| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <87o6ynp7nr.fsf@kernel.org>
Date: Thu, 27 Feb 2025 19:24:56 +0100
From: Andreas Hindborg <a.hindborg@...nel.org>
To: "Tamir Duberstein" <tamird@...il.com>
Cc: "Danilo Krummrich" <dakr@...nel.org>, "Miguel Ojeda"
<ojeda@...nel.org>, "Alex Gaynor" <alex.gaynor@...il.com>, "Boqun Feng"
<boqun.feng@...il.com>, "Gary Guo" <gary@...yguo.net>, Björn Roy Baron
<bjorn3_gh@...tonmail.com>, "Benno Lossin" <benno.lossin@...ton.me>,
"Alice Ryhl" <aliceryhl@...gle.com>, "Trevor Gross" <tmgross@...ch.edu>,
"Joel Becker" <jlbec@...lplan.org>, "Peter Zijlstra"
<peterz@...radead.org>, "Ingo Molnar" <mingo@...hat.com>, "Will Deacon"
<will@...nel.org>, "Waiman Long" <longman@...hat.com>, "Fiona Behrens"
<me@...enk.dev>, "Charalampos Mitrodimas" <charmitro@...teo.net>,
"Daniel Almeida" <daniel.almeida@...labora.com>,
<rust-for-linux@...r.kernel.org>, <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v5 1/4] rust: sync: change `<Arc<T> as
ForeignOwnable>::PointedTo` to `T`
"Tamir Duberstein" <tamird@...il.com> writes:
> On Thu, Feb 27, 2025 at 7:37 AM Andreas Hindborg <a.hindborg@...nel.org> wrote:
>>
>> Using `ArcInner` as `PoinedTo` in the `ForeignOwnable` implementation for
>> `Arc` is a bit unfortunate. Using `T` as `PointedTo` does not remove any
>> functionality, but allows `ArcInner` to be private. Further, it allows
>> downstream users to write code that is generic over `Box` and `Arc`, when
>> downstream users need access to `T` after calling `into_foreign`.
>>
>> Reviewed-by: Fiona Behrens <me@...enk.dev>
>> Reviewed-by: Daniel Almeida <daniel.almeida@...labora.com>
>> Tested-by: Daniel Almeida <daniel.almeida@...labora.com>
>> Signed-off-by: Andreas Hindborg <a.hindborg@...nel.org>
>> ---
>>
>> This patch is a dependency for Rust `configfs` abstractions. It allows both
>> `Box` and `Arc` to be used as pointer types in the `configfs` hierarchy.
>> ---
>> rust/kernel/sync/arc.rs | 21 ++++++++++++++++-----
>> 1 file changed, 16 insertions(+), 5 deletions(-)
>>
>> diff --git a/rust/kernel/sync/arc.rs b/rust/kernel/sync/arc.rs
>> index dfe4abf82c25..3d77a31e116f 100644
>> --- a/rust/kernel/sync/arc.rs
>> +++ b/rust/kernel/sync/arc.rs
>> @@ -143,7 +143,7 @@ pub struct Arc<T: ?Sized> {
>> #[doc(hidden)]
>> #[pin_data]
>> #[repr(C)]
>> -pub struct ArcInner<T: ?Sized> {
>> +struct ArcInner<T: ?Sized> {
>> refcount: Opaque<bindings::refcount_t>,
>> data: T,
>> }
>> @@ -345,18 +345,25 @@ pub fn into_unique_or_drop(self) -> Option<Pin<UniqueArc<T>>> {
>>
>> // SAFETY: The `into_foreign` function returns a pointer that is well-aligned.
>> unsafe impl<T: 'static> ForeignOwnable for Arc<T> {
>> - type PointedTo = ArcInner<T>;
>> + type PointedTo = T;
>> type Borrowed<'a> = ArcBorrow<'a, T>;
>> type BorrowedMut<'a> = Self::Borrowed<'a>;
>>
>> fn into_foreign(self) -> *mut Self::PointedTo {
>> - ManuallyDrop::new(self).ptr.as_ptr()
>> + let this = ManuallyDrop::new(self).ptr.as_ptr();
>> + // SAFETY: `x` is a valid pointer to `Self` so the projection below is
>> + // in bounds of the allocation.
>
> Isn't the unsafe bit `*this`, which is what this comment should
> justify?
Yes, not sure what the origin of that name is. Good catch.
> In Rust 1.82+ `addr_of_mut!` isn't unsafe I believe. Also `x`
> is likely meant to be `this`.
The field projection (*this).data is still unsafe, as far as I know.
Actually the macro is not required any longer, the underlying raw
reference syntax has been stabilized. But since our minimum rust version
is 1.78, we have to keep the macro.
>
>> + unsafe { core::ptr::addr_of_mut!((*this).data) }
>> }
>>
>> unsafe fn from_foreign(ptr: *mut Self::PointedTo) -> Self {
>> + // SAFETY: We did the reverse offset calculation in `into_foreign`, so
>> + // the offset calculation below is in bounds of the allocation.
>> + let inner_ptr = unsafe { kernel::container_of!(ptr, ArcInner<T>, data).cast_mut() };
>> +
>> // SAFETY: The safety requirements of this function ensure that `ptr` comes from a previous
>> // call to `Self::into_foreign`.
>> - let inner = unsafe { NonNull::new_unchecked(ptr) };
>> + let inner = unsafe { NonNull::new_unchecked(inner_ptr) };
>>
>> // SAFETY: By the safety requirement of this function, we know that `ptr` came from
>> // a previous call to `Arc::into_foreign`, which guarantees that `ptr` is valid and
>> @@ -365,9 +372,13 @@ unsafe fn from_foreign(ptr: *mut Self::PointedTo) -> Self {
>> }
>>
>> unsafe fn borrow<'a>(ptr: *mut Self::PointedTo) -> ArcBorrow<'a, T> {
>> + // SAFETY: We did the reverse offset calculation in `into_foreign`, so
>> + // the offset calculation below is in bounds of the allocation.
>> + let inner_ptr = unsafe { kernel::container_of!(ptr, ArcInner<T>, data).cast_mut() };
>> +
>> // SAFETY: The safety requirements of this function ensure that `ptr` comes from a previous
>> // call to `Self::into_foreign`.
>> - let inner = unsafe { NonNull::new_unchecked(ptr) };
>> + let inner = unsafe { NonNull::new_unchecked(inner_ptr) };
>>
>> // SAFETY: The safety requirements of `from_foreign` ensure that the object remains alive
>> // for the lifetime of the returned value.
>
> It might be good to extract a shared helper from `from_foreign` and
> `borrow`, though the duplication isn't new in this patch. Either way:
I would encourage a follow-up patch :)
>
> Reviewed-by: Tamir Duberstein <tamird@...il.com>
Thanks!
Best regards,
Andreas Hindborg
Powered by blists - more mailing lists