From: sashiko-bot@kernel.org
To: "Gary Guo" <gary@garyguo.net>
Cc: dri-devel@lists.freedesktop.org, linux-pci@vger.kernel.org,
ojeda@kernel.org, "Danilo Krummrich" <dakr@kernel.org>,
"Alexandre Courbot" <acourbot@nvidia.com>
Subject: Re: [PATCH v3 12/19] rust: io: add projection macro and methods
Date: Mon, 08 Jun 2026 20:13:59 +0000 [thread overview]
Message-ID: <20260608201400.7147A1F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260608-io_projection-v3-12-c5cde13a5ec4@garyguo.net>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] Unsound `AsBytes` implementation for `Region<SIZE>` leading to undefined behavior due to alignment padding.
- [Low] Incorrect use of `#[inline(always)]` on `ProjectHelper` methods, violating subsystem coding guidelines.
--
commit ab6f2e99706c5568aaec1a417178b7f6d1435b90
Author: Gary Guo <gary@garyguo.net>
rust: io: add projection macro and methods
Add a io_project!() macro allows projection from Io to a subview of it,
using the pointer projection mechanism to perform compile-time checks.
For cases where type-casting is required, the try_cast() function may be
used where the size and alignment checks are performed at runtime.
> diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
> index 9c2ea17ca87b5..173f8c0ba2d6c 100644
> --- a/rust/kernel/io.rs
> +++ b/rust/kernel/io.rs
[ ... ]
> @@ -92,6 +96,11 @@ fn size(p: *const Self) -> usize {
> }
> }
>
> +// SAFETY: I/O regions can compose of arbitrary bytes.
> +unsafe impl<const SIZE: usize> kernel::transmute::FromBytes for Region<SIZE> {}
> +// SAFETY: Values read from I/O are always treated as initialized.
> +unsafe impl<const SIZE: usize> kernel::transmute::AsBytes for Region<SIZE> {}
[Severity: High]
Does this implementation of AsBytes for Region<SIZE> introduce undefined
behavior due to alignment padding?
Region<SIZE> is defined with an alignment constraint and contains an
unsized [u8] field. Because core::mem::size_of_val for dynamically sized
types rounds the size up to a multiple of the alignment, a Region created
with a size that is not a multiple of 8 (on 64-bit systems) will include
trailing padding bytes.
Since AsBytes::as_bytes() relies on size_of_val(self) to slice the memory,
calling it on &Region<SIZE> could produce a &[u8] that extends past the
actual allocated length into out-of-bounds or uninitialized memory.
> +
> /// Raw representation of an MMIO region.
> ///
> /// `MmioRaw<T>` is equivalent to `T __iomem *` in C.
[ ... ]
> @@ -983,3 +1039,78 @@ pub fn relaxed(self) -> RelaxedMmio<'a, T> {
> // MMIO regions on 64-bit systems also support 64-bit accesses.
> #[cfg(CONFIG_64BIT)]
> impl_mmio_io_capable!(RelaxedMmioBackend, u64, readq_relaxed, writeq_relaxed);
> +
> +// This helper turns associated functions to methods so it can be invoked in macro.
> +// Used by `io_project!()` only.
> +#[doc(hidden)]
> +#[derive(Clone, Copy)]
> +pub struct ProjectHelper<T>(pub T);
> +
> +impl<'a, T> ProjectHelper<T>
> +where
> + T: Io<'a, Backend: IoBackend<View<'a, T::Target> = T>>,
> +{
> + // These helper methods must not have symbols present in binary to avoid confusion.
> + #[inline(always)]
> + pub fn as_ptr(self) -> *mut T::Target {
[Severity: Low]
This isn't a bug, but should this use #[inline] instead of #[inline(always)]?
According to the rust subsystem guidelines, functions that are small or
forwarding to a binding call in abstractions should be annotated with
#[inline].
The #[inline(always)] annotation should be reserved for functions using
build_assert!() that depend on function parameters.
> + T::Backend::as_ptr(self.0)
> + }
> +
> + /// # Safety
> + ///
> + /// Same as `IoBackend::project_view`
> + #[inline(always)]
> + pub unsafe fn project_view<U: ?Sized + KnownSize>(
[Severity: Low]
This isn't a bug, but should this use #[inline] instead of #[inline(always)]?
