Skip to content

rust: make Lock trait unsafe. #519

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 15, 2021
Merged

rust: make Lock trait unsafe. #519

merged 1 commit into from
Oct 15, 2021

Conversation

wedsonaf
Copy link

Without this, one could implement a lock that doesn't really provide
mutual exclusion, which could result in UB. For example, a no-op Lock
implementation could provide guards from two different threads
concurrently, which could be used by LockedBy to generate two mutable
references to the same underlying object.

Marking Lock unsafe has no implication on driver code because all
implementations are expected to come from the kernel crate anyway.

Signed-off-by: Wedson Almeida Filho [email protected]

@wedsonaf
rust: make Lock trait unsafe.
2c1e84a 
Without this, one could implement a lock that doesn't really provide
mutual exclusion, which could result in UB. For example, a no-op `Lock`
implementation could provide guards from two different threads
concurrently, which could be used by `LockedBy` to generate two mutable
references to the same underlying object.

Marking `Lock` unsafe has no implication on driver code because all
implementations are expected to come from the `kernel` crate anyway.

Signed-off-by: Wedson Almeida Filho <[email protected]>
nbdd0121
nbdd0121 approved these changes Oct 15, 2021
View reviewed changes
Copy link
Member

@nbdd0121 nbdd0121 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, this definitely has to be unsafe.

I wonder if we should also separate the UnsafeCell from the lock itself, essentially create RawMutex and RawSpinLock like lock_api do https://docs.rs/lock_api/0.4.5/lock_api/trait.RawMutex.html. (Just an idea, no need to address for this PR)

@wedsonaf
Copy link
Author

Yeah, this definitely has to be unsafe.

I wonder if we should also separate the UnsafeCell from the lock itself, essentially create RawMutex and RawSpinLock like lock_api do https://docs.rs/lock_api/0.4.5/lock_api/trait.RawMutex.html. (Just an idea, no need to address for this PR)

The goal would be to reduce duplication of some of the boiler plate code around UnsafeCell?

@wedsonaf wedsonaf merged commit a6d4c3f into Rust-for-Linux:rust Oct 15, 2021
@wedsonaf wedsonaf deleted the lock-unsafe branch October 15, 2021 16:17
@nbdd0121
Copy link
Member

The goal would be to reduce duplication of some of the boiler plate code around UnsafeCell?

Yes, and it should also allow us to make Guard covariant. (The use of projection L::Inner would make L invariant). This would allow us to "usize" the guard (thouhg this would require the unstable CoerceUnsized). I have recently used the unsizing of core::cell::Ref in my personal project and I find it quite useful in some circumstances.

@ojeda
Copy link
Member

ojeda commented Oct 15, 2021

(We are already using coerce_unsized for Ref)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nbdd0121 nbdd0121 nbdd0121 approved these changes

@kloenk kloenk kloenk approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@wedsonaf @nbdd0121 @ojeda @kloenk