lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20260106181201.22806712.gary@garyguo.net>
Date: Tue, 6 Jan 2026 18:12:01 +0000
From: Gary Guo <gary@...yguo.net>
To: Peter Zijlstra <peterz@...radead.org>
Cc: Alice Ryhl <aliceryhl@...gle.com>, Boqun Feng <boqun.feng@...il.com>,
 Will Deacon <will@...nel.org>, Richard Henderson
 <richard.henderson@...aro.org>, Matt Turner <mattst88@...il.com>, Magnus
 Lindholm <linmag7@...il.com>, Catalin Marinas <catalin.marinas@....com>,
 Miguel Ojeda <ojeda@...nel.org>, Björn Roy Baron
 <bjorn3_gh@...tonmail.com>, Benno Lossin <lossin@...nel.org>, Andreas
 Hindborg <a.hindborg@...nel.org>, Trevor Gross <tmgross@...ch.edu>, Danilo
 Krummrich <dakr@...nel.org>, Mark Rutland <mark.rutland@....com>, FUJITA
 Tomonori <fujita.tomonori@...il.com>, Frederic Weisbecker
 <frederic@...nel.org>, Lyude Paul <lyude@...hat.com>, Thomas Gleixner
 <tglx@...utronix.de>, Anna-Maria Behnsen <anna-maria@...utronix.de>, John
 Stultz <jstultz@...gle.com>, Stephen Boyd <sboyd@...nel.org>, Alexander
 Viro <viro@...iv.linux.org.uk>, Christian Brauner <brauner@...nel.org>, Jan
 Kara <jack@...e.cz>, linux-kernel@...r.kernel.org,
 linux-alpha@...r.kernel.org, linux-arm-kernel@...ts.infradead.org,
 rust-for-linux@...r.kernel.org, linux-fsdevel@...r.kernel.org
Subject: Re: [PATCH 3/5] rust: sync: support using bool with READ_ONCE

On Tue, 6 Jan 2026 13:43:26 +0100
Peter Zijlstra <peterz@...radead.org> wrote:

> On Wed, Dec 31, 2025 at 12:22:27PM +0000, Alice Ryhl wrote:
> > Normally it is undefined behavior for a bool to take any value other
> > than 0 or 1. However, in the case of READ_ONCE(some_bool) is used, this
> > UB seems dangerous and unnecessary. I can easily imagine some Rust code
> > that looks like this:
> > 
> > 	if READ_ONCE(&raw const (*my_c_struct).my_bool_field) {
> > 	    ...
> > 	}
> > 
> > And by making an analogy to what the equivalent C code is, anyone
> > writing this probably just meant to treat any non-zero value as true.
> > 
> > For WRITE_ONCE no special logic is required.
> > 
> > Signed-off-by: Alice Ryhl <aliceryhl@...gle.com>
> > ---
> >  rust/kernel/sync/rwonce.rs | 19 +++++++++++++++++++
> >  1 file changed, 19 insertions(+)
> > 
> > diff --git a/rust/kernel/sync/rwonce.rs b/rust/kernel/sync/rwonce.rs
> > index a1660e43c9ef94011812d1816713cf031a73de1d..73477f53131926996614df573b2d50fff98e624f 100644
> > --- a/rust/kernel/sync/rwonce.rs
> > +++ b/rust/kernel/sync/rwonce.rs
> > @@ -163,6 +163,7 @@ unsafe fn write_once(ptr: *mut Self, val: Self) {
> >  // sizes, so picking the wrong helper should lead to a build error.
> >  
> >  impl_rw_once_type! {
> > +    bool, read_once_bool, write_once_1;
> >      u8,   read_once_1, write_once_1;
> >      i8,   read_once_1, write_once_1;
> >      u16,  read_once_2, write_once_2;
> > @@ -186,3 +187,21 @@ unsafe fn write_once(ptr: *mut Self, val: Self) {
> >      usize, read_once_8, write_once_8;
> >      isize, read_once_8, write_once_8;
> >  }
> > +
> > +/// Read an integer as a boolean once.
> > +///
> > +/// Returns `true` if the value behind the pointer is non-zero. Otherwise returns `false`.
> > +///
> > +/// # Safety
> > +///
> > +/// It must be safe to `READ_ONCE` the `ptr` with type `u8`.
> > +#[inline(always)]
> > +#[track_caller]
> > +unsafe fn read_once_bool(ptr: *const bool) -> bool {
> > +    // Implement `read_once_bool` in terms of `read_once_1`. The arch-specific logic is inside
> > +    // of `read_once_1`.
> > +    //
> > +    // SAFETY: It is safe to `READ_ONCE` the `ptr` with type `u8`.
> > +    let byte = unsafe { read_once_1(ptr.cast::<u8>()) };
> > +    byte != 0u8
> > +}  
> 
> Does this hardcode that sizeof(_Bool) == 1? There are ABIs where this is
> not the case.

Hi Peter,

Do you have a concrete example on which ABI/arch this is not true?

I know that the C spec doesn't mandate _Bool and char are of the same size
but we have tons of assumptions that is not guaranteed by standard C..

Best,
Gary

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