On Tue, 26 May 2026 08:33:58 -0700 Boqun Feng <[email protected]> wrote:
> On Mon, May 25, 2026 at 08:55:50PM +0300, Onur Özkan wrote: > > Add a Rust abstraction for sleepable RCU (SRCU), backed by C srcu_struct. > > Provide FFI helpers and a safe wrapper with a guard-based API for read-side > > critical sections. > > > > Cleanup is handled via `PinnedDrop`, which explicitly drains pending grace > > periods and callbacks via `synchronize_srcu` and `srcu_barrier` before > > executing `cleanup_srcu_struct` to guarantee memory safety e.g. when there > > are leaked guards (via `mem::forget($guard)`). > > > > Signed-off-by: Onur Özkan <[email protected]> > > --- > > rust/helpers/srcu.c | 10 +++ > > rust/kernel/sync.rs | 2 + > > rust/kernel/sync/srcu.rs | 158 +++++++++++++++++++++++++++++++++++++++ > > 3 files changed, 170 insertions(+) > > create mode 100644 rust/kernel/sync/srcu.rs > > > > diff --git a/rust/helpers/srcu.c b/rust/helpers/srcu.c > > index e9f723d7f8c9..79dd24a104ef 100644 > > --- a/rust/helpers/srcu.c > > +++ b/rust/helpers/srcu.c > > @@ -22,3 +22,13 @@ __rust_helper void rust_helper_srcu_read_unlock(struct > > srcu_struct *ssp, int idx > > { > > srcu_read_unlock(ssp, idx); > > } > > + > > +__rust_helper void rust_helper_srcu_barrier(struct srcu_struct *ssp) > > +{ > > + srcu_barrier(ssp); > > +} > > + > > +__rust_helper void rust_helper_synchronize_srcu_expedited(struct > > srcu_struct *ssp) > > +{ > > + synchronize_srcu_expedited(ssp); > > +} > > diff --git a/rust/kernel/sync.rs b/rust/kernel/sync.rs > > index 993dbf2caa0e..0d6a5f1300c3 100644 > > --- a/rust/kernel/sync.rs > > +++ b/rust/kernel/sync.rs > > @@ -21,6 +21,7 @@ > > pub mod rcu; > > mod refcount; > > mod set_once; > > +pub mod srcu; > > > > pub use arc::{Arc, ArcBorrow, UniqueArc}; > > pub use completion::Completion; > > @@ -31,6 +32,7 @@ > > pub use locked_by::LockedBy; > > pub use refcount::Refcount; > > pub use set_once::SetOnce; > > +pub use srcu::Srcu; > > > > /// Represents a lockdep class. > > /// > > diff --git a/rust/kernel/sync/srcu.rs b/rust/kernel/sync/srcu.rs > > new file mode 100644 > > index 000000000000..655ecddd1320 > > --- /dev/null > > +++ b/rust/kernel/sync/srcu.rs > > @@ -0,0 +1,158 @@ > > +// SPDX-License-Identifier: GPL-2.0 > > + > > +//! Sleepable read-copy update (SRCU) support. > > +//! > > +//! C header: [`include/linux/srcu.h`](srctree/include/linux/srcu.h) > > + > > +use crate::{ > > + bindings, > > + error::to_result, > > + prelude::*, > > + sync::LockClassKey, > > + types::{ > > + NotThreadSafe, > > + Opaque, // > > + }, > > +}; > > + > > +use pin_init::pin_data; > > + > > +/// Creates an [`Srcu`] initialiser with the given name and a > > newly-created lock class. > > +#[doc(hidden)] > > +#[macro_export] > > +macro_rules! new_srcu { > > + ($($name:literal)?) => { > > + $crate::sync::Srcu::new($crate::optional_name!($($name)?), > > $crate::static_lock_class!()) > > + }; > > +} > > +pub use new_srcu; > > + > > +/// Sleepable read-copy update primitive. > > +/// > > +/// SRCU readers may sleep while holding the read-side guard. > > +/// > > +/// The destructor waits for active readers and callbacks, so it may sleep. > > +/// If a read-side guard has been leaked, dropping an [`Srcu`] may never > > return. > > +/// > > +/// # Invariants > > +/// > > +/// This represents a valid `struct srcu_struct` initialized by the C SRCU > > API > > +/// and it remains pinned and valid until the pinned destructor runs. > > +#[repr(transparent)] > > +#[pin_data(PinnedDrop)] > > +pub struct Srcu { > > + #[pin] > > + inner: Opaque<bindings::srcu_struct>, > > +} > > + > > +impl Srcu { > > + /// Creates a new SRCU instance. > > + #[inline] > > + pub fn new(name: &'static CStr, key: Pin<&'static LockClassKey>) -> > > impl PinInit<Self, Error> { > > + try_pin_init!