From: Yury Norov <yury.norov@gmail.com>
To: Burak Emir <bqe@google.com>
Cc: "Rasmus Villemoes" <linux@rasmusvillemoes.dk>,
"Viresh Kumar" <viresh.kumar@linaro.org>,
"Miguel Ojeda" <ojeda@kernel.org>,
"Alex Gaynor" <alex.gaynor@gmail.com>,
"Boqun Feng" <boqun.feng@gmail.com>,
"Gary Guo" <gary@garyguo.net>,
"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
"Benno Lossin" <benno.lossin@proton.me>,
"Andreas Hindborg" <a.hindborg@kernel.org>,
"Alice Ryhl" <aliceryhl@google.com>,
"Trevor Gross" <tmgross@umich.edu>,
rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v6 3/4] rust: add bitmap API.
Date: Mon, 31 Mar 2025 12:58:58 -0400 [thread overview]
Message-ID: <Z-rJ0vMFsFIOP84B@thinkpad> (raw)
In-Reply-To: <CACQBu=VBYx+LoZnSjAsU7DJsnQJ0R1WEc3aJfgNxoU1zG4=emg@mail.gmail.com>
On Fri, Mar 28, 2025 at 11:36:51AM +0100, Burak Emir wrote:
> On Thu, Mar 27, 2025 at 5:16 PM Burak Emir <bqe@google.com> wrote:
> >
> > + /// Set bit with index `index`.
>
> I missed this, will change to /// Set `index` bit,
>
> > + ///
> > + /// # Panics
> > + ///
> > + /// Panics if `index` is greater than or equal to `self.nbits`.
> > + #[inline]
> > + pub fn set_bit(&mut self, index: usize) {
> > + assert!(
> > + index < self.nbits,
> > + "Bit `index` must be < {}, was {}",
> > + self.nbits,
> > + index
> > + );
> > + // SAFETY: Bit `index` is within bounds.
> > + unsafe { bindings::__set_bit(index as u32, self.as_mut_ptr()) };
> > + }
> > +
> > + /// Set bit with index `index`, atomically.
>
> dto, will change to /// Set `index` bit, atomically.
>
> > + ///
> > + /// WARNING: this is a relaxed atomic operation (no implied memory barriers).
>
> Is this the kind of warning you had in mind?
The __set_bit() in C and set_bit() in rust is a non-atomic function.
Relaxed atomic API has a different meaning. Please add something like
the following on top of 'pub fn set_bit()' implementation:
/// ATTENTION: Contrary to C, the rust set_bit() method is non-atomic.
/// This mismatches kernel naming convention and corresponds to the C
/// function __set_bit(). For atomicity, use the set_bit_atomic() method.
> > + ///
> > + /// # Panics
> > + ///
> > + /// Panics if `index` is greater than or equal to `self.nbits`.
> > + #[inline]
> > + pub fn set_bit_atomic(&self, index: usize) {
> > + assert!(
> > + index < self.nbits,
> > + "Bit `index` must be < {}, was {}",
> > + self.nbits,
> > + index
> > + );
> > + // SAFETY: `index` is within bounds and there cannot be any data races
> > + // because all non-atomic operations require exclusive access through
> > + // a &mut reference.
>
> I have considered marking set_bit_atomic as unsafe, but then come
> around to think that it is actually safe.
>
> I'd appreciate a review of the reasoning by my fellow Rust-for-Linux folks.
>
> What must be ensured is absence of data race, e.g. that an atomic op
> does not happen concurrently with a conflicting non-synchronized,
> non-atomic op.
> Do I need to worry about non-atomic accesses in the same thread
> (temporarily reborrowing a &mut to & in the same thread is a
> possibility)?
To me - no. Atomicity only works if everyone follow the same rules.
If someone accessed some data without grabbing a lock on it, and
ended up corrupting the kernel, it's not a problem of spinlock API.
Thanks,
Yury
next prev parent reply other threads:[~2025-03-31 16:59 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-27 16:16 [PATCH v6 0/4] rust: adds Bitmap API, ID pool and bindings Burak Emir
2025-03-27 16:16 ` [PATCH v6 1/4] rust: add bindings for bitmap.h Burak Emir
2025-03-27 16:16 ` [PATCH v6 2/4] rust: add bindings for bitops.h Burak Emir
2025-03-27 16:16 ` [PATCH v6 3/4] rust: add bitmap API Burak Emir
2025-03-28 10:36 ` Burak Emir
2025-03-31 16:58 ` Yury Norov [this message]
2025-03-27 16:16 ` [PATCH v6 4/4] rust: add dynamic ID pool abstraction for bitmap Burak Emir
2025-03-31 16:39 ` [PATCH v6 0/4] rust: adds Bitmap API, ID pool and bindings Yury Norov
2025-03-31 18:52 ` Miguel Ojeda
2025-04-23 12:00 ` Burak Emir
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z-rJ0vMFsFIOP84B@thinkpad \
--to=yury.norov@gmail.com \
--cc=a.hindborg@kernel.org \
--cc=alex.gaynor@gmail.com \
--cc=aliceryhl@google.com \
--cc=benno.lossin@proton.me \
--cc=bjorn3_gh@protonmail.com \
--cc=boqun.feng@gmail.com \
--cc=bqe@google.com \
--cc=gary@garyguo.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@rasmusvillemoes.dk \
--cc=ojeda@kernel.org \
--cc=rust-for-linux@vger.kernel.org \
--cc=tmgross@umich.edu \
--cc=viresh.kumar@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.