From: Boqun Feng <boqun.feng@gmail.com>
To: Andrew Lunn <andrew@lunn.ch>
Cc: FUJITA Tomonori <fujita.tomonori@gmail.com>,
	netdev@vger.kernel.org, rust-for-linux@vger.kernel.org,
	hkallweit1@gmail.com, tmgross@umich.edu, ojeda@kernel.org,
	alex.gaynor@gmail.com, gary@garyguo.net,
	bjorn3_gh@protonmail.com, benno.lossin@proton.me,
	a.hindborg@samsung.com, aliceryhl@google.com,
	anna-maria@linutronix.de, frederic@kernel.org,
	tglx@linutronix.de, arnd@arndb.de, linux-kernel@vger.kernel.org
Subject: Re: [PATCH net-next v2 5/6] rust: Add read_poll_timeout function
Date: Mon, 7 Oct 2024 05:28:28 -0700
Message-ID: <ZwPT7HZvG1aYONkQ@boqun-archlinux>
In-Reply-To: <e17c0b80-7518-4487-8278-f0d96fce9d8c@lunn.ch>

On Sun, Oct 06, 2024 at 04:45:21PM +0200, Andrew Lunn wrote:
[...]
> > > > +    if sleep {
> > > > +        // SAFETY: FFI call.
> > > > +        unsafe { bindings::might_sleep() }
> > > > +    }
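Review bot: the SAFETY comment on the `bindings::might_sleep()` call reads only "FFI call.", which states why the call is `unsafe` rather than why it is sound at this point; a `// SAFETY:` line should name the precondition being relied on, e.g. that when `sleep` is true the caller of this function must itself be in a context where sleeping is permitted, and that requirement belongs in the function's documentation so callers know what they are promising.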
> > > 
> > > What is actually unsafe about might_sleep()? It is a void foo(void)
> > 
> > Every extern "C" function is by default unsafe, because C doesn't have
> > the concept of safe/unsafe. If you want to avoid unsafe, you could
> > introduce a Rust's might_sleep() which calls into
> > `bindings::might_sleep()`:
> > 
> > 	pub fn might_sleep() {
> > 	    // SAFETY: ??
> > 	    unsafe { bindings::might_sleep() }
> > 	}
> > 
> > however, if you call a might_sleep() in a preemption disabled context
> > when CONFIG_DEBUG_ATOMIC_SLEEP=n and PREEMPT=VOLUNTARY, it could mean
> > an unexpected RCU quiescent state, which results in an early RCU grace
> > period, and that may mean a use-after-free. So it's not as safe as you
> > may have expected.
> 
> If you call might_sleep() in a preemption disabled context your code is
> already unsafe, since that is the whole point of it, to find bugs

Well, in Rust, the rule is: any type-checked (compiled successfully)
code that only calls safe Rust functions cannot be unsafe. So the fact
that calling might_sleep() in a preemption disabled context is unsafe
means that something has to be unsafe.

This eventually can turn into a "blaming game" in the design space: we
can either design the preemption disable function as unsafe or the
might_sleep() function as unsafe. But one of them has to be an unsafe
function, otherwise we are breaking the safe code guarantee.

However, this is actually a special case: currently we want to use klint
[1] to detect all context mis-matches at compile time. So the above rule
extends for kernel: any type-checked *and klint-checked* code that only
calls safe Rust functions cannot be unsafe. I.e. we add additional
compile time checking for unsafe code. So if might_sleep() has the
proper klint annotation, and we actually enable klint for kernel code,
then we can make it safe (along with preemption disable functions being
safe).

> where you use a sleeping function in atomic context. Depending on why
> you are in atomic context, it might appear to work, until it does not
> actually work, and bad things happen. So it is not might_sleep() which
> is unsafe, it is the Rust code calling it.

The whole point of unsafe functions is that calling them may result in
unsafe code; that's why all extern "C" functions are unsafe, and so is
might_sleep() (without klint in the picture).


[1]: https://lwn.net/Articles/951550/

Regards,
Boqun

> 
> 	Andrew
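The "blaming game" in the message above can also be settled at the type level instead of by a SAFETY comment. This is an added example, not code from the thread, the kernel, or klint: a hypothetical `SleepCx` proof token, `preempt_disable`, `PreemptGuard` and `might_sleep` (all invented names) let both functions be safe, because the borrow checker rejects `might_sleep` while a guard is alive; the single `unsafe` is creating the token, which is where the blame lands.

```rust
use std::cell::Cell;
use std::marker::PhantomData;
thread_local! {
    // Stand-in for the per-CPU preempt count (constructed for this example).
    static PREEMPT_COUNT: Cell<u32> = Cell::new(0);
}
/// Hypothetical capability token: holding `&SleepCx` proves the current
/// context may sleep. `*const ()` makes it !Send, so it cannot migrate threads.
pub struct SleepCx(PhantomData<*const ()>);
impl SleepCx {
    /// # Safety
    /// The caller guarantees the current context is allowed to sleep. This is
    /// the single place where the "blame" for context correctness lands.
    pub unsafe fn assume() -> Self { SleepCx(PhantomData) }
}
/// Guard that re-enables preemption on drop. While it lives it holds the
/// `&mut SleepCx` borrow, so the token cannot be used to sleep.
pub struct PreemptGuard<'a>(PhantomData<&'a mut SleepCx>);
/// Safe: disabling preemption is fine anywhere; the borrow is what blocks sleeping.
pub fn preempt_disable(_cx: &mut SleepCx) -> PreemptGuard<'_> {
    PREEMPT_COUNT.with(|c| c.set(c.get() + 1));
    PreemptGuard(PhantomData)
}
impl Drop for PreemptGuard<'_> {
    fn drop(&mut self) { PREEMPT_COUNT.with(|c| c.set(c.get() - 1)); }
}
/// Safe: needs the token, so it cannot be written while a `PreemptGuard` is
/// alive. The debug assertion mirrors what CONFIG_DEBUG_ATOMIC_SLEEP catches.
pub fn might_sleep(_cx: &SleepCx) {
    debug_assert_eq!(preempt_count(), 0, "sleeping while preemption is disabled");
}

pub fn preempt_count() -> u32 { PREEMPT_COUNT.with(|c| c.get()) }

/// Returns (preempt count inside the guarded region, count after it ends).
pub fn demo() -> (u32, u32) {
    // SAFETY: this example runs in ordinary thread context, which may sleep.
    let mut cx = unsafe { SleepCx::assume() };
    might_sleep(&cx); // allowed: no guard alive
    let inside = {
        let _g = preempt_disable(&mut cx);
        // might_sleep(&cx); // rejected by the borrow checker: `cx` is held by `_g`
        preempt_count()
    };
    might_sleep(&cx); // allowed again once the guard has dropped
    (inside, preempt_count())
}
```

Uncommenting the call inside the guarded block produces a compile error (E0502), which is the compile-time context check the message attributes to klint, here obtained from the borrow checker alone.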

