From: Alice Ryhl <aliceryhl@google.com>
To: Boqun Feng <boqun@kernel.org>
Cc: linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org,
rcu@vger.kernel.org, "Miguel Ojeda" <ojeda@kernel.org>,
"Gary Guo" <gary@garyguo.net>,
"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
"Benno Lossin" <lossin@kernel.org>,
"Andreas Hindborg" <a.hindborg@kernel.org>,
"Trevor Gross" <tmgross@umich.edu>,
"Danilo Krummrich" <dakr@kernel.org>,
"Liam R. Howlett" <liam@infradead.org>,
"Andrew Ballance" <andrewjballance@gmail.com>,
"Paul E. McKenney" <paulmck@kernel.org>,
"Frederic Weisbecker" <frederic@kernel.org>,
"Neeraj Upadhyay" <neeraj.upadhyay@kernel.org>,
"Joel Fernandes" <joelagnelf@nvidia.com>,
"Josh Triplett" <josh@joshtriplett.org>,
"Uladzislau Rezki" <urezki@gmail.com>,
"Steven Rostedt" <rostedt@goodmis.org>,
"Mathieu Desnoyers" <mathieu.desnoyers@efficios.com>,
"Lai Jiangshan" <jiangshanlai@gmail.com>,
Zqiang <qiang.zhang@linux.dev>,
"Sumit Semwal" <sumit.semwal@linaro.org>,
"Christian König" <christian.koenig@amd.com>,
maple-tree@lists.infradead.org, linux-mm@kvack.org,
linux-media@vger.kernel.org, dri-devel@lists.freedesktop.org,
"Philipp Stanner" <phasta@kernel.org>,
"Lyude Paul" <lyude@redhat.com>,
"Daniel Almeida" <daniel.almeida@collabora.com>,
"Onur Özkan" <work@onurozkan.dev>
Subject: Re: [RFC PATCH 3/3] rust: rcu: Introduce RcuFreeBox
Date: Fri, 5 Jun 2026 14:04:08 +0000 [thread overview]
Message-ID: <aiLXWHg22P6OTb7O@google.com> (raw)
In-Reply-To: <20260605133541.22569-6-boqun@kernel.org>
On Fri, Jun 05, 2026 at 06:35:41AM -0700, Boqun Feng wrote:
> The current RcuBox will call the `drop()` function after a grace period
> inside an RCU callback. This suffices for maintaining a RCU-protected
> object:
>
> RcuBox::drop():
> call_rcu(
> |..| { // <- call back after one grace period.
> T::drop(); // <- call the destructor of the inner object.
> }
> )
>
> However, to support a different RCU usage pattern as below we need to
> extend RcuBox:
>
> 1. clean up the object, and unshare it from future RCU readers.
> 2. wait for an RCU grace period.
> 3. no other RCU readers, we can free the memory.
>
> An `RcuFreeBox<T: RcuFreeSafe>` is introduced to provide support for
> this:
>
> RcuFreeBox::drop():
> T::drop_before_gp(); // clean up and ushare.
> kfree_call_rcu(..); // free it after one grace period.
>
> Signed-off-by: Boqun Feng <boqun@kernel.org>
> ---
> rust/kernel/sync/rcu.rs | 31 +++++++++++++++
> rust/kernel/sync/rcu/rcu_box.rs | 68 +++++++++++++++++++++++++++++++--
> 2 files changed, 95 insertions(+), 4 deletions(-)
>
> diff --git a/rust/kernel/sync/rcu.rs b/rust/kernel/sync/rcu.rs
> index 7da6b8d22277..7c26591bb318 100644
> --- a/rust/kernel/sync/rcu.rs
> +++ b/rust/kernel/sync/rcu.rs
> @@ -4,6 +4,8 @@
> //!
> //! C header: [`include/linux/rcupdate.h`](srctree/include/linux/rcupdate.h)
>
> +use core::pin::Pin;
> +
> use crate::{
> bindings,
> types::{
> @@ -82,3 +84,32 @@ pub trait ForeignOwnableRcu: ForeignOwnable {
> /// [`from_foreign`]: ForeignOwnable::from_foreign
> unsafe fn rcu_borrow<'a>(ptr: *mut ffi::c_void) -> Self::RcuBorrowed<'a>;
> }
> +
> +/// Declares a struct is safe to free after a grace period if all readers are guarded by RCU.
