lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <6D30FEF7-07E7-4851-A7A2-76649AD0B217@collabora.com>
Date: Fri, 5 Sep 2025 16:42:09 -0300
From: Daniel Almeida <daniel.almeida@...labora.com>
To: Onur Özkan <work@...rozkan.dev>
Cc: rust-for-linux@...r.kernel.org,
 linux-kernel@...r.kernel.org,
 lossin@...nel.org,
 lyude@...hat.com,
 ojeda@...nel.org,
 alex.gaynor@...il.com,
 boqun.feng@...il.com,
 gary@...yguo.net,
 a.hindborg@...nel.org,
 aliceryhl@...gle.com,
 tmgross@...ch.edu,
 dakr@...nel.org,
 peterz@...radead.org,
 mingo@...hat.com,
 will@...nel.org,
 longman@...hat.com,
 felipe_life@...e.com,
 daniel@...lak.dev,
 bjorn3_gh@...tonmail.com
Subject: Re: [PATCH v6 6/7] rust: ww_mutex/exec: add high-level API

Hi Onur,

> On 3 Sep 2025, at 10:13, Onur Özkan <work@...rozkan.dev> wrote:
> 
> `ExecContext` is a helper built on top of ww_mutex

Again, I wonder what people think about this particular name.

> that provides a retrying interface for lock acquisition.
> When `EDEADLK` is hit, it drops all held locks, resets
> the acquire context and retries the given (by the user)
> locking algorithm until it succeeds.
> 
> The API keeps track of acquired locks, cleans them up
> automatically and allows data access to the protected
> data through `with_locked()`. The `lock_all()` helper
> allows implementing multi-mutex algorithms in a simpler
> and less error-prone way while keeping the ww_mutex
> semantics.
> 

Great, this was exactly what I was looking for! :)

> Signed-off-by: Onur Özkan <work@...rozkan.dev>
> ---
> rust/kernel/sync/lock/ww_mutex.rs      |   2 +
> rust/kernel/sync/lock/ww_mutex/exec.rs | 176 +++++++++++++++++++++++++
> 2 files changed, 178 insertions(+)
> create mode 100644 rust/kernel/sync/lock/ww_mutex/exec.rs
> 
> diff --git a/rust/kernel/sync/lock/ww_mutex.rs b/rust/kernel/sync/lock/ww_mutex.rs
> index b415d6deae9b..7de6578513e5 100644
> --- a/rust/kernel/sync/lock/ww_mutex.rs
> +++ b/rust/kernel/sync/lock/ww_mutex.rs
> @@ -16,6 +16,8 @@
> use core::cell::UnsafeCell;
> use core::marker::PhantomData;
> 
> +pub mod exec;
> +
> /// Create static [`WwClass`] instances.
> ///
> /// # Examples
> diff --git a/rust/kernel/sync/lock/ww_mutex/exec.rs b/rust/kernel/sync/lock/ww_mutex/exec.rs
> new file mode 100644
> index 000000000000..2f1fc540f0b8
> --- /dev/null
> +++ b/rust/kernel/sync/lock/ww_mutex/exec.rs
> @@ -0,0 +1,176 @@
> +// SPDX-License-Identifier: GPL-2.0
> +
> +//! A high-level [`WwMutex`] execution helper.
> +//!
> +//! Provides a retrying lock mechanism on top of [`WwMutex`] and [`WwAcquireCtx`].
> +//! It detects [`EDEADLK`] and handles it by rolling back and retrying the
> +//! user-supplied locking algorithm until success.
> +
> +use crate::prelude::*;
> +use crate::sync::lock::ww_mutex::{WwAcquireCtx, WwClass, WwMutex, WwMutexGuard};
> +use core::ptr;
> +
> +/// High-level execution type for ww_mutex.
> +///
> +/// Tracks a series of locks acquired under a common [`WwAcquireCtx`].
> +/// It ensures proper cleanup and retry mechanism on deadlocks and provides
> +/// type-safe access to locked data via [`with_locked`].
> +///
> +/// Typical usage is through [`lock_all`], which retries a user-supplied
> +/// locking algorithm until it succeeds without deadlock.
> +pub struct ExecContext<'a> {
> +    class: &'a WwClass,
> +    acquire: Pin<KBox<WwAcquireCtx<'a>>>,
> +    taken: KVec<WwMutexGuard<'a, ()>>,
> +}
> +
> +impl<'a> Drop for ExecContext<'a> {
> +    fn drop(&mut self) {
> +        self.release_all_locks();

If we move this to the acquire context, then we can do away with this drop impl.

> +    }
> +}
> +
> +impl<'a> ExecContext<'a> {
> +    /// Creates a new [`ExecContext`] for the given lock class.
> +    ///
> +    /// All locks taken through this context must belong to the same class.
> +    ///
> +    /// TODO: Add some safety mechanism to ensure classes are not different.

core::ptr::eq()?

> +    pub fn new(class: &'a WwClass) -> Result<Self> {
> +        Ok(Self {
> +            class,
> +            acquire: KBox::pin_init(WwAcquireCtx::new(class), GFP_KERNEL)?,
> +            taken: KVec::new(),
> +        })
> +    }
> +
> +    /// Attempts to lock a [`WwMutex`] and records the guard.
> +    ///
> +    /// Returns [`EDEADLK`] if lock ordering would cause a deadlock.
> +    pub fn lock<T>(&mut self, mutex: &'a WwMutex<'a, T>) -> Result<()> {
> +        let guard = self.acquire.lock(mutex)?;
> +        // SAFETY: Type is erased for storage. Actual access uses `with_locked`
> +        // which safely casts back.

Why?

> +        let erased: WwMutexGuard<'a, ()> = unsafe { core::mem::transmute(guard) };

We should really try our very best to avoid transmuting things.

