Re: [PATCH v2 3/4] rust: sync: add `CondVar::wait_timeout`

[Boqun Feng <boqun.feng@gmail.com>]

On Wed, Dec 20, 2023 at 11:31:05AM +0000, Benno Lossin wrote:
> On 12/16/23 16:31, Alice Ryhl wrote:
> > @@ -102,7 +105,12 @@ pub fn new(name: &'static CStr, key: &'static LockClassKey) -> impl PinInit<Self
> >          })
> >      }
> > 
> > -    fn wait_internal<T: ?Sized, B: Backend>(&self, wait_state: u32, guard: &mut Guard<'_, T, B>) {
> > +    fn wait_internal<T: ?Sized, B: Backend>(
> > +        &self,
> > +        wait_state: u32,
> > +        guard: &mut Guard<'_, T, B>,
> > +        timeout: c_long,
> > +    ) -> c_long {
> >          let wait = Opaque::<bindings::wait_queue_entry>::uninit();
> > 
> >          // SAFETY: `wait` points to valid memory.
> > @@ -113,11 +121,13 @@ fn wait_internal<T: ?Sized, B: Backend>(&self, wait_state: u32, guard: &mut Guar
> >              bindings::prepare_to_wait_exclusive(self.wait_list.get(), wait.get(), wait_state as _)
> >          };
> > 
> > -        // SAFETY: No arguments, switches to another thread.
> > -        guard.do_unlocked(|| unsafe { bindings::schedule() });
> > +        // SAFETY: Switches to another thread. The timeout can be any number.
> > +        let ret = guard.do_unlocked(|| unsafe { bindings::schedule_timeout(timeout) });
> 
> I am not sure what exactly the safety requirements of `schedule_timeout`
> are. I looked at the function and saw that the timout should not be
> negative. But aside from that only the the context switching should be
> relevant. What things are not allowed to do when calling `schedule`
> (aside from the stuff that klint catches)?

One thing is that you probably don't want to call `schedule` with task
state being TASK_DEAD, if so the `schedule` would be counted as
`ARef<Task>::drop()`, see __schedule() -> context_switch() ->
finish_context_switch(), and the task may be freed after that, which
free the stack of the task, and anything that references a object on the
stack would be a UAF. On the other hand, if the task state is not
TASK_DEAD, `schedule*()` should be a no-op regarding memory safety.

> Because if there are none, then I would put the "switches to another
> thread" part into a normal comment.
> 

I think it's possible to make schedule_timeout() a safe function: we can
define setting task state TASK_DEAD as an unsafe operation, whose safety
requirement is something like: "Must ensure that if some code can
reference a memory object that belongs to the task (e.g. a stack
variable) after the task calls a followed `schedule()`, the code must
also hold an additional reference count to the task."

Yes, it might be out of the scope of this patchset though.

Regards,
Boqun

> -- 
> Cheers,
> Benno
> 
> > 
> >          // SAFETY: Both `wait` and `wait_list` point to valid memory.
> >          unsafe { bindings::finish_wait(self.wait_list.get(), wait.get()) };
> > +
> > +        ret
> >      }
>