| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <F1EA22CF-1C01-495D-97ED-59D51A45A8B0@collabora.com>
Date: Tue, 8 Jul 2025 14:43:33 -0300
From: Daniel Almeida <daniel.almeida@...labora.com>
To: Alice Ryhl <aliceryhl@...gle.com>
Cc: Miguel Ojeda <ojeda@...nel.org>,
Alex Gaynor <alex.gaynor@...il.com>,
Boqun Feng <boqun.feng@...il.com>,
Gary Guo <gary@...yguo.net>,
Björn Roy Baron <bjorn3_gh@...tonmail.com>,
Andreas Hindborg <a.hindborg@...nel.org>,
Trevor Gross <tmgross@...ch.edu>,
Danilo Krummrich <dakr@...nel.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
"Rafael J. Wysocki" <rafael@...nel.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Andy Shevchenko <andriy.shevchenko@...ux.intel.com>,
Ilpo Järvinen <ilpo.jarvinen@...ux.intel.com>,
Bjorn Helgaas <bhelgaas@...gle.com>,
Mika Westerberg <mika.westerberg@...ux.intel.com>,
Ying Huang <huang.ying.caritas@...il.com>,
Benno Lossin <lossin@...nel.org>,
linux-kernel@...r.kernel.org,
rust-for-linux@...r.kernel.org,
Fiona Behrens <me@...enk.dev>
Subject: Re: [PATCH v12 1/3] rust: io: add resource abstraction
Hi Alice,
[…]
>> +
>> +impl Resource {
>> + /// Creates a reference to a [`Resource`] from a valid pointer.
>> + ///
>> + /// # Safety
>> + ///
>> + /// The caller must ensure that for the duration of 'a, the pointer will
>> + /// point at a valid `bindings::resource`.
>> + ///
>> + /// The caller must also ensure that the [`Resource`] is only accessed via the
>> + /// returned reference for the duration of 'a.
>> + pub(crate) const unsafe fn as_ref<'a>(ptr: *mut bindings::resource) -> &'a Self {
>
> We usually call this method `from_raw`.
Hmm, pretty sure I have seen the exact opposite being asked. In fact, this was
discussed a bit at length a while ago. See the thread starting at [0] for context.
>
>> + )
>> + };
>> +
>> + Some(Region(NonNull::new(region)?))
>> + }
>> +
>> + /// Returns the size of the resource.
>> + pub fn size(&self) -> ResourceSize {
>> + let inner = self.0.get();
>> + // SAFETY: safe as per the invariants of `Resource`.
>> + unsafe { bindings::resource_size(inner) }
>> + }
>> +
>> + /// Returns the start address of the resource.
>> + pub fn start(&self) -> u64 {
>> + let inner = self.0.get();
>> + // SAFETY: safe as per the invariants of `Resource`.
>> + unsafe { *inner }.start
>
> This needs to be
>
> unsafe { (*inner).start }
>
> What you wrote is not equivalent. (*inner) is a place expression, but
> when you write `unsafe { <place expr> }` that turns it into a value
> expression by reading the value. So this code copies the entire struct
> to the stack, and then you read `start` from the copy on the stack.
To be honest, I've seen a bug where the opposite was going on, a field was
being written on the value that was copied to the stack, leaving the original unchanged.
In any case, I thought this would be optimized away by the compiler. Also, IMHO
there should be a lint for this, because it does not make sense to copy a struct
just to read a field if we can just read the original location.
Thanks for catching that though, I will fix it on the next iteration :)
[…]
Thanks for the other comments,
— Daniel
[0] https://lore.kernel.org/rust-for-linux/B3564D77-9E26-4019-9B75-B0C53B26B64F@collabora.com/
Powered by blists - more mailing lists