Re: [PATCH v8 5/6] rust: ww_mutex: add Mutex, AcquireCtx and MutexGuard

[Alice Ryhl <aliceryhl@google.com>]

On Wed, Dec 03, 2025 at 07:02:30PM +0300, Onur Özkan wrote:
> On Wed, 3 Dec 2025 13:26:23 +0000
> Alice Ryhl <aliceryhl@google.com> wrote:
> 
> > On Mon, Dec 01, 2025 at 01:28:54PM +0300, Onur Özkan wrote:
> > > +/// Internal helper that unifies the different locking kinds.
> > > +///
> > > +/// Returns [`EINVAL`] if the [`Mutex`] has a different [`Class`].
> > > +fn lock_common<'a, T: ?Sized>(
> > > +    mutex: &'a Mutex<'a, T>,
> > > +    ctx: Option<&AcquireCtx<'_>>,
> > > +    kind: LockKind,
> > > +) -> Result<MutexGuard<'a, T>> {
> > > +    let mutex_ptr = mutex.inner.get();
> > > +
> > > +    let ctx_ptr = match ctx {
> > > +        Some(acquire_ctx) => {
> > > +            let ctx_ptr = acquire_ctx.inner.get();
> > > +
> > > +            // SAFETY: `ctx_ptr` is a valid pointer for the entire
> > > +            // lifetime of `ctx`.
> > > +            let ctx_class = unsafe { (*ctx_ptr).ww_class };
> > > +
> > > +            // SAFETY: `mutex_ptr` is a valid pointer for the
> > > entire
> > > +            // lifetime of `mutex`.
> > > +            let mutex_class = unsafe { (*mutex_ptr).ww_class };
> > > +
> > > +            // `ctx` and `mutex` must use the same class.
> > > +            if ctx_class != mutex_class {
> > > +                return Err(EINVAL);
> > > +            }
> > 
> > Hmm, this originates from the previous conversation:
> > 
> > https://lore.kernel.org/all/20251124184928.30b8bbaf@nimda/
> > >>> +    ///         // SAFETY: Both `lock_set` and `mutex1` uses the
> > >>> same class.
> > >>> +    ///         unsafe { lock_set.lock(&mutex1)? };
> > >>> +    ///
> > >>> +    ///         // SAFETY: Both `lock_set` and `mutex2` uses the
> > >>> same class.
> > >>> +    ///         unsafe { lock_set.lock(&mutex2)? };
> > >> 
> > >> I wonder if there's some way we can get rid of the safety contract
> > >> here and verify this at compile time, it would be a shame if every
> > >> single lock invocation needed to be unsafe.
> > >> 
> > > 
> > > Yeah :(. We could get rid of them easily by keeping the class that
> > > was passed to the constructor functions but that becomes a problem
> > > for the from_raw implementations.
> > > 
> > > I think the best solution would be to expose ww_class type from
> > > ww_acquire_ctx and ww_mutex unconditionally (right now it depends on
> > > DEBUG_WW_MUTEXES). That way we can just access the class and verify
> > > that the mutex and acquire_ctx classes match.
> > > 
> > > What do you think? I can submit a patch for the C-side
> > > implementation. It should be straightforward and shouldn't have any
> > > runtime impact.
> > 
> > I think there is a better solution. We can create a different type for
> > every single class, like how rust/kernel/sync/lock/global.rs creates a
> > different type for every single mutex. Then, you know that the classes
> > are the same since the class is part of the type.
> 
> You can have same types but different memory addresses and that would
> break the ww_mutex logic we are trying to solve.

The entire idea behind rust/kernel/sync/lock/global.rs is one type per
memory address. Can you elaborate on the difficult case?

Alice