[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20250930144537.3559207-10-joelagnelf@nvidia.com>
Date: Tue, 30 Sep 2025 10:45:37 -0400
From: Joel Fernandes <joelagnelf@...dia.com>
To: linux-kernel@...r.kernel.org,
rust-for-linux@...r.kernel.org,
dri-devel@...ts.freedesktop.org,
dakr@...nel.org,
acourbot@...dia.com
Cc: Alistair Popple <apopple@...dia.com>,
Miguel Ojeda <ojeda@...nel.org>,
Alex Gaynor <alex.gaynor@...il.com>,
Boqun Feng <boqun.feng@...il.com>,
Gary Guo <gary@...yguo.net>,
bjorn3_gh@...tonmail.com,
Benno Lossin <lossin@...nel.org>,
Andreas Hindborg <a.hindborg@...nel.org>,
Alice Ryhl <aliceryhl@...gle.com>,
Trevor Gross <tmgross@...ch.edu>,
David Airlie <airlied@...il.com>,
Simona Vetter <simona@...ll.ch>,
Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>,
Maxime Ripard <mripard@...nel.org>,
Thomas Zimmermann <tzimmermann@...e.de>,
John Hubbard <jhubbard@...dia.com>,
Joel Fernandes <joelagnelf@...dia.com>,
Timur Tabi <ttabi@...dia.com>,
joel@...lfernandes.org,
Elle Rhumsaa <elle@...thered-steel.dev>,
Yury Norov <yury.norov@...il.com>,
Daniel Almeida <daniel.almeida@...labora.com>,
Andrea Righi <arighi@...dia.com>,
nouveau@...ts.freedesktop.org
Subject: [PATCH v5 9/9] rust: bitfield: Add hardening for undefined bits
When creating a new bitfield, it is possible that the value contains
bits set. Such usage can be the result of an error in the usage of the
bitfield. Print an error in regular configs, and assert in a hardened config
(CONFIG_RUST_BITFIELD_HARDENED). If the design is deliberate, the user may
silence these errors or assertions by defining the bitfield as reserved.
Suggested-by: Yury Norov <yury.norov@...il.com>
Signed-off-by: Joel Fernandes <joelagnelf@...dia.com>
---
rust/kernel/bitfield.rs | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/rust/kernel/bitfield.rs b/rust/kernel/bitfield.rs
index 655f940479f1..606494bf4245 100644
--- a/rust/kernel/bitfield.rs
+++ b/rust/kernel/bitfield.rs
@@ -117,7 +117,9 @@ macro_rules! bitfield_assert {
/// ```
///
/// This generates a struct with:
-/// - Constructor: `new(value)` - creates a bitfield from a raw value, zeroing undefined bits
+/// - Constructor: `new(value)` - creates a bitfield from a raw value, zeroing undefined bits.
+/// If any of the bits passed are set, but not defined as a bitfield, an error is printed.
+/// To silence these errors, either define all fields or initialize the bit positions to 0.
/// - Raw accessor: `raw()` - returns the underlying raw value
/// - Field accessors: `mode()`, `state()`, etc.
/// - Field setters: `set_mode()`, `set_state()`, etc. (supports chaining with builder pattern).
@@ -236,6 +238,10 @@ impl $name {
/// This constructor zeros out all bits that are not defined by any field,
/// ensuring only valid field bits are preserved. This is to prevent UB
/// when raw() is used to retrieve undefined bits.
+ ///
+ /// If any of the bits passed are set, but not defined as a bitfield,
+ /// an error is printed. To silence these errors, either define all fields
+ /// or initialize the respective bit positions to 0.
#[inline(always)]
$vis fn new(value: $storage) -> Self {
// Calculate mask for all defined fields
@@ -245,6 +251,18 @@ impl $name {
mask |= Self::[<$field:upper _MASK>];
);
)*
+
+ // Check if any undefined bits are set
+ $crate::bitfield_assert!(
+ (value & !mask) == 0,
+ concat!(
+ "Value 0x{:x} has bits set outside of defined field ranges ",
+ "(mask: 0x{:x}). To avoid this assertion, either define all ",
+ "fields or initialize unused bits to 0."
+ ),
+ value, mask
+ );
+
// Zero out undefined bits and wrap in BitfieldInternalStorage
Self(::kernel::bitfield::BitfieldInternalStorage::from_raw(value & mask))
}
--
2.34.1
Powered by blists - more mailing lists