| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <63f92378-dde9-4bee-b2ae-b994052e8fd0@gmail.com> Date: Thu, 5 Jun 2025 19:57:49 +0200 From: Christian Schrefl <chrisi.schrefl@...il.com> To: Benno Lossin <lossin@...nel.org>, Sky <sky@...9.dev>, Miguel Ojeda <ojeda@...nel.org>, Alex Gaynor <alex.gaynor@...il.com>, Boqun Feng <boqun.feng@...il.com>, Gary Guo <gary@...yguo.net>, Björn Roy Baron <bjorn3_gh@...tonmail.com>, Benno Lossin <benno.lossin@...ton.me>, Andreas Hindborg <a.hindborg@...nel.org>, Alice Ryhl <aliceryhl@...gle.com>, Trevor Gross <tmgross@...ch.edu>, Danilo Krummrich <dakr@...nel.org>, Gerald Wisböck <gerald.wisboeck@...ther.ink>, Nathan Chancellor <nathan@...nel.org>, Nick Desaulniers <nick.desaulniers+lkml@...il.com>, Bill Wendling <morbo@...gle.com>, Justin Stitt <justinstitt@...gle.com> Cc: linux-kernel@...r.kernel.org, rust-for-linux@...r.kernel.org, llvm@...ts.linux.dev, Ralf Jung <post@...fj.de> Subject: Re: [PATCH v4 1/3] rust: add UnsafePinned type On 05.06.25 7:30 PM, Benno Lossin wrote: > On Thu Jun 5, 2025 at 7:03 PM CEST, Christian Schrefl wrote: >> On 11.05.25 8:21 PM, Christian Schrefl wrote: >>> +/// This type provides a way to opt-out of typical aliasing rules; >>> +/// specifically, `&mut UnsafePinned<T>` is not guaranteed to be a unique pointer. >>> +/// >>> +/// However, even if you define your type like `pub struct Wrapper(UnsafePinned<...>)`, it is still >>> +/// very risky to have an `&mut Wrapper` that aliases anything else. Many functions that work >>> +/// generically on `&mut T` assume that the memory that stores `T` is uniquely owned (such as >>> +/// `mem::swap`). In other words, while having aliasing with `&mut Wrapper` is not immediate >>> +/// Undefined Behavior, it is still unsound to expose such a mutable reference to code you do not >>> +/// control! Techniques such as pinning via [`Pin`](core::pin::Pin) are needed to ensure soundness. >>> +/// >>> +/// Similar to [`UnsafeCell`], [`UnsafePinned`] will not usually show up in >>> +/// the public API of a library. It is an internal implementation detail of libraries that need to >>> +/// support aliasing mutable references. >>> +/// >>> +/// Further note that this does *not* lift the requirement that shared references must be read-only! >>> +/// Use [`UnsafeCell`] for that. >> >> The upstream rust PR [0] that changes this was just merged. So now `UnsafePinned` includes >> `UnsafeCell` semantics. It's probably best to also change this in the kernel docs. >> Though it's still the case that removing the guarantee is simpler than adding it back later, >> so let me know what you all think. > > Depends on how "stable" this decision is. I haven't followed the > discussion, but given that this once changed to the "non-backwards" > compatible case it feels permanent. It seems pretty permanent, from what I understand its hard to define the exact semantics `UnsafePinned` without `UnsafeCell` in a way that is sound and because of some interactions with `Pin::deref` it would have some backwards compatibility issues. See this comment by Ralf on github [1]. [1]: https://github.com/rust-lang/rust/pull/137043#discussion_r1973978597 > > How close is it to stabilization? > > If it's close-ish, then I'd suggest we change this to reflect the new > semantics. If not, then we should leave it as-is. It's pretty new, I'm not sure how long it's going to stay in nightly, but it's probably going to be quite some time. I wouldn't change it if it would already be in the kernel, but I think its probably good to add the current state of the feature. This would also reduce the difference between docs and implementation. Cheers Christian
Powered by blists - more mailing lists