| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 22 Jan 2023 03:34:40 -0300
From: Wedson Almeida Filho <wedsonaf@...il.com>
To: Boqun Feng <boqun.feng@...il.com>
Cc: rust-for-linux@...r.kernel.org, Miguel Ojeda <ojeda@...nel.org>,
Alex Gaynor <alex.gaynor@...il.com>,
Gary Guo <gary@...yguo.net>,
Björn Roy Baron <bjorn3_gh@...tonmail.com>,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH 2/5] rust: types: introduce `ForeignOwnable`
On Fri, 20 Jan 2023 at 16:59, Boqun Feng <boqun.feng@...il.com> wrote:
>
> On Thu, Jan 19, 2023 at 02:40:33PM -0300, Wedson Almeida Filho wrote:
> > It was originally called `PointerWrapper`. It is used to convert
> > a Rust object to a pointer representation (void *) that can be
> > stored on the C side, used, and eventually returned to Rust.
> >
> > Signed-off-by: Wedson Almeida Filho <wedsonaf@...il.com>
> > ---
> > rust/kernel/lib.rs | 1 +
> > rust/kernel/types.rs | 54 ++++++++++++++++++++++++++++++++++++++++++++
> > 2 files changed, 55 insertions(+)
> >
> > diff --git a/rust/kernel/lib.rs b/rust/kernel/lib.rs
> > index e0b0e953907d..223564f9f0cc 100644
> > --- a/rust/kernel/lib.rs
> > +++ b/rust/kernel/lib.rs
> > @@ -16,6 +16,7 @@
> > #![feature(coerce_unsized)]
> > #![feature(core_ffi_c)]
> > #![feature(dispatch_from_dyn)]
> > +#![feature(generic_associated_types)]
> > #![feature(receiver_trait)]
> > #![feature(unsize)]
> >
> > diff --git a/rust/kernel/types.rs b/rust/kernel/types.rs
> > index f0ad4472292d..5475f6163002 100644
> > --- a/rust/kernel/types.rs
> > +++ b/rust/kernel/types.rs
> > @@ -9,6 +9,60 @@ use core::{
> > ops::{Deref, DerefMut},
> > };
> >
> > +/// Used to transfer ownership to and from foreign (non-Rust) languages.
> > +///
> > +/// Ownership is transferred from Rust to a foreign language by calling [`Self::into_foreign`] and
> > +/// later may be transferred back to Rust by calling [`Self::from_foreign`].
> > +///
> > +/// This trait is meant to be used in cases when Rust objects are stored in C objects and
> > +/// eventually "freed" back to Rust.
> > +pub trait ForeignOwnable {
> > + /// Type of values borrowed between calls to [`ForeignOwnable::into_foreign`] and
> > + /// [`ForeignOwnable::from_foreign`].
> > + type Borrowed<'a>;
> > +
> > + /// Converts a Rust-owned object to a foreign-owned one.
> > + ///
> > + /// The foreign representation is a pointer to void.
> > + fn into_foreign(self) -> *const core::ffi::c_void;
> > +
> > + /// Borrows a foreign-owned object.
> > + ///
> > + /// # Safety
> > + ///
> > + /// `ptr` must have been returned by a previous call to [`ForeignOwnable::into_foreign`] for
> > + /// which a previous matching [`ForeignOwnable::from_foreign`] hasn't been called yet.
> > + /// Additionally, all instances (if any) of values returned by [`ForeignOwnable::borrow_mut`]
> > + /// for this object must have been dropped.
> > + unsafe fn borrow<'a>(ptr: *const core::ffi::c_void) -> Self::Borrowed<'a>;
> > +
> > + /// Mutably borrows a foreign-owned object.
> > + ///
> > + /// # Safety
> > + ///
> > + /// `ptr` must have been returned by a previous call to [`ForeignOwnable::into_foreign`] for
> > + /// which a previous matching [`ForeignOwnable::from_foreign`] hasn't been called yet.
> > + /// Additionally, all instances (if any) of values returned by [`ForeignOwnable::borrow`] and
> > + /// [`ForeignOwnable::borrow_mut`] for this object must have been dropped.
> > + unsafe fn borrow_mut<T: ForeignOwnable>(ptr: *const core::ffi::c_void) -> ScopeGuard<T, fn(T)> {
> > + // SAFETY: The safety requirements ensure that `ptr` came from a previous call to
> > + // `into_foreign`.
> > + ScopeGuard::new_with_data(unsafe { T::from_foreign(ptr) }, |d| {
> > + d.into_foreign();
> > + })
>
> I kinda want to suggest borrow_mut() to be implemented as:
>
> pub trait ForeignOwnable {
> ...
> unsafe fn borrow_mut(ptr: *const core::ffi::c_void) -> ScopeGuard<Self, fn(Self)> {
> // SAFETY: The safety requirements ensure that `ptr` came from a previous call to
> // `into_foreign`.
> ScopeGuard::new_with_data(unsafe { Self::from_foreign(ptr) }, |d| {
> d.into_foreign();
> })
> }
Oh, eliminate the generic type `T` and just use `Self`. Yes, I think
that's a good simplification.
>
> to avoid funny code as follow:
>
> let a = Box::new(0).into_foreign();
> // Using an irrelevant `impl ForeignOwnable` to `borrow_mut`
> let borrowed_a: ScopeGuard<Box<i32>, ...> = unsafe { Arc::<u64>::borrow_mut(a) };
>
> but that requires `Self: Sized`. Is it too restrictive?
It isn't. Since we want the raw pointer to fit in a single pointer
(from C's perspective), we already require `Self: Sized`.
I'll make this change in v2.
>
> Regards,
> Boqun
>
> > + }
> > +
> > + /// Converts a foreign-owned object back to a Rust-owned one.
> > + ///
> > + /// # Safety
> > + ///
> > + /// `ptr` must have been returned by a previous call to [`ForeignOwnable::into_foreign`] for
> > + /// which a previous matching [`ForeignOwnable::from_foreign`] hasn't been called yet.
> > + /// Additionally, all instances (if any) of values returned by [`ForeignOwnable::borrow`] and
> > + /// [`ForeignOwnable::borrow_mut`] for this object must have been dropped.
> > + unsafe fn from_foreign(ptr: *const core::ffi::c_void) -> Self;
> > +}
> > +
> > /// Runs a cleanup function/closure when dropped.
> > ///
> > /// The [`ScopeGuard::dismiss`] function prevents the cleanup function from running.
> > --
> > 2.34.1
> >
Powered by blists - more mailing lists