From: Alice Ryhl <aliceryhl@google.com>
To: Marcelo Moreira <marcelomoreira1905@gmail.com>
Cc: lossin@kernel.org, dakr@kernel.org, ojeda@kernel.org,
rust-for-linux@vger.kernel.org, skhan@linuxfoundation.org,
linux-kernel-mentees@lists.linuxfoundation.org,
~lkcamp/patches@lists.sr.ht
Subject: Re: [PATCH v4 2/3] rust: revocable: simplify RevocableGuard for internal safety
Date: Thu, 12 Jun 2025 09:28:26 +0000
Message-ID: <aEqdur4JTFa1V20U@google.com>
In-Reply-To: <20250602232842.144304-3-marcelomoreira1905@gmail.com>
On Mon, Jun 02, 2025 at 08:26:23PM -0300, Marcelo Moreira wrote:
> This commit refactors `RevocableGuard` to hold a direct reference
> (`&'a T`) instead of a raw pointer (`*const T`). This makes the guard
> internally safe, reducing the need for `unsafe` blocks in its usage
> and simplifying its implementation.
>
> The `try_access` function is updated to leverage `try_access_with_guard`
> and `map` to construct the `RevocableGuard` in a more idiomatic and safe
> Rust way, avoiding manual pointer operations. The associated invariants
> and `SAFETY` comments for `RevocableGuard` itself are removed as its
> safety is now guaranteed by its type definition.
>
> Suggested-by: Benno Lossin <lossin@kernel.org>
> Suggested-by: Danilo Krummrich <dakr@kernel.org>
> Signed-off-by: Marcelo Moreira <marcelomoreira1905@gmail.com>
> ---
> rust/kernel/revocable.rs | 26 ++++++--------------------
> 1 file changed, 6 insertions(+), 20 deletions(-)
>
> diff --git a/rust/kernel/revocable.rs b/rust/kernel/revocable.rs
> index d14f9052f1ac..43cc9bdc94f4 100644
> --- a/rust/kernel/revocable.rs
> +++ b/rust/kernel/revocable.rs
> @@ -105,13 +105,7 @@ pub fn new(data: impl PinInit<T>) -> impl PinInit<Self> {
> /// because another CPU may be waiting to complete the revocation of this object.
> pub fn try_access(&self) -> Option<RevocableGuard<'_, T>> {
> let guard = rcu::read_lock();
> - if self.is_available.load(Ordering::Relaxed) {
> - // Since `self.is_available` is true, data is initialised and has to remain valid
> - // because the RCU read side lock prevents it from being dropped.
> - Some(RevocableGuard::new(self.data.get(), guard))
> - } else {
> - None
> - }
> + self.try_access_with_guard(&guard).map(|data| RevocableGuard::new(data, guard))
> }
>
> /// Tries to access the revocable wrapped object.
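Review bot: in `self.try_access_with_guard(&guard).map(|data| RevocableGuard::new(data, guard))` the closure moves `guard` into `RevocableGuard::new` while `data` was produced from a borrow of that same local (`&guard`); please confirm that the reference returned by `try_access_with_guard` carries the lifetime of `self` rather than of the local guard borrow, otherwise the move invalidates the borrow that `data` depends on. The deleted comment explaining why the data is valid once `is_available` is observed true has no replacement in `try_access`; a one-line note pointing at `try_access_with_guard` would keep that reasoning discoverable.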
> @@ -198,22 +192,16 @@ fn drop(self: Pin<&mut Self>) {
> ///
> /// CPUs may not sleep while holding on to [`RevocableGuard`] because it's in atomic context
> /// holding the RCU read-side lock.
> -///
> -/// # Invariants
> -///
> -/// The RCU read-side lock is held while the guard is alive.
> pub struct RevocableGuard<'a, T> {
> - data_ref: *const T,
> + data: &'a T,
> _rcu_guard: rcu::Guard,
> - _p: PhantomData<&'a ()>,
> }
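Review bot: changing `data_ref: *const T` to `data: &'a T` strengthens what the type promises rather than weakening it: a `&'a T` asserts the pointee stays valid for all of `'a`, yet the doc comment kept by this hunk says the data is only protected while the guard holds the RCU read-side lock, and `'a` (the borrow of the `Revocable`) can outlive the guard once it is dropped. Suggest keeping the raw pointer together with the `# Invariants` section this hunk deletes ("The RCU read-side lock is held while the guard is alive") and handing out `&T` only through `Deref`, so the reference's lifetime is bounded by a borrow of the guard itself. Also check whether the `PhantomData` import is still used elsewhere in the file now that `_p` is gone.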
I don't think this change is valid. Consider this code:
fn takes_guard(arg: RevocableGuard<'_, i32>) {
    drop(arg);
    // rcu guard is dropped, so `arg.data` may become dangling now
}
This violates the requirement that references that appear in function
arguments are valid for the entire function call, see:
https://perso.crans.org/vanille/treebor/protectors.html
Or the LLVM perspective: When Rust sees a reference in a function
argument, it adds the LLVM attribute dereferenceable to it, which implies
that the pointer must be valid for *the entire function call*. If the
memory becomes dangling after the rcu guard is dropped, then this is
violated and the compiler could perform optimizations that are not
correct.
Alice
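As an added illustration of the point raised above (this is not part of Alice's message and not the kernel's `rust/kernel/revocable.rs`), the following stand-alone user-space model shows the sound encoding of the guard: the value is reached through a raw `NonNull<T>` whose validity is documented as a type invariant, and a `&T` is only ever handed out from `Deref`, so its lifetime is bounded by a borrow of the guard and cannot survive the guard being dropped. The RCU read-side lock is modelled here by an `RwLock` read guard, revocation by the writer taking the boxed value out, and the names `Revocable`, `RevocableGuard`, `try_access`, `try_revoke`, `revoke` and `demo` are this example's own, not the kernel API.

```rust
use std::ops::Deref;
use std::ptr::NonNull;
use std::sync::{RwLock, RwLockReadGuard};

/// A value that can be revoked. Hypothetical model, not the kernel type.
pub struct Revocable<T> {
    /// `None` once revoked. The `Box` gives `T` a stable address so a
    /// guard can hold a pointer to it across the lifetime of the read lock.
    data: RwLock<Option<Box<T>>>,
}

/// Keeps the value alive; models holding the RCU read-side lock.
///
/// # Invariants
///
/// `data` points to the `T` owned by `Revocable::data`, and the read lock
/// is held for as long as the guard is alive, so the pointee is not freed.
pub struct RevocableGuard<'a, T> {
    // Deliberately a raw pointer rather than `&'a T`: a `&'a T` field would
    // claim the pointee is valid for all of `'a` (the borrow of the
    // `Revocable`), but it is only valid while `_read` is held.
    data: NonNull<T>,
    _read: RwLockReadGuard<'a, Option<Box<T>>>,
}

impl<T> Revocable<T> {
    pub fn new(value: T) -> Self {
        Self { data: RwLock::new(Some(Box::new(value))) }
    }

    /// Returns a guard if the value has not been revoked yet.
    pub fn try_access(&self) -> Option<RevocableGuard<'_, T>> {
        let read = self.data.read().unwrap_or_else(|e| e.into_inner());
        let data = NonNull::from(read.as_deref()?);
        // INVARIANT: `read` is moved into the guard, so the lock stays held
        // exactly as long as the guard exists.
        Some(RevocableGuard { data, _read: read })
    }

    /// Non-blocking revocation. `None` means a guard is still alive (the
    /// "grace period" has not passed, or the lock is poisoned), `Some(true)`
    /// means the value was dropped now, `Some(false)` that it was already gone.
    pub fn try_revoke(&self) -> Option<bool> {
        let mut write = self.data.try_write().ok()?;
        Some(write.take().is_some())
    }

    /// Blocking revocation: waits until every outstanding guard is dropped,
    /// the way `synchronize_rcu()` waits for readers, then frees the value.
    pub fn revoke(&self) -> bool {
        let mut write = self.data.write().unwrap_or_else(|e| e.into_inner());
        write.take().is_some()
    }
}

impl<T> Deref for RevocableGuard<'_, T> {
    type Target = T;

    /// The returned `&T` borrows `self`, so it can never outlive the guard.
    fn deref(&self) -> &T {
        // SAFETY: by the type invariant the read lock is held, so the boxed
        // `T` cannot be taken out and freed while this guard exists.
        unsafe { self.data.as_ref() }
    }
}

/// Walks through the lifecycle with a constructed value and returns what was
/// observed: (value seen, revoke attempt while guarded, revoke after drop,
/// whether access is refused afterwards).
pub fn demo() -> (i32, Option<bool>, Option<bool>, bool) {
    let r = Revocable::new(42);
    let guard = r.try_access().expect("not revoked yet");
    let seen = *guard;
    let blocked = r.try_revoke(); // None: a guard is still alive
    drop(guard);
    let revoked = r.try_revoke(); // Some(true): value freed now
    let refused = r.try_access().is_none();
    (seen, blocked, revoked, refused)
}

fn main() {
    println!("{:?}", demo());
}
```

Note that the unsafe block is confined to `deref`, and the only reference the outside world ever sees is tied to `&self` of the guard; this is what the raw pointer plus documented invariant buys over storing `&'a T` directly.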