(Self { > > + // INVARIANT: On success, the C initializer creates a valid > > `srcu_struct` and > > + // it remains pinned until `PinnedDrop` runs. > > + inner <- Opaque::try_ffi_init(|ptr: *mut > > bindings::srcu_struct| { > > + // SAFETY: `ptr` points to valid uninitialised memory for > > a `srcu_struct`. > > + to_result(unsafe { > > + bindings::init_srcu_struct_with_key(ptr, > > name.as_char_ptr(), key.as_ptr()) > > + }) > > + }), > > + }) > > + } > > + > > + /// Enters an SRCU read-side critical section. > > + /// > > + /// Leaking the returned [`Guard`] leaves the SRCU read-side critical > > + /// section active and makes `drop` sleep forever. > > + #[inline] > > + pub fn read_lock(&self) -> Guard<'_> { > > + // SAFETY: By the type invariants, `self` contains a valid `struct > > srcu_struct`. > > + let idx = unsafe { bindings::srcu_read_lock(self.inner.get()) }; > > + > > + // INVARIANT: `idx` was returned by `srcu_read_lock()` for this > > `Srcu`. > > + Guard { > > + srcu: self, > > + idx, > > + _not_send: NotThreadSafe, > > + } > > + } > > + > > + /// Waits until all pre-existing SRCU readers have completed. > > + #[inline] > > + pub fn synchronize(&self) { > > + // SAFETY: By the type invariants, `self` contains a valid `struct > > srcu_struct`. > > + unsafe { bindings::synchronize_srcu(self.inner.get()) }; > > + } > > + > > + /// Waits until all pre-existing SRCU readers have completed, > > expedited. > > + /// > > + /// This requests a lower-latency grace period than > > [`Srcu::synchronize`] typically > > + /// at the cost of higher system-wide overhead. Prefer > > [`Srcu::synchronize`] by default > > + /// and use this variant only when reducing reset or teardown latency > > is more important > > + /// than the extra cost. > > + #[inline] > > + pub fn synchronize_expedited(&self) { > > + // SAFETY: By the type invariants, `self` contains a valid `struct > > srcu_struct`. > > + unsafe { bindings::synchronize_srcu_expedited(self.inner.get()) }; > > + } > > +} > > + > > +#[pinned_drop] > > +impl PinnedDrop for Srcu { > > + fn drop(self: Pin<&mut Self>) { > > + let ptr = self.inner.get(); > > + > > + // `cleanup_srcu_struct()` may return early if readers are still > > active. Because `Srcu` > > + // owns the embedded `srcu_struct`, returning from `drop` in that > > state could free memory > > + // that is still referenced by the C side. > > + // > > + // Wait for all readers to complete first. If any `Guard` was > > leaked, `synchronize_srcu()` > > + // will sleep forever. > > + // > > + // SAFETY: By the type invariants, `self` contains a valid and > > pinned `struct srcu_struct`. > > + unsafe { bindings::synchronize_srcu(ptr) }; > > Sorry for being slow on this. But I think your approach is the right one > here. However, even though this makes Srcu safe, it's still undesired if > an Srcu::drop() blocks forever *silently*. I think we should call > srcu_active_readers() here and throw a warning if a leaked `Guard` is > detected. Sure, makes sense. I will send another version with this change. Thanks, Onur > > The rest of the patch set looks good to me. > > Regards, > Boqun > > > + > > + // Ensure all SRCU callbacks have been finished before freeing. > > + // SAFETY: By the type invariants, `self` contains a valid and > > pinned `struct srcu_struct`. > > + unsafe { bindings::srcu_barrier(ptr) }; > > + > > + // SAFETY: By the type invariants, `self` contains a valid and > > pinned `struct srcu_struct`. > > + unsafe { bindings::cleanup_srcu_struct(ptr) }; > > + } > > +} > > + > > +// SAFETY: `srcu_struct` may be shared and used across threads. > > +unsafe impl Send for Srcu {} > > +// SAFETY: `srcu_struct` may be shared and used concurrently. > > +unsafe impl Sync for Srcu {} > > + > > +/// Guard for an active SRCU read-side critical section on a particular > > [`Srcu`]. > > +/// > > +/// Leaking this guard with [`core::mem::forget`] leaves the SRCU read-side > > +/// critical section active and makes dropping the associated [`Srcu`] > > sleep forever. > > +/// > > +/// # Invariants > > +/// > > +/// `idx` is the index returned by `srcu_read_lock()` for `srcu`. > > +#[must_use = "if unused, the lock will be immediately unlocked"] > > +pub struct Guard<'a> { > > + srcu: &'a Srcu, > > + idx: i32, > > + _not_send: NotThreadSafe, > > +} > > + > > +impl Guard<'_> { > > + /// Explicitly releases the SRCU read-side critical section. > > + #[inline] > > + pub fn unlock(self) {} > > +} > > + > > +impl Drop for Guard<'_> { > > + #[inline] > > + fn drop(&mut self) { > > + // SAFETY: `Guard` is only constructible through > > `Srcu::read_lock()`, > > + // which returns a valid index for the SRCU instance. > > + unsafe { bindings::srcu_read_unlock(self.srcu.inner.get(), > > self.idx) }; > > + } > > +} > > -- > > 2.51.2 > >
