Received: by 2002:a05:6359:c8b:b0:c7:702f:21d4 with SMTP id go11csp2895375rwb; Mon, 19 Sep 2022 11:35:58 -0700 (PDT) X-Google-Smtp-Source: AMsMyM7byS2pIJKTXSSCMU2tTpq3hsaX/PHeM6s1zBBzHFhg+F/p7Ywi21AeqhRoIWplidUHwjKl X-Received: by 2002:a17:906:fd8d:b0:780:997:8b7b with SMTP id xa13-20020a170906fd8d00b0078009978b7bmr13953498ejb.635.1663612558570; Mon, 19 Sep 2022 11:35:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1663612558; cv=none; d=google.com; s=arc-20160816; b=j+8fbdY4DIzngT5RvMYhvzYZapdoBTA5H+b9qh43UezgFxHUEHtrUABPE+GuPZ8YS6 8d1RNPRjleYJzEV2TTgmNJ0a4goeTGS4tXpKqsAEGItbLlOR0hJ3LSxM7nytlfXxp/Co Xc7Th4rm8cY7zgMX6Zd8ehDfcfVq13JPgTCao68UklVmpiOYF/C9+R8c+dbUUUiUh5UI 4NaCmpPry3S2HAC0xkkMbxUyeDI3Zyj8lDOOvH22xDb9A+imMWSq0LmzON5hG9xTl0IQ NGUMpWpoNt7diUKgvL01CqeiHx5tqCoAnCf3bt18qLr/VYONZko51IQbN4lnKTpIqioW aalA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=vb/BXICUNW5+h3UQtwzUqhGAHWrBZN2A+UXNfCT8Pqc=; b=j1wQSKRGSFxA7+kFDaxSbLHwJUqYAEDz7mIJgJlLbrI4A8pv2mxoVcx4Eke+NcPx1x 6RZ/38BpgaN9O4HBWii4H/jMQUqznRgsa6VTJDdz2PvQmd1svXyXj1NeyT94b/tNvBgU hi8j2brpX4RdyCd/Q3sgPkkczpnlKXaKUzQee92yysDAkTrY3kNdANkVbpWQuUllCgii 1TjVDbogWHurC2bR+FCNndXBfpYc7BzRkBxQS6jE/H8jSvgpZ19az0YdslhkZiT8No1g ARJ1TboTsXBU6FmUASxd4sz35mBx2Iy50vjjz1ffpAzJgrC5jmhDmQPH/QjuKxCVkB3V VWWA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=Ns9exaZ9; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id dz21-20020a0564021d5500b004405af7da47si11325651edb.564.2022.09.19.11.35.31; Mon, 19 Sep 2022 11:35:58 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=Ns9exaZ9; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230060AbiISSFe (ORCPT + 99 others); Mon, 19 Sep 2022 14:05:34 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57770 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229971AbiISSFa (ORCPT ); Mon, 19 Sep 2022 14:05:30 -0400 Received: from mail-wr1-x42d.google.com (mail-wr1-x42d.google.com [IPv6:2a00:1450:4864:20::42d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 062D8E0D3; Mon, 19 Sep 2022 11:05:29 -0700 (PDT) Received: by mail-wr1-x42d.google.com with SMTP id y5so401909wrh.3; Mon, 19 Sep 2022 11:05:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date; bh=vb/BXICUNW5+h3UQtwzUqhGAHWrBZN2A+UXNfCT8Pqc=; b=Ns9exaZ9YtultAtWZhCFpGg1KR2dHcqO6XVgDCwr+eBGnRvIT8NEw/A/jkKbMICRJN vyk9IGJ2CvNUhq1AooQQQabinD7v2+YVXYuUueA0LikjHOLgB0FCY/YztXTwzkwb6sio ddGcL7vDyMmCiRLvD+CX99sYNptj+i7rzzHoJS2gt+R3uMGbTs26GZNlSP95RJoH1l8B Ga4gG1adKUtjr8QwtnFsh1H8wC2KLkLD4xYZrIzizvvo0cILv6a3Gojc4WYS2ntF2p3t lqMIkKZ6g4mr1NDoZ+jTX0r/wt9v9WbnUYFSJyGR++cOu5S4otfkRSklsQv1oljWKyud OpLA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date; bh=vb/BXICUNW5+h3UQtwzUqhGAHWrBZN2A+UXNfCT8Pqc=; b=TGr6fCjgrSKenxMW8Onm9spn+UOcEKs+1h2EK59hF7Lbqi/9l6LJFABn60NidLwoco kDoWt0iyxJ06EgaphxG92B3HqjAYmlKGo7pQ77LU9qf1oIQJC1fbj1Z+YnPcctjUtLAU n5kOqrOlMoEV8qyFcgaVj3/jFBG/rLUXh1+aHU5xjIns33Z1GSstUPvbqe7KI7ir8R8r C8CcF4MqhGoGYn0K3G+y/RoC8i8FcajtQq0ZgWIHDaU5EBjyw4H/sxZgPJ7bg0/4V++h NaBh6ug3HhsRYAiLMTK4srLJFanwLkme9zyq+cwenHEKP4hgsx4xU9+pSeAMKn6zXWe3 1MfA== X-Gm-Message-State: ACrzQf3jRZAPeUtqgaBn0W2ivXinySmdImr8tYsHRp4InnBtFf/Y4dCk