Date: Mon, 01 Apr 2024 19:27:52 +0000
To: Wedson Almeida Filho
From: Benno Lossin
Cc: Miguel Ojeda, Alex Gaynor, Boqun Feng, Gary Guo, Björn Roy Baron, Andreas Hindborg, Alice Ryhl, Martin Rodriguez Reboredo, Asahi Lina, Eric Curtin, Neal Gompa, Thomas Bertschinger, Andrea Righi, Sumera Priyadarsini, Finn Behrens, Adam Bratschi-Kaye, stable@vger.kernel.org, Daniel Xu, rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] rust: macros: fix soundness issue in `module!` macro
Message-ID: <06d5ccdb-a5c3-4630-9f97-9a7bdf7b7a48@proton.me>
References: <20240327160346.22442-1-benno.lossin@proton.me>

On 01.04.24 21:10, Wedson Almeida Filho wrote:
> On Sun, 31 Mar 2024 at 07:27, Benno Lossin wrote:
>>
>> On 31.03.24 03:00, Wedson Almeida Filho wrote:
>>> On Wed, 27 Mar 2024 at 13:04, Benno Lossin wrote:
>>>> - fn __init() -> core::ffi::c_int {{
>>>> - match <{type_} as kernel::Module>::init(&THIS_MODULE)= {{
>>>> - Ok(m) =3D> {{
>>>> + /// # Safety
>>>> + ///
>>>> + /// This function must
>>>> + /// - only be called once,
>>>> + /// - be called after `__init`,
>>>> + /// - not be called concurrently with `__init`.
>>>
>>> The second item is incomplete: it must be called after `__init` *succeeds*.
>>
>> Indeed.
>>
>>>
>>> With that added (which is a different precondition), I think the third
>>> item can be dropped because if you have to wait to see whether
>>> `__init` succeeded or failed before you can call `__exit`, then
>>> certainly you cannot call it concurrently with `__init`.
>>
>> I would love to drop that requirement, but I am not sure we can. With
>> that requirement, I wanted to ensure that no data race on `__MOD` can
>> happen. If you need to verify that `__init` succeeded, one might think
>> that it is not possible to call `__exit` such that a data race occurs,
>> but I think it could theoretically be done if the concrete `Module`
>> implementation never failed.
>
> I see. If you're concerned about compiler reordering, then we need
> compiler barriers.
>
>> Do you have any suggestion for what I could add to the "be called after
>> `__init` was called and returned `0`" requirement to make a data race
>> impossible?
>
> If you're concerned with reordering from the processor as well, then
> we need cpu barriers. You'd have to say that the cpu/thread executing
> `__init` must have a release barrier after `__init` completes, and the
> thread/cpu doing `__exit` must have an acquire barrier before starting
> `__exit`.
>
> But I'm not sure we need to go that far. Mostly because C is going to
> guarantee that ordering for us, so I'd say we can just omit this or
> perhaps say "This function must only be called from the exit module
> implementation".

Yeah, though I do not exactly know where or what the "exit module
implementation" is. If you are happy with v2, then I think we can go with
that. This piece of code is also not really something people will need
to read.

-- 
Cheers,
Benno
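
Review bot: in the added `# Safety` list, the second bullet ("be called after `__init`") does not require that `__init` returned `0`. The removed `match` on `kernel::Module::init` has an `Ok(m)` arm, so init can also fail, and the comment should say which outcome the caller may rely on; suggest "be called after `__init` has been called and returned `0`". It would also help to state in the comment what the list protects (the thread names a data race on `__MOD`), so a reader can judge whether the third bullet is still needed.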
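
The release/acquire pairing discussed in the thread, as an added userspace model that is not code from the patch or from the kernel. `Slot`, `ready` and `load_then_unload` are hypothetical names, and the `ready` flag is an assumption of this sketch; the real `__MOD` has no such flag and relies on the C module loader for ordering.

```rust
use std::cell::UnsafeCell;
use std::sync::atomic::{AtomicBool, Ordering};
use std::thread;

/// Userspace stand-in for the macro-generated `__MOD` slot (hypothetical model).
struct Slot {
    module: UnsafeCell<Option<String>>,
    ready: AtomicBool, // set only after `init` succeeded
}
// SAFETY: `module` is only accessed under the init/exit contract documented below.
unsafe impl Sync for Slot {}
impl Slot {
    fn new() -> Self {
        Slot { module: UnsafeCell::new(None), ready: AtomicBool::new(false) }
    }
    /// # Safety
    /// Must be called at most once.
    unsafe fn init(&self, result: Result<String, i32>) -> i32 {
        match result {
            Ok(m) => {
                unsafe { *self.module.get() = Some(m) };
                // Release: publishes the write above to an Acquire load of `ready`.
                self.ready.store(true, Ordering::Release);
                0
            }
            Err(errno) => errno, // slot stays empty, so `exit` has nothing to drop
        }
    }
    /// # Safety
    /// Must be called at most once. The flag, not the caller, covers the
    /// "after `init` returned 0" condition in this model.
    unsafe fn exit(&self) -> Option<String> {
        // Acquire: pairs with the Release store in `init`.
        if !self.ready.load(Ordering::Acquire) { return None; }
        unsafe { (*self.module.get()).take() }
    }
}
/// Runs `init` and then `exit` on two different threads, the way a loader would.
fn load_then_unload(result: Result<String, i32>) -> (i32, Option<String>) {
    let slot = Slot::new();
    let rc = thread::scope(|s| s.spawn(|| unsafe { slot.init(result) }).join().unwrap());
    let taken = thread::scope(|s| s.spawn(|| unsafe { slot.exit() }).join().unwrap());
    (rc, taken)
}

fn main() {
    println!("{:?}", load_then_unload(Ok("module state".to_string())));
    println!("{:?}", load_then_unload(Err(-12)));
}
```

In this demo the thread joins also order the two calls; the flag is what would carry the ordering if the caller did not.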