rust-for-linux.vger.kernel.org archive mirror
From: Benno Lossin <benno.lossin@proton.me>
To: Alice Ryhl <alice@ryhl.io>, Wedson Almeida Filho <wedsonaf@gmail.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>,
	Christian Brauner <brauner@kernel.org>,
	Matthew Wilcox <willy@infradead.org>,
	Kent Overstreet <kent.overstreet@gmail.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	linux-fsdevel@vger.kernel.org, rust-for-linux@vger.kernel.org,
	Wedson Almeida Filho <walmeida@microsoft.com>
Subject: Re: [RFC PATCH 04/19] rust: fs: introduce `FileSystem::super_params`
Date: Mon, 30 Oct 2023 08:21:04 +0000
Message-ID: <5479e7c1-6616-4930-b33c-0075772c266e@proton.me>
In-Reply-To: <4b19dd7d-b946-4a5c-8746-f7e9c2f55d25@ryhl.io>

On 28.10.23 18:39, Alice Ryhl wrote:
> On 10/18/23 18:34, Benno Lossin wrote:
>>> +        from_result(|| {
>>> +            // SAFETY: The C callback API guarantees that `fc_ptr` is valid.
>>> +            let fc = unsafe { &mut *fc_ptr };
>>
>> This safety comment is not enough, the pointer needs to be unique and
>> pointing to a valid value for this to be ok. I would recommend to do
>> this instead:
>>
>>       unsafe { addr_of_mut!((*fc_ptr).ops).write(&Tables::<T>::CONTEXT) };
> 
> It doesn't really need to be unique. Or at least, that wording gives the
> wrong intuition even if it's technically correct when you use the right
> definition of "unique".
> 
> To clarify what I mean: Using `ptr::write` on a raw pointer is valid if
> and only if creating a mutable reference and using that to write is
> valid. (Assuming the type has no destructor.)

I tried looking in the nomicon and UCG, but was not able to find this
statement, where is it from?

> Of course, in this case you *also* have the difference of whether you
> create a mutable to the entire struct or just the field.
>>> +                // SAFETY: This is a newly-created inode. No other references to it exist, so it is
>>> +                // safe to mutably dereference it.
>>> +                let inode = unsafe { &mut *inode };
>>
>> The inode also needs to be initialized and have valid values as its fields.
>> Not sure if this is kept and it would probably be better to keep using raw
>> pointers here.
> 
> My understanding is that this is just a safety invariant, and not a
> validity invariant, so as long as the uninitialized memory is not read,
> it's fine.
> 
> See e.g.:
> https://github.com/rust-lang/unsafe-code-guidelines/issues/346

I'm not so sure that that discussion is finished and agreed upon. The
nomicon still writes "It is illegal to construct a reference to
uninitialized data" [1].

Using this pattern (&mut uninit to initialize data) is also dangerous
if the underlying type has drop impls, since then by doing
`foo.bar = baz;` you drop the old uninitialized value. Sure in
our bindings there are no types that implement drop (AFAIK) so
it is less of an issue.

If we decide to do this, we should have a comment that explains that
this reference might point to uninitialized memory. Since otherwise
it might be easy to give the reference to another safe function that
then e.g. reads a bool.

[1]: https://doc.rust-lang.org/nomicon/unchecked-uninit.html

-- 
Cheers,
Benno
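
The two hazards discussed above, initialising fields through raw pointers instead of a `&mut` to possibly-uninitialised memory, and `Drop` running on plain assignment, as an added Rust example that is not part of this thread or of the patch series. `Ctx`, `Tracked` and `OPS_TABLE` are hypothetical stand-ins for the C struct, a field with a destructor and the ops table; they are not `fs_context` or `Tables::<T>::CONTEXT` from the patch:

```rust
use std::cell::Cell;
use std::mem::MaybeUninit;
use std::ptr;

thread_local! {
    // Counts how many `Tracked` values have been dropped (constructed test
    // instrumentation, nothing from the kernel bindings).
    static DROPS: Cell<usize> = Cell::new(0);
}

/// Hypothetical field type with a destructor, standing in for a kernel
/// object whose `Drop` impl would release a resource.
pub struct Tracked(pub u32);

impl Drop for Tracked {
    fn drop(&mut self) {
        DROPS.with(|d| d.set(d.get() + 1));
    }
}

/// Hypothetical stand-in for a C struct handed to a callback as a raw pointer.
pub struct Ctx {
    ops: *const u8, // plain pointer, like the `ops` table pointer in the thread
    flags: bool,    // a `bool` is only valid as 0 or 1, so garbage bytes are not a valid `bool`
    res: Tracked,   // a field with a destructor
}

static OPS_TABLE: u8 = 0;

pub fn drops_so_far() -> usize {
    DROPS.with(|d| d.get())
}

/// Initialise `Ctx` field by field through raw pointers. No `&mut Ctx` is
/// ever created, so the memory being uninitialised is irrelevant, and
/// `ptr::write` never runs `Drop` on whatever bytes were there before.
pub fn init_ctx_raw() -> Ctx {
    let mut slot = MaybeUninit::<Ctx>::uninit();
    let p = slot.as_mut_ptr();
    // SAFETY: `p` points to storage for a `Ctx` we own exclusively;
    // `addr_of_mut!` computes each field address without creating a
    // reference, and `write` neither reads nor drops the old contents.
    unsafe {
        ptr::addr_of_mut!((*p).ops).write(&OPS_TABLE as *const u8);
        ptr::addr_of_mut!((*p).flags).write(true);
        ptr::addr_of_mut!((*p).res).write(Tracked(7));
    }
    // SAFETY: every field was written above, so the value is fully initialised.
    unsafe { slot.assume_init() }
}

/// Safe read of the initialised fields: (flags, res.0, ops points at OPS_TABLE).
pub fn ctx_summary(c: &Ctx) -> (bool, u32, bool) {
    (c.flags, c.res.0, ptr::eq(c.ops, &OPS_TABLE))
}

/// Replace `res` on an already-valid `Ctx` two ways and report how many
/// `Drop`s each causes. Assignment through a place drops the old value;
/// `ptr::write` does not. On uninitialised memory the first form would run
/// `Drop` on garbage, which is the hazard the thread warns about.
pub fn replace_res_both_ways() -> (usize, usize) {
    let mut ctx = init_ctx_raw();

    let before = drops_so_far();
    ctx.res = Tracked(8); // drops Tracked(7)
    let via_assign = drops_so_far() - before;

    let before = drops_so_far();
    // SAFETY: `ctx` is a live, initialised value we own exclusively.
    unsafe { ptr::addr_of_mut!(ctx.res).write(Tracked(9)) }; // overwrites Tracked(8) without dropping it
    let via_write = drops_so_far() - before;

    std::mem::forget(ctx); // keep `ctx`'s own destructor out of the counts
    (via_assign, via_write)
}

fn main() {
    let ctx = init_ctx_raw();
    println!("initialised: {:?}", ctx_summary(&ctx));
    drop(ctx);
    println!("drops (assign, write): {:?}", replace_res_both_ways());
}
```

The point of `ctx_summary` taking `&Ctx` is the one made at the end of the message: once a reference exists, a safe function can read `flags`, so that reference must only ever be created after every field it might read has been written.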




Thread overview: 125+ messages
2023-10-18 12:24 [RFC PATCH 00/19] Rust abstractions for VFS Wedson Almeida Filho
2023-10-18 12:25 ` [RFC PATCH 01/19] rust: fs: add registration/unregistration of file systems Wedson Almeida Filho
2023-10-18 15:38   ` Benno Lossin
2024-01-10 18:32     ` Wedson Almeida Filho
2024-01-25  9:15       ` Benno Lossin
2023-10-18 12:25 ` [RFC PATCH 02/19] rust: fs: introduce the `module_fs` macro Wedson Almeida Filho
2023-10-18 12:25 ` [RFC PATCH 03/19] samples: rust: add initial ro file system sample Wedson Almeida Filho
2023-10-28 16:18   ` Alice Ryhl
2024-01-10 18:25     ` Wedson Almeida Filho
2023-10-18 12:25 ` [RFC PATCH 04/19] rust: fs: introduce `FileSystem::super_params` Wedson Almeida Filho
2023-10-18 16:34   ` Benno Lossin
2023-10-28 16:39     ` Alice Ryhl
2023-10-30  8:21       ` Benno Lossin [this message]
2023-10-30 21:36         ` Alice Ryhl
2023-10-20 15:04   ` Ariel Miculas (amiculas)
2024-01-03 12:25   ` Andreas Hindborg (Samsung)
2023-10-18 12:25 ` [RFC PATCH 05/19] rust: fs: introduce `INode<T>` Wedson Almeida Filho
2023-10-28 18:00   ` Alice Ryhl
2024-01-03 12:45     ` Andreas Hindborg (Samsung)
2024-01-03 12:54   ` Andreas Hindborg (Samsung)
2024-01-04  5:20     ` Darrick J. Wong
2024-01-04  9:57       ` Andreas Hindborg (Samsung)
2024-01-10  9:45     ` Benno Lossin
2024-01-04  5:14   ` Darrick J. Wong
2024-01-24 18:17     ` Wedson Almeida Filho
2023-10-18 12:25 ` [RFC PATCH 06/19] rust: fs: introduce `FileSystem::init_root` Wedson Almeida Filho
2023-10-19 14:30   ` Benno Lossin
2023-10-20  0:52     ` Boqun Feng
2023-10-21 13:48       ` Benno Lossin
2023-10-21 15:57         ` Boqun Feng
2023-10-21 17:01           ` Matthew Wilcox
2023-10-21 19:33             ` Boqun Feng
2023-10-23  5:29               ` Dave Chinner
2023-10-23 12:55                 ` Wedson Almeida Filho
2023-10-30  2:29                   ` Dave Chinner
2023-10-31 20:49                     ` Wedson Almeida Filho
2023-11-08  4:54                       ` Dave Chinner
2023-11-08  6:15                         ` Wedson Almeida Filho
2023-10-20  0:30   ` Boqun Feng
2023-10-23 12:36     ` Wedson Almeida Filho
2024-01-03 13:29   ` Andreas Hindborg (Samsung)
2024-01-24  4:07     ` Wedson Almeida Filho
2023-10-18 12:25 ` [RFC PATCH 07/19] rust: fs: introduce `FileSystem::read_dir` Wedson Almeida Filho
2023-10-21  8:33   ` Benno Lossin
2024-01-03 14:09   ` Andreas Hindborg (Samsung)
2024-01-21 21:00   ` Askar Safin
2024-01-21 21:51     ` Dave Chinner
2023-10-18 12:25 ` [RFC PATCH 08/19] rust: fs: introduce `FileSystem::lookup` Wedson Almeida Filho
2023-10-18 12:25 ` [RFC PATCH 09/19] rust: folio: introduce basic support for folios Wedson Almeida Filho
2023-10-18 17:17   ` Matthew Wilcox
2023-10-18 18:32     ` Wedson Almeida Filho
2023-10-18 19:21       ` Matthew Wilcox
2023-10-19 13:25         ` Wedson Almeida Filho
2023-10-20  4:11           ` Matthew Wilcox
2023-10-20 15:17             ` Matthew Wilcox
2023-10-23 12:32               ` Wedson Almeida Filho
2023-10-23 10:48             ` Andreas Hindborg (Samsung)
2023-10-23 14:28               ` Matthew Wilcox
2023-10-24 15:04                 ` Ariel Miculas (amiculas)
2023-10-23 12:29             ` Wedson Almeida Filho
2023-10-21  9:21   ` Benno Lossin
2023-10-18 12:25 ` [RFC PATCH 10/19] rust: fs: introduce `FileSystem::read_folio` Wedson Almeida Filho
2023-11-07 22:18   ` Matthew Wilcox
2023-11-07 22:22     ` Al Viro
2023-11-08  0:35       ` Wedson Almeida Filho
2023-11-08  0:56         ` Al Viro
2023-11-08  2:39           ` Wedson Almeida Filho
2023-10-18 12:25 ` [RFC PATCH 11/19] rust: fs: introduce `FileSystem::read_xattr` Wedson Almeida Filho
2023-10-18 13:06   ` Ariel Miculas (amiculas)
2023-10-19 13:35     ` Wedson Almeida Filho
2023-10-18 12:25 ` [RFC PATCH 12/19] rust: fs: introduce `FileSystem::statfs` Wedson Almeida Filho
2024-01-03 14:13   ` Andreas Hindborg (Samsung)
2024-01-04  5:33   ` Darrick J. Wong
2024-01-24  4:24     ` Wedson Almeida Filho
2023-10-18 12:25 ` [RFC PATCH 13/19] rust: fs: introduce more inode types Wedson Almeida Filho
2023-10-18 12:25 ` [RFC PATCH 14/19] rust: fs: add per-superblock data Wedson Almeida Filho
2023-10-25 15:51   ` Ariel Miculas (amiculas)
2023-10-26 13:46   ` Ariel Miculas (amiculas)
2024-01-03 14:16   ` Andreas Hindborg (Samsung)
2023-10-18 12:25 ` [RFC PATCH 15/19] rust: fs: add basic support for fs buffer heads Wedson Almeida Filho
2024-01-03 14:17   ` Andreas Hindborg (Samsung)
2023-10-18 12:25 ` [RFC PATCH 16/19] rust: fs: allow file systems backed by a block device Wedson Almeida Filho
2023-10-21 13:39   ` Benno Lossin
2024-01-24  4:14     ` Wedson Almeida Filho
2024-01-03 14:38   ` Andreas Hindborg (Samsung)
2023-10-18 12:25 ` [RFC PATCH 17/19] rust: fs: allow per-inode data Wedson Almeida Filho
2023-10-21 13:57   ` Benno Lossin
2024-01-03 14:39   ` Andreas Hindborg (Samsung)
2023-10-18 12:25 ` [RFC PATCH 18/19] rust: fs: export file type from mode constants Wedson Almeida Filho
2023-10-18 12:25 ` [RFC PATCH 19/19] tarfs: introduce tar fs Wedson Almeida Filho
2023-10-18 16:57   ` Matthew Wilcox
2023-10-18 17:05     ` Wedson Almeida Filho
2023-10-18 17:20       ` Matthew Wilcox
2023-10-18 18:07         ` Wedson Almeida Filho
2024-01-24  5:05   ` Matthew Wilcox
2024-01-24  5:23     ` Matthew Wilcox
2024-01-24 18:26       ` Wedson Almeida Filho
2024-01-24 21:05         ` Dave Chinner
2024-01-24 21:28           ` Matthew Wilcox
2024-01-24  5:34     ` Gao Xiang
2023-10-18 13:40 ` [RFC PATCH 00/19] Rust abstractions for VFS Ariel Miculas (amiculas)
2023-10-18 17:12   ` Wedson Almeida Filho
2023-10-29 20:31 ` Matthew Wilcox
2023-10-31 20:14   ` Wedson Almeida Filho
2024-01-03 18:02     ` Matthew Wilcox
2024-01-03 19:04       ` Wedson Almeida Filho
2024-01-03 19:53         ` Al Viro
2024-01-03 20:38           ` Kent Overstreet
2024-01-04  1:49         ` Matthew Wilcox
2024-01-09 18:25           ` Wedson Almeida Filho
2024-01-09 19:30             ` Matthew Wilcox
2024-01-03 19:14       ` Kent Overstreet
2024-01-03 20:41         ` Al Viro
2024-01-09 19:13           ` Wedson Almeida Filho
2024-01-09 19:25             ` Matthew Wilcox
2024-01-09 19:32               ` Greg Kroah-Hartman
2024-01-10  7:49                 ` Wedson Almeida Filho
2024-01-10  7:57                   ` Greg Kroah-Hartman
2024-01-10 12:56                   ` Matthew Wilcox
2024-01-09 22:19               ` Dave Chinner
2024-01-10 19:19                 ` Kent Overstreet
2024-01-24 13:08                   ` FUJITA Tomonori
2024-01-24 19:49                     ` Kent Overstreet
2024-01-05  0:04       ` David Howells
2024-01-05 15:54         ` Jarkko Sakkinen
