lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20251102-bounded_ints-v2-0-7ef0c26b1d36@nvidia.com>
Date: Sun, 02 Nov 2025 23:24:41 +0900
From: Alexandre Courbot <acourbot@...dia.com>
To: Alice Ryhl <aliceryhl@...gle.com>, Danilo Krummrich <dakr@...nel.org>, 
 Miguel Ojeda <ojeda@...nel.org>, Joel Fernandes <joelagnelf@...dia.com>, 
 Yury Norov <yury.norov@...il.com>, Jesung Yang <y.j3ms.n@...il.com>, 
 Boqun Feng <boqun.feng@...il.com>, Gary Guo <gary@...yguo.net>, 
 Björn Roy Baron <bjorn3_gh@...tonmail.com>, 
 Benno Lossin <lossin@...nel.org>, Andreas Hindborg <a.hindborg@...nel.org>, 
 Trevor Gross <tmgross@...ch.edu>
Cc: linux-kernel@...r.kernel.org, rust-for-linux@...r.kernel.org, 
 Alexandre Courbot <acourbot@...dia.com>
Subject: [PATCH v2 0/2] rust: add BitInt type and use in Nova's bitfield
 macro

Second non-RFC, with quite a few improvements - notably, the `From`
implementations from and to primitive types have been simplified, and I
guess that's the best I can do without the `generic_const_exprs`
feature. Another improvement is that the type invariants are now
enforced from a single place.

This series provides `BitInt`, a wrapper type for primitive integers
that guarantees that only a given number of bits are used to represent
values. This is particularly useful when working with bitfields, as the
guarantee that a given value fits within the number of assigned bits can
be enforced by the type system, saving cumbersome runtime checks, or
(worse) stripping data when bits are silently dropped.

Don't worry too much about the size; a lot of it is rustdoc. :)

For a basic usage, please see the rustdoc of the `BitInt` type on the
first patch.

The first use of this will be to represent bitfields in Nova register
types to guarantee that no data is ever stripped when manipulating them.
This should eventually allow the `bitfield` and `register` macros to
move out of Nova and into the kernel crate.

The second patch is here to illustrate the use of this module; it is not
intended to be merged this cycle as it would likely result in big merge
conflicts with the drm tree.

This series applies on top of drm-rust-next for the needs of the second
patch. The first patch should apply cleanly on rust-next. A branch with
this series and its dependencies is available here:

https://github.com/Gnurou/linux/tree/b4/bounded_ints

Signed-off-by: Alexandre Courbot <acourbot@...dia.com>
---
Changes in v2:
- Move type invariants of `BitInt` to a centralizing private
  constructor.
- Simplify `From` implementations to and from primitive types.
- Remove ability to convert between unsigned and signed types as it was
  buggy, and its utility doubtful.
- Use macro to implement `Integer` and avoid repeating code.
- Fix a few typos.
- More doctests, and split them into different paragraphs in the
  `BitInt` main doccomment.
- Fix build with Rust 1.78.
- Finish implementing relevant `core::ops` traits.
- Link to v1: https://lore.kernel.org/r/20251031-bounded_ints-v1-0-e2dbcd8fda71@nvidia.com

Changes in v1:
- Rebase on top of `drm-rust-next`.
- Rename `BoundedInt` to `BitInt` (thanks Yury!).
- Add lots of documentation.
- Use shifts to validate bounds, as it works with both unsigned and
  signed types contrary to the mask method.
- Support signed types (albeit with some bugs).
- Use `new` for the const static constructor and make it the preferred
  way to build values (thanks Alice and Joel!).
- Rename `LargerThanX` into `AtLeastX` (thanks Joel!).
- Support basic arithmetic operations (+, -, etc.) against the backing
  type.
- Add `Deref` implementation as alternative to the `get` method.
- Write correct `Default` implementation for bitfields.
- Make the new bitfield accessors `inline(always)`.
- Update bitfield documentation to the new usage.
- Link to RFC v2: https://lore.kernel.org/r/20251009-bounded_ints-v2-0-ff3d7fee3ffd@nvidia.com

Changes in RFC v2:
- Thorough implementation of `BoundedInt`.
- nova-core fully adapted to use `BoundedInt`.
- Link to RFC v1: https://lore.kernel.org/r/20251002-bounded_ints-v1-0-dd60f5804ea4@nvidia.com

---
Alexandre Courbot (2):
      rust: add BitInt integer wrapping type
      [FOR REFERENCE] gpu: nova-core: use BitInt for bitfields

 drivers/gpu/nova-core/bitfield.rs         |  366 ++++++-----
 drivers/gpu/nova-core/falcon.rs           |  134 ++--
 drivers/gpu/nova-core/falcon/hal/ga102.rs |    5 +-
 drivers/gpu/nova-core/fb/hal/ga100.rs     |    3 +-
 drivers/gpu/nova-core/gpu.rs              |    9 +-
 drivers/gpu/nova-core/regs.rs             |  139 ++--
 rust/kernel/lib.rs                        |    1 +
 rust/kernel/num.rs                        |   50 ++
 rust/kernel/num/bitint.rs                 | 1001 +++++++++++++++++++++++++++++
 9 files changed, 1405 insertions(+), 303 deletions(-)
---
base-commit: 9a3c2f8a4f84960a48c056d0da88de3d09e6d622
change-id: 20251001-bounded_ints-1d0457d9ae26

Best regards,
-- 
Alexandre Courbot <acourbot@...dia.com>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