On Mon, May 25, 2026 at 08:55:50PM +0300, Onur Özkan wrote:
> Add a Rust abstraction for sleepable RCU (SRCU), backed by C srcu_struct.
> Provide FFI helpers and a safe wrapper with a guard-based API for read-side
> critical sections.
>
> Cleanup is handled via `PinnedDrop`, which explicitly drains pending grace
> periods and callbacks via `synchronize_srcu` and `srcu_barrier` before
> executing `cleanup_srcu_struct` to guarantee memory safety e.g. when there
> are leaked guards (via `mem::forget($guard)`).
>
> Signed-off-by: Onur Özkan <[email protected]>
> ---
> rust/helpers/srcu.c | 10 +++
> rust/kernel/sync.rs | 2 +
> rust/kernel/sync/srcu.rs | 158 +++++++++++++++++++++++++++++++++++++++
> 3 files changed, 170 insertions(+)
> create mode 100644 rust/kernel/sync/srcu.rs
>
> diff --git a/rust/helpers/srcu.c b/rust/helpers/srcu.c
> index e9f723d7f8c9..79dd24a104ef 100644
> --- a/rust/helpers/srcu.c
> +++ b/rust/helpers/srcu.c
> @@ -22,3 +22,13 @@ __rust_helper void rust_helper_srcu_read_unlock(struct
> srcu_struct *ssp, int idx
> {
> srcu_read_unlock(ssp, idx);
> }
> +
> +__rust_helper void rust_helper_srcu_barrier(struct srcu_struct *ssp)
> +{
> + srcu_barrier(ssp);
> +}
> +
> +__rust_helper void rust_helper_synchronize_srcu_expedited(struct srcu_struct
> *ssp)
> +{
> + synchronize_srcu_expedited(ssp);
> +}
> diff --git a/rust/kernel/sync.rs b/rust/kernel/sync.rs
> index 993dbf2caa0e..0d6a5f1300c3 100644
> --- a/rust/kernel/sync.rs
> +++ b/rust/kernel/sync.rs
> @@ -21,6 +21,7 @@
> pub mod rcu;
> mod refcount;
> mod set_once;
> +pub mod srcu;
>
> pub use arc::{Arc, ArcBorrow, UniqueArc};
> pub use completion::Completion;
> @@ -31,6 +32,7 @@
> pub use locked_by::LockedBy;
> pub use refcount::Refcount;
> pub use set_once::SetOnce;
> +pub use srcu::Srcu;
>
> /// Represents a lockdep class.
> ///
> diff --git a/rust/kernel/sync/srcu.rs b/rust/kernel/sync/srcu.rs
> new file mode 100644
> index 000000000000..655ecddd1320
> --- /dev/null
> +++ b/rust/kernel/sync/srcu.rs
> @@ -0,0 +1,158 @@
> +// SPDX-License-Identifier: GPL-2.0
> +
> +//! Sleepable read-copy update (SRCU) support.
> +//!
> +//! C header: [`include/linux/srcu.h`](srctree/include/linux/srcu.h)
> +
> +use crate::{
> + bindings,
> + error::to_result,
> + prelude::*,
> + sync::LockClassKey,
> + types::{
> + NotThreadSafe,
> + Opaque, //
> + },
> +};
> +
> +use pin_init::pin_data;
> +
> +/// Creates an [`Srcu`] initialiser with the given name and a newly-created
> lock class.
> +#[doc(hidden)]
> +#[macro_export]
> +macro_rules! new_srcu {
> + ($($name:literal)?) => {
> + $crate::sync::Srcu::new($crate::optional_name!($($name)?),
> $crate::static_lock_class!())
> + };
> +}
> +pub use new_srcu;
> +
> +/// Sleepable read-copy update primitive.
> +///
> +/// SRCU readers may sleep while holding the read-side guard.
> +///
> +/// The destructor waits for active readers and callbacks, so it may sleep.
> +/// If a read-side guard has been leaked, dropping an [`Srcu`] may never
> return.
> +///
> +/// # Invariants
> +///
> +/// This represents a valid `struct srcu_struct` initialized by the C SRCU
> API
> +/// and it remains pinned and valid until the pinned destructor runs.
> +#[repr(transparent)]
> +#[pin_data(PinnedDrop)]
> +pub struct Srcu {
> + #[pin]
> + inner: Opaque<bindings::srcu_struct>,
> +}
> +
> +impl Srcu {
> + /// Creates a new SRCU instance.
> + #[inline]
> + pub fn new(name: &'static CStr, key: Pin<&'static LockClassKey>) -> impl
> PinInit<Self, Error> {
> + try_pin_init!(Self {
> + // INVARIANT: On success, the C initializer creates a valid
> `srcu_struct` and
> + // it remains pinned until `PinnedDrop` runs.
> + inner <- Opaque::try_ffi_init(|ptr: *mut bindings::srcu_struct| {
> + // SAFETY: `ptr` points to valid uninitialised memory for a
> `srcu_struct`.
