Re: [PATCH] rust: types: add FOREIGN_ALIGN to ForeignOwnable

["Benno Lossin" <lossin@kernel.org>]

The title should probably also mention that it removes `PointedTo`. 

On Thu Jun 5, 2025 at 9:55 PM CEST, Andreas Hindborg wrote:
> The current implementation of `ForeignOwnable` is leaking the type of the
> opaque pointer to consumers of the API. This allows consumers of the opaque
> pointer to rely on the information that can be extracted from the pointer
> type.
>
> To prevent this, change the API to the version suggested by Maira
> Canal (link below): Remove `ForeignOwnable::PointedTo` in favor of a
> constant, which specifies the alignment of the pointers returned by
> `into_foreign`.
>
> Suggested-by: Alice Ryhl <aliceryhl@google.com>
> Suggested-by: Maíra Canal <mcanal@igalia.com>
> Link: https://lore.kernel.org/r/20240309235927.168915-3-mcanal@igalia.com
> Signed-off-by: Andreas Hindborg <a.hindborg@kernel.org>

A couple nits and documentation review below, with those fixed:

Reviewed-by: Benno Lossin <lossin@kernel.org>

> ---
>  rust/kernel/alloc/kbox.rs | 40 ++++++++++++++++++++++------------------
>  rust/kernel/miscdevice.rs | 10 +++++-----
>  rust/kernel/pci.rs        |  2 +-
>  rust/kernel/platform.rs   |  2 +-
>  rust/kernel/sync/arc.rs   | 23 ++++++++++++-----------
>  rust/kernel/types.rs      | 46 +++++++++++++++++++++-------------------------
>  rust/kernel/xarray.rs     |  8 ++++----
>  7 files changed, 66 insertions(+), 65 deletions(-)
>
> diff --git a/rust/kernel/alloc/kbox.rs b/rust/kernel/alloc/kbox.rs
> index c386ff771d50..97f45bc4d74f 100644
> --- a/rust/kernel/alloc/kbox.rs
> +++ b/rust/kernel/alloc/kbox.rs
> @@ -398,70 +398,74 @@ fn try_init<E>(init: impl Init<T, E>, flags: Flags) -> Result<Self, E>
>      }
>  }
>  
> -// SAFETY: The `into_foreign` function returns a pointer that is well-aligned.
> +// SAFETY: The pointer returned by `into_foreign` comes from a well aligned
> +// pointer to `T`.
>  unsafe impl<T: 'static, A> ForeignOwnable for Box<T, A>
>  where
>      A: Allocator,
>  {
> -    type PointedTo = T;
> +    const FOREIGN_ALIGN: usize = core::mem::align_of::<T>();
>      type Borrowed<'a> = &'a T;
>      type BorrowedMut<'a> = &'a mut T;
>  
> -    fn into_foreign(self) -> *mut Self::PointedTo {
> -        Box::into_raw(self)
> +    fn into_foreign(self) -> *mut crate::ffi::c_void {

How about we import the prelude, then you can just write `*mut c_void`
everywhere instead of having to write `crate::ffi` all the time.

> diff --git a/rust/kernel/sync/arc.rs b/rust/kernel/sync/arc.rs
> index c7af0aa48a0a..6603079b05af 100644
> --- a/rust/kernel/sync/arc.rs
> +++ b/rust/kernel/sync/arc.rs
> @@ -140,10 +140,9 @@ pub struct Arc<T: ?Sized> {
>      _p: PhantomData<ArcInner<T>>,
>  }
>  
> -#[doc(hidden)]
>  #[pin_data]
>  #[repr(C)]
> -pub struct ArcInner<T: ?Sized> {
> +struct ArcInner<T: ?Sized> {

I agree with this change, but let's mention it in the commit message.

>      refcount: Opaque<bindings::refcount_t>,
>      data: T,
>  }

> diff --git a/rust/kernel/types.rs b/rust/kernel/types.rs
> index 22985b6f6982..025c619a2195 100644
> --- a/rust/kernel/types.rs
> +++ b/rust/kernel/types.rs
> @@ -21,15 +21,11 @@
>  ///
>  /// # Safety
>  ///
> -/// Implementers must ensure that [`into_foreign`] returns a pointer which meets the alignment
> -/// requirements of [`PointedTo`].
> -///
> -/// [`into_foreign`]: Self::into_foreign
> -/// [`PointedTo`]: Self::PointedTo
> +/// Implementers must ensure that [`Self::into_foreign`] return pointers with alignment that is an

s/return/returns/

> +/// integer multiple of [`Self::FOREIGN_ALIGN`].

I would just write "returns pointers aligned to [`Self::FOREIGN_ALIGN`]".

>  pub unsafe trait ForeignOwnable: Sized {
> -    /// Type used when the value is foreign-owned. In practical terms only defines the alignment of
> -    /// the pointer.
> -    type PointedTo;
> +    /// The alignment of pointers returned by `into_foreign`.
> +    const FOREIGN_ALIGN: usize;
>  
>      /// Type used to immutably borrow a value that is currently foreign-owned.
>      type Borrowed<'a>;
> @@ -39,18 +35,17 @@ pub unsafe trait ForeignOwnable: Sized {
>  
>      /// Converts a Rust-owned object to a foreign-owned one.
>      ///
> -    /// # Guarantees

Why remove this section? I think we should streamline it, (make it use
bullet points, shorten the sentences etc). We can keep the paragraph you
wrote below as normal docs.

> -    ///
> -    /// The return value is guaranteed to be well-aligned, but there are no other guarantees for
> -    /// this pointer. For example, it might be null, dangling, or point to uninitialized memory.
> -    /// Using it in any way except for [`ForeignOwnable::from_foreign`], [`ForeignOwnable::borrow`],
> -    /// [`ForeignOwnable::try_from_foreign`] can result in undefined behavior.
> +    /// The foreign representation is a pointer to void. The minimum alignment of the returned
> +    /// pointer is [`Self::FOREIGN_ALIGN`]. There are no other guarantees for this pointer. For
> +    /// example, it might be invalid, dangling or pointing to uninitialized memory. Using it in any
> +    /// way except for [`from_foreign`], [`try_from_foreign`], [`borrow`], or [`borrow_mut`] can
> +    /// result in undefined behavior.
>      ///
>      /// [`from_foreign`]: Self::from_foreign
>      /// [`try_from_foreign`]: Self::try_from_foreign
>      /// [`borrow`]: Self::borrow
>      /// [`borrow_mut`]: Self::borrow_mut
> -    fn into_foreign(self) -> *mut Self::PointedTo;
> +    fn into_foreign(self) -> *mut crate::ffi::c_void;