| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CC11C4AC-A37C-4BB7-820B-7AC257D719D2@nvidia.com>
Date: Sat, 20 Sep 2025 09:33:46 +0000
From: Joel Fernandes <joelagnelf@...dia.com>
To: John Hubbard <jhubbard@...dia.com>
CC: Yury Norov <yury.norov@...il.com>, "linux-kernel@...r.kernel.org"
<linux-kernel@...r.kernel.org>, "dri-devel@...ts.freedesktop.org"
<dri-devel@...ts.freedesktop.org>, "dakr@...nel.org" <dakr@...nel.org>,
Alexandre Courbot <acourbot@...dia.com>, Alistair Popple
<apopple@...dia.com>, Miguel Ojeda <ojeda@...nel.org>, Alex Gaynor
<alex.gaynor@...il.com>, Boqun Feng <boqun.feng@...il.com>, Gary Guo
<gary@...yguo.net>, "bjorn3_gh@...tonmail.com" <bjorn3_gh@...tonmail.com>,
Benno Lossin <lossin@...nel.org>, Andreas Hindborg <a.hindborg@...nel.org>,
Alice Ryhl <aliceryhl@...gle.com>, Trevor Gross <tmgross@...ch.edu>, David
Airlie <airlied@...il.com>, Simona Vetter <simona@...ll.ch>, Maarten
Lankhorst <maarten.lankhorst@...ux.intel.com>, Maxime Ripard
<mripard@...nel.org>, Thomas Zimmermann <tzimmermann@...e.de>, Timur Tabi
<ttabi@...dia.com>, "joel@...lfernandes.org" <joel@...lfernandes.org>, Elle
Rhumsaa <elle@...thered-steel.dev>, Daniel Almeida
<daniel.almeida@...labora.com>, "nouveau@...ts.freedesktop.org"
<nouveau@...ts.freedesktop.org>
Subject: Re: [PATCH v3 5/5] rust: Add KUNIT tests for bitfield
Hello, John,
> On Sep 20, 2025, at 2:52 AM, John Hubbard <jhubbard@...dia.com> wrote:
>
> On 9/19/25 5:39 PM, Joel Fernandes wrote:
>> On Tue, Sep 16, 2025 at 05:59:18AM -0400, Joel Fernandes wrote:
>> [...]
>>>>> In C also this is valid. If you passed a higher value than what the
>>>>> bitfield can hold, the compiler will still just use the bits that it
>>>>> needs and ignore the rest.
>>>>
>>>> In C we've got FIELD_{PREP,GET,MODIFY}, implementing the checks.
>>>> So those who want to stay on safe side have a choice.
>>>
>>> Ah ok. We can add these checks then for the accessors, I will do so in v4.
>>
>> The C checks use BUILD_BUG_ON, in rust-for-linux we have build_assert but it
>> is fragile and depends on the value being a constant. Since the setter API
>> accepts a run-time value and not a constant, we cannot use this.
>>
>> Or, we can fail at runtime, but that requires changing the set_* to try_set_*
>> and returning a Result instead of Self. Alternatively, we can have a debug
>> option that panics if the setter API is misued.
>
> Please no...
True, it requires significant complication.
>
>>
>> Thoughts?
>>
>> Or for the moment, we can keep it simple and filter out / ignore extra bits
>> of the larger value passed (which is what nova-core's register macro bitfield
>> implementation currently does anyway).
>>
>
> Yes. Assuming that I'm not completely lost here, you are proposing to
> simply truncate to the size of the bitfield--no panics, no warnings. And
> that's perfectly fine here IMHO.
Ok, thanks. Yeah truncate. This is what register macro also currently does for its bitfields. To the point Jury is making though, the C equivalents do have build checks. We could do that once he have a better build_assert in rust but until then.. hopefully this suffices.
I am currently also research better ways of implementing build_assert.
- Joel
>
> thanks,
> --
> John Hubbard
>
Powered by blists - more mailing lists