Message-ID: <aTFPiTOIVmwGGEp-@google.com>
Date: Thu, 4 Dec 2025 09:08:25 +0000
From: Alice Ryhl <aliceryhl@...gle.com>
To: "Onur Özkan" <work@...rozkan.dev>
Cc: rust-for-linux@...r.kernel.org, lossin@...nel.org, lyude@...hat.com, 
	ojeda@...nel.org, alex.gaynor@...il.com, boqun.feng@...il.com, 
	gary@...yguo.net, a.hindborg@...nel.org, tmgross@...ch.edu, dakr@...nel.org, 
	peterz@...radead.org, mingo@...hat.com, will@...nel.org, longman@...hat.com, 
	felipe_life@...e.com, daniel@...lak.dev, daniel.almeida@...labora.com, 
	thomas.hellstrom@...ux.intel.com, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v8 5/6] rust: ww_mutex: add Mutex, AcquireCtx and MutexGuard

On Wed, Dec 03, 2025 at 07:02:30PM +0300, Onur Özkan wrote:
> On Wed, 3 Dec 2025 13:26:23 +0000
> Alice Ryhl <aliceryhl@...gle.com> wrote:
> 
> > On Mon, Dec 01, 2025 at 01:28:54PM +0300, Onur Özkan wrote:
> > > +/// Internal helper that unifies the different locking kinds.
> > > +///
> > > +/// Returns [`EINVAL`] if the [`Mutex`] has a different [`Class`].
> > > +fn lock_common<'a, T: ?Sized>(
> > > +    mutex: &'a Mutex<'a, T>,
> > > +    ctx: Option<&AcquireCtx<'_>>,
> > > +    kind: LockKind,
> > > +) -> Result<MutexGuard<'a, T>> {
> > > +    let mutex_ptr = mutex.inner.get();
> > > +
> > > +    let ctx_ptr = match ctx {
> > > +        Some(acquire_ctx) => {
> > > +            let ctx_ptr = acquire_ctx.inner.get();
> > > +
> > > +            // SAFETY: `ctx_ptr` is a valid pointer for the entire
> > > +            // lifetime of `ctx`.
> > > +            let ctx_class = unsafe { (*ctx_ptr).ww_class };
> > > +
> > > +            // SAFETY: `mutex_ptr` is a valid pointer for the
> > > entire
> > > +            // lifetime of `mutex`.
> > > +            let mutex_class = unsafe { (*mutex_ptr).ww_class };
> > > +
> > > +            // `ctx` and `mutex` must use the same class.
> > > +            if ctx_class != mutex_class {
> > > +                return Err(EINVAL);
> > > +            }
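Review bot: the reads at `let ctx_class = unsafe { (*ctx_ptr).ww_class };` and `let mutex_class = unsafe { (*mutex_ptr).ww_class };` depend on a `ww_class` field that, as the earlier part of this thread notes, is only present when DEBUG_WW_MUTEXES is enabled, so this hunk only builds under that config unless the C-side change exposing the field unconditionally lands first; either gate the comparison on the config or order the series so the C change precedes it. Also, when `ctx` is `None` no class check happens at all, which the doc comment "Returns [`EINVAL`] if the [`Mutex`] has a different [`Class`]" does not say; stating that the check applies only when an acquire context is passed would make the contract match the code.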
> > 
> > Hmm, this originates from the previous conversation:
> > 
> > https://lore.kernel.org/all/20251124184928.30b8bbaf@nimda/
> > >>> +    ///         // SAFETY: Both `lock_set` and `mutex1` uses the
> > >>> same class.
> > >>> +    ///         unsafe { lock_set.lock(&mutex1)? };
> > >>> +    ///
> > >>> +    ///         // SAFETY: Both `lock_set` and `mutex2` uses the
> > >>> same class.
> > >>> +    ///         unsafe { lock_set.lock(&mutex2)? };
> > >> 
> > >> I wonder if there's some way we can get rid of the safety contract
> > >> here and verify this at compile time, it would be a shame if every
> > >> single lock invocation needed to be unsafe.
> > >> 
> > > 
> > > Yeah :(. We could get rid of them easily by keeping the class that
> > > was passed to the constructor functions but that becomes a problem
> > > for the from_raw implementations.
> > > 
> > > I think the best solution would be to expose ww_class type from
> > > ww_acquire_ctx and ww_mutex unconditionally (right now it depends on
> > > DEBUG_WW_MUTEXES). That way we can just access the class and verify
> > > that the mutex and acquire_ctx classes match.
> > > 
> > > What do you think? I can submit a patch for the C-side
> > > implementation. It should be straightforward and shouldn't have any
> > > runtime impact.
> > 
> > I think there is a better solution. We can create a different type for
> > every single class, like how rust/kernel/sync/lock/global.rs creates a
> > different type for every single mutex. Then, you know that the classes
> > are the same since the class is part of the type.
> 
> You can have the same types but different memory addresses, and that would
> break the ww_mutex logic we are trying to solve.

The entire idea behind rust/kernel/sync/lock/global.rs is one type per
memory address. Can you elaborate on the difficult case?

Alice
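The one-type-per-class idea Alice describes, as an added illustration in plain std Rust that is not part of this patch series or the kernel crate: `WwClass`, `ww_class!`, `DisplayClass` and `StorageClass` are assumed names, and std's `Mutex` stands in for the kernel's ww_mutex. The class travels in the type, so the runtime `ctx_class != mutex_class` check from the hunk above turns into a compile-time error.

```rust
use std::marker::PhantomData;
use std::sync::{Mutex as StdMutex, MutexGuard};

/// One ww class = one type. `addr()` is the address of the class's own
/// static, i.e. the value the kernel's `ww_class` pointer would carry.
pub trait WwClass: 'static {
    fn addr() -> usize;
}

/// Assumed macro: one class type backed by exactly one static, mirroring
/// the one-type-per-address pattern of rust/kernel/sync/lock/global.rs.
macro_rules! ww_class {
    ($name:ident) => {
        pub struct $name;
        impl WwClass for $name {
            fn addr() -> usize {
                static CLASS: u8 = 0; // a distinct static per expansion
                &CLASS as *const u8 as usize
            }
        }
    };
}
ww_class!(DisplayClass);
ww_class!(StorageClass);

/// Acquire context tagged with its class (stand-in for ww_acquire_ctx).
pub struct AcquireCtx<C: WwClass>(PhantomData<C>);
impl<C: WwClass> AcquireCtx<C> {
    pub fn new() -> Self { AcquireCtx(PhantomData) }
}

/// Mutex tagged with its class (std Mutex stands in for ww_mutex).
pub struct Mutex<C: WwClass, T> { inner: StdMutex<T>, _class: PhantomData<C> }
impl<C: WwClass, T> Mutex<C, T> {
    pub fn new(value: T) -> Self {
        Mutex { inner: StdMutex::new(value), _class: PhantomData }
    }
    /// Only a context of the same class type is accepted, so the patch's
    /// runtime EINVAL check becomes a type error: calling this with an
    /// `AcquireCtx<StorageClass>` on a `Mutex<DisplayClass, _>` does not compile.
    pub fn lock<'a>(&'a self, _ctx: &AcquireCtx<C>) -> MutexGuard<'a, T> {
        self.inner.lock().expect("poisoned")
    }
}

/// Two mutexes of one class, locked under one context of that same class.
pub fn lock_pair_sum() -> u32 {
    let ctx = AcquireCtx::<DisplayClass>::new();
    let (m1, m2) = (Mutex::<DisplayClass, u32>::new(1), Mutex::<DisplayClass, u32>::new(2));
    let (a, b) = (m1.lock(&ctx), m2.lock(&ctx));
    *a + *b
}
```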