Why can’t you store a KVec<MutexGuard<‘a, T>>? Seems straightforward if
you add a T parameter to ExecContext.

Also, someone correct me if I am wrong, but users can explicitly have T be
e.g.: KBox<dyn SomeTrait> if they want to.

> +        self.taken.push(erased, GFP_KERNEL)?;
> +
> +        Ok(())
> +    }
> +
> +    /// Runs `locking_algorithm` until success with retrying on deadlock.
> +    ///
> +    /// `locking_algorithm` should attempt to acquire all needed locks.
> +    /// If [`EDEADLK`] is detected, this function will roll back, reset
> +    /// the context and retry automatically.
> +    ///
> +    /// Once all locks are acquired successfully, `on_all_locks_taken` is
> +    /// invoked for exclusive access to the locked values. Afterwards, all
> +    /// locks are released.
> +    ///
> +    /// # Example
> +    ///
> +    /// ```
> +    /// use kernel::alloc::KBox;
> +    /// use kernel::c_str;
> +    /// use kernel::prelude::*;
> +    /// use kernel::sync::Arc;
> +    /// use kernel::sync::lock::ww_mutex;
> +    /// use pin_init::stack_pin_init;
> +    ///
> +    /// stack_pin_init!(let class = ww_mutex::WwClass::new_wound_wait(c_str!("lock_all_example")));
> +    ///
> +    /// let mutex1 = Arc::pin_init(ww_mutex::WwMutex::new(0, &class), GFP_KERNEL)?;
> +    /// let mutex2 = Arc::pin_init(ww_mutex::WwMutex::new(0, &class), GFP_KERNEL)?;
> +    /// let mut ctx = KBox::pin_init(ww_mutex::exec::ExecContext::new(&class)?, GFP_KERNEL)?;
> +    ///
> +    /// ctx.lock_all(
> +    ///     |ctx| {
> +    ///         // Try to lock both mutexes.
> +    ///         ctx.lock(&mutex1)?;
> +    ///         ctx.lock(&mutex2)?;
> +    ///
> +    ///         Ok(())
> +    ///     },
> +    ///     |ctx| {
> +    ///         // Safely mutate both values while holding the locks.
> +    ///         ctx.with_locked(&mutex1, |v| *v += 1)?;
> +    ///         ctx.with_locked(&mutex2, |v| *v += 1)?;
> +    ///
> +    ///         Ok(())
> +    ///     },
> +    /// )?;

Can you add intermediary variables to hold the closures, just for extra clarity?

i.e.:

let locking_algorithm = …;
let on_all_locks_taken = …;

This is of course identical, but it conveys the meaning just a bit better.

> +    ///
> +    /// # Ok::<(), Error>(())
> +    /// ```
> +    pub fn lock_all<T, Y, Z>(
> +        &mut self,
> +        mut locking_algorithm: T,
> +        mut on_all_locks_taken: Y,
> +    ) -> Result<Z>
> +    where
> +        T: FnMut(&mut ExecContext<'a>) -> Result<()>,

Just “Result”.

> +        Y: FnMut(&mut ExecContext<'a>) -> Result<Z>,
> +    {
> +        loop {
> +            match locking_algorithm(self) {
> +                Ok(()) => {
> +                    // All locks in `locking_algorithm` succeeded.
> +                    // The user can now safely use them in `on_all_locks_taken`.
> +                    let res = on_all_locks_taken(self);
> +                    self.release_all_locks();
> +
> +                    return res;
> +                }
> +                Err(e) if e == EDEADLK => {
> +                    // Deadlock detected, retry from scratch.
> +                    self.cleanup_on_deadlock()?;
> +                    continue;
> +                }
> +                Err(e) => {
> +                    return Err(e);
> +                }
> +            }
> +        }
> +    }

This apparently looks ok.

> +
> +    /// Executes `f` with a mutable reference to the data behind `mutex`.
> +    ///
> +    /// Fails with [`EINVAL`] if the mutex was not locked in this context.
> +    pub fn with_locked<T, Y>(
> +        &mut self,
> +        mutex: &'a WwMutex<'a, T>,
> +        f: impl FnOnce(&mut T) -> Y,
> +    ) -> Result<Y> {
> +        // Find the matching guard.
> +        for guard in &mut self.taken {
> +            if mutex.as_ptr() == guard.mutex.as_ptr() {

core::ptr::eq() ?

> +                // SAFETY: We know this guard belongs to `mutex` and holds the lock.
> +                let typed = unsafe { &mut *ptr::from_mut(guard).cast::<WwMutexGuard<'a, T>>() };
> +                return Ok(f(&mut **typed));

This doesn’t look good, but it will probably improve once we get rid of the transmute.

 Also, can you find a comparable use-case for this in the C code?

> +            }
> +        }
> +
> +        // `mutex` isn't locked in this `ExecContext`.
> +        Err(EINVAL)
> +    }
> +
> +    /// Releases all currently held locks in this context.
> +    ///
> +    /// It is intended to be used for internal implementation only.
> +    fn release_all_locks(&mut self) {
> +        self.taken.clear();
> +    }
> +
> +    /// Resets this context after a deadlock detection.
> +    ///
> +    /// Drops all held locks and reinitializes the [`WwAcquireCtx`].
> +    ///
> +    /// It is intended to be used for internal implementation only.

^ This last line can go away as this is private.

> +    fn cleanup_on_deadlock(&mut self) -> Result {
> +        self.release_all_locks();
> +        // Re-init fresh `WwAcquireCtx`.
> +        self.acquire = KBox::pin_init(WwAcquireCtx::new(self.class), GFP_KERNEL)?;

This will require one allocation per rollback.

> +
> +        Ok(())
> +    }
> +}
> --
> 2.50.0
> 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