Re: [RFC PATCH 0/5] Rust block device driver API and null block driver

From: Bart Van Assche
Date: Thu Mar 14 2024 - 13:04:05 EST

Next message: John Baldwin: "Re: [PATCH 1/1] x86/elf: Add a new .note section containing Xfeatures information to x86 core files"
Previous message: Clayton Craft: "Re: [PATCH] Revert "Bluetooth: hci_qca: Set BDA quirk bit if fwnode exists in DT""
In reply to: Philipp Stanner: "Re: [RFC PATCH 0/5] Rust block device driver API and null block driver"
Next in thread: Conor Dooley: "Re: [RFC PATCH 0/5] Rust block device driver API and null block driver"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 3/14/24 05:14, Philipp Stanner wrote:

On Wed, 2024-03-13 at 11:02 -0700, Bart Van Assche wrote:

On 3/13/24 04:05, Andreas Hindborg wrote:

This is the second version of the Rust block device driver API and
the Rust null
block driver. The context and motivation can be seen in cover
letter of the RFC
v1 [1]. If more context is required, a talk about this effort was
recorded at
LPC [2]. I hope to be able to discuss this series at LSF this year
[3].

Memory safety may land in C++ in the near future (see also
https://herbsutter.com/2024/03/). If memory-safe C++ or memory-safe C
would be adopted in the kernel, it would allow writing memory-safe
drivers without having to add complicated bindings between existing C
code and new Rust code.

Correct, but it would also most likely allow to just arbitrarily ignore
the "modern, memory safe C" (or C++) and write it the old way.

Linux kernel developers have the choice today between memory-unsafe C
and memory-safe Rust so they already have the freedom to ignore memory
safety by choosing for C. In my opinion a compiler option should be
introduced once memory-safe C or C++ is available that can be set per
source file and that makes the build fail for source files that
unintentionally do not follow the memory-safety rules.

The Kernel's C already has more memory safety than standardized C:
There's devres, and since last year there's the __cleanup attribute.
– but the thing is, you can just ignore it and do it the old way.

devres is controversial - see also Laurent Pinchart, "Why is
devm_kzalloc() harmful and what can we do about it", LPC, 2022
(https://lpc.events/event/16/contributions/1227/).

One of the stronger arguments behind the push for Rust is that the
language by design forces you to obey, because otherwise the compiler
will just reject building.

Rust has a very significant disadvantage that memory-safe C/C++ won't
have: supporting Rust means adding Rust bindings for all C functions
called from Rust code. This forces everyone who wants to change an
interface to also change the Rust bindings and hence will make it
harder to maintain the Linux kernel in its entirety.

Thanks,

Bart.

Next message: John Baldwin: "Re: [PATCH 1/1] x86/elf: Add a new .note section containing Xfeatures information to x86 core files"
Previous message: Clayton Craft: "Re: [PATCH] Revert "Bluetooth: hci_qca: Set BDA quirk bit if fwnode exists in DT""
In reply to: Philipp Stanner: "Re: [RFC PATCH 0/5] Rust block device driver API and null block driver"
Next in thread: Conor Dooley: "Re: [RFC PATCH 0/5] Rust block device driver API and null block driver"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]