lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20251031-bounded_ints-v1-0-e2dbcd8fda71@nvidia.com>
Date: Fri, 31 Oct 2025 22:39:56 +0900
From: Alexandre Courbot <acourbot@...dia.com>
To: Alice Ryhl <aliceryhl@...gle.com>, Danilo Krummrich <dakr@...nel.org>, 
 Miguel Ojeda <ojeda@...nel.org>, Joel Fernandes <joelagnelf@...dia.com>, 
 Yury Norov <yury.norov@...il.com>, Jesung Yang <y.j3ms.n@...il.com>, 
 Boqun Feng <boqun.feng@...il.com>, Gary Guo <gary@...yguo.net>, 
 Björn Roy Baron <bjorn3_gh@...tonmail.com>, 
 Benno Lossin <lossin@...nel.org>, Andreas Hindborg <a.hindborg@...nel.org>, 
 Trevor Gross <tmgross@...ch.edu>
Cc: linux-kernel@...r.kernel.org, rust-for-linux@...r.kernel.org, 
 Alexandre Courbot <acourbot@...dia.com>
Subject: [PATCH 0/2] rust: add BitInt type and use in Nova's bitfield macro

I think this code is mature enough to be moved out of RFC, thanks for
all the feedback so far.

This series provides `BitInt`, a wrapper type for primitive integers
that guarantees that only a given number of bits are used to represent
values. This is particularly useful when working with bitfields, as the
guarantee that a given value fits within the number of assigned bits can
be enforced by the type system, saving cumbersome runtime checks, or
(worse) stripping data when bits are silently dropped.

Don't worry about the size; half of the code is actually rustdoc. :)

Example use (from the rustdoc):

    use kernel::num::BitInt;

    // An unsigned 8-bit integer, of which only the 4 LSBs can ever be set.
    // The value `15` is statically validated to fit within the specified number of bits.
    let v = BitInt::<u8, 4>::new::<15>();
    assert_eq!(v.get(), 15);

    let v = BitInt::<i8, 4>::new::<-8>();
    assert_eq!(v.get(), -8);

    // This doesn't build: a `u8` is smaller than the requested 9 bits.
    // let _ = BitInt::<u8, 9>::new::<10>();

    // This also doesn't build: the requested value doesn't fit within the requested bits.
    // let _ = BitInt::<i8, 4>::new::<8>();

    // Values can also be validated at runtime. This succeeds because `15` can be represented
    // with 4 bits.
    assert!(BitInt::<u8, 4>::try_new(15).is_some());
    // This fails because `16` cannot be represented with 4 bits.
    assert!(BitInt::<u8, 4>::try_new(16).is_none());

    // Non-constant expressions can also be validated at build-time thanks to compiler
    // optimizations. This should be used as a last resort though.
    let v = BitInt::<u8, 4>::from_expr(15);

    // Common operations are supported against the backing type.
    assert_eq!(v + 5, 20);
    assert_eq!(v / 3, 5);

    // The backing type can be changed while preserving the number of bits used for representation.
    assert_eq!(v.cast::<u32>(), BitInt::<u32, 4>::new::<15>());

    // We can safely extend the number of bits...
    assert_eq!(v.extend::<5>(), BitInt::<u8, 5>::new::<15>());
    // ... but reducing the number of bits fails here as the value doesn't fit anymore.
    assert_eq!(v.try_shrink::<3>(), None);

    // Conversion into primitive types is dependent on the number of useful bits, not the backing
    // type.
    //
    // Event though its backing type is `u32`, this `BitInt` only uses 8 bits and thus can safely
    // be converted to a `u8`.
    assert_eq!(u8::from(BitInt::<u32, 8>::new::<128>()), 128u8);

    // The same applies to signed values.
    assert_eq!(i8::from(BitInt::<i32, 8>::new::<127>()), 127i8);

    // This however is not allowed, as 10 bits won't fit into a `u8` (regardless of the actually
    // contained value).
    // let _ = u8::from(BitInt::<u32, 10>::new::<10>());

