From: Andreas Hindborg <a.hindborg@kernel.org>
To: "Benno Lossin" <lossin@kernel.org>
Cc: "Danilo Krummrich" <dakr@kernel.org>,
"Miguel Ojeda" <ojeda@kernel.org>,
"Alex Gaynor" <alex.gaynor@gmail.com>,
"Boqun Feng" <boqun.feng@gmail.com>,
"Gary Guo" <gary@garyguo.net>,
"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
"Alice Ryhl" <aliceryhl@google.com>,
"Trevor Gross" <tmgross@umich.edu>,
"Bjorn Helgaas" <bhelgaas@google.com>,
"Krzysztof Wilczyński" <kwilczynski@kernel.org>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Rafael J. Wysocki" <rafael@kernel.org>,
"Tamir Duberstein" <tamird@gmail.com>,
"Viresh Kumar" <viresh.kumar@linaro.org>,
rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-pci@vger.kernel.org, "Maíra Canal" <mcanal@igalia.com>
Subject: Re: [PATCH] rust: types: add FOREIGN_ALIGN to ForeignOwnable
Date: Tue, 10 Jun 2025 11:27:28 +0200 [thread overview]
Message-ID: <87sek82bgf.fsf@kernel.org> (raw)
In-Reply-To: <DAFB0GKSGPSF.24BE695LGC28Z@kernel.org> (Benno Lossin's message of "Fri, 06 Jun 2025 10:23:21 +0200")
Hi Benno,
"Benno Lossin" <lossin@kernel.org> writes:
> The title should probably also mention that it removes `PointedTo`.
>
> On Thu Jun 5, 2025 at 9:55 PM CEST, Andreas Hindborg wrote:
>> The current implementation of `ForeignOwnable` is leaking the type of the
>> opaque pointer to consumers of the API. This allows consumers of the opaque
>> pointer to rely on the information that can be extracted from the pointer
>> type.
>>
>> To prevent this, change the API to the version suggested by Maira
>> Canal (link below): Remove `ForeignOwnable::PointedTo` in favor of a
>> constant, which specifies the alignment of the pointers returned by
>> `into_foreign`.
>>
>> Suggested-by: Alice Ryhl <aliceryhl@google.com>
>> Suggested-by: Maíra Canal <mcanal@igalia.com>
>> Link: https://lore.kernel.org/r/20240309235927.168915-3-mcanal@igalia.com
>> Signed-off-by: Andreas Hindborg <a.hindborg@kernel.org>
>
> A couple nits and documentation review below, with those fixed:
>
> Reviewed-by: Benno Lossin <lossin@kernel.org>
>
>> ---
>> rust/kernel/alloc/kbox.rs | 40 ++++++++++++++++++++++------------------
>> rust/kernel/miscdevice.rs | 10 +++++-----
>> rust/kernel/pci.rs | 2 +-
>> rust/kernel/platform.rs | 2 +-
>> rust/kernel/sync/arc.rs | 23 ++++++++++++-----------
>> rust/kernel/types.rs | 46 +++++++++++++++++++++-------------------------
>> rust/kernel/xarray.rs | 8 ++++----
>> 7 files changed, 66 insertions(+), 65 deletions(-)
>>
>> diff --git a/rust/kernel/alloc/kbox.rs b/rust/kernel/alloc/kbox.rs
>> index c386ff771d50..97f45bc4d74f 100644
>> --- a/rust/kernel/alloc/kbox.rs
>> +++ b/rust/kernel/alloc/kbox.rs
>> @@ -398,70 +398,74 @@ fn try_init<E>(init: impl Init<T, E>, flags: Flags) -> Result<Self, E>
>> }
>> }
>>
>> -// SAFETY: The `into_foreign` function returns a pointer that is well-aligned.
>> +// SAFETY: The pointer returned by `into_foreign` comes from a well aligned
>> +// pointer to `T`.
>> unsafe impl<T: 'static, A> ForeignOwnable for Box<T, A>
>> where
>> A: Allocator,
>> {
>> - type PointedTo = T;
>> + const FOREIGN_ALIGN: usize = core::mem::align_of::<T>();
>> type Borrowed<'a> = &'a T;
>> type BorrowedMut<'a> = &'a mut T;
>>
>> - fn into_foreign(self) -> *mut Self::PointedTo {
>> - Box::into_raw(self)
>> + fn into_foreign(self) -> *mut crate::ffi::c_void {
>
> How about we import the prelude, then you can just write `*mut c_void`
> everywhere instead of having to write `crate::ffi` all the time.
OK.
