Received: by 2002:a05:6a10:17d3:0:0:0:0 with SMTP id hz19csp414421pxb; Fri, 16 Apr 2021 08:40:29 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwd47uw+913C/ezGULjKDEC3/vjLhhWnIoe7KwUCR7an1sLMO0D11szHZmBfD44qaUusPOZ X-Received: by 2002:a63:41c6:: with SMTP id o189mr8734263pga.118.1618587628712; Fri, 16 Apr 2021 08:40:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1618587628; cv=none; d=google.com; s=arc-20160816; b=v2lcvmGxS/cgzA8WWY3W3xLpov8E8P358IvfL0U7/Vqlo8KuJPXf4q2Rcd4Z9e8z7t 7anWTwadrZxyovDA/FZzeJPvruTKpBZTNw5SXsa+8UvFctxZYaUGPOyeG0bR7KCrqtlW A5FAvTQ0ZLH8K5IODEsaS3PZ0AQZOYturTwE1Huhx2sWD6Tcseeov//H50C4tfPuGBX4 tYtakv4Ut7VbZDSdQp2iiRyxoa/N1mzkN4rphoUn5JZSHNec8MEkAt8UdfOAd3FSaTPy 86VLc/bmmxlDqQfHKrUbeUui6WDpn9lUB5XdJnWuXfOBrnwEiiRwRMrkXpty/yupgUzY iwMg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=psVJK99+O+tg8o2EaxMtjg4ibnxyJog9/VVbDGGEZIs=; b=rtixKA+BSVZ0RJ1u18KRfvFFUZgjanqdGTqMXIxrDUPfmxSl+Pb4jFwZHdtwRndC6S uaoLgrc3yQseWD6Td7cFXE3Wkqc9t5xOTK34veOWcxy6DMGYDcKhp20wtVmJC9s9po95 Yl1oJL5TMTT1ASrjlRBTYthAk1cp/2JWkwkUnbpd+w7ScyEZWg+Y+K9kHDhB3JUnSMm4 a3tSgaL/FwDZHKEb04nDR0KvOUO6duRUTSveYU1XNe9q7dCcwh752G7miYL9KviPnuWZ bhbD1iliM5bbR44YpcSF1+WvZupJUrw9rdpfbpdM2Jkt82wJ2+eUFj6hTZgUU4IdnpJv 4TYA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=HEsPoJ6Y; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id r37si7145599pgm.65.2021.04.16.08.40.03; Fri, 16 Apr 2021 08:40:28 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=HEsPoJ6Y; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242950AbhDPNIV (ORCPT + 99 others); Fri, 16 Apr 2021 09:08:21 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53330 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235252AbhDPNIV (ORCPT ); Fri, 16 Apr 2021 09:08:21 -0400 Received: from mail-wr1-x431.google.com (mail-wr1-x431.google.com [IPv6:2a00:1450:4864:20::431]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 27D9CC061760 for ; Fri, 16 Apr 2021 06:07:56 -0700 (PDT) Received: by mail-wr1-x431.google.com with SMTP id r7so14640659wrm.1 for ; Fri, 16 Apr 2021 06:07:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=psVJK99+O+tg8o2EaxMtjg4ibnxyJog9/VVbDGGEZIs=; b=HEsPoJ6YAVzWWqR1SCDlnvGiezGJnRRw8xMA4Xg7MXvS7rWpxv67ia56OEkyrAhzWc wTiJjiUv3kVWpu6g5CfXcXANH1cemqZ/2RJQeaccz+uUkdedSkn140/84Z8/TClHPMWV EC/yujIDYcLnK7nnQ4nrvbt14NHy2YSQN/Ev+Ohz24lvSsobDMnGKRPL12lXquxjBDGC +UzCtGEJKS5JhhHfOqnLFzCOTMoFtkc/R2BanM1wcjEQSbsYtlsBE/UemULWIXB0cELw GaYZNdqLwgJyJpiKiI+aqqoVgheSGnCYQDrIqlrTwcImg9A0Xv7xgX0QnLMt+IRjH603 YDZg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=psVJK99+O+tg8o2EaxMtjg4ibnxyJog9/VVbDGGEZIs=; b=Hj/1+6v/AeGpdXEJr/sJvczlCmCGrTww1CE2LKV3cE6Nq8DoMLf51mVoLKE+xsk3Hc jRcGg109BmGFYQvvPhzATuQJ5oMOfqfuy/YznYvTMPEQB85AB+xz+4o8zyqQo9ey/U+M 3JNVd4a239esui/58rErIvc4Nff9uH1AG97vG4nWzES64iT3CVk0WDJvdIQ1rcfmqwUq SWT2AHg8eHNYimel6L2kETiVUIN9vCrjBqsfBpBBzyhXzG3t7+iyB7Pr5jzjqEfEd9N8 zciVZUwkq9ltfW8SEk4Y9HN/e1iHj4OdE69ST/9eCQ15+MMiEOcYsGbYdLAW9VDWqReX aayQ== X-Gm-Message-State: AOAM533eNSP8x3GZnNd265gHMsBWRD+ftDTyA4foxyj4PPGSDRzpQL6f TfEPAhq7jzFKzOOKi0+Z7QyG X-Received: by 2002:a5d:424a:: with SMTP id s10mr9468441wrr.70.1618578474684; Fri, 16 Apr 2021 06:07:54 -0700 (PDT) Received: from google.com ([2a00:79e0:d:209:51db:fb7a:d252:e3c1]) by smtp.gmail.com with ESMTPSA id h81sm10295477wmf.41.2021.04.16.06.07.54 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 16 Apr 2021 06:07:54 -0700 (PDT) Date: Fri, 16 Apr 2021 14:07:49 +0100 From: Wedson Almeida Filho To: Peter Zijlstra Cc: ojeda@kernel.org, Linus Torvalds , Greg Kroah-Hartman , rust-for-linux@vger.kernel.org, linux-kbuild@vger.kernel.org, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH 00/13] [RFC] Rust support Message-ID: References: <20210414184604.23473-1-ojeda@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Apr 16, 2021 at 01:24:23PM +0200, Peter Zijlstra wrote: > On Wed, Apr 