j1e9ukkvjXU+Qb0yWUvsIjY= X-Received: by 2002:a05:6000:14c:b0:22a:c14a:29f8 with SMTP id r12-20020a056000014c00b0022ac14a29f8mr11434021wrx.588.1663610727419; Mon, 19 Sep 2022 11:05:27 -0700 (PDT) Received: from wedsonaf-dev ([81.2.152.129]) by smtp.gmail.com with ESMTPSA id s10-20020a5d510a000000b002252884cc91sm14494873wrt.43.2022.09.19.11.05.24 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 19 Sep 2022 11:05:26 -0700 (PDT) Date: Mon, 19 Sep 2022 19:05:23 +0100 From: Wedson Almeida Filho To: Linus Torvalds Cc: Matthew Wilcox , Kees Cook , Miguel Ojeda , Konstantin Shelekhin , ojeda@kernel.org, alex.gaynor@gmail.com, ark.email@gmail.com, bjorn3_gh@protonmail.com, bobo1239@web.de, bonifaido@gmail.com, boqun.feng@gmail.com, davidgow@google.com, dev@niklasmohrin.de, dsosnowski@dsosnowski.pl, foxhlchen@gmail.com, gary@garyguo.net, geofft@ldpreload.com, gregkh@linuxfoundation.org, jarkko@kernel.org, john.m.baublitz@gmail.com, leseulartichaut@gmail.com, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, m.falkowski@samsung.com, me@kloenk.de, milan@mdaverde.com, mjmouse9999@gmail.com, patches@lists.linux.dev, rust-for-linux@vger.kernel.org, thesven73@gmail.com, viktor@v-gar.de, Andreas Hindborg Subject: Re: [PATCH v9 12/27] rust: add `kernel` crate Message-ID: References: <20220805154231.31257-13-ojeda@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Sep 19, 2022 at 10:20:52AM -0700, Linus Torvalds wrote: > On Mon, Sep 19, 2022 at 9:09 AM Linus Torvalds > wrote: > > > > The whole "really know what context this code is running within" is > > really important. You may want to write very explicit comments about > > it. > > Side note: a corollary of this is that people should avoid "dynamic > context" things like the plague, because it makes for such pain when > the context isn't statically obvious. As you know, we're trying to guarantee the absence of undefined behaviour for code written in Rust. And the context is _really_ important, so important that leaving it up to comments isn't enough. I don't care as much about allocation flags as I do about sleeping in an rcu read-side critical region. When CONFIG_PREEMPT=n, if some CPU makes the mistake of sleeping between rcu_read_lock()/rcu_read_unlock(), RCU will take that as a quiescent state, which may cause unsuspecting code waiting for a grace period to wake up too early and potentially free memory that is still in use, which is obviously undefined behaviour. We generally have two routes to avoid undefined behaviour: detect at compile time (and fail compilation) or at runtime (and stop things before they go too far). The former, while feasible, would require some static analysi or passing tokens as arguments to guarantee that we're in sleepable context when sleeping (all ellided at compile time, so zero-cost in terms of run-time performance), but likely painful to program use. Always having preempt_count would allow us to detect such issues in RCU at runtime (for both C and Rust) and prevent user-after-frees. Do you have an opinion on the above? Cheers, -Wedson