| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250122145653.4ce76a01.gary@garyguo.net>
Date: Wed, 22 Jan 2025 14:56:53 +0000
From: Gary Guo <gary@...yguo.net>
To: Danilo Krummrich <dakr@...nel.org>
Cc: Fiona Behrens <me@...enk.dev>, Miguel Ojeda <ojeda@...nel.org>, Alex
Gaynor <alex.gaynor@...il.com>, Boqun Feng <boqun.feng@...il.com>,
Björn Roy Baron <bjorn3_gh@...tonmail.com>, Benno Lossin
<benno.lossin@...ton.me>, Andreas Hindborg <a.hindborg@...nel.org>, Alice
Ryhl <aliceryhl@...gle.com>, Trevor Gross <tmgross@...ch.edu>, Daniel
Almeida <daniel.almeida@...labora.com>, Greg Kroah-Hartman
<gregkh@...uxfoundation.org>, rust-for-linux@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] rust: io: move offset_valid and io_addr(_assert) to
IoRaw
On Wed, 22 Jan 2025 15:22:27 +0100
Danilo Krummrich <dakr@...nel.org> wrote:
> On Wed, Jan 22, 2025 at 01:38:09PM +0100, Fiona Behrens wrote:
> > Move the helper functions `offset_valid`, `io_addr` and
> > `io_addr_asset` from `Io` to `IoRaw`. This allows `IoRaw` to be reused
> > if other abstractions with different write/read functions are
> > needed (e.g. `writeb` vs `iowrite` vs `outb`).
> >
> > Make this functions public as well so they can be used from other
> > modules if you aquire a `IoRaw`.
>
> I don't think they should be public. Instead the abstraction for I/O ports
> should be in this file, just like `Io` is.
>
> Another option could also be to just extend the existing `Io` abstraction for
> I/O ports.
>
> >
> > Signed-off-by: Fiona Behrens <me@...enk.dev>
> > ---
> > rust/kernel/io.rs | 98 +++++++++++++++++++++++++++++++++++--------------------
> > 1 file changed, 63 insertions(+), 35 deletions(-)
> >
> > diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
> > index d4a73e52e3ee68f7b558749ed0108acde92ae5fe..a6d026f458608626113fd194ee5a8616b4ef76fe 100644
> > --- a/rust/kernel/io.rs
> > +++ b/rust/kernel/io.rs
> > @@ -15,6 +15,11 @@
> > /// Instead, the bus specific MMIO implementation must convert this raw representation into an `Io`
> > /// instance providing the actual memory accessors. Only by the conversion into an `Io` structure
> > /// any guarantees are given.
> > +///
> > +/// # Invariant
>
> You phrased this invariant as if it would be a requirement, but it's more like a
> something that's always uphold. I'd phrase it as a fact that can be relied on.
I thinkt the use of `Invariant` here is correct, as this needs to be
uphold by the constructors (and only then it can be relied on). However
the patch doesn't clearly indicate that.
>
> > +///
> > +/// `addr` plus `maxsize` has to fit in memory (smaller than [`usize::MAX`])
>
> "fit in memory" sounds a bit misleading. I think you want to say they have to be
> in the range of some address space (e.g. PIO).
>
> Besides that, why do we need this at all in this patch? I think it's fine to
> add, but then it should be separate patch I think.
>
> > +/// and `maxsize` has to be smaller or equal to `SIZE`.
>
> That's wrong, it's the other way around.
Yeah, this is wrong.
>
> > pub struct IoRaw<const SIZE: usize = 0> {
> > addr: usize,
> > maxsize: usize,
> > @@ -23,7 +28,7 @@ pub struct IoRaw<const SIZE: usize = 0> {
> > impl<const SIZE: usize> IoRaw<SIZE> {
> > /// Returns a new `IoRaw` instance on success, an error otherwise.
> > pub fn new(addr: usize, maxsize: usize) -> Result<Self> {
> > - if maxsize < SIZE {
> > + if maxsize < SIZE || addr.checked_add(maxsize).is_none() {
> > return Err(EINVAL);
> > }
Best,
Gary
Powered by blists - more mailing lists