>
>> diff --git a/rust/kernel/sync/arc.rs b/rust/kernel/sync/arc.rs
>> index c7af0aa48a0a..6603079b05af 100644
>> --- a/rust/kernel/sync/arc.rs
>> +++ b/rust/kernel/sync/arc.rs
>> @@ -140,10 +140,9 @@ pub struct Arc<T: ?Sized> {
>> _p: PhantomData<ArcInner<T>>,
>> }
>>
>> -#[doc(hidden)]
>> #[pin_data]
>> #[repr(C)]
>> -pub struct ArcInner<T: ?Sized> {
>> +struct ArcInner<T: ?Sized> {
>
> I agree with this change, but let's mention it in the commit message.
Right.
>
>> refcount: Opaque<bindings::refcount_t>,
>> data: T,
>> }
>
>> diff --git a/rust/kernel/types.rs b/rust/kernel/types.rs
>> index 22985b6f6982..025c619a2195 100644
>> --- a/rust/kernel/types.rs
>> +++ b/rust/kernel/types.rs
>> @@ -21,15 +21,11 @@
>> ///
>> /// # Safety
>> ///
>> -/// Implementers must ensure that [`into_foreign`] returns a pointer which meets the alignment
>> -/// requirements of [`PointedTo`].
>> -///
>> -/// [`into_foreign`]: Self::into_foreign
>> -/// [`PointedTo`]: Self::PointedTo
>> +/// Implementers must ensure that [`Self::into_foreign`] return pointers with alignment that is an
>
> s/return/returns/
Thanks.
>
>> +/// integer multiple of [`Self::FOREIGN_ALIGN`].
>
> I would just write "returns pointers aligned to [`Self::FOREIGN_ALIGN`]".
OK.
>
>> pub unsafe trait ForeignOwnable: Sized {
>> - /// Type used when the value is foreign-owned. In practical terms only defines the alignment of
>> - /// the pointer.
>> - type PointedTo;
>> + /// The alignment of pointers returned by `into_foreign`.
>> + const FOREIGN_ALIGN: usize;
>>
>> /// Type used to immutably borrow a value that is currently foreign-owned.
>> type Borrowed<'a>;
>> @@ -39,18 +35,17 @@ pub unsafe trait ForeignOwnable: Sized {
>>
>> /// Converts a Rust-owned object to a foreign-owned one.
>> ///
>> - /// # Guarantees
>
> Why remove this section? I think we should streamline it, (make it use
> bullet points, shorten the sentences etc). We can keep the paragraph you
> wrote below as normal docs.
Not sure exactly what you are going for here. How is this:
Converts a Rust-owned object to a foreign-owned one.
The foreign representation is a pointer to void.
# Guarantees
- Minimum alignment of returned pointer is [`Self::FOREIGN_ALIGN`].
There are no other guarantees for this pointer. For example, it might be invalid, dangling
or pointing to uninitialized memory. Using it in any way except for [`from_foreign`],
[`try_from_foreign`], [`borrow`], or [`borrow_mut`] can result in undefined behavior.
Best regards,
Andreas Hindborg
next prev parent reply other threads:[~2025-06-10 9:27 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-05 19:55 [PATCH] rust: types: add FOREIGN_ALIGN to ForeignOwnable Andreas Hindborg
2025-06-05 20:33 ` Danilo Krummrich
2025-06-06 8:23 ` Benno Lossin
2025-06-10 9:27 ` Andreas Hindborg [this message]
2025-06-10 9:58 ` Benno Lossin
2025-06-10 10:25 ` Andreas Hindborg
2025-06-10 15:19 ` Alice Ryhl
2025-06-11 10:45 ` Andreas Hindborg
2025-06-11 11:08 ` Alice Ryhl
2025-06-11 12:15 ` Andreas Hindborg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87sek82bgf.fsf@kernel.org \
--to=a.hindborg@kernel.org \
--cc=alex.gaynor@gmail.com \
--cc=aliceryhl@google.com \
--cc=bhelgaas@google.com \
--cc=bjorn3_gh@protonmail.com \
--cc=boqun.feng@gmail.com \
--cc=dakr@kernel.org \
--cc=gary@garyguo.net \
--cc=gregkh@linuxfoundation.org \
--cc=kwilczynski@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=lossin@kernel.org \
--cc=mcanal@igalia.com \
--cc=ojeda@kernel.org \
--cc=rafael@kernel.org \
--cc=rust-for-linux@vger.kernel.org \
--cc=tamird@gmail.com \
--cc=tmgross@umich.edu \
--cc=viresh.kumar@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.