> +///
> +/// # Safety
> +///
> +/// Implementation must guarantee `drop_before_gp()` makes sure no future RCU reader will access
> +/// any part of [`Self`], as a result, after `drop_before_gp()` return + one grace period, no RCU
> +/// reader will be on the object, and it's safe to free it.
> +///
> +/// Notes for implementators: implementing this trait in general requires `Self` being a
> +/// [`UnsafePinned`], i.e. a `&mut Self` is not a noalias reference if `Self` has non-trivial
> +/// `drop()` function.
> +pub unsafe trait RcuFreeSafe {
> + fn drop_before_gp(self: Pin<&mut Self>);
> +}
Should this have an associated type for the rcu-safe view?
pub unsafe trait RcuFreeSafe {
type RcuView<'a>;
/// Access this value in a manner that is safe after
/// `drop_before_gp` for one grace period.
fn rcu_view<'a>(self: Pin<&'a Self>, _rcu: &'a RcuGuard) -> Self::RcuView<'a>;
/// Drop this value in a manner where it may still be accessed via
/// `rcu_view` for one grace period.
///
/// # Safety
///
/// All other accesses to this value must happen before the call to this
/// method, except for accesses using `rcu_view`.
fn drop_before_gp(self: Pin<&mut Self>);
}
The idea being that once you call `drop_before_gp()`, the value
immediately becomes unusable as the type itself, but you can still use
it via `rcu_view`. The `RcuView` type can then be a type that has a
subset of the type's methods that is safe to use for one grace period
after `drop_before_gp`.
If you define the trait like this, then PollCondVar becomes RcuFreeSafe.
It can't be RcuFreeSafe today because you must not create new waiters after
`drop_before_gp()` is called. With this modified trait, it can simply
not provide methods for registering new waiters from the RcuView type.
Alice
next prev parent reply other threads:[~2026-06-05 14:04 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-05 13:35 [PATCH 0/3] rust: sync: Introduce Rcu*Box Boqun Feng
2026-06-05 13:35 ` [PATCH 1/3] rust: rcu: add RcuBox type Boqun Feng
2026-06-05 13:38 ` Boqun Feng
2026-06-05 13:49 ` sashiko-bot
2026-06-05 13:58 ` Boqun Feng
2026-06-05 14:41 ` Boqun Feng
2026-06-05 14:54 ` Alice Ryhl
2026-06-05 15:33 ` Boqun Feng
2026-06-05 13:35 ` [PATCH 1/3] rust: rcu: Add " Boqun Feng
2026-06-05 13:35 ` [PATCH 2/3] rust: maple_tree: add load_rcu() Boqun Feng
2026-06-05 13:38 ` Boqun Feng
2026-06-05 13:51 ` sashiko-bot
2026-06-05 13:35 ` [PATCH 2/3] rust: maple_tree: Add load_rcu() Boqun Feng
2026-06-05 13:35 ` [RFC PATCH 3/3] rust: rcu: Introduce RcuFreeBox Boqun Feng
2026-06-05 13:46 ` sashiko-bot
2026-06-05 14:04 ` Alice Ryhl [this message]
2026-06-05 14:20 ` Boqun Feng
2026-06-05 14:54 ` Alice Ryhl
2026-06-05 14:04 ` Boqun Feng
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aiLXWHg22P6OTb7O@google.com \
--to=aliceryhl@google.com \
--cc=a.hindborg@kernel.org \
--cc=andrewjballance@gmail.com \
--cc=bjorn3_gh@protonmail.com \
--cc=boqun@kernel.org \
--cc=christian.koenig@amd.com \
--cc=dakr@kernel.org \
--cc=daniel.almeida@collabora.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=frederic@kernel.org \
--cc=gary@garyguo.net \
--cc=jiangshanlai@gmail.com \
--cc=joelagnelf@nvidia.com \
--cc=josh@joshtriplett.org \
--cc=liam@infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lossin@kernel.org \
--cc=lyude@redhat.com \
--cc=maple-tree@lists.infradead.org \
--cc=mathieu.desnoyers@efficios.com \
--cc=neeraj.upadhyay@kernel.org \
--cc=ojeda@kernel.org \
--cc=paulmck@kernel.org \
--cc=phasta@kernel.org \
--cc=qiang.zhang@linux.dev \
--cc=rcu@vger.kernel.org \
--cc=rostedt@goodmis.org \
--cc=rust-for-linux@vger.kernel.org \
--cc=sumit.semwal@linaro.org \
--cc=tmgross@umich.edu \
--cc=urezki@gmail.com \
--cc=work@onurozkan.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.