From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail-wr1-f73.google.com (mail-wr1-f73.google.com [209.85.221.73])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id ACBC23148B4
	for <linux-kernel@vger.kernel.org>; Wed, 18 Feb 2026 09:40:09 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.73
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1771407612; cv=none; b=EBaRpYQbDyXBF/+oGYUuGyLHvIEEujSMpJVtWBqX3oGP0LQ+HRCepAraSf0xF/xm8GoU4XEr8tKTpcPdZfVFLaVtEkvaSbGbiGkByaVBIbdyhl+WPwe0TZfTcqG98YlczH9vMomlij31OOXCuVNQdSKB5IYMZbuepAmDghrvAXg=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1771407612; c=relaxed/simple;
	bh=xDMC0hVVm2NNH6STxgzemy2o3/+UeAEh8X9k1CBm1n0=;
	h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From:
	 To:Cc:Content-Type; b=nXFIkm7yezujy5yPGtrDMDraX7TLOMrO0SOuunXEpCqVZZOuWMkPotryQq4lb8xXZktQ5ZiJDFZdJ+rNxogEvVvcJdW7bRx7Z+oE2nZrssj2wI2GXBgjKhB+4xbyNDrQ5UROujZrwGPzAGfXvgKiGkZKyp968TA/l3uasOqdoGs=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--aliceryhl.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=ty/XDGI5; arc=none smtp.client-ip=209.85.221.73
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--aliceryhl.bounces.google.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="ty/XDGI5"
Received: by mail-wr1-f73.google.com with SMTP id ffacd0b85a97d-4362197d1easo4345136f8f.2
        for <linux-kernel@vger.kernel.org>; Wed, 18 Feb 2026 01:40:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20230601; t=1771407608; x=1772012408; darn=vger.kernel.org;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:from:to:cc:subject:date:message-id:reply-to;
        bh=+qgmQYzq/LwIvRAllD7t9G5Xcp/7gpl+R9gFqsKAeyw=;
        b=ty/XDGI5sf8ooG3BgE7md8dQXJ28xefPwGRLv/2FjUv+RtdYUDdQ9t8P/dmsk6v5Fe
         be2K2ezwSKBLmE7/BsP5IfuhpKyUi+7V2ofyYMFWtU+5clo8NA9I5JuZB1+Hs93o/yHW
         dmzlwlDnkXPlWaqqmUYFhSi/WQz/bJ7cK4+f6QQGAzNuOvj+BFjc85lYV6eJ6/VW73Nl
         sBAbWESdMcbd762A3zfCHce0GAKl8GkUQvcEu/dwHQLRUSrTnL5BCioIi7L/WeljKBUA
         diBc4FgbO6V/jqJ4+iO5fAgGAxRtKf351wZ7YOW7Omb97svjObB7EoufhdUZDW6hxTSp
         LNcQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1771407608; x=1772012408;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=+qgmQYzq/LwIvRAllD7t9G5Xcp/7gpl+R9gFqsKAeyw=;
        b=qnxWPSYv1eLa8uB+QywqT8oFuGal3h9MDGFN7VnhIIQnvFVwjhGYXzwtkNlCLLiMT9
         JJteyRAdpc+Ym2u8V6sEp1+ywrqwdyW82ptIvce2rFwv/SkVmop7NSbPoNi0JcazQeec
         U2CFkaCcldm9VVj/QmGDC7VV/seT0jBlzkt7iGW4gYj5tCIxqBwSkppDTZhmNAyAbwS4
         qpgKlQ2JuTulXf3xlWLN6ScB7kokHb61Qic3eKAazuuXBeS6juvn8e7TTcYvos0hbqWR
         5rlq7eOCeHivk2ZeRYkKr7i4fAo7izpIm/LpMH/3Ua7sX7fj6JH4ox4ELpmRgNjHqGv0
         InwQ==
X-Forwarded-Encrypted: i=1; AJvYcCUaFBNRSbXxU/cVp+++BuH6v+jEip0iq8Qxh4Go61ko+5aiUy8qupdnrN7P2VtCr9lebwnMk/hW3NIWdY0=@vger.kernel.org
X-Gm-Message-State: AOJu0Yxm1nbXR9IcCUdcs3ot8fg5BUcw+DY0jRxADm+1v0qXRp6v63GG
	qGtFbk9HxZyz46XdbQv4HFN9ppJ9BaNu0Hibye0SYc0QfQOGi4jrl6rVSntcx2zcEUh8U93XNAY
	p6tSbPTPSjuniHNknzQ==
X-Received: from wrbdr6.prod.google.com ([2002:a5d:5f86:0:b0:437:6ebe:6e58])
 (user=aliceryhl job=prod-delivery.src-stubby-dispatcher) by
 2002:a05:6000:2dca:b0:437:6e63:9172 with SMTP id ffacd0b85a97d-43958df3516mr2229518f8f.4.1771407607843;
 Wed, 18 Feb 2026 01:40:07 -0800 (PST)
Date: Wed, 18 Feb 2026 09:40:07 +0000
In-Reply-To: <67aea464d25c8cafb3113eea62c8221b@garyguo.net>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
Mime-Version: 1.0
References: <20260213-page-volatile-io-v3-1-d60487b04d40@kernel.org>
 <aZRY9HthKwVJrAf1@google.com> <67aea464d25c8cafb3113eea62c8221b@garyguo.net>
Message-ID: <aZWI9zGIO6rtlCCg@google.com>
Subject: Re: [PATCH v3] rust: page: add byte-wise atomic memory copy methods
From: Alice Ryhl <aliceryhl@google.com>
To: Gary Guo <gary@garyguo.net>
Cc: Andreas Hindborg <a.hindborg@kernel.org>, Lorenzo Stoakes <lorenzo.stoakes@oracle.com>, 
	"Liam R. Howlett" <Liam.Howlett@oracle.com>, Miguel Ojeda <ojeda@kernel.org>, 
	Boqun Feng <boqun.feng@gmail.com>, 
	"=?utf-8?B?QmrDtnJu?= Roy Baron" <bjorn3_gh@protonmail.com>, Benno Lossin <lossin@kernel.org>, 
	Trevor Gross <tmgross@umich.edu>, Danilo Krummrich <dakr@kernel.org>, Will Deacon <will@kernel.org>, 
	Peter Zijlstra <peterz@infradead.org>, Mark Rutland <mark.rutland@arm.com>, linux-mm@kvack.org, 
	rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

