From: "Benno Lossin" <lossin@kernel.org>
To: "Andreas Hindborg" <a.hindborg@kernel.org>,
"Miguel Ojeda" <ojeda@kernel.org>,
"Alex Gaynor" <alex.gaynor@gmail.com>,
"Boqun Feng" <boqun.feng@gmail.com>,
"Gary Guo" <gary@garyguo.net>,
"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
"Benno Lossin" <benno.lossin@proton.me>,
"Alice Ryhl" <aliceryhl@google.com>,
"Trevor Gross" <tmgross@umich.edu>,
"Danilo Krummrich" <dakr@kernel.org>
Cc: "Oliver Mangold" <oliver.mangold@pm.me>,
<rust-for-linux@vger.kernel.org>, <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v2] rust: elaborate safety requirements for `AlwaysReferenceCounted`
Date: Wed, 07 May 2025 10:35:16 +0200 [thread overview]
Message-ID: <D9PSH8MJ48JO.3OOA3Z3NSBGC9@kernel.org> (raw)
In-Reply-To: <20250506-aref-from-raw-v2-1-5a35e47f4ec2@kernel.org>
On Tue May 6, 2025 at 10:29 AM CEST, Andreas Hindborg wrote:
> diff --git a/rust/kernel/types.rs b/rust/kernel/types.rs
> index 9d0471afc964..52683d686c8a 100644
> --- a/rust/kernel/types.rs
> +++ b/rust/kernel/types.rs
> @@ -409,6 +409,10 @@ pub const fn raw_get(this: *const Self) -> *mut T {
> /// Implementers must also ensure that all instances are reference-counted. (Otherwise they
> /// won't be able to honour the requirement that [`AlwaysRefCounted::inc_ref`] keep the object
> /// alive.)
> +///
> +/// Implementers of this trait must ensure that values of types implementing this trait can never be
> +/// owned by value. Instead, values must be owned and used through a pointer type. That is, a type
> +/// that implements [`Deref`].
I don't think this covers every case, if I modify your example above
with Alice's suggestion and using `Box` instead of the stack, I get the
same problem:
struct Empty {}
unsafe impl AlwaysRefCounted for Empty {
fn inc_ref(&self) {}
unsafe fn dec_ref(_obj: NonNull<Self>) {}
}
fn unsound() -> ARef<Empty> {
use kernel::types::{ARef, RefCounted};
let data = Box::new(Empty {});
let aref = ARef::from(&data);
aref
}
The same should be true if one uses `Arc` instead of `Box`. So, even
though we store it in a "pointer type that implements `Deref`", it is
unsound.
I think that types that implement `AlwaysRefCounted` must only be store
inside of `ARef<T>`. So something like "Values of this trait must only
be exposed as `ARef<Self>` or `&Self`." I'm not satisfied with the
wording 'exposed', maybe you have a better word or can expand the
sentence.
---
Cheers,
Benno
> pub unsafe trait AlwaysRefCounted {
> /// Increments the reference count on the object.
> fn inc_ref(&self);
>
> ---
> base-commit: b4432656b36e5cc1d50a1f2dc15357543add530e
> change-id: 20250502-aref-from-raw-e110b3e6dbf5
>
> Best regards,
next prev parent reply other threads:[~2025-05-07 8:35 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-06 8:29 [PATCH v2] rust: elaborate safety requirements for `AlwaysReferenceCounted` Andreas Hindborg
2025-05-06 14:10 ` Boqun Feng
2025-05-06 14:45 ` Andreas Hindborg
2025-05-07 6:24 ` Alice Ryhl
2025-05-07 8:35 ` Benno Lossin [this message]
2025-05-07 8:41 ` Alice Ryhl
2025-05-07 9:19 ` Andreas Hindborg
2025-05-07 11:26 ` Benno Lossin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=D9PSH8MJ48JO.3OOA3Z3NSBGC9@kernel.org \
--to=lossin@kernel.org \
--cc=a.hindborg@kernel.org \
--cc=alex.gaynor@gmail.com \
--cc=aliceryhl@google.com \
--cc=benno.lossin@proton.me \
--cc=bjorn3_gh@protonmail.com \
--cc=boqun.feng@gmail.com \
--cc=dakr@kernel.org \
--cc=gary@garyguo.net \
--cc=linux-kernel@vger.kernel.org \
--cc=ojeda@kernel.org \
--cc=oliver.mangold@pm.me \
--cc=rust-for-linux@vger.kernel.org \
--cc=tmgross@umich.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.