| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aGhh-TvNOWhkt0JG@Mac.home>
Date: Fri, 4 Jul 2025 16:21:29 -0700
From: Boqun Feng <boqun.feng@...il.com>
To: Benno Lossin <lossin@...nel.org>
Cc: Gary Guo <gary@...yguo.net>, linux-kernel@...r.kernel.org,
rust-for-linux@...r.kernel.org, lkmm@...ts.linux.dev,
linux-arch@...r.kernel.org, Miguel Ojeda <ojeda@...nel.org>,
Alex Gaynor <alex.gaynor@...il.com>,
Björn Roy Baron <bjorn3_gh@...tonmail.com>,
Andreas Hindborg <a.hindborg@...nel.org>,
Alice Ryhl <aliceryhl@...gle.com>, Trevor Gross <tmgross@...ch.edu>,
Danilo Krummrich <dakr@...nel.org>, Will Deacon <will@...nel.org>,
Peter Zijlstra <peterz@...radead.org>,
Mark Rutland <mark.rutland@....com>,
Wedson Almeida Filho <wedsonaf@...il.com>,
Viresh Kumar <viresh.kumar@...aro.org>,
Lyude Paul <lyude@...hat.com>, Ingo Molnar <mingo@...nel.org>,
Mitchell Levy <levymitchell0@...il.com>,
"Paul E. McKenney" <paulmck@...nel.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Thomas Gleixner <tglx@...utronix.de>
Subject: Re: [PATCH v5 04/10] rust: sync: atomic: Add generic atomics
On Sat, Jul 05, 2025 at 12:49:09AM +0200, Benno Lossin wrote:
> On Sat Jul 5, 2025 at 12:30 AM CEST, Boqun Feng wrote:
> > On Sat, Jul 05, 2025 at 12:05:48AM +0200, Benno Lossin wrote:
> > [..]
> >> >>
> >> >> I don't think there is a big difference between `Opaque<T>` and
> >> >> `Opaque<T::Repr>` if we have the transmute equivalence between the two.
> >> >> From a safety perspective, you don't gain or lose anything by using the
> >> >> first over the second one. They both require the invariant that they are
> >> >> valid (as `Opaque` removes that... we should really be using
> >> >> `UnsafeCell` here instead... why aren't we doing that?).
> >> >>
> >> >
> >> > I need the `UnsafePinned`-like behavior of `Atomic<*mut T>` to support
> >> > Rcu<T>, and I will replace it with `UnsafePinned`, once that's is
> >> > available.
> >>
> >> Can you expand on this? What do you mean by "`UnsafePinned`-like
> >> behavior"? And what does `Rcu<T>` have to do with atomics?
> >>
> >
> > `Rcu<T>` is an RCU protected (atomic) pointer, the its definition is
> >
> > pub struct Rcu<T>(Atomic<*mut T>);
> >
> > I need Pin<&mut Rcu<T>> and &Rcu<T> able to co-exist: an updater will
> > have the access to Pin<&mut Rcu<T>>, and all the readers will have the
> > access to &Rcu<T>, for that I need `Atomic<*mut T>` to be
> > `UnsafePinned`, because `Pin<&mut Rcu<T>>` cannot imply noalias.
>
> Then `Rcu` should be
>
> pub struct Rcu<T>(UnsafePinned<Atomic<*mut T>>);
>
> And `Atomic` shouldn't wrap `UnsafePinned<T>`. Because that prevents
> `&mut Atomic<i32>` to be tagged with `noalias` and that should be fine.
> You should only pay for what you need :)
>
Fair enough. Changing it to UnsafeCell then.
> >> > Maybe that also means `UnsafePinned<T>` make more sense? Because if `T`
> >> > is a pointer, it's easy to prove the provenance is there. (Note a
> >> > `&Atomic<*mut T>` may come from a `*mut *mut T`, may be a field in C
> >> > struct)
> >>
> >> Also don't understand this.
> >>
> >
> > One of the usage of the atomic is being able to communicate with C side,
> > for example, if we have a struct foo:
> >
> > struct foo {
> > struct bar *b;
> > }
> >
> > and writer can do this at C side:
> >
> > struct foo *f = ...;
> > struct bar *b = kcalloc(*b, ...);
> >
> > // init b;
> >
> > smp_store_release(&f->b, b);
> >
> > and a reader at Rust side can do:
> >
> > #[repr(transparent)]
> > struct Bar(binding::bar);
> > struct Foo(Opaque<bindings::foo>);
> >
> > fn get_bar(foo: &Foo) {
> > let foo_ptr = foo.0.get();
> >
> > let b: *mut *mut Bar = unsafe { &raw mut (*foo_ptr).b }.cast();
> > // SAFETY: C side accessing this pointer with atomics.
> > let b = unsafe { Atomic::<*mut Bar>::from_ptr(b) };
> >
> > // Acquire pairs with the Release from C side;
> > let bar_ptr = b.load(Acquire);
> >
> > // accessing bar.
> > }
>
> This is a nice example, might be a good idea to put this on
> `Atomic::from_ptr`.
>
I have something similar in the doc comment of `Atomic::from_ptr()`,
just not an `Atomic<*mut T>`.
> > This is the case we must support if we want to write any non-trivial
> > synchronization code communicate with C side.
> >
> > And in this case, it's generally easier to reason why we can convert a
> > *mut *mut Bar to &UnsafePinned<*mut Bar>.
>
> What does that have to do with `UnsafePinned`? `UnsafeCell` should
> suffice.
>
I was talking about things like UnsafeCell<*mut T> vs UnsafeCell<isize>
not comparing between UnsafePinned and UnsafeCell.
Regards,
Boqun
> Also where does the provenance interact with `UnsafePinned`?
>
> ---
> Cheers,
> Benno
Powered by blists - more mailing lists