    // Conversely, `BitInt` types large enough to contain a given primitive type can be created
    // directly from it:
    //
    // This `BitInt` has 8 bits, so it can represent any `u8`.
    let _ = BitInt::<u32, 8>::from(128u8);

    // This `BitInt` has 8 bits, so it can represent any `i8`.
    let _ = BitInt::<i32, 8>::from(127i8);

    // This is not allowed, as this 6-bit `BitInt` does not have enough capacity to represent a
    // `u8` (regardless of the passed value).
    // let _ = BitInt::<u32, 6>::from(10u8);

    // A `u8` can be converted to an `i16` if we allow at least 9 bits to be used.
    let _ = BitInt::<i16, 9>::from(255u8);
    // ... but 8 bits aren't enough as the MSB is used for the sign, so this doesn't build.
    // let _ = BitInt::<i16, 8>::from(255u8);

There are still a few things I hope to simplify: notably the many
implementations from and to primitive types. I have added an basic
`Integer` trait to allow writing generic code against integer types,
which simplifies things a bit, but it is still a bit too complex to my
taste. Suggestions are welcome.

The first use of this will be to represent bitfields in Nova register
types to guarantee that no data is ever stripped when manipulating them.
This should eventually allow the `bitfield` and `register` macros to
move out of Nova and into the kernel crate.

The second patch is here to illustrate the use of this module; it is not
intended to be merged this cycle as it would likely result in big merge
conflicts with the drm tree.

This series applies on top of drm-rust-next for the needs of the second
patch. The first patch should apply cleanly on rust-next. A branch with
this series and its dependencies is available here:

https://github.com/Gnurou/linux/tree/b4/bounded_ints

Signed-off-by: Alexandre Courbot <acourbot@...dia.com>
---
Changes in v1:
- Rebase on top of `drm-rust-next`.
- Rename `BoundedInt` to `BitInt` (thanks Yury!).
- Add lots of documentation.
- Use shifts to validate bounds, as it works with both unsigned and
  signed types contrary to the mask method.
- Support signed types (albeit with some bugs).
- Use `new` for the const static constructor and make it the preferred
  way to build values (thanks Alice and Joel!).
- Rename `LargerThanX` into `AtLeastX` (thanks Joel!).
- Support basic arithmetic operations (+, -, etc.) against the backing
  type.
- Add `Deref` implementation as alternative to the `get` method.
- Write correct `Default` implementation for bitfields.
- Make the new bitfield accessors `inline(always)`.
- Update bitfield documentation to the new usage.
- Link to RFC v2: https://lore.kernel.org/r/20251009-bounded_ints-v2-0-ff3d7fee3ffd@nvidia.com

Changes in RFC v2:
- Thorough implementation of `BoundedInt`.
- nova-core fully adapted to use `BoundedInt`.
- Link to RFC v1: https://lore.kernel.org/r/20251002-bounded_ints-v1-0-dd60f5804ea4@nvidia.com

---
Alexandre Courbot (2):
      rust: add BitInt integer wrapping type
      [FOR REFERENCE] gpu: nova-core: use BitInt for bitfields

 drivers/gpu/nova-core/bitfield.rs         | 366 ++++++------
 drivers/gpu/nova-core/falcon.rs           | 134 ++---
 drivers/gpu/nova-core/falcon/hal/ga102.rs |   5 +-
 drivers/gpu/nova-core/fb/hal/ga100.rs     |   3 +-
 drivers/gpu/nova-core/gpu.rs              |   9 +-
 drivers/gpu/nova-core/regs.rs             | 139 ++---
 rust/kernel/lib.rs                        |   1 +
 rust/kernel/num.rs                        |  75 +++
 rust/kernel/num/bitint.rs                 | 896 ++++++++++++++++++++++++++++++
 9 files changed, 1325 insertions(+), 303 deletions(-)
---
base-commit: 9a3c2f8a4f84960a48c056d0da88de3d09e6d622
change-id: 20251001-bounded_ints-1d0457d9ae26

Best regards,
-- 
Alexandre Courbot <acourbot@...dia.com>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