According to the rust subsystem guidelines, functions that are small or
forwarding to a binding call in abstractions should be annotated with
#[inline].
The #[inline(always)] annotation should be reserved for functions using
build_assert!() that depend on function parameters.
> + self,
> + ptr: *mut U,
> + ) -> <T::Backend as IoBackend>::View<'a, U> {
> + // SAFETY: Per safety requirement.
> + unsafe { T::Backend::project_view::<T::Target, _>(self.0, ptr) }
> + }
> +}
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260608-io_projection-v3-0-c5cde13a5ec4@garyguo.net?part=12
next prev parent reply other threads:[~2026-06-08 20:14 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-08 19:58 [PATCH v3 00/19] rust: I/O type generalization and projection Gary Guo
2026-06-08 19:58 ` [PATCH v3 01/19] rust: io: add dynamically-sized `Region` type Gary Guo
2026-06-08 23:52 ` Gary Guo
2026-06-08 19:58 ` [PATCH v3 02/19] rust: io: add missing safety requirement in `IoCapable` methods Gary Guo
2026-06-08 20:13 ` sashiko-bot
2026-06-08 19:59 ` [PATCH v3 03/19] rust: io: restrict untyped IO access and `register!` to `Region` Gary Guo
2026-06-08 19:59 ` [PATCH v3 04/19] rust: io: implement `Io` on reference types instead Gary Guo
2026-06-08 19:59 ` [PATCH v3 05/19] rust: io: generalize `MmioRaw` to pointer to arbitrary type Gary Guo
2026-06-08 20:14 ` sashiko-bot
2026-06-08 19:59 ` [PATCH v3 06/19] rust: io: rename `Mmio` to `MmioOwned` Gary Guo
2026-06-08 19:59 ` [PATCH v3 07/19] rust: io: implement `Mmio` as view type Gary Guo
2026-06-08 20:15 ` sashiko-bot
2026-06-08 19:59 ` [PATCH v3 08/19] rust: pci: io: make `ConfigSpace` a view Gary Guo
2026-06-08 20:11 ` sashiko-bot
2026-06-08 19:59 ` [PATCH v3 09/19] rust: io: use view types instead of addresses for `Io` Gary Guo
2026-06-08 19:59 ` [PATCH v3 10/19] rust: io: remove `MmioOwned` Gary Guo
2026-06-08 20:12 ` sashiko-bot
2026-06-08 19:59 ` [PATCH v3 11/19] rust: io: move `Io` methods to extension trait Gary Guo
2026-06-08 19:59 ` [PATCH v3 12/19] rust: io: add projection macro and methods Gary Guo
2026-06-08 20:13 ` sashiko-bot [this message]
2026-06-08 19:59 ` [PATCH v3 13/19] rust: io: add I/O backend for system memory with volatile access Gary Guo
2026-06-08 20:09 ` sashiko-bot
2026-06-08 19:59 ` [PATCH v3 14/19] rust: io: implement a view type for `Coherent` Gary Guo
2026-06-08 20:18 ` sashiko-bot
2026-06-08 19:59 ` [PATCH v3 15/19] rust: io: add `read_val` and `write_val` function on `Io` Gary Guo
2026-06-08 19:59 ` [PATCH v3 16/19] gpu: nova-core: use I/O projection for cleaner encapsulation Gary Guo
2026-06-08 19:59 ` [PATCH v3 17/19] rust: dma: drop `dma_read!` and `dma_write!` API Gary Guo
2026-06-08 19:59 ` [PATCH v3 18/19] rust: io: add copying methods Gary Guo
2026-06-08 20:20 ` sashiko-bot
2026-06-08 19:59 ` [PATCH v3 19/19] rust: io: implement `Io` for `Either` Gary Guo
2026-06-08 21:22 ` [PATCH v3 00/19] rust: I/O type generalization and projection Danilo Krummrich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260608201400.7147A1F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=acourbot@nvidia.com \
--cc=dakr@kernel.org \
--cc=dri-devel@lists.freedesktop.org \
--cc=gary@garyguo.net \
--cc=linux-pci@vger.kernel.org \
--cc=ojeda@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.