| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <DAES0YHHTRQS.3EGLTCPLP3SK3@kernel.org> Date: Thu, 05 Jun 2025 19:30:39 +0200 From: "Benno Lossin" <lossin@...nel.org> To: "Christian Schrefl" <chrisi.schrefl@...il.com>, "Sky" <sky@...9.dev>, "Miguel Ojeda" <ojeda@...nel.org>, "Alex Gaynor" <alex.gaynor@...il.com>, "Boqun Feng" <boqun.feng@...il.com>, "Gary Guo" <gary@...yguo.net>, Björn Roy Baron <bjorn3_gh@...tonmail.com>, "Benno Lossin" <benno.lossin@...ton.me>, "Andreas Hindborg" <a.hindborg@...nel.org>, "Alice Ryhl" <aliceryhl@...gle.com>, "Trevor Gross" <tmgross@...ch.edu>, "Danilo Krummrich" <dakr@...nel.org>, Gerald Wisböck <gerald.wisboeck@...ther.ink>, "Nathan Chancellor" <nathan@...nel.org>, "Nick Desaulniers" <nick.desaulniers+lkml@...il.com>, "Bill Wendling" <morbo@...gle.com>, "Justin Stitt" <justinstitt@...gle.com> Cc: <linux-kernel@...r.kernel.org>, <rust-for-linux@...r.kernel.org>, <llvm@...ts.linux.dev> Subject: Re: [PATCH v4 1/3] rust: add UnsafePinned type On Thu Jun 5, 2025 at 7:03 PM CEST, Christian Schrefl wrote: > On 11.05.25 8:21 PM, Christian Schrefl wrote: >> +/// This type provides a way to opt-out of typical aliasing rules; >> +/// specifically, `&mut UnsafePinned<T>` is not guaranteed to be a unique pointer. >> +/// >> +/// However, even if you define your type like `pub struct Wrapper(UnsafePinned<...>)`, it is still >> +/// very risky to have an `&mut Wrapper` that aliases anything else. Many functions that work >> +/// generically on `&mut T` assume that the memory that stores `T` is uniquely owned (such as >> +/// `mem::swap`). In other words, while having aliasing with `&mut Wrapper` is not immediate >> +/// Undefined Behavior, it is still unsound to expose such a mutable reference to code you do not >> +/// control! Techniques such as pinning via [`Pin`](core::pin::Pin) are needed to ensure soundness. >> +/// >> +/// Similar to [`UnsafeCell`], [`UnsafePinned`] will not usually show up in >> +/// the public API of a library. It is an internal implementation detail of libraries that need to >> +/// support aliasing mutable references. >> +/// >> +/// Further note that this does *not* lift the requirement that shared references must be read-only! >> +/// Use [`UnsafeCell`] for that. > > The upstream rust PR [0] that changes this was just merged. So now `UnsafePinned` includes > `UnsafeCell` semantics. It's probably best to also change this in the kernel docs. > Though it's still the case that removing the guarantee is simpler than adding it back later, > so let me know what you all think. Depends on how "stable" this decision is. I haven't followed the discussion, but given that this once changed to the "non-backwards" compatible case it feels permanent. How close is it to stabilization? If it's close-ish, then I'd suggest we change this to reflect the new semantics. If not, then we should leave it as-is. --- Cheers, Benno > [0]: https://github.com/rust-lang/rust/pull/140638
Powered by blists - more mailing lists