From: Andreas Hindborg <a.hindborg@kernel.org>
To: Miguel Ojeda <ojeda@kernel.org>, Miguel Ojeda <ojeda@kernel.org>,
Alex Gaynor <alex.gaynor@gmail.com>,
Nathan Chancellor <nathan@kernel.org>
Cc: "Boqun Feng" <boqun.feng@gmail.com>,
"Gary Guo" <gary@garyguo.net>,
"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
"Benno Lossin" <benno.lossin@proton.me>,
"Alice Ryhl" <aliceryhl@google.com>,
"Trevor Gross" <tmgross@umich.edu>,
rust-for-linux@vger.kernel.org,
"Nick Desaulniers" <ndesaulniers@google.com>,
"Bill Wendling" <morbo@google.com>,
"Justin Stitt" <justinstitt@google.com>,
llvm@lists.linux.dev, linux-kernel@vger.kernel.org,
patches@lists.linux.dev, "Aaron Ballman" <aaron@aaronballman.com>,
"Bill Wendling" <isanbard@gmail.com>,
"Cole Nixon" <nixontcole@gmail.com>,
"Connor Kuehl" <cipkuehl@gmail.com>,
"Fangrui Song" <i@maskray.me>,
"James Foster" <jafosterja@gmail.com>,
"Jeff Takahashi" <jeffrey.takahashi@gmail.com>,
"Jordan Cantrell" <jordan.cantrell@mail.com>,
"Matthew Maurer" <mmaurer@google.com>,
"Nikk Forbus" <nicholas.forbus@gmail.com>,
"Qing Zhao" <qing.zhao@oracle.com>,
"Sami Tolvanen" <samitolvanen@google.com>,
"Tim Pugh" <nwtpugh@gmail.com>, "Kees Cook" <kees@kernel.org>
Subject: Re: [RFC PATCH] rust: allow Clang-native `RANDSTRUCT` configs
Date: Tue, 17 Mar 2026 09:42:04 +0100 [thread overview]
Message-ID: <871phisv8j.fsf@t14s.mail-host-address-is-not-set> (raw)
In-Reply-To: <20241119185747.862544-1-ojeda@kernel.org>
"Miguel Ojeda" <ojeda@kernel.org> writes:
> The kernel supports `RANDSTRUCT_FULL` with Clang 16+, and `bindgen`
> (which uses `libclang` under the hood) inherits the information, so the
> generated bindings look correct.
>
> For instance, running:
>
> bindgen x.h -- -frandomize-layout-seed=100
>
> with:
>
> struct S1 {
> int a;
> int b;
> };
>
> struct S2 {
> int a;
> int b;
> } __attribute__((randomize_layout));
>
> struct S3 {
> void (*a)(void);
> void (*b)(void);
> };
>
> struct S4 {
> void (*a)(void);
> void (*b)(void);
> } __attribute__((no_randomize_layout));
>
> may swap `S2`'s and `S3`'s members, but not `S1`'s nor `S4`'s:
>
> pub struct S1 {
> pub a: ::std::os::raw::c_int,
> pub b: ::std::os::raw::c_int,
> }
>
> pub struct S2 {
> pub b: ::std::os::raw::c_int,
> pub a: ::std::os::raw::c_int,
> }
>
> pub struct S3 {
> pub b: ::std::option::Option<unsafe extern "C" fn()>,
> pub a: ::std::option::Option<unsafe extern "C" fn()>,
> }
>
> pub struct S4 {
> pub a: ::std::option::Option<unsafe extern "C" fn()>,
> pub b: ::std::option::Option<unsafe extern "C" fn()>,
> }
>
> Thus allow those configurations by requiring a Clang compiler to use
> `RANDSTRUCT`. In addition, remove the `!GCC_PLUGIN_RANDSTRUCT` check
> since it is not needed.
>
> A simpler alternative would be to remove the `!RANDSTRUCT` check (keeping
> the `!GCC_PLUGIN_RANDSTRUCT` one). However, if in the future GCC starts
> supporting `RANDSTRUCT` natively, it would be likely that it would not
> work unless GCC and Clang agree on the exact semantics of the flag. And,
> as far as I can see, so far the randomization in Clang does not seem to be
> guaranteed to remain stable across versions or platforms, i.e. only for a
> given compiler Clang binary, given it is not documented and that LLVM's
> `HEAD` has the revert in place for the expected field names in the test
> (LLVM commit 8dbc6b560055 ("Revert "[randstruct] Check final randomized
> layout ordering"")) [1][2]. And the GCC plugin definitely does not match,
> e.g. its RNG is different (`std::mt19937` vs Bob Jenkins').
