Received: by 2002:a05:6359:c8b:b0:c7:702f:21d4 with SMTP id go11csp2244104rwb; Sun, 2 Oct 2022 19:08:54 -0700 (PDT) X-Google-Smtp-Source: AMsMyM7kht/llSCQp3XHjEFhY+t+bhBoERFlWa21cY+bpmx8wWLiCchwYZN+uPMFW+hruLcvfCe/ X-Received: by 2002:a65:41ca:0:b0:434:f92f:d711 with SMTP id b10-20020a6541ca000000b00434f92fd711mr17273266pgq.151.1664762934243; Sun, 02 Oct 2022 19:08:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1664762934; cv=none; d=google.com; s=arc-20160816; b=BJe3AAs8Yj9a7bttHN69aY4w27g3p3tUtmwhhtioiFJvMZmXC9ufENFcwq+XPBBQCZ 3lRTSpjFYbONQiI/5bGgd+M3PIzwwnw3LVivC9/ODuN0SSWtHchM3o9lGOtro75U/kzp vQL98Oup+9P7P09OzIM4dYiyJi7wdwHiYuB2L2zepyRKeLBntGFKH15Yec5jdEC6ASri +ghEkAQwY8H3MLnoRdmECmzaFv+FIu7mW0a4lA9x/G7zaNgG7mT5vVRwo+Ggd2YqzFbQ mlwUYAXhgETx+TD1e8y1VibE1JqdZlkLJy0pQLcW4Xbme1DhWTIzZqOi0F3jCrYKEl2V EQ/g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:to:references:message-id :content-transfer-encoding:cc:date:in-reply-to:from:subject :mime-version:dkim-signature; bh=lbUBLwLrU+qNu9qKx+IuhKwkfyVt1vaaIOK0cPSiuDg=; b=0hp5M7Cx6mAXyJg9dU4dr3oE9TF6yqwSDHtuP84jSlF3TGVCyRZtnsrkps6yIzdS9A GBJvVASLWoHq5ZRJdcUDR1w3mFw5n8lTcXUSXMCKhPR2RMouHVkZZp/lhDtAJ5jAffNL Hv0BBh34ius0iOUSjnbme/0ebnJf/irgewFotL8U+1XxW+jFicsAHLbavMIf1yoIww0G 9kPmPtM6cCJAW1J5xUUWjLgpAyMz49KTHSujjh4u0g2boeFEZOljpRZZejUEJkNpkmx4 +f2zTAYP91GZc6yzyiR1+fISfb+OUlrYgd461XuYVI5+FiU/2SKfG3bss9ZaH7ht1Wkz PEpQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=HioAWnuO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id i1-20020a654d01000000b0043961d06b6fsi9521239pgt.598.2022.10.02.19.08.42; Sun, 02 Oct 2022 19:08:54 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=HioAWnuO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229436AbiJCCEl (ORCPT + 99 others); Sun, 2 Oct 2022 22:04:41 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49868 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229479AbiJCCEj (ORCPT ); Sun, 2 Oct 2022 22:04:39 -0400 Received: from mail-io1-xd2e.google.com (mail-io1-xd2e.google.com [IPv6:2607:f8b0:4864:20::d2e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 35ABEFF4; Sun, 2 Oct 2022 19:04:37 -0700 (PDT) Received: by mail-io1-xd2e.google.com with SMTP id y189so5312222iof.5; Sun, 02 Oct 2022 19:04:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date; bh=lbUBLwLrU+qNu9qKx+IuhKwkfyVt1vaaIOK0cPSiuDg=; b=HioAWnuOfe/FTNbLJL3xtog2XmNCRt3JV4vjJCHLn9bcukhXukL3J+iUzT4mRbvCYw cpyDCaVDR0jip5ywnHSP7OQrhxaFTe3Sogqb2uBJxP2KAE0xh8FNKiP6qD1EGmbawJeu psAmHfd4YryOosDz0caKncABwhAPRCHcHJh/cm1zPfp5/UxfTZNUCKuoFMsr/8Nyxopm yUhp3qhnczAf1rcJxUJELG3PMsepwNBL2S9a4iqXK1d21YoLKWALOIn+6QIJgg2K0aT0 6E1TOEz118QCOMD2OXlt5GkMqsp2ggrv9wWqBvSvQd89wSbcXrFyWblKNdwv0J2bAY4u 686Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-message-state:from:to:cc :subject:date; bh=lbUBLwLrU+qNu9qKx+IuhKwkfyVt1vaaIOK0cPSiuDg=; b=e3/mGiQFz0Z8uAlJKslHbsWwflAlrI+OMkdBY4aUZBLdSCV+RwArC/p6jFaLIg8F53 oXqFF4xhzQ4/1klz2L2/L1ppRwzTfktwCoOav3EgzE22YfRcmBEQDh3QopPaXetRGql5 sxpI1FGTAFmO0wRb89MUxo3DUCt7MbgXztuxB1iiWkvoXDRpE1D1u/lwl6vd8vfvFLnd nEW7FKTqpywUJ5j2W9b5Hfv9k6je8Gnu+O2Pc2Co7TL+jCkKrVnS4OCVDQsUp4gWwf6p yh4rJjBXnU/mgOU+2J8uy+R8e0Vuvi1flitpo1sBmNFKrIDryLeBbHsKY3zjaSBhrzk0 9j5A== X-Gm-Message-State: ACrzQf3aLrj9HNI3SMc9zPE9a3VvLqXVEcaCIjUw7Ir9Lk0Q1irbzOit PNIWRqzsNl/UmOWoU1Gj4VM= X-Received: by 2002:a02:a682:0:b0:34c:14fc:b490 with SMTP id j2-20020a02a682000000b0034c14fcb490mr9437006jam.196.1664762676359; Sun, 02 Oct 2022 19:04:36 -0700 (PDT) Received: from smtpclient.apple ([75.104.65.53]) by smtp.gmail.com with ESMTPSA id o21-20020a02c6b5000000b0035ada363720sm3710373jan.23.2022.10.02.19.03.45 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sun, 02 Oct 2022 19:04:35 -0700 (PDT) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\)) Subject: Re: [PATCH v9 12/27] rust: add `kernel` crate From: comex In-Reply-To: Date: Sun, 2 Oct 2022 22:03:22 -0400 Cc: Gary Guo , "Eric W. Biederman" , Linus Torvalds , Alex Gaynor , Wedson Almeida Filho , Matthew Wilcox , Kees Cook , Miguel Ojeda , Konstantin Shelekhin , ojeda@kernel.org, ark.email@gmail.com, bjorn3_gh@protonmail.com, bobo1239@web.de, bonifaido@gmail.com, davidgow@google.com, dev@niklasmohrin.de, dsosnowski@dsosnowski.pl, foxhlchen@gmail.com, geofft@ldpreload.com, gregkh@linuxfoundation.org, jarkko@kernel.org, john.m.baublitz@gmail.com, leseulartichaut@gmail.com, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, me@kloenk.de, milan@mdaverde.com, mjmouse9999@gmail.com, patches@lists.linux.dev, rust-for-linux@vger.kernel.org, thesven73@gmail.com, viktor@v-gar.de, Andreas Hindborg Content-Transfer-Encoding: quoted-printable Message-Id: References: <87a66uxcpc.fsf@email.froward.int.ebiederm.org> <20220920233947.0000345c@garyguo.net> To: Boqun Feng X-Mailer: Apple Mail (2.3696.120.41.1.1) X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org >> On the other hand, it ought to be feasible to implement that kind of >> =E2=80=99negative reasoning' as a custom lint. It might not work as = well as >> something built into the language, but it should work decently well, >> and could serve as a prototype for a future built-in feature. >=20 > Interesting, do you have an example somewhere? >=20 > Regards, > Boqun After some searching, I found this, which someone wrote several years = ago for a very similar purpose: https://github.com/thepowersgang/tag_safe/ > This is a linter designed originally for use with a kernel, where = functions > need to be marked as "IRQ safe" (meaning they are safe to call within = an IRQ > handler, and handle the case where they may interrupt themselves). > If a function is annotated with #[req_safe(ident)] (where ident can be > anything, and defines the type of safety) this linter will check that = all > functions called by that function are either annotated with the same > annotation or #[is_safe(ident)], OR they do not call functions with = the > reverse #[is_unsafe(ident)] annotation. Note that the code won't work as-is with recent rustc. rustc's API for = custom lints is not stable, and in fact rustc has deprecated linter plugins = entirely [1], though there are alternative approaches to using custom lints [2]. = Still, it's a good example of the approach. One fundamental caveat is that it doesn't seem to have the = sophistication needed to be sound with respect to indirect calls. For example, suppose you have a function that fetches a callback from = some structure and calls it. Whether this function is IRQ-safe depends on = whether the callback is expected to be IRQ-safe, so in order to safety-check = this, you would need an annotation on either the callback field or the function = pointer type. This is more complex than just putting annotations on function definitions. Or suppose you have the following code: fn foo() { bar(|| do_something_not_irq_safe()); } If `foo` is expected to be IRQ-safe, this may or may not be sound, = depending on whether `bar` calls the callback immediately or saves it for later. If = `bar` saves it for later, then it could be marked unconditionally IRQ-safe. = But if `bar` calls it immediately, then it's neither IRQ-safe nor IRQ-unsafe, = but effectively generic over IRQ safety. You could pessimistically mark it IRQ-unsafe, but Rust has tons of basic helper methods that accept = callbacks and call them immediately; not being able to use any of them in an IRQ-safe = context would be quite limiting. In short, a fully sound approach requires not just checking which = functions call which, but having some kind of integration with the type system. = This is the kind of issue that I was thinking of when I said a custom lint may = not work as well as something built into the language. However, I do think it's *possible* to handle it soundly from a lint, especially if it focuses on typical use cases and relies on manual = annotations for the rest. Alternately, even an unsound lint would be a good first = step. It wouldn't really comport with Rust's ethos of making safety guarantees ironclad rather than heuristic, but it would serve as a good proof of = concept for a future language feature, while likely being helpful in practice in = the short term. [1] https://github.com/rust-lang/rust/pull/64675/files [2] = https://www.trailofbits.com/post/write-rust-lints-without-forking-clippy