Message-ID: <20250626224355.GE213144@ziepe.ca>
Date: Thu, 26 Jun 2025 19:43:55 -0300
From: Jason Gunthorpe <jgg@...pe.ca>
To: Abdiel Janulgue <abdiel.janulgue@...il.com>
Cc: Alexandre Courbot <acourbot@...dia.com>, Lyude Paul <lyude@...hat.com>,
	dakr@...nel.org, Miguel Ojeda <ojeda@...nel.org>,
	Alex Gaynor <alex.gaynor@...il.com>,
	Boqun Feng <boqun.feng@...il.com>, Gary Guo <gary@...yguo.net>,
	Björn Roy Baron <bjorn3_gh@...tonmail.com>,
	Benno Lossin <benno.lossin@...ton.me>,
	Andreas Hindborg <a.hindborg@...nel.org>,
	Alice Ryhl <aliceryhl@...gle.com>, Trevor Gross <tmgross@...ch.edu>,
	Valentin Obst <kernel@...entinobst.de>,
	open list <linux-kernel@...r.kernel.org>,
	Marek Szyprowski <m.szyprowski@...sung.com>,
	Robin Murphy <robin.murphy@....com>, airlied@...hat.com,
	rust-for-linux@...r.kernel.org,
	"open list:DMA MAPPING HELPERS" <iommu@...ts.linux.dev>,
	Petr Tesarik <petr@...arici.cz>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Herbert Xu <herbert@...dor.apana.org.au>,
	Sui Jingfeng <sui.jingfeng@...ux.dev>,
	Randy Dunlap <rdunlap@...radead.org>,
	Michael Kelley <mhklinux@...look.com>
Subject: Re: [PATCH 1/2] rust: add initial scatterlist bindings

On Thu, Jun 26, 2025 at 11:31:15PM +0300, Abdiel Janulgue wrote:
> Just commenting on this bit. From what I've seen, we don't actually leak
> anything. The cast only creates a reference to the original C `struct
> sg_table` object which was allocated and owned by whichever kernel subsystem
> called sg_alloc_table(). Rust doesn't even allow us to take ownership or to
> dereference the value, so this one is safe. Destructors are not called on
> those "casted" objects.

This does not seem the right kind of philosophy.

Every pointer out of the kernel APIs has some kind of implicit
lifetime contract.

Eg if you have
  b = get_b(a);

Then the lifetime of b might well be 'alive so long as a is alive'

Or if you have some function pointer callback
  void op_foo(a) {}

The lifetime of a might well be 'alive only within the function'

AFAICT rust needs to figure out these implicit rules and the compiler
needs to enforce them.

Eg

 a = make_a()
 b = get_b(a)
 destroy_a()
 do_something(b)

Should be something impossible.

Jason
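
The two lifetime contracts described in the message above, written as Rust signatures. This is an added example, not part of the original message and not code from the scatterlist patch. `make_a`, `get_b`, `destroy_a` and `op_foo` take their names from the message, but their bodies, along with `RawA`, `RawB` and the wrappers `A` and `B`, are hypothetical stand-ins for a C API.

```rust
use std::marker::PhantomData;

// Constructed stand-ins for a C API that hands out raw pointers.
struct RawA { b: RawB }
struct RawB { value: u32 }

unsafe fn make_a(value: u32) -> *mut RawA {
    Box::into_raw(Box::new(RawA { b: RawB { value } }))
}
unsafe fn get_b(a: *mut RawA) -> *mut RawB {
    unsafe { std::ptr::addr_of_mut!((*a).b) } // interior pointer: dies with `a`
}
unsafe fn destroy_a(a: *mut RawA) {
    unsafe { drop(Box::from_raw(a)) }
}

/// Owns the C object; destroy_a() runs exactly once, in Drop.
pub struct A { raw: *mut RawA }

/// Borrowed view of the inner object; 'a ties it to the A it came from.
pub struct B<'a> { raw: *mut RawB, _owner: PhantomData<&'a A> }

impl A {
    pub fn new(value: u32) -> Self { A { raw: unsafe { make_a(value) } } }
    /// The contract "b is alive so long as a is alive", as a signature.
    pub fn b(&self) -> B<'_> {
        B { raw: unsafe { get_b(self.raw) }, _owner: PhantomData }
    }
}
impl Drop for A { fn drop(&mut self) { unsafe { destroy_a(self.raw) } } }
impl B<'_> { pub fn value(&self) -> u32 { unsafe { (*self.raw).value } } }

/// The contract "a is alive only within the function": the callback must
/// accept every lifetime 'x, so it cannot store the reference anywhere.
pub fn op_foo<R>(value: u32, f: impl for<'x> FnOnce(&'x A) -> R) -> R {
    let a = A::new(value);
    f(&a) // `a` is destroyed when op_foo returns
}

pub fn demo() -> (u32, u32) {
    let a = A::new(7);
    let b = a.b();
    let first = b.value();
    // drop(a); b.value(); // rejected by the compiler: error[E0505],
    //                     // cannot move out of `a` because it is borrowed
    let second = op_foo(35, |a| a.b().value());
    (first, second)
}

fn main() { println!("{:?}", demo()); }
```

Uncommenting the `drop(a); b.value();` line reproduces the make/get/destroy/use sequence from the message, and the build fails instead of producing a use-after-free.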
