lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <D8VPQ5XL5NJZ.26OGZ3YML4QN3@proton.me>
Date: Wed, 02 Apr 2025 00:05:56 +0000
From: Benno Lossin <benno.lossin@...ton.me>
To: Danilo Krummrich <dakr@...nel.org>
Cc: Greg KH <gregkh@...uxfoundation.org>, bhelgaas@...gle.com, rafael@...nel.org, ojeda@...nel.org, alex.gaynor@...il.com, boqun.feng@...il.com, gary@...yguo.net, bjorn3_gh@...tonmail.com, a.hindborg@...nel.org, aliceryhl@...gle.com, tmgross@...ch.edu, linux-pci@...r.kernel.org, rust-for-linux@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v4 2/3] rust: pci: impl TryFrom<&Device> for &pci::Device

On Tue Apr 1, 2025 at 3:51 PM CEST, Danilo Krummrich wrote:
> On Mon, Mar 24, 2025 at 06:32:53PM +0000, Benno Lossin wrote:
>> On Mon Mar 24, 2025 at 7:13 PM CET, Danilo Krummrich wrote:
>> > On Mon, Mar 24, 2025 at 05:36:45PM +0000, Benno Lossin wrote:
>> >> On Mon Mar 24, 2025 at 5:49 PM CET, Danilo Krummrich wrote:
>> >> > On Mon, Mar 24, 2025 at 04:39:25PM +0000, Benno Lossin wrote:
>> >> >> On Sun Mar 23, 2025 at 11:10 PM CET, Danilo Krummrich wrote:
>> >> >> > On Sat, Mar 22, 2025 at 11:10:57AM +0100, Danilo Krummrich wrote:
>> >> >> >> On Fri, Mar 21, 2025 at 08:25:07PM -0700, Greg KH wrote:
>> >> >> >> > Along these lines, if you can convince me that this is something that we
>> >> >> >> > really should be doing, in that we should always be checking every time
>> >> >> >> > someone would want to call to_pci_dev(), that the return value is
>> >> >> >> > checked, then why don't we also do this in C if it's going to be
>> >> >> >> > something to assure people it is going to be correct?  I don't want to
>> >> >> >> > see the rust and C sides get "out of sync" here for things that can be
>> >> >> >> > kept in sync, as that reduces the mental load of all of us as we travers
>> >> >> >> > across the boundry for the next 20+ years.
>> >> >> >> 
>> >> >> >> I think in this case it is good when the C and Rust side get a bit
>> >> >> >> "out of sync":
>> >> >> >
>> >> >> > A bit more clarification on this:
>> >> >> >
>> >> >> > What I want to say with this is, since we can cover a lot of the common cases
>> >> >> > through abstractions and the type system, we're left with the not so common
>> >> >> > ones, where the "upcasts" are not made in the context of common and well
>> >> >> > established patterns, but, for instance, depend on the semantics of the driver;
>> >> >> > those should not be unsafe IMHO.
>> >> >> 
>> >> >> I don't think that we should use `TryFrom` for stuff that should only be
>> >> >> used seldomly. A function that we can document properly is a much better
>> >> >> fit, since we can point users to the "correct" API.
>> >> >
>> >> > Most of the cases where drivers would do this conversion should be covered by
>> >> > the abstraction to already provide that actual bus specific device, rather than
>> >> > a generic one or some priv pointer, etc.
>> >> >
>> >> > So, the point is that the APIs we design won't leave drivers with a reason to
>> >> > make this conversion in the first place. For the cases where they have to
>> >> > (which should be rare), it's the right thing to do. There is not an alternative
>> >> > API to point to.
>> >> 
>> >> Yes, but for such a case, I wouldn't want to use `TryFrom`, since that
>> >> trait to me is a sign of a canonical way to convert a value.
>> >
>> > Well, it is the canonical way to convert, it's just that by the design of other
>> > abstractions drivers should very rarely get in the situation of needing it in
>> > the first place.
>> 
>> I'd still prefer it though, since one can spot a
>> 
>>     let dev = CustomDevice::checked_from(dev)?
>> 
>> much better in review than the `try_from` conversion. It also prevents
>> one from giving it to a generic interface expecting the `TryFrom` trait.
>
> (I plan to rebase this on my series introducing the Bound device context [1].)
>
> I thought about this for a while and I still think TryFrom is fine here.

What reasoning do you have?

> At some point I want to replace this implementation with a macro, since the code
> is pretty similar for bus specific devices. I think that's a bit cleaner with
> TryFrom compared to with a custom method, since we'd need the bus specific
> device to call the macro from the generic impl, i.e.
>
> 	impl<Ctx: DeviceContext> Device<Ctx>
>
> rather than a specific one, which we can't control. We can control it for
> TryFrom though.

We could have our own trait for that. Also it's not as controllable as
you think: anyone can implement `TryFrom<&device::Device> for &MyType`.

> However, I also do not really object to your proposal, hence I'm willing to make
> the change.
>
> Do you want to make a proposal for the corresponding doc comment switching to a
> custom method?

I think have too little context what `device::Device` and `pci::Device`
are. But I can give it a try:

    /// Tries to converts a generic [`Device`](device::Device) into a [`pci::Device`].
    ///
    /// Normally, one wouldn't need to call this function, because APIs should directly expose the
    /// concrete device type.

Then I think another sentence about a valid use-case of this function
would make a lot of sense, but I don't know any.

---
Cheers,
Benno

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