14, 2021 at 08:45:51PM +0200, ojeda@kernel.org wrote: > > - Featureful language: sum types, pattern matching, generics, > > RAII, lifetimes, shared & exclusive references, modules & > > visibility, powerful hygienic and procedural macros... > > IMO RAII is over-valued, but just in case you care, the below seems to > work just fine. No fancy new language needed, works today. Similarly you > can create refcount_t guards, or with a little more work full blown > smart_ptr crud. Peter, we do care, thank you for posting this. It's a great example for us to discuss some of the minutiae of what we think Rust brings to the table in addition to what's already possible in C. > > --- > diff --git a/include/linux/mutex.h b/include/linux/mutex.h > index e19323521f9c..f03a72dd8cea 100644 > --- a/include/linux/mutex.h > +++ b/include/linux/mutex.h > @@ -197,4 +197,22 @@ extern void mutex_unlock(struct mutex *lock); > > extern int atomic_dec_and_mutex_lock(atomic_t *cnt, struct mutex *lock); > > +struct mutex_guard { > + struct mutex *mutex; > +}; > + > +static inline struct mutex_guard mutex_guard_lock(struct mutex *mutex) > +{ > + mutex_lock(mutex); > + return (struct mutex_guard){ .mutex = mutex, }; > +} > + > +static inline void mutex_guard_unlock(struct mutex_guard *guard) > +{ > + mutex_unlock(guard->mutex); > +} > + > +#define DEFINE_MUTEX_GUARD(name, lock) \ > + struct mutex_guard __attribute__((__cleanup__(mutex_guard_unlock))) name = mutex_guard_lock(lock) > + > #endif /* __LINUX_MUTEX_H */ > diff --git a/kernel/events/core.c b/kernel/events/core.c > index 8ee3249de2f0..603d197a83b8 100644 > --- a/kernel/events/core.c > +++ b/kernel/events/core.c > @@ -5715,16 +5715,15 @@ static long perf_compat_ioctl(struct file *file, unsigned int cmd, > > int perf_event_task_enable(void) > { > + DEFINE_MUTEX_GUARD(event_mutex, ¤t->perf_event_mutex); There is nothing in C forcing developers to actually use DEFINE_MUTEX_GUARD. So someone may simply forget (or not know that they need) to lock current->perf_event_mutex and directly access some field protected by it. This is unlikely to happen when one first writes the code, but over time as different people modify the code and invariants change, it is possible for this to happen. In Rust, this isn't possible: the data protected by a lock is only accessible when the lock is locked. So developers cannot accidentally make mistakes of this kind. And since the enforcement happens at compile time, there is no runtime cost. This, we believe, is fundamental to the discussion: we agree that many of these idioms can be implemented in C (albeit in this case with a compiler extension), but their use is optional, people can (and do) still make mistakes that lead to vulnerabilities; Rust disallows classes of mistakes by construction. Another scenario: suppose within perf_event_task_enable you need to call a function that requires the mutex to be locked and that will unlock it for you on error (or unconditionally, doesn't matter). How would you do that in C? In Rust, there is a clean idiomatic way of transferring ownership of a guard (or any other object) such that the previous owner cannot continue to use it after ownership is transferred. Again, this is enforced at compile time. I'm happy to provide a small example if that would help. Again, thanks for bringing this up. And please keep your concerns and feedback coming, we very much want to have these discussions and try to improve what we have based on feedback from the community. > struct perf_event_context *ctx; > struct perf_event *event; > > - mutex_lock(¤t->perf_event_mutex); > list_for_each_entry(event, ¤t->perf_event_list, owner_entry) { > ctx = perf_event_ctx_lock(event); > perf_event_for_each_child(event, _perf_event_enable); > perf_event_ctx_unlock(event, ctx); > } > - mutex_unlock(¤t->perf_event_mutex); > > return 0; > }