From: "Benno Lossin" <lossin@kernel.org>
To: "Marcelo Moreira" <marcelomoreira1905@gmail.com>,
	<dakr@kernel.org>, <ojeda@kernel.org>,
	<rust-for-linux@vger.kernel.org>, <skhan@linuxfoundation.org>,
	<linux-kernel-mentees@lists.linuxfoundation.org>,
	<~lkcamp/patches@lists.sr.ht>
Subject: Re: [PATCH v4 3/3] rust: revocable: split revoke_internal into revoke and revoke_nosync
Date: Thu, 12 Jun 2025 11:06:56 +0200
Message-ID: <DAKFP38LXT84.QN50NZ2QB4WU@kernel.org>
In-Reply-To: <20250602232842.144304-4-marcelomoreira1905@gmail.com>

On Tue Jun 3, 2025 at 1:26 AM CEST, Marcelo Moreira wrote:
> This commit refactors the revocation mechanism by removing the generic
> `revoke_internal` function. Its logic is now directly integrated into
> two distinct public functions: `revoke()` and `revoke_nosync()`.
>
> `revoke_nosync()` is an `unsafe` function that requires the caller to
> guarantee no concurrent users, thus avoiding an RCU grace period.
> `revoke()` is a safe function that internally waits for the RCU grace
> period to ensure all concurrent accesses have completed before dropping
> the wrapped object.
>
> This change improves API clarity and simplifies associated `SAFETY`
> comments by making the synchronization behavior explicit in the function
> signatures.
>
> Suggested-by: Benno Lossin <lossin@kernel.org>
> Suggested-by: Danilo Krummrich <dakr@kernel.org>
> Signed-off-by: Marcelo Moreira <marcelomoreira1905@gmail.com>

One comment below, with that fixed:

Reviewed-by: Benno Lossin <lossin@kernel.org>

> ---
>  rust/kernel/revocable.rs | 38 +++++++++++++++-----------------------
>  1 file changed, 15 insertions(+), 23 deletions(-)
>
> diff --git a/rust/kernel/revocable.rs b/rust/kernel/revocable.rs
> index 43cc9bdc94f4..daf22e3a7d20 100644
> --- a/rust/kernel/revocable.rs
> +++ b/rust/kernel/revocable.rs
> @@ -126,22 +126,6 @@ pub fn try_access_with_guard<'a>(&'a self, _guard: &'a rcu::Guard) -> Option<&'a
>          }
>      }
>  
> -    /// # Safety
> -    ///
> -    /// Callers must ensure that there are no more concurrent users of the revocable object.
> -    unsafe fn revoke_internal<const SYNC: bool>(&self) {
> -        if self.is_available.swap(false, Ordering::Relaxed) {
> -            if SYNC {
> -                // SAFETY: Just an FFI call, there are no further requirements.
> -                unsafe { bindings::synchronize_rcu() };
> -            }
> -
> -            // SAFETY: We know `self.data` is valid because only one CPU can succeed the
> -            // `compare_exchange` above that takes `is_available` from `true` to `false`.
> -            unsafe { drop_in_place(self.data.get()) };
> -        }
> -    }
> -
>      /// Revokes access to and drops the wrapped object.
>      ///
>      /// Access to the object is revoked immediately to new callers of [`Revocable::try_access`],
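Review bot: with `revoke_internal` removed in this hunk, the `is_available.swap(false, Ordering::Relaxed)` guard and the `drop_in_place(self.data.get())` call are duplicated in `revoke_nosync()` and `revoke()`, which differ only in the `synchronize_rcu()` call. Any later change to the guard or to the drop has to be made in both functions, so it is worth saying in the commit message that the duplication is deliberate. The removed comment also named `compare_exchange` although the code calls `swap`; the replacement comments should not carry that wording over.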
> @@ -151,10 +135,12 @@ unsafe fn revoke_internal<const SYNC: bool>(&self) {
>      ///
>      /// Callers must ensure that there are no more concurrent users of the revocable object.
>      pub unsafe fn revoke_nosync(&self) {
> -        // SAFETY: By the safety requirement of this function, the caller ensures that nobody is
> -        // accessing the data anymore and hence we don't have to wait for the grace period to
> -        // finish.
> -        unsafe { self.revoke_internal::<false>() }
> +        if self.is_available.swap(false, Ordering::Relaxed) {
> +            // SAFETY: `Self::data` is valid for writes because of `Self`'s type invariants,
> +            // as `Self::is_available` is false due to the atomic swap, and by the safety

Please also use `self.data`/`self.is_available` here (& below) instead
of `Self::`.

---
Cheers,
Benno

> +            // requirements of this function, no thread is accessing `data` anymore.
> +            unsafe { drop_in_place(self.data.get()) };
> +        }
>      }
>  
>      /// Revokes access to and drops the wrapped object.
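Review bot: the new SAFETY comment in `revoke_nosync()` justifies the drop with "`Self::is_available` is false due to the atomic swap", but `is_available` being false is also what a second caller observes. What makes `drop_in_place(self.data.get())` sound is that this call's `swap` returned `true`, so this call is the only one that took the flag from `true` to `false`; the removed comment said this ("only one CPU can succeed"). Suggest wording the comment around the `true` return value of the swap so the single-drop argument is not lost.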
> @@ -165,9 +151,15 @@ pub unsafe fn revoke_nosync(&self) {
>      /// [`Revocable::try_access`] beforehand and still haven't dropped the returned guard), this
>      /// function waits for the concurrent access to complete before dropping the wrapped object.
>      pub fn revoke(&self) {
> -        // SAFETY: By passing `true` we ask `revoke_internal` to wait for the grace period to
> -        // finish.
> -        unsafe { self.revoke_internal::<true>() }
> +        if self.is_available.swap(false, Ordering::Relaxed) {
> +            // SAFETY: Just an FFI call, there are no further requirements.
> +            unsafe { bindings::synchronize_rcu() };
> +
> +            // SAFETY: `Self::data` is valid for writes because of `Self`'s type invariants,
> +            // as `Self::is_available` is false due to the atomic swap, and `synchronize_rcu`
> +            // ensures all prior RCU read-side critical sections have completed.
> +            unsafe { drop_in_place(self.data.get()) };
> +        }
>      }
>  }
>  
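Review bot: in `revoke()`, when `is_available.swap(false, Ordering::Relaxed)` returns `false` the function returns at once without calling `synchronize_rcu()`. A caller that loses the race against another `revoke()` can therefore return while the winning call is still waiting for the grace period and has not yet run `drop_in_place`. The doc comment above the function should state that the wait and the drop happen only in the call that performs the revocation, so callers do not assume the object is gone when `revoke()` returns.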

