From: "Eliot Courtney" <ecourtney@nvidia.com>
To: "Gary Guo" <gary@garyguo.net>,
"Alice Ryhl" <aliceryhl@google.com>,
"Eliot Courtney" <ecourtney@nvidia.com>
Cc: "David Airlie" <airlied@gmail.com>,
"Simona Vetter" <simona@ffwll.ch>,
"Danilo Krummrich" <dakr@kernel.org>,
"Miguel Ojeda" <ojeda@kernel.org>,
"Boqun Feng" <boqun@kernel.org>,
"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
"Benno Lossin" <lossin@kernel.org>,
"Andreas Hindborg" <a.hindborg@kernel.org>,
"Trevor Gross" <tmgross@umich.edu>,
"Alexandre Courbot" <acourbot@nvidia.com>,
dri-devel@lists.freedesktop.org, rust-for-linux@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] rust: drm: fix unsound initialization in drm::Device::new
Date: Fri, 01 May 2026 19:50:35 +0900
Message-ID: <DI7A6EZFQCV8.L8KA3WNETXYW@nvidia.com>
In-Reply-To: <DI5LUYIPIYB5.1CY8G9M7R5W6H@garyguo.net>
On Wed Apr 29, 2026 at 8:34 PM JST, Gary Guo wrote:
> On Wed Apr 29, 2026 at 9:03 AM BST, Alice Ryhl wrote:
>>
>>> @@ -133,6 +140,10 @@ pub fn new(dev: &device::Device, data: impl PinInit<T::Data, Error>) -> Result<A
>>> .cast();
>>> let raw_drm = NonNull::new(from_err_ptr(raw_drm)?).ok_or(ENOMEM)?;
>>>
>>> + // SAFETY: `raw_drm` is a valid pointer to `Self`, given that `__drm_dev_alloc` was
>>> + // successful.
>>> + let drm_dev = unsafe { Self::into_drm_device(raw_drm) };
>>> +
>>> // SAFETY: `raw_drm` is a valid pointer to `Self`.
>>> let raw_data = unsafe { ptr::addr_of_mut!((*raw_drm.as_ptr()).data) };
>>>
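Review bot: the SAFETY comment on the new `let drm_dev = unsafe { Self::into_drm_device(raw_drm) };` only states that `raw_drm` is a valid pointer to `Self`, but at this point the `data` field is still uninitialized (the following hunk's `__pinned_init(raw_data)` is what initializes it), so the comment should also state that `into_drm_device` merely derives the address of the embedded `drm_device` and never reads `data`; without that, moving the call ahead of initialization is not obviously justified.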
>>> @@ -140,15 +151,14 @@ pub fn new(dev: &device::Device, data: impl PinInit<T::Data, Error>) -> Result<A
>>> // - `raw_data` is a valid pointer to uninitialized memory.
>>> // - `raw_data` will not move until it is dropped.
>>> unsafe { data.__pinned_init(raw_data) }.inspect_err(|_| {
>>> - // SAFETY: `raw_drm` is a valid pointer to `Self`, given that `__drm_dev_alloc` was
>>> - // successful.
>>> - let drm_dev = unsafe { Self::into_drm_device(raw_drm) };
>>> -
>>> // SAFETY: `__drm_dev_alloc()` was successful, hence `drm_dev` must be valid and the
>>> // refcount must be non-zero.
>>> unsafe { bindings::drm_dev_put(drm_dev) };
>>> })?;
>>>
>>> + // SAFETY: `drm_dev` is still private to this function.
>>> + unsafe { (*drm_dev).driver = &Self::VTABLE };
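Review bot: the SAFETY comment on the final two `+` lines justifies only exclusive access ("`drm_dev` is still private to this function"), not the lifetime of the pointer being stored: `(*drm_dev).driver` outlives this function, so the comment should say why `&Self::VTABLE` is `'static`, and writing the borrow as `const { &Self::VTABLE }` makes that promotion checked by the compiler instead of assumed.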
>>
>> It would be bad if this ended up being a reference to a local variable.
>> Please use `&const { Self::VTABLE }` so that it doesn't compile if this
>> occurs.
>
> Self::VTABLE and `const {}` are both just constants and there's no difference
> here.
>
> If you want to guarantee static promotion it should be
>
> const { &Self::VTABLE }
>
> Best,
> Gary
Thanks all, I have done both of these things (const{&} + stack alloc).
The `drm_driver` struct is 200 bytes, for reference (w.r.t. stack
alloc).
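The static-promotion point raised above, as an added example that is not the kernel's code: a mock vtable stored as a raw pointer in a device struct, the way `(*drm_dev).driver` is set in the patch. The types `Vtable`, `Device`, `Driver` and `MockDriver` are hypothetical stand-ins for `bindings::drm_driver`, `drm_device` and the driver trait.

```rust
use core::ptr;

/// Stand-in for `bindings::drm_driver`: a table of function pointers
/// (hypothetical type, not the kernel's).
pub struct Vtable {
    pub name: &'static str,
    pub open: Option<fn() -> i32>,
}

/// Stand-in for the C `drm_device`, keeping only its `driver` field.
pub struct Device {
    pub driver: *const Vtable,
}

pub trait Driver {
    const VTABLE: Vtable;
    /// Borrow the vtable inside a `const` block: the expression is evaluated at
    /// compile time, so the result is `&'static Vtable` by construction. A borrow
    /// of a stack local (`let v = ...; &v`) would not have that type and this
    /// function would fail to type-check, which is the guarantee the thread wants.
    fn vtable_ref() -> &'static Vtable {
        const { &Self::VTABLE }
    }
}

impl Device {
    /// Mirrors the patch's final step: the driver table pointer is stored last,
    /// once the rest of the device is set up, and only from a `'static` source.
    pub fn new<T: Driver>() -> Device {
        let mut dev = Device { driver: ptr::null() };
        dev.driver = T::vtable_ref();
        dev
    }
    /// Read back through the stored pointer after `new` has returned. This is
    /// sound only because `driver` can never point at a dead stack frame.
    pub fn driver_name(&self) -> Option<&'static str> {
        // SAFETY: `driver` is null or came from `Driver::vtable_ref`, which is `'static`.
        unsafe { self.driver.as_ref() }.map(|v| v.name)
    }
    pub fn call_open(&self) -> Option<i32> {
        // SAFETY: same invariant as in `driver_name`.
        unsafe { self.driver.as_ref() }.and_then(|v| v.open).map(|f| f())
    }
}

fn mock_open() -> i32 { 0 }
pub struct MockDriver;
impl Driver for MockDriver {
    const VTABLE: Vtable = Vtable { name: "mock", open: Some(mock_open) };
}
```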
Thread overview:
2026-04-28 12:20 [PATCH] rust: drm: fix unsound initialization in drm::Device::new Eliot Courtney
2026-04-28 12:43 ` Danilo Krummrich
2026-04-28 12:50 ` Gary Guo
2026-04-28 13:13 ` Eliot Courtney
2026-04-29 8:03 ` Alice Ryhl
2026-04-29 11:34 ` Gary Guo
2026-05-01 10:50 ` Eliot Courtney [this message]