On Fri, 29 May 2026 08:36:16 -0700 "Paul E. McKenney" <[email protected]> wrote:
> On Thu, May 28, 2026 at 01:23:39PM +0100, Gary Guo wrote: > > On Thu May 28, 2026 at 9:35 AM BST, Onur Özkan wrote: > > > On Thu, 28 May 2026 11:20:10 +0300 > > > Onur Özkan <[email protected]> wrote: > > > > > >> On Thu, 28 May 2026 09:27:35 +0300 > > >> Onur Özkan <[email protected]> wrote: > > >> > > >> > Add a Rust abstraction for sleepable RCU (SRCU), backed by C > > >> > srcu_struct. > > >> > Provide FFI helpers and a safe wrapper with a guard-based API for > > >> > read-side > > >> > critical sections. > > >> > > > >> > Cleanup is handled via `PinnedDrop`, which explicitly drains pending > > >> > grace > > >> > periods and callbacks via `synchronize_srcu` and `srcu_barrier` before > > >> > executing `cleanup_srcu_struct` to guarantee memory safety e.g. when > > >> > there > > >> > are leaked guards (via `mem::forget($guard)`). > > >> > > > >> > Signed-off-by: Onur Özkan <[email protected]> > > >> > --- > > >> > rust/kernel/sync.rs | 2 + > > >> > rust/kernel/sync/srcu.rs | 166 +++++++++++++++++++++++++++++++++++++++ > > >> > 2 files changed, 168 insertions(+) > > >> > create mode 100644 rust/kernel/sync/srcu.rs > > >> > > > >> > diff --git a/rust/kernel/sync.rs b/rust/kernel/sync.rs > > >> > index 993dbf2caa0e..0d6a5f1300c3 100644 > > >> > --- a/rust/kernel/sync.rs > > >> > +++ b/rust/kernel/sync.rs > > >> > @@ -21,6 +21,7 @@ > > >> > pub mod rcu; > > >> > mod refcount; > > >> > mod set_once; > > >> > +pub mod srcu; > > >> > > > >> > pub use arc::{Arc, ArcBorrow, UniqueArc}; > > >> > pub use completion::Completion; > > >> > @@ -31,6 +32,7 @@ > > >> > pub use locked_by::LockedBy; > > >> > pub use refcount::Refcount; > > >> > pub use set_once::SetOnce; > > >> > +pub use srcu::Srcu; > > >> > > > >> > /// Represents a lockdep class. > > >> > /// > > >> > diff --git a/rust/kernel/sync/srcu.rs b/rust/kernel/sync/srcu.rs > > >> > new file mode 100644 > > >> > index 000000000000..343f00d070c7 > > >> > --- /dev/null > > >> > +++ b/rust/kernel/sync/srcu.rs > > >> > @@ -0,0 +1,166 @@ > > >> > +// SPDX-License-Identifier: GPL-2.0 > > >> > + > > >> > +//! Sleepable read-copy update (SRCU) support. > > >> > +//! > > >> > +//! C header: [`include/linux/srcu.h`](srctree/include/linux/srcu.h) > > >> > + > > >> > +use crate::{ > > >> > + bindings, > > >> > + error::to_result, > > >> > + prelude::*, > > >> > + sync::LockClassKey, > > >> > + types::{ > > >> > + NotThreadSafe, > > >> > + Opaque, // > > >> > + }, > > >> > +}; > > >> > + > > >> > +use pin_init::pin_data; > > >> > + > > >> > +/// Creates an [`Srcu`] initialiser with the given name and a > > >> > newly-created lock class. > > >> > +#[doc(hidden)] > > >> > +#[macro_export] > > >> > +macro_rules! new_srcu { > > >> > + ($($name:literal)?) => { > > >> > + $crate::sync::Srcu::new($crate::optional_name!($($name)?), > > >> > $crate::static_lock_class!()) > > >> > + }; > > >> > +} > > >> > +pub use new_srcu; > > >> > + > > >> > +/// Sleepable read-copy update primitive. > > >> > +/// > > >> > +/// SRCU readers may sleep while holding the read-side guard. > > >> > +/// > > >> > +/// The destructor waits for active readers and callbacks, so it may > > >> > sleep. > > >> > +/// If a read-side guard has been leaked, dropping an [`Srcu`] may > > >> > never return. > > >> > +/// > > >> > +/// # Invariants > > >> > +/// > > >> > +/// This represents a valid `struct srcu_struct` initialized by the C > > >> > SRCU API > > >> > +/// and it remains pinned and valid until the pinned destructor runs. > > >> > +#[repr(transparent)] > > >> > +#[pin_data(PinnedDrop)] > > >> > +pub struct Srcu { > > >> > + #[pin] > > >> > + inner: Opaque<bindings::srcu_struct>, > > >> > +} > > >> > + > > >> > +impl Srcu { > > >> > + /// Creates a new SRCU instance. > > >> > + #[inline] > > >> > + pub fn new(name: &'static CStr, key: Pin<&'static LockClassKey>) > > >> > -> impl PinInit<Self, Error> { > > >> > + try_pin_init!