>
> And given it is not supposed to be guaranteed to remain stable across
> versions, it is a good idea to match the Clang and `bindgen`'s
> `libclang` versions -- we already have a warning for that in
> `scripts/rust_is_available.sh`. In the future, it would also be good to
> have a build test to double-check layouts do actually match (but that
> is true regardless of this particular feature).
>
> Finally, make a required small change to take into account the anonymous
> struct used in `randomized_struct_fields_*` in `struct task_struct`.
>
> Cc: Aaron Ballman <aaron@aaronballman.com>
> Cc: Bill Wendling <isanbard@gmail.com>
> Cc: Cole Nixon <nixontcole@gmail.com>
> Cc: Connor Kuehl <cipkuehl@gmail.com>
> Cc: Fangrui Song <i@maskray.me>
> Cc: James Foster <jafosterja@gmail.com>
> Cc: Jeff Takahashi <jeffrey.takahashi@gmail.com>
> Cc: Jordan Cantrell <jordan.cantrell@mail.com>
> Cc: Justin Stitt <justinstitt@google.com>
> Cc: Matthew Maurer <mmaurer@google.com>
> Cc: Nathan Chancellor <nathan@kernel.org>
> Cc: Nikk Forbus <nicholas.forbus@gmail.com>
> Cc: Qing Zhao <qing.zhao@oracle.com>
> Cc: Sami Tolvanen <samitolvanen@google.com>
> Cc: Tim Pugh <nwtpugh@gmail.com>
> Link: https://reviews.llvm.org/D121556
> Link: https://github.com/llvm/llvm-project/commit/8dbc6b560055ff5068ff45b550482ba62c36b5a5 [1]
> Link: https://reviews.llvm.org/D124199 [2]
> Reviewed-by: Kees Cook <kees@kernel.org>
> Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Tested-by: Andreas Hindborg <a.hindborg@kernel.org>
Tested with the rust null block driver patch series [1]. I did a
few functional verification tests and a set of performance tests.
For the rnull driver, enabling randstruct with this patch gives no
statistically significant change to the average performance of the set
of 120 workloads that we publish on [2]. Individual configurations see
around 10% change in throughput, both directions.
Best regards,
Andreas Hindborg
[1] https://lore.kernel.org/rust-for-linux/20260216-rnull-v6-19-rc5-send-v1-0-de9a7af4b469@kernel.org/
[2] https://rust-for-linux.com/null-block-driver
prev parent reply other threads:[~2026-03-17 8:42 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <GYMB6vN7uKNVSwQPEtPg0kZPHUkxHQbQe3ZIUqOGZm8ZGwCUE6-iRxJdUQ5xB_qV2bLZVauIZtAGbK1iduefTw==@protonmail.internalid>
2024-11-19 18:57 ` [RFC PATCH] rust: allow Clang-native `RANDSTRUCT` configs Miguel Ojeda
2025-01-09 14:51 ` Miguel Ojeda
2025-04-29 13:19 ` Miguel Ojeda
2025-04-29 13:40 ` Andreas Hindborg
2025-04-29 13:48 ` Miguel Ojeda
2026-03-23 13:06 ` Miguel Ojeda
2025-12-10 7:21 ` Kees Cook
2026-03-10 11:09 ` Miguel Ojeda
2026-03-17 8:42 ` Andreas Hindborg [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=871phisv8j.fsf@t14s.mail-host-address-is-not-set \
--to=a.hindborg@kernel.org \
--cc=aaron@aaronballman.com \
--cc=alex.gaynor@gmail.com \
--cc=aliceryhl@google.com \
--cc=benno.lossin@proton.me \
--cc=bjorn3_gh@protonmail.com \
--cc=boqun.feng@gmail.com \
--cc=cipkuehl@gmail.com \
--cc=gary@garyguo.net \
--cc=i@maskray.me \
--cc=isanbard@gmail.com \
--cc=jafosterja@gmail.com \
--cc=jeffrey.takahashi@gmail.com \
--cc=jordan.cantrell@mail.com \
--cc=justinstitt@google.com \
--cc=kees@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=llvm@lists.linux.dev \
--cc=mmaurer@google.com \
--cc=morbo@google.com \
--cc=nathan@kernel.org \
--cc=ndesaulniers@google.com \
--cc=nicholas.forbus@gmail.com \
--cc=nixontcole@gmail.com \
--cc=nwtpugh@gmail.com \
--cc=ojeda@kernel.org \
--cc=patches@lists.linux.dev \
--cc=qing.zhao@oracle.com \
--cc=rust-for-linux@vger.kernel.org \
--cc=samitolvanen@google.com \
--cc=tmgross@umich.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox