lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <878qlyzd9a.fsf@kernel.org>
Date: Wed, 11 Jun 2025 14:14:25 +0200
From: Andreas Hindborg <a.hindborg@...nel.org>
To: "Benno Lossin" <lossin@...nel.org>
Cc: "Alice Ryhl" <aliceryhl@...gle.com>,  "Danilo Krummrich"
 <dakr@...nel.org>,  "Miguel Ojeda" <ojeda@...nel.org>,  "Alex Gaynor"
 <alex.gaynor@...il.com>,  "Boqun Feng" <boqun.feng@...il.com>,  "Gary Guo"
 <gary@...yguo.net>,  Björn Roy Baron
 <bjorn3_gh@...tonmail.com>,  "Trevor
 Gross" <tmgross@...ch.edu>,  "Bjorn Helgaas" <bhelgaas@...gle.com>,
  Krzysztof Wilczyński <kwilczynski@...nel.org>,  "Greg
 Kroah-Hartman"
 <gregkh@...uxfoundation.org>,  "Rafael J. Wysocki" <rafael@...nel.org>,
  "Tamir Duberstein" <tamird@...il.com>,  "Viresh Kumar"
 <viresh.kumar@...aro.org>,  <rust-for-linux@...r.kernel.org>,
  <linux-kernel@...r.kernel.org>,  <linux-pci@...r.kernel.org>,
  Maíra
 Canal <mcanal@...lia.com>
Subject: Re: [PATCH v2] rust: types: add FOREIGN_ALIGN to ForeignOwnable

"Benno Lossin" <lossin@...nel.org> writes:

> On Wed Jun 11, 2025 at 12:43 PM CEST, Andreas Hindborg wrote:
>> "Benno Lossin" <lossin@...nel.org> writes:
>>
>>> On Tue Jun 10, 2025 at 4:15 PM CEST, Alice Ryhl wrote:
>>>> On Tue, Jun 10, 2025 at 4:10 PM Andreas Hindborg <a.hindborg@...nel.org> wrote:
>>>>>
>>>>> "Benno Lossin" <lossin@...nel.org> writes:
>>>>>
>>>>> > On Tue Jun 10, 2025 at 1:30 PM CEST, Andreas Hindborg wrote:
>>>>> >> diff --git a/rust/kernel/types.rs b/rust/kernel/types.rs
>>>>> >> index 22985b6f6982..0ccef6b5a20a 100644
>>>>> >> --- a/rust/kernel/types.rs
>>>>> >> +++ b/rust/kernel/types.rs
>>>>> >> @@ -21,15 +21,11 @@
>>>>> >>  ///
>>>>> >>  /// # Safety
>>>>> >>  ///
>>>>> >> -/// Implementers must ensure that [`into_foreign`] returns a pointer which meets the alignment
>>>>> >> -/// requirements of [`PointedTo`].
>>>>> >> -///
>>>>> >> -/// [`into_foreign`]: Self::into_foreign
>>>>> >> -/// [`PointedTo`]: Self::PointedTo
>>>>> >> +/// Implementers must ensure that [`Self::into_foreign`] returns pointers aligned to
>>>>> >> +/// [`Self::FOREIGN_ALIGN`].
>>>>> >>  pub unsafe trait ForeignOwnable: Sized {
>>>>> >> -    /// Type used when the value is foreign-owned. In practical terms only defines the alignment of
>>>>> >> -    /// the pointer.
>>>>> >> -    type PointedTo;
>>>>> >> +    /// The alignment of pointers returned by `into_foreign`.
>>>>> >> +    const FOREIGN_ALIGN: usize;
>>>>> >>
>>>>> >>      /// Type used to immutably borrow a value that is currently foreign-owned.
>>>>> >>      type Borrowed<'a>;
>>>>> >> @@ -39,18 +35,20 @@ pub unsafe trait ForeignOwnable: Sized {
>>>>> >>
>>>>> >>      /// Converts a Rust-owned object to a foreign-owned one.
>>>>> >>      ///
>>>>> >> +    /// The foreign representation is a pointer to void. Aside from the guarantees listed below,
>>>>> >
>>>>> > I feel like this reads better:
>>>>> >
>>>>> > s/guarantees/ones/
>>>>> >
>>>>> >> +    /// there are no other guarantees for this pointer. For example, it might be invalid, dangling
>>>>> >
>>>>> > We should also mention that it could be null. (or is that assumption
>>>>> > wrong?)
>>>>>
>>>>> It is probably not going to be null, but it is allowed to. I can add it.
>>>>>
>>>>> The list does not claim to be exhaustive, and a null pointer is just a
>>>>> special case of an invalid pointer.
>>>>
>>>> We probably should not allow null pointers. If we do, then
>>>> try_from_foreign does not make sense.
>>>
>>> That's a good point. Then let's add that as a safety requirement for the
>>> trait.
>>
>> I disagree. It does not matter for the safety of the trait.
>>
>> From the point of the user, the pointer is opaque and can be any value.
>> In fact, one could do a safe implementation where the returned value is
>> a key into some mapping structure. Probably not super fast, but the user
>> should not care.
>
> Then we'll have to remove `try_from_foreign`.

Oh, I see. OK, it is a safety requirement. Should I just add it to this patch?


Best regards,
Andreas Hindborg

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