(Self { > > >> > + // INVARIANT: On success, the C initializer creates a > > >> > valid `srcu_struct` and > > >> > + // it remains pinned until `PinnedDrop` runs. > > >> > + inner <- Opaque::try_ffi_init(|ptr: *mut > > >> > bindings::srcu_struct| { > > >> > + // SAFETY: `ptr` points to valid uninitialised memory > > >> > for a `srcu_struct`. > > >> > + to_result(unsafe { > > >> > + bindings::init_srcu_struct_with_key(ptr, > > >> > name.as_char_ptr(), key.as_ptr()) > > >> > + }) > > >> > + }), > > >> > + }) > > >> > + } > > >> > + > > >> > + /// Enters an SRCU read-side critical section. > > >> > + /// > > >> > + /// Leaking the returned [`Guard`] leaves the SRCU read-side > > >> > critical > > >> > + /// section active and makes `drop` sleep forever. > > >> > + #[inline] > > >> > + pub fn read_lock(&self) -> Guard<'_> { > > >> > + // SAFETY: By the type invariants, `self` contains a valid > > >> > `struct srcu_struct`. > > >> > + let idx = unsafe { bindings::srcu_read_lock(self.inner.get()) > > >> > }; > > >> > + > > >> > + // INVARIANT: `idx` was returned by `srcu_read_lock()` for > > >> > this `Srcu`. > > >> > + Guard { > > >> > + srcu: self, > > >> > + idx, > > >> > + _not_send: NotThreadSafe, > > >> > + } > > >> > + } > > >> > + > > >> > + /// Waits until all pre-existing SRCU readers have completed. > > >> > + #[inline] > > >> > + pub fn synchronize(&self) { > > >> > + // SAFETY: By the type invariants, `self` contains a valid > > >> > `struct srcu_struct`. > > >> > + unsafe { bindings::synchronize_srcu(self.inner.get()) }; > > >> > + } > > >> > + > > >> > + /// Waits until all pre-existing SRCU readers have completed, > > >> > expedited. > > >> > + /// > > >> > + /// This requests a lower-latency grace period than > > >> > [`Srcu::synchronize`] typically > > >> > + /// at the cost of higher system-wide overhead. Prefer > > >> > [`Srcu::synchronize`] by default > > >> > + /// and use this variant only when reducing reset or teardown > > >> > latency is more important > > >> > + /// than the extra cost. > > >> > + #[inline] > > >> > + pub fn synchronize_expedited(&self) { > > >> > + // SAFETY: By the type invariants, `self` contains a valid > > >> > `struct srcu_struct`. > > >> > + unsafe { > > >> > bindings::synchronize_srcu_expedited(self.inner.get()) }; > > >> > + } > > >> > +} > > >> > + > > >> > +#[pinned_drop] > > >> > +impl PinnedDrop for Srcu { > > >> > + fn drop(self: Pin<&mut Self>) { > > >> > + let ptr = self.inner.get(); > > >> > + > > >> > + // SAFETY: By the type invariants, `self` contains a valid > > >> > and pinned `struct srcu_struct` > > >> > + // and `srcu_readers_active()` only checks the active reader > > >> > count. > > >> > + if unsafe { bindings::srcu_readers_active(ptr) } { > > >> > + crate::pr_warn!( > > >> > + "Leaked `Guard` detected while dropping SRCU; drop > > >> > will block forever.\n" > > >> > + ); > > > > I think this could be a `warn_on` similar to how cleanup_srcu_struct handle > > the > > condition. > > > > >> > + } > > >> > + > > >> > + // `cleanup_srcu_struct()` may return early if readers are > > >> > still active. Because `Srcu` > > >> > + // owns the embedded `srcu_struct`, returning from `drop` in > > >> > that state could free memory > > >> > + // that is still referenced by the C side. > > >> > + // > > >> > + // Wait for all readers to complete first. If any `Guard` was > > >> > leaked, `synchronize_srcu()` > > >> > + // will sleep forever. > > >> > + // > > >> > + // SAFETY: By the type invariants, `self` contains a valid > > >> > and pinned `struct srcu_struct`. > > >> > + unsafe { bindings::synchronize_srcu(ptr) }; > > >> > > >> Sashiko got a good point here which is calling synchronize_srcu() only > > >> if there > > >> are active readers. That's a nice low-effort improvement we can have in > > >> the next > > >> version. > > >> > > >> Onur > > > > > > Actually, now I am now thinking about whether we can come up with a better > > > approach when we detect leaked guards. Initially I came up with the > > > synchronize_srcu() solution because it would handle leaked guards > > > automatically > > > without requiring any additional checks. But now that we can actually > > > detect > > > whether guards are leaked the question becomes: > > > > > > "Is there a better option than effectively sleeping forever when leaked > > > guards are detected?" > > > > > > I have no plans for tomorrow other than finalizing this series including > > > the > > > question above. > > > > The best solution is to proceed cleanups anyway, given Rust rules ensure > > that > > these are actual leaks and not just srcu read-side critical section that > > failed > > to synchronize with the destruction of SRCU. > > > > This obviously require changes to the SRCU code though. > > Right now, the C-language SRCU code would splat and leak the srcu_struct > structure. Of course, we *could* provide something that zeroed the > reader counts to avoid the splat and leak, but yikes! Or is there a > way to make such a function available *only* to the Rust code associated > with cleanup_srcu_struct(), and not to other C/Rust code? > Anyone can use them if they want from `bindings::` once it's exposed to Rust. Regards, Onur > Thanx, Paul
