Received: by 2002:a05:6358:11c7:b0:104:8066:f915 with SMTP id i7csp1328236rwl; Fri, 7 Apr 2023 14:01:51 -0700 (PDT) X-Google-Smtp-Source: AKy350ZBlIY+v1jVZIMw5QgYaPH1G2f+E7jcUBatR1xYvEmP1OTnDZguOvaz7mvh7zeZSYhS+LH5 X-Received: by 2002:a62:6546:0:b0:627:f9ac:8a33 with SMTP id z67-20020a626546000000b00627f9ac8a33mr2924465pfb.13.1680901311328; Fri, 07 Apr 2023 14:01:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1680901311; cv=none; d=google.com; s=arc-20160816; b=RxUPhrrd7VZzOrAfyfksR8VCHpSdCVkmyfWx1CQp3J/GEZ75KZ3nc+262PiBhy6hK2 PCw8uG7fBFphAYDCtWlHUNce2rhmLz5AGc7rAGWV4EevTXEHTZfKQ1/ohsTt9yV04nee ZxbqNt6JiibfmEmUHIeRRaMzvcMA/GFSw+wxk+TpaBslKxhWZ56QbyAzjV0CwQDZ1+Lq /01jBrWPJh75x5KhhzFxNl7GtmUNVJ2P4diWrrarONkD3Z460EvNDa4EgN0rgQOP3TDl DLxurbeKYb9UAU0CB5FLy6QeG2rNP6mbzg1oSneMbC0S4IhJilRA6vgScRLIvU0oz/9l 4t6w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :feedback-id:references:in-reply-to:message-id:subject:cc:from:to :dkim-signature:date; bh=4IoVoYHk/m+r33Ey5oyqbrK9BhCHBjy9lr54Zr+fTow=; b=Og7GtvpNuv+1OMh/kdGNvLIkDA1DxIu+619CelZ5VGSSpm9WkbycU5nGOtsz3OzY0s T61yQdwPwlc7Noh0L8owpWxKb6F537OS41ZhDp+A+Cn85rm5IMjtQCtbZMcdGBMj4ow2 kugEfX1Vd7ntqegXtBuMrGLUmg7epGDAFo2HmVIPqdm3jVEHBf3hWY8N6Utgsx0J2TiM pHRsxq4MsIme7O/KB7swYx0j/M48gEqM/HI6GerU6EtEOi7YSeGkTpoIFVs/Y6vdwLsp 7FqjhcMFARJb/SehPU1opabVPB/1FzcvwwHxAZG/5ww3o2bAv5EQK+YiTgZizkJ+FU2c zOMw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@protonmail.com header.s=protonmail3 header.b=IXMpZwoC; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=protonmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id t7-20020a6549c7000000b0051369870273si4477343pgs.11.2023.04.07.14.01.39; Fri, 07 Apr 2023 14:01:51 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@protonmail.com header.s=protonmail3 header.b=IXMpZwoC; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=protonmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230492AbjDGVBC (ORCPT + 99 others); Fri, 7 Apr 2023 17:01:02 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51030 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231311AbjDGVA5 (ORCPT ); Fri, 7 Apr 2023 17:00:57 -0400 Received: from mail-40134.protonmail.ch (mail-40134.protonmail.ch [185.70.40.134]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id ADBBFBB95 for ; Fri, 7 Apr 2023 14:00:52 -0700 (PDT) Date: Fri, 07 Apr 2023 21:00:33 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1680901250; x=1681160450; bh=4IoVoYHk/m+r33Ey5oyqbrK9BhCHBjy9lr54Zr+fTow=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=IXMpZwoCjpN56q0H8V5aJJNlFIIONima/PlYClX/FGZGwy/6tUK448uAMF/t9SkWJ ErUVMCKnAhx2VLFz4N1feeMkYu7vtOEGexEK0JrfzA6V9QHT4sx4qBo3lR78V5R8IU J7I5SC3j+9iZV0oTBnfrB1kP0SAGPPYv1TWGzsFLPzekD0JMDGHonBnk8LrZP/A8oa RQE4eo21OOk+LptJ38zz2Auq10KQFwcgL/ATZr5k8z/sgzgxPayU7mH5tCm7PW9EIp nClnf9XCZGw3cJnkv3am/ukoOIqXBB0AM4WK1HNCiebJerdT+ljwuT5v1BgjGXF19g 5qLoKi2q0qTiw== To: Wedson Almeida Filho , rust-for-linux@vger.kernel.org From: Benno Lossin Cc: Miguel Ojeda , Alex Gaynor , Boqun Feng , Gary Guo , =?utf-8?Q?Bj=C3=B6rn_Roy_Baron?