| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260127215744.332380fe.zhiw@nvidia.com>
Date: Tue, 27 Jan 2026 21:57:44 +0200
From: Zhi Wang <zhiw@...dia.com>
To: Jason Gunthorpe <jgg@...dia.com>
CC: <rust-for-linux@...r.kernel.org>, <linux-pci@...r.kernel.org>,
<linux-kernel@...r.kernel.org>, <dakr@...nel.org>, <aliceryhl@...gle.com>,
<bhelgaas@...gle.com>, <kwilczynski@...nel.org>, <ojeda@...nel.org>,
<alex.gaynor@...il.com>, <boqun.feng@...il.com>, <gary@...yguo.net>,
<bjorn3_gh@...tonmail.com>, <lossin@...nel.org>, <a.hindborg@...nel.org>,
<tmgross@...ch.edu>, <markus.probst@...teo.de>, <helgaas@...nel.org>,
<cjia@...dia.com>, <smitra@...dia.com>, <ankita@...dia.com>,
<aniketa@...dia.com>, <kwankhede@...dia.com>, <targupta@...dia.com>,
<acourbot@...dia.com>, <joelagnelf@...dia.com>, <jhubbard@...dia.com>,
<zhiwang@...nel.org>, <daniel.almeida@...labora.com>
Subject: Re: [PATCH v2 1/2] rust: introduce abstractions for fwctl
On Mon, 26 Jan 2026 14:19:12 -0400
Jason Gunthorpe <jgg@...dia.com> wrote:
> On Thu, Jan 22, 2026 at 10:42:30PM +0200, Zhi Wang wrote:
> > --- a/drivers/fwctl/Kconfig
> > +++ b/drivers/fwctl/Kconfig
> > @@ -8,6 +8,18 @@ menuconfig FWCTL
> > manipulating device FLASH, debugging, and other activities
> > that don't fit neatly into an existing subsystem.
> >
snip
> > +/// Represents a fwctl device type.
> > +///
> > +/// This enum corresponds to the C `enum fwctl_device_type` and is
> > used to identify +/// the specific firmware control interface
> > implemented by a device. +#[repr(u32)]
> > +#[derive(Copy, Clone, Debug, Eq, PartialEq)]
> > +pub enum DeviceType {
> > + /// Error/invalid device type.
> > + Error = bindings::fwctl_device_type_FWCTL_DEVICE_TYPE_ERROR,
> > + /// MLX5 device type.
> > + Mlx5 = bindings::fwctl_device_type_FWCTL_DEVICE_TYPE_MLX5,
> > + /// CXL device type.
> > + Cxl = bindings::fwctl_device_type_FWCTL_DEVICE_TYPE_CXL,
> > + /// PDS device type.
> > + Pds = bindings::fwctl_device_type_FWCTL_DEVICE_TYPE_PDS,
> > + /// Rust fwctl test device type.
> > + RustFwctlTest =
> > bindings::fwctl_device_type_FWCTL_DEVICE_TYPE_RUST_FWCTL_TEST, +}
>
> Do we really need these contentless comments?
>
I will try to remove them if the compiler allows me to do that in the next
re-spin.
> > +impl Device {
> > + /// # Safety
> > + ///
> > + /// `ptr` must be a valid pointer to a `struct fwctl_device`.
> > + unsafe fn from_raw<'a>(ptr: *mut bindings::fwctl_device) -> &'a
> > Self {
> > + // CAST: `Self` is a transparent wrapper around
> > `bindings::fwctl_device`.
> > + // SAFETY: By the safety requirement, `ptr` is valid.
> > + unsafe { &*ptr.cast() }
> > + }
snip
> > + // ensuring it remains valid during allocation.
> > + let dev = unsafe {
> > + bindings::_fwctl_alloc_device(
> > + parent.as_raw(),
> > + ops,
> > + core::mem::size_of::<bindings::fwctl_device>(),
> > + )
> > + };
> > +
> > + if dev.is_null() {
> > + return Err(ENOMEM);
> > + }
> > +
> > + // SAFETY: dev is guaranteed to be a valid pointer from
> > `_fwctl_alloc_device()`.
> > + let ret = unsafe { bindings::fwctl_register(dev) };
> > + if ret != 0 {
> > + // SAFETY: dev is guaranteed to be a valid pointer
> > from `_fwctl_alloc_device()`.
> > + unsafe {
> > + bindings::fwctl_put(dev);
> > + }
> > + return Err(Error::from_errno(ret));
> > + }
>
> This looks weirdly sequenced, the driver's object has to be fully
> initialized before you can call register, so it is quite strange to
> see a wrapper that does both alloc and register in one function.
>
The fwctl_alloc_device() helper allocates a raw struct fwctl_device
without private driver data here. The Rust driver object should be
already allocated and initialized separately before reaching this
point.
We rely on the standard dev->parent chain to access the rust driver
object from the fwctl callbacks.
> > + bindings::_fwctl_alloc_device(
> > + parent.as_raw(),
> > + ops,
> > + core::mem::size_of::<bindings::fwctl_device>(),
> > +// SAFETY: `Registration` can be sent to other threads because:
> > +// - It only contains a `NonNull<fwctl_device>` pointer and a
> > PhantomData marker +// - The underlying C fwctl_device is thread-safe
> > with internal locking +// - `Drop` calls
> > `fwctl_unregister()/fwctl_put()` which are safe from any sleepable
> > context
>
> fwctl_unregister is not safe from any context, it must be called
> while the Device is still bound.
>
The registration is wrapped in Devres<> in the sample driver, which
guarantees that drop is called while the Device is still bound.
I agree that the current abstraction itself does not strictly enforce this
(e.g., if the object is moved out of Devres). I will investigate an
approach to enforce this requirement in the next re-spin.
Z.
> Jason
>
Powered by blists - more mailing lists