> + to_result(unsafe {
> + bindings::init_srcu_struct_with_key(ptr,
> name.as_char_ptr(), key.as_ptr())
> + })
> + }),
> + })
> + }
> +
> + /// Enters an SRCU read-side critical section.
> + ///
> + /// Leaking the returned [`Guard`] leaves the SRCU read-side critical
> + /// section active and makes `drop` sleep forever.
> + #[inline]
> + pub fn read_lock(&self) -> Guard<'_> {
> + // SAFETY: By the type invariants, `self` contains a valid `struct
> srcu_struct`.
> + let idx = unsafe { bindings::srcu_read_lock(self.inner.get()) };
> +
> + // INVARIANT: `idx` was returned by `srcu_read_lock()` for this
> `Srcu`.
> + Guard {
> + srcu: self,
> + idx,
> + _not_send: NotThreadSafe,
> + }
> + }
> +
> + /// Waits until all pre-existing SRCU readers have completed.
> + #[inline]
> + pub fn synchronize(&self) {
> + // SAFETY: By the type invariants, `self` contains a valid `struct
> srcu_struct`.
> + unsafe { bindings::synchronize_srcu(self.inner.get()) };
> + }
> +
> + /// Waits until all pre-existing SRCU readers have completed, expedited.
> + ///
> + /// This requests a lower-latency grace period than
> [`Srcu::synchronize`] typically
> + /// at the cost of higher system-wide overhead. Prefer
> [`Srcu::synchronize`] by default
> + /// and use this variant only when reducing reset or teardown latency is
> more important
> + /// than the extra cost.
> + #[inline]
> + pub fn synchronize_expedited(&self) {
> + // SAFETY: By the type invariants, `self` contains a valid `struct
> srcu_struct`.
> + unsafe { bindings::synchronize_srcu_expedited(self.inner.get()) };
> + }
> +}
> +
> +#[pinned_drop]
> +impl PinnedDrop for Srcu {
> + fn drop(self: Pin<&mut Self>) {
> + let ptr = self.inner.get();
> +
> + // `cleanup_srcu_struct()` may return early if readers are still
> active. Because `Srcu`
> + // owns the embedded `srcu_struct`, returning from `drop` in that
> state could free memory
> + // that is still referenced by the C side.
> + //
> + // Wait for all readers to complete first. If any `Guard` was
> leaked, `synchronize_srcu()`
> + // will sleep forever.
> + //
> + // SAFETY: By the type invariants, `self` contains a valid and
> pinned `struct srcu_struct`.
> + unsafe { bindings::synchronize_srcu(ptr) };
Sorry for being slow on this. But I think your approach is the right one
here. However, even though this makes Srcu safe, it's still undesired if
an Srcu::drop() blocks forever *silently*. I think we should call
srcu_active_readers() here and throw a warning if a leaked `Guard` is
detected.
The rest of the patch set looks good to me.
Regards,
Boqun
> +
> + // Ensure all SRCU callbacks have been finished before freeing.
> + // SAFETY: By the type invariants, `self` contains a valid and
> pinned `struct srcu_struct`.
> + unsafe { bindings::srcu_barrier(ptr) };
> +
> + // SAFETY: By the type invariants, `self` contains a valid and
> pinned `struct srcu_struct`.
> + unsafe { bindings::cleanup_srcu_struct(ptr) };
> + }
> +}
> +
> +// SAFETY: `srcu_struct` may be shared and used across threads.
> +unsafe impl Send for Srcu {}
> +// SAFETY: `srcu_struct` may be shared and used concurrently.
> +unsafe impl Sync for Srcu {}
> +
> +/// Guard for an active SRCU read-side critical section on a particular
> [`Srcu`].
> +///
> +/// Leaking this guard with [`core::mem::forget`] leaves the SRCU read-side
> +/// critical section active and makes dropping the associated [`Srcu`] sleep
> forever.
> +///
> +/// # Invariants
> +///
> +/// `idx` is the index returned by `srcu_read_lock()` for `srcu`.
> +#[must_use = "if unused, the lock will be immediately unlocked"]
> +pub struct Guard<'a> {
> + srcu: &'a Srcu,
> + idx: i32,
> + _not_send: NotThreadSafe,
> +}
> +
> +impl Guard<'_> {
> + /// Explicitly releases the SRCU read-side critical section.
> + #[inline]
> + pub fn unlock(self) {}
> +}
> +
> +impl Drop for Guard<'_> {
> + #[inline]
> + fn drop(&mut self) {
> + // SAFETY: `Guard` is only constructible through `Srcu::read_lock()`,
> + // which returns a valid index for the SRCU instance.
> + unsafe { bindings::srcu_read_unlock(self.srcu.inner.get(), self.idx)
> };
> + }
> +}
> --
> 2.51.2
>