= , linux-kernel@vger.kernel.org, Wedson Almeida Filho Subject: Re: [PATCH v2 13/13] rust: sync: introduce `LockedBy` Message-ID: <68b859ca-f67b-07dd-c5c7-7f8884e5b9f1@protonmail.com> In-Reply-To: <20230405175111.5974-13-wedsonaf@gmail.com> References: <20230405175111.5974-1-wedsonaf@gmail.com> <20230405175111.5974-13-wedsonaf@gmail.com> Feedback-ID: 40624463:user:proton MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-0.2 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,RCVD_IN_MSPIKE_H2, SPF_HELO_PASS,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 05.04.23 19:51, Wedson Almeida Filho wrote: > From: Wedson Almeida Filho > > This allows us to have data protected by a lock despite not being > wrapped by it. Access is granted by providing evidence that the lock is > held by the caller. > > Signed-off-by: Wedson Almeida Filho > --- > v1 -> v2: Added build_assert to rule out zero-sized types > > rust/kernel/sync.rs | 2 + > rust/kernel/sync/lock.rs | 2 +- > rust/kernel/sync/locked_by.rs | 128 ++++++++++++++++++++++++++++++++++ > 3 files changed, 131 insertions(+), 1 deletion(-) > create mode 100644 rust/kernel/sync/locked_by.rs > > diff --git a/rust/kernel/sync.rs b/rust/kernel/sync.rs > index d6dd0e2c1678..f8edb6d0d794 100644 > --- a/rust/kernel/sync.rs > +++ b/rust/kernel/sync.rs > @@ -10,10 +10,12 @@ use crate::types::Opaque; > mod arc; > mod condvar; > pub mod lock; > +mod locked_by; > > pub use arc::{Arc, ArcBorrow, UniqueArc}; > pub use condvar::CondVar; > pub use lock::{mutex::Mutex, spinlock::SpinLock}; > +pub use locked_by::LockedBy; > > /// Represents a lockdep class. It's a wrapper around C's `lock_class_k= ey`. > #[repr(transparent)] > diff --git a/rust/kernel/sync/lock.rs b/rust/kernel/sync/lock.rs > index f52ba9ab1b70..51c996ca2109 100644 > --- a/rust/kernel/sync/lock.rs > +++ b/rust/kernel/sync/lock.rs > @@ -111,7 +111,7 @@ pub struct Lock { > _pin: PhantomPinned, > > /// The data protected by the lock. > - data: UnsafeCell, > + pub(crate) data: UnsafeCell, > } > > // SAFETY: `Lock` can be transferred across thread boundaries iff the d= ata it protects can. > diff --git a/rust/kernel/sync/locked_by.rs b/rust/kernel/sync/locked_by.r= s > new file mode 100644 > index 000000000000..191e37d804e5 > --- /dev/null > +++ b/rust/kernel/sync/locked_by.rs > @@ -0,0 +1,128 @@ > +// SPDX-License-Identifier: GPL-2.0 > + > +//! A wrapper for data protected by a lock that does not wrap it. > + > +use super::{lock::Backend, lock::Lock}; > +use core::{cell::UnsafeCell, ptr}; > + > +/// Allows access to some data to be serialised by a lock that does not = wrap it. > +/// > +/// In most cases, data protected by a lock is wrapped by the appropriat= e lock type, e.g., > +/// [`super::Mutex`] or [`super::SpinLock`]. [`LockedBy`] is meant for c= ases when this is not > +/// possible. For example, if a container has a lock and some data in th= e contained elements needs > +/// to be protected by the same lock. > +/// > +/// [`LockedBy`] wraps the data in lieu of another locking primitive, an= d only allows access to it > +/// when the caller shows evidence that the 'external' lock is locked. > +/// Maybe add that the `access`/`access_mut` functions panic when the supplied external value is not the correct one. > +/// # Examples > +/// > +/// The following is an example for illustrative purposes: `InnerDirecto= ry::bytes_used` is an > +/// aggregate of all `InnerFile::bytes_used` and must be kept consistent= ; so we wrap `InnerFile` in > +/// a `LockedBy` so that it shares a lock with `InnerDirectory`. This al= lows us to enforce at > +/// compile-time that access to `InnerFile` is only granted when an `Inn= erDirectory` is also > +/// locked; we enforce at run time that the right `InnerDirectory` is lo= cked. > +/// > +/// ``` > +/// use kernel::sync::{LockedBy, Mutex}; > +/// > +/// struct InnerFile { > +/// bytes_used: u64, > +/// } > +/// > +/// struct File { > +/// _ino: u32, > +/// inner: LockedBy, > +/// } > +/// > +/// struct InnerDirectory { > +/// /// The sum of the bytes used by all files. > +/// bytes_used: u64, > +/// _files: Vec, > +/// } > +/// > +/// struct Directory { > +/// _ino: u32, > +/// inner: Mutex, > +/// } > +/// > +/// /// Prints `bytes_used` from both the directory and file. > +/// fn print_bytes_used(dir: &Directory, file: &File) { > +/// let guard =3D dir.inner.lock(); > +/// let inner_file =3D file.inner.access(&guard); > +/// pr_info!