| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <A309C141-E390-44C1-A2B7-A7A9CDB132D7@collabora.com> Date: Wed, 6 Nov 2024 20:44:35 -0300 From: Daniel Almeida <daniel.almeida@...labora.com> To: Alice Ryhl <aliceryhl@...gle.com> Cc: Danilo Krummrich <dakr@...nel.org>, gregkh@...uxfoundation.org, rafael@...nel.org, bhelgaas@...gle.com, ojeda@...nel.org, alex.gaynor@...il.com, boqun.feng@...il.com, gary@...yguo.net, bjorn3_gh@...tonmail.com, benno.lossin@...ton.me, tmgross@...ch.edu, a.hindborg@...sung.com, airlied@...il.com, fujita.tomonori@...il.com, lina@...hilina.net, pstanner@...hat.com, ajanulgu@...hat.com, lyude@...hat.com, robh@...nel.org, saravanak@...gle.com, rust-for-linux@...r.kernel.org, linux-kernel@...r.kernel.org, linux-pci@...r.kernel.org, devicetree@...r.kernel.org Subject: Re: [PATCH v3 09/16] rust: add `io::Io` base type Sorry, I didn’t see this: > On 29 Oct 2024, at 07:18, Alice Ryhl <aliceryhl@...gle.com> wrote: > > What you're doing now is a bit awkward to use. You have to make sure > that it never escapes the struct it's created for, so e.g. you can't > give out a mutable reference as the user could otherwise `mem::swap` > it with another Io. Similarly, the Io can never be in a public field. > Your safety comment on Io::new really needs to say something like > "while this struct exists, the `addr` must be a valid I/O region", > since I assume such regions are not valid forever? Similarly if we Io is meant to be a private member within a wrapper type that actually acquires the underlying I/O region, like `pci::Bar` or `Platform::IoMem`. Doesn’t that fix the above? > look at [1], the I/O region actually gets unmapped *before* the Io is > destroyed since IoMem::drop runs before the fields of IoMem are > destroyed, so you really need something like "until the last use of > this Io" and not "until this Io is destroyed" in the safety comment. > > If you compare similar cases in Rust, then they also do what I > suggested. For example, Vec<T> holds a raw pointer, and it uses unsafe > to assert that it's valid on each use of the raw pointer - it does not > create e.g. an `&'static mut [T]` to hold in a field of the Vec<T>. > Having an IoRaw<S> and an Io<'a, S> corresponds to what Vec<T> does > with IoRaw being like NonNull<T> and Io<'a, S> being like &'a T. > > [1]: https://lore.kernel.org/all/20241024-topic-panthor-rs-platform_io_support-v1-1-3d1addd96e30@collabora.com/ What I was trying to say in my last message is that the wrapper type, i.e.: IoMem and so on, should not have a lifetime parameter, but IIUC this is not what you’re suggesting here, right? — Daniel
Powered by blists - more mailing lists