// - `self.len()` is always less than or equal to `self.capacity()`. +/// /// - The `Allocator` type `A` of the vector is the exact same `Allocator`= type the backing buffer /// was allocated with (and must be freed with). pub struct Vec { @@ -262,8 +264,8 @@ pub const fn new() -> Self { /// Returns a slice of `MaybeUninit` for the remaining spare capaci= ty of the vector. pub fn spare_capacity_mut(&mut self) -> &mut [MaybeUninit] { // SAFETY: - // - `self.len` is smaller than `self.capacity` and hence, the res= ulting pointer is - // guaranteed to be part of the same allocated object. + // - `self.len` is smaller than `self.capacity` by the type invari= ant and hence, the + // resulting pointer is guaranteed to be part of the same alloca= ted object. // - `self.len` can not overflow `isize`. let ptr =3D unsafe { self.as_mut_ptr().add(self.len) } as *mut May= beUninit; =20 
@@ -817,12 +819,13 @@ pub fn collect(self, flags: Flags) -> Vec { unsafe { ptr::copy(ptr, buf.as_ptr(), len) }; ptr =3D buf.as_ptr(); =20 - // SAFETY: `len` is guaranteed to be smaller than `self.layout= .len()`. + // SAFETY: `len` is guaranteed to be smaller than `self.layout= .len()` by the type + // invariant. let layout =3D unsafe { ArrayLayout::::new_unchecked(len) }; =20 - // SAFETY: `buf` points to the start of the backing buffer and= `len` is guaranteed to be - // smaller than `cap`. Depending on `alloc` this operation may= shrink the buffer or leaves - // it as it is. + // SAFETY: `buf` points to the start of the backing buffer and= `len` is guaranteed by + // the type invariant to be smaller than `cap`. Depending on `= realloc` this operation + // may shrink the buffer or leave it as it is. ptr =3D match unsafe { A::realloc(Some(buf.cast()), layout.into(), old_layout.int= o(), flags) } { --=20 2.49.0
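Review bot: In the `spare_capacity_mut` hunk of patch 1/4, the new SAFETY text "`self.len` is smaller than `self.capacity` by the type invariant" is stricter than the invariant this patch adds, which says `self.len()` is less than or equal to `self.capacity()`. Write "less than or equal to" so the comment matches the invariant it cites; the `len == capacity` case is the one a reader will check, since `add(self.len)` then yields the one-past-the-end pointer.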
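Review bot: In the `collect` hunk of patch 1/4, the first SAFETY comment now credits the type invariant for `len` being smaller than `self.layout.len()`, but the invariant added by this patch is stated in terms of `self.capacity()`, and the commit message itself notes that `self.layout.len` is zero for a vector of ZSTs. Word the comment in terms of capacity, or name the invariant that bounds `len` by `self.layout.len()`; "smaller than" should also read "less than or equal to" in both comments of this hunk.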
From: Tamir Duberstein
Date: Wed, 16 Apr 2025 13:15:41 -0400
Subject: [PATCH v4 2/4] rust: alloc: add `Vec::dec_len`
Message-Id: <20250416-vec-set-len-v4-2-112b222604cd@gmail.com>
In-Reply-To: <20250416-vec-set-len-v4-0-112b222604cd@gmail.com>
To: Danilo Krummrich, Andrew Ballance, Alice Ryhl, Miguel Ojeda, Alex Gaynor, Boqun Feng, Gary Guo, Björn Roy Baron, Benno Lossin, Andreas Hindborg, Trevor Gross
Cc: rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org, Tamir Duberstein

Add `Vec::dec_len` that reduces the length of the receiver. This method
is intended to be used from methods that remove elements from `Vec` such
as `truncate`, `pop`, `remove`, and others. This method is intentionally
not `pub`.

Reviewed-by: Alice Ryhl
Signed-off-by: Tamir Duberstein
---
 rust/kernel/alloc/kvec.rs | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/rust/kernel/alloc/kvec.rs b/rust/kernel/alloc/kvec.rs index ca30fad90de5..a84a907acae4 100644 --- a/rust/kernel/alloc/kvec.rs +++ b/rust/kernel/alloc/kvec.rs
@@ -201,6 +201,25 @@ pub unsafe fn set_len(&mut self, new_len: usize) { self.len =3D new_len; } =20 + /// Decreases `self.len` by `count`. + /// + /// Returns a mutable slice to the elements forgotten by the vector. I= t is the caller's + /// responsibility to drop these elements if necessary. + /// + /// # Safety + /// + /// - `count` must be less than or equal to `self.len`. + unsafe fn dec_len(&mut self, count: usize) -> &mut [T] { + debug_assert!(count <=3D self.len()); + // INVARIANT: We relinquish ownership of the elements within the r= ange `[self.len - count, + // self.len)`, hence the updated value of `set.len` represents the= exact number of elements + // stored within `self`. + self.len -=3D count; + // SAFETY: The memory after `self.len()` is guaranteed to contain = `count` initialized + // elements of type `T`. + unsafe { slice::from_raw_parts_mut(self.as_mut_ptr().add(self.len)= , count) } + } + /// Returns a slice of the entire vector. #[inline] pub fn as_slice(&self) -> &[T] { --=20 2.49.0
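Review bot: The INVARIANT comment inside `dec_len` (patch 2/4) refers to `set.len`, which looks like a typo for `self.len`. The SAFETY comment before `slice::from_raw_parts_mut` also asserts that the memory after `self.len()` holds `count` initialized elements without saying why; cite the caller's obligation (`count` must be less than or equal to the old `self.len`) together with the type invariant, so the justification can be read off the comment rather than reconstructed from the `debug_assert!`.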
From: Tamir Duberstein
Date: Wed, 16 Apr 2025 13:15:42 -0400
Subject: [PATCH v4 3/4] rust: alloc: refactor `Vec::truncate` using `dec_len`
Message-Id: <20250416-vec-set-len-v4-3-112b222604cd@gmail.com>
In-Reply-To: <20250416-vec-set-len-v4-0-112b222604cd@gmail.com>
To: Danilo Krummrich, Andrew Ballance, Alice Ryhl, Miguel Ojeda, Alex Gaynor, Boqun Feng, Gary Guo, Björn Roy Baron, Benno Lossin, Andreas Hindborg, Trevor Gross
Cc: rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org, Tamir Duberstein

Use `checked_sub` to satisfy the safety requirements of `dec_len` and
replace nearly the whole body of `truncate` with a call to `dec_len`.

Reviewed-by: Andrew Ballance
Reviewed-by: Alice Ryhl
Signed-off-by: Tamir Duberstein
---
 rust/kernel/alloc/kvec.rs | 24 ++++++++----------------
 1 file changed, 8 insertions(+), 16 deletions(-)

diff --git a/rust/kernel/alloc/kvec.rs b/rust/kernel/alloc/kvec.rs index a84a907acae4..87dc37ecb94d 100644 --- a/rust/kernel/alloc/kvec.rs +++ b/rust/kernel/alloc/kvec.rs
@@ -488,23 +488,15 @@ pub fn reserve(&mut self, additional: usize, flags: F= lags) -> Result<(), AllocEr /// # Ok::<(), Error>(()) /// ``` pub fn truncate(&mut self, len: usize) { - if len >=3D self.len() { - return; + if let Some(count) =3D self.len().checked_sub(len) { + // SAFETY: `count` is `self.len() - len` so it is guaranteed t= o be less than or + // equal to `self.len()`. + let ptr: *mut [T] =3D unsafe { self.dec_len(count) }; + + // SAFETY: the contract of `dec_len` guarantees that the eleme= nts in `ptr` are + // valid elements whose ownership has been transferred to the = caller. + unsafe { ptr::drop_in_place(ptr) }; } - - let drop_range =3D len..self.len(); - - // SAFETY: `drop_range` is a subrange of `[0, len)` by the bounds = check above. - let ptr: *mut [T] =3D unsafe { self.get_unchecked_mut(drop_range) = }; - - // SAFETY: By the above bounds check, it is guaranteed that `len <= self.capacity()`. - unsafe { self.set_len(len) }; - - // SAFETY: - // - the dropped values are valid `T`s by the type invariant - // - we are allowed to invalidate [`new_len`, `old_len`) because w= e just changed the - // len, therefore we have exclusive access to [`new_len`, `old_l= en`) - unsafe { ptr::drop_in_place(ptr) }; } } =20 --=20 2.49.0
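Review bot: In the rewritten `truncate` (patch 3/4), `self.len().checked_sub(len)` returns `Some(0)` when `len == self.len()`, so that case no longer returns early as the removed `if len >= self.len() { return; }` did; it now calls `dec_len(0)` and `ptr::drop_in_place` on an empty slice. That is sound, but a short comment stating that the zero-count case is intentional would save the next reader from rechecking it, and the commit message could mention the change in the early-return condition.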
From: Tamir Duberstein
Date: Wed, 16 Apr 2025 13:15:43 -0400
Subject: [PATCH v4 4/4] rust: alloc: replace `Vec::set_len` with `inc_len`
Message-Id: <20250416-vec-set-len-v4-4-112b222604cd@gmail.com>
In-Reply-To: <20250416-vec-set-len-v4-0-112b222604cd@gmail.com>
To: Danilo Krummrich, Andrew Ballance, Alice Ryhl, Miguel Ojeda, Alex Gaynor, Boqun Feng, Gary Guo, Björn Roy Baron, Benno Lossin, Andreas Hindborg, Trevor Gross
Cc: rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org, Tamir Duberstein

Rename `set_len` to `inc_len` and simplify its safety contract.

Note that the usage in `CString::try_from_fmt` remains correct as the
receiver is known to have `len == 0`.

Reviewed-by: Alice Ryhl
Signed-off-by: Tamir Duberstein
---
 rust/kernel/alloc/kvec.rs | 25 ++++++++++++-------------
 rust/kernel/str.rs        |  2 +-
 rust/kernel/uaccess.rs    |  2 +-
 3 files changed, 14 insertions(+), 15 deletions(-)

diff --git a/rust/kernel/alloc/kvec.rs b/rust/kernel/alloc/kvec.rs index 87dc37ecb94d..5798e2c890a2 100644 --- a/rust/kernel/alloc/kvec.rs +++ b/rust/kernel/alloc/kvec.rs
@@ -185,20 +185,19 @@ pub fn len(&self) -> usize { self.len } =20 - /// Forcefully sets `self.len` to `new_len`. + /// Increments `self.len` by `additional`. /// /// # Safety /// - /// - `new_len` must be less than or equal to [`Self::capacity`]. - /// - If `new_len` is greater than `self.len`, all elements within the= interval - /// [`self.len`,`new_len`) must be initialized. + /// - `additional` must be less than or equal to `self.capacity - self= .len`. + /// - All elements within the interval [`self.len`,`self.len + additio= nal`) must be initialized. #[inline] - pub unsafe fn set_len(&mut self, new_len: usize) { - debug_assert!(new_len <=3D self.capacity()); - - // INVARIANT: By the safety requirements of this method `new_len` = represents the exact - // number of elements stored within `self`. - self.len =3D new_len; + pub unsafe fn inc_len(&mut self, additional: usize) { + // Guaranteed by the type invariant to never underflow. + debug_assert!(additional <=3D self.capacity() - self.len()); + // INVARIANT: By the safety requirements of this method this repre= sents the exact number of + // elements stored within `self`. + self.len +=3D additional; } =20 /// Decreases `self.len` by `count`. @@ -317,7 +316,7 @@ pub fn push(&mut self, v: T, flags: Flags) -> Result<()= , AllocError> { // SAFETY: We just initialised the first spare entry, so it is saf= e to increase the length // by 1. We also know that the new length is <=3D capacity because= of the previous call to // `reserve` above. - unsafe { self.set_len(self.len() + 1) }; + unsafe { self.inc_len(1) }; Ok(()) } =20 @@ -521,7 +520,7 @@ pub fn extend_with(&mut self, n: usize, value: T, flags= : Flags) -> Result<(), Al // SAFETY: // - `self.len() + n < self.capacity()` due to the call to reserve= above, // - the loop and the line above initialized the next `n` elements. - unsafe { self.set_len(self.len() + n) }; + unsafe { self.inc_len(n) }; =20 Ok(()) } 
@@ -552,7 +551,7 @@ pub fn extend_from_slice(&mut self, other: &[T], flags:= Flags) -> Result<(), All // the length by the same number. // - `self.len() + other.len() <=3D self.capacity()` is guaranteed= by the preceding `reserve` // call. - unsafe { self.set_len(self.len() + other.len()) }; + unsafe { self.inc_len(other.len()) }; Ok(()) } =20 diff --git a/rust/kernel/str.rs b/rust/kernel/str.rs index 878111cb77bc..d3b0b00e05fa 100644 --- a/rust/kernel/str.rs +++ b/rust/kernel/str.rs @@ -886,7 +886,7 @@ pub fn try_from_fmt(args: fmt::Arguments<'_>) -> Result= { =20 // SAFETY: The number of bytes that can be written to `f` is bound= ed by `size`, which is // `buf`'s capacity. The contents of the buffer have been initiali= sed by writes to `f`. - unsafe { buf.set_len(f.bytes_written()) }; + unsafe { buf.inc_len(f.bytes_written()) }; =20 // Check that there are no `NUL` bytes before the end. // SAFETY: The buffer is valid for read because `f.bytes_written()= ` is bounded by `size` diff --git a/rust/kernel/uaccess.rs b/rust/kernel/uaccess.rs index 80a9782b1c6e..e4882f113d79 100644 --- a/rust/kernel/uaccess.rs +++ b/rust/kernel/uaccess.rs @@ -290,7 +290,7 @@ pub fn read_all(mut self, buf: &mut Vec, flags: Flags) -> R =20 // SAFETY: Since the call to `read_raw` was successful, so the nex= t `len` bytes of the // vector have been initialized. - unsafe { buf.set_len(buf.len() + len) }; + unsafe { buf.inc_len(len) }; Ok(()) } } --=20 2.49.0
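Review bot: In the `inc_len` hunk of kvec.rs (patch 4/4), the new `# Safety` bullet writes the bound as `self.capacity - self.len`, dropping the [`Self::capacity`] link the old text carried, and the INVARIANT comment says "this represents the exact number of elements" without naming what "this" is. Keep the link to `Self::capacity` in the doc comment and name the quantity in the INVARIANT comment, that is, `self.len + additional`.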
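Review bot: In the `try_from_fmt` hunk in rust/kernel/str.rs (patch 4/4), `buf.inc_len(f.bytes_written())` matches the old `buf.set_len(f.bytes_written())` only while `buf.len()` is 0, a fact the commit message states but the SAFETY comment above the call does not. Add it to that comment (for example, that `buf` is empty at this point, so the resulting length is `f.bytes_written()`), so the call can be checked against `inc_len`'s contract without consulting the commit log.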