("{} {}", guard.bytes_used, inner_file.bytes_used); > +/// } > +/// > +/// /// Increments `bytes_used` for both the directory and file. > +/// fn inc_bytes_used(dir: &Directory, file: &File) { > +/// let mut guard =3D dir.inner.lock(); > +/// guard.bytes_used +=3D 10; > +/// > +/// let file_inner =3D file.inner.access_mut(&mut guard); > +/// file_inner.bytes_used +=3D 10; > +/// } > +/// > +/// /// Creates a new file. > +/// fn new_file(ino: u32, dir: &Directory) -> File { > +/// File { > +/// _ino: ino, > +/// inner: LockedBy::new(&dir.inner, InnerFile { bytes_used: 0 }= ), > +/// } > +/// } > +/// ``` > +pub struct LockedBy { > + owner: *const U, > + data: UnsafeCell, > +} > + > +// SAFETY: `LockedBy` can be transferred across thread boundaries iff th= e data it protects can. > +unsafe impl Send for LockedBy {} > + > +// SAFETY: `LockedBy` serialises the interior mutability it provides, so= it is `Sync` as long as the > +// data it protects is `Send`. > +unsafe impl Sync for LockedBy {} > + > +impl LockedBy { > + /// Constructs a new instance of [`LockedBy`]. > + /// > + /// It stores a raw pointer to the owner that is never dereferenced.= It is only used to ensure > + /// that the right owner is being used to access the protected data.= If the owner is freed, the > + /// data becomes inaccessible; if another instance of the owner is a= llocated *on the same > + /// memory location*, the data becomes accessible again: none of thi= s affects memory safety > + /// because in any case at most one thread (or CPU) can access the p= rotected data at a time. > + pub fn new(owner: &Lock, data: T) -> Self { I think it would be sensible to also do the ZST check here, then it will fail immediately on construction (but also keep the other location, as it does not add any runtime cost). Also, I think you should mention in the documentation that ZSTs are not supported. And it would be good to have an explaining comment on the `build_assert!` why we disallow ZSTs here. > + Self { > + owner: owner.data.get(), > + data: UnsafeCell::new(data), > + } > + } > +} > + > +impl LockedBy { > + /// Returns a reference to the protected data when the caller provid= es evidence (via a > + /// reference) that the owner is locked. Maybe add a `# Panic` section, also for `access_mut`. -- Cheers, Benno > + pub fn access<'a>(&'a self, owner: &'a U) -> &'a T { > + crate::build_assert!(core::mem::size_of::() > 0); > + if !ptr::eq(owner, self.owner) { > + panic!("mismatched owners"); > + } > + > + // SAFETY: `owner` is evidence that the owner is locked. > + unsafe { &*self.data.get() } > + } > + > + /// Returns a mutable reference to the protected data when the calle= r provides evidence (via a > + /// mutable owner) that the owner is locked mutably. > + /// > + /// Showing a mutable reference to the owner is sufficient because w= e know no other references > + /// can exist to it. > + pub fn access_mut<'a>(&'a self, owner: &'a mut U) -> &'a mut T { > + crate::build_assert!(core::mem::size_of::() > 0); > + if !ptr::eq(owner, self.owner) { > + panic!("mismatched owners"); > + } > + > + // SAFETY: `owner` is evidence that there is only one reference = to the owner. > + unsafe { &mut *self.data.get() } > + } > +} > -- > 2.34.1 >