| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAH5fLgiNikpTfm6nvyEJaEspPkMNRQSX2XmBXvXktpXQLutDPg@mail.gmail.com>
Date: Wed, 11 Jun 2025 14:24:31 +0200
From: Alice Ryhl <aliceryhl@...gle.com>
To: Andreas Hindborg <a.hindborg@...nel.org>
Cc: Benno Lossin <lossin@...nel.org>, Danilo Krummrich <dakr@...nel.org>, Miguel Ojeda <ojeda@...nel.org>,
Alex Gaynor <alex.gaynor@...il.com>, Boqun Feng <boqun.feng@...il.com>,
Gary Guo <gary@...yguo.net>, Björn Roy Baron <bjorn3_gh@...tonmail.com>,
Trevor Gross <tmgross@...ch.edu>, Bjorn Helgaas <bhelgaas@...gle.com>,
Krzysztof Wilczyński <kwilczynski@...nel.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>, "Rafael J. Wysocki" <rafael@...nel.org>,
Tamir Duberstein <tamird@...il.com>, Viresh Kumar <viresh.kumar@...aro.org>,
rust-for-linux@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-pci@...r.kernel.org, Maíra Canal <mcanal@...lia.com>
Subject: Re: [PATCH v2] rust: types: add FOREIGN_ALIGN to ForeignOwnable
On Wed, Jun 11, 2025 at 2:14 PM Andreas Hindborg <a.hindborg@...nel.org> wrote:
>
> "Benno Lossin" <lossin@...nel.org> writes:
>
> > On Wed Jun 11, 2025 at 12:43 PM CEST, Andreas Hindborg wrote:
> >> "Benno Lossin" <lossin@...nel.org> writes:
> >>
> >>> On Tue Jun 10, 2025 at 4:15 PM CEST, Alice Ryhl wrote:
> >>>> On Tue, Jun 10, 2025 at 4:10 PM Andreas Hindborg <a.hindborg@...nel.org> wrote:
> >>>>>
> >>>>> "Benno Lossin" <lossin@...nel.org> writes:
> >>>>>
> >>>>> > On Tue Jun 10, 2025 at 1:30 PM CEST, Andreas Hindborg wrote:
> >>>>> >> diff --git a/rust/kernel/types.rs b/rust/kernel/types.rs
> >>>>> >> index 22985b6f6982..0ccef6b5a20a 100644
> >>>>> >> --- a/rust/kernel/types.rs
> >>>>> >> +++ b/rust/kernel/types.rs
> >>>>> >> @@ -21,15 +21,11 @@
> >>>>> >> ///
> >>>>> >> /// # Safety
> >>>>> >> ///
> >>>>> >> -/// Implementers must ensure that [`into_foreign`] returns a pointer which meets the alignment
> >>>>> >> -/// requirements of [`PointedTo`].
> >>>>> >> -///
> >>>>> >> -/// [`into_foreign`]: Self::into_foreign
> >>>>> >> -/// [`PointedTo`]: Self::PointedTo
> >>>>> >> +/// Implementers must ensure that [`Self::into_foreign`] returns pointers aligned to
> >>>>> >> +/// [`Self::FOREIGN_ALIGN`].
> >>>>> >> pub unsafe trait ForeignOwnable: Sized {
> >>>>> >> - /// Type used when the value is foreign-owned. In practical terms only defines the alignment of
> >>>>> >> - /// the pointer.
> >>>>> >> - type PointedTo;
> >>>>> >> + /// The alignment of pointers returned by `into_foreign`.
> >>>>> >> + const FOREIGN_ALIGN: usize;
> >>>>> >>
> >>>>> >> /// Type used to immutably borrow a value that is currently foreign-owned.
> >>>>> >> type Borrowed<'a>;
> >>>>> >> @@ -39,18 +35,20 @@ pub unsafe trait ForeignOwnable: Sized {
> >>>>> >>
> >>>>> >> /// Converts a Rust-owned object to a foreign-owned one.
> >>>>> >> ///
> >>>>> >> + /// The foreign representation is a pointer to void. Aside from the guarantees listed below,
> >>>>> >
> >>>>> > I feel like this reads better:
> >>>>> >
> >>>>> > s/guarantees/ones/
> >>>>> >
> >>>>> >> + /// there are no other guarantees for this pointer. For example, it might be invalid, dangling
> >>>>> >
> >>>>> > We should also mention that it could be null. (or is that assumption
> >>>>> > wrong?)
> >>>>>
> >>>>> It is probably not going to be null, but it is allowed to. I can add it.
> >>>>>
> >>>>> The list does not claim to be exhaustive, and a null pointer is just a
> >>>>> special case of an invalid pointer.
> >>>>
> >>>> We probably should not allow null pointers. If we do, then
> >>>> try_from_foreign does not make sense.
> >>>
> >>> That's a good point. Then let's add that as a safety requirement for the
> >>> trait.
> >>
> >> I disagree. It does not matter for the safety of the trait.
> >>
> >> From the point of the user, the pointer is opaque and can be any value.
> >> In fact, one could do a safe implementation where the returned value is
> >> a key into some mapping structure. Probably not super fast, but the user
> >> should not care.
> >
> > Then we'll have to remove `try_from_foreign`.
>
> Oh, I see. OK, it is a safety requirement. Should I just add it to this patch?
Sure, this patch is fine.
Powered by blists - more mailing lists