On Tue, Feb 17, 2026 at 11:10:15PM +0000, Gary Guo wrote:
> On 2026-02-17 12:03, Alice Ryhl wrote:
> > On Fri, Feb 13, 2026 at 07:42:53AM +0100, Andreas Hindborg wrote:
> > > When copying data from buffers that are mapped to user space, it is
> > > impossible to guarantee absence of concurrent memory operations on
> > > those
> > > buffers. Copying data to/from `Page` from/to these buffers would be
> > > undefined behavior if no special considerations are made.
> > > 
> > > Add methods on `Page` to read and write the contents using byte-wise
> > > atomic
> > > operations.
> > > 
> > > Also improve clarity by specifying additional requirements on
> > > `read_raw`/`write_raw` methods regarding concurrent operations on
> > > involved
> > > buffers.
> > > 
> > > Signed-off-by: Andreas Hindborg <a.hindborg@kernel.org>
> > 
> > > +/// Copy `len` bytes from `src` to `dst` using byte-wise atomic
> > > operations.
> > > +///
> > > +/// This copy operation is volatile.
> > > +///
> > > +/// # Safety
> > > +///
> > > +/// Callers must ensure that:
> > > +///
> > > +/// - `src` is valid for reads for `len` bytes for the duration of
> > > the call.
> > > +/// - `dst` is valid for writes for `len` bytes for the duration of
> > > the call.
> > > +/// - For the duration of the call, other accesses to the areas
> > > described by `src`, `dst` and `len`,
> > > +///   must not cause data races (defined by [`LKMM`]) against
> > > atomic operations executed by this
> > > +///   function. Note that if all other accesses are atomic, then
> > > this safety requirement is
> > > +///   trivially fulfilled.
> > > +///
> > > +/// [`LKMM`]: srctree/tools/memory-model
> > > +pub unsafe fn atomic_per_byte_memcpy(src: *const u8, dst: *mut u8,
> > > len: usize) {
> > > +    // SAFETY: By the safety requirements of this function, the
> > > following operation will not:
> > > +    //  - Trap.
> > > +    //  - Invalidate any reference invariants.
> > > +    //  - Race with any operation by the Rust AM, as
> > > `bindings::memcpy` is a byte-wise atomic
> > > +    //    operation and all operations by the Rust AM to the
> > > involved memory areas use byte-wise
> > > +    //    atomic semantics.
> > > +    unsafe {
> > > +        bindings::memcpy(
> > > +            dst.cast::<kernel::ffi::c_void>(),
> > > +            src.cast::<kernel::ffi::c_void>(),
> > > +            len,
> > 
> > Are we sure that LLVM will not say "memcpy is a special function name, I
> > know what it means" and optimize this like a non-atomic memcpy?
> 
> This "treating special symbol name as intrinsics" logic is done in Clang,
> and won't be performed once lower to LLVM IR, so Rust is immune to that
> (even
> when LTO'ed together with Clang generated IR). So calling to bindings is
> fine.

Ok, that's good! Then I'm less concerned.

Though I guess it means that even if it's known to be e.g. an 8-byte
aligned memcpy of length 8, then it still can't optimize it to e.g. a
movq instruction.

> > I think we should consider using the
> > 
> > 	std::intrinsics::volatile_copy_nonoverlapping_memory
> > 
> > intrinsic until Rust stabilizes a built-in atomic per-byte memcpy. Yes I
> > know the intrinsic is unstable, but we should at least ask the Rust
> > folks about it. They are plausibly ok with this particular usage.
> 
> If we have this in stable, I think it's sufficient for LKMM. However for
> Rust/C11 MM
> says that volatile ops are not atomic and use them for concurrency is UB.

I'm well aware of that! Yet, Rust currently provides no alternative
whatsoever, even on nightly, and has already told us in other situations
they're ok with Linux using volatile for this purpose in limited
situations. That is why I suggest doing this temporarily, and after
asking the rustc compiler folks about it.

> I recall in last Rust all hands the vibe at discussion is that it's
> desirable to define
> volatile as being byte-wise atomic, so if that actually happens, this would
> indeed be
> what we want (but I think semantics w.r.t. mixed-size atomics need to be
> figured out first).

Yes, that's right.

Alice