From: sashiko-bot@kernel.org
To: "Gary Guo" <gary@garyguo.net>
Cc: dri-devel@lists.freedesktop.org, linux-pci@vger.kernel.org,
ojeda@kernel.org, "Danilo Krummrich" <dakr@kernel.org>,
"Alexandre Courbot" <acourbot@nvidia.com>
Subject: Re: [PATCH v3 12/19] rust: io: add projection macro and methods
Date: Mon, 08 Jun 2026 20:13:59 +0000 [thread overview]
Message-ID: <20260608201400.7147A1F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260608-io_projection-v3-12-c5cde13a5ec4@garyguo.net>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] Unsound `AsBytes` implementation for `Region<SIZE>` leading to undefined behavior due to alignment padding.
- [Low] Incorrect use of `#[inline(always)]` on `ProjectHelper` methods, violating subsystem coding guidelines.
--
commit ab6f2e99706c5568aaec1a417178b7f6d1435b90
Author: Gary Guo <gary@garyguo.net>
rust: io: add projection macro and methods
Add a io_project!() macro allows projection from Io to a subview of it,
using the pointer projection mechanism to perform compile-time checks.
For cases where type-casting is required, the try_cast() function may be
used where the size and alignment checks are performed at runtime.
> diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
> index 9c2ea17ca87b5..173f8c0ba2d6c 100644
> --- a/rust/kernel/io.rs
> +++ b/rust/kernel/io.rs
[ ... ]
> @@ -92,6 +96,11 @@ fn size(p: *const Self) -> usize {
> }
> }
>
> +// SAFETY: I/O regions can compose of arbitrary bytes.
> +unsafe impl<const SIZE: usize> kernel::transmute::FromBytes for Region<SIZE> {}
> +// SAFETY: Values read from I/O are always treated as initialized.
> +unsafe impl<const SIZE: usize> kernel::transmute::AsBytes for Region<SIZE> {}
[Severity: High]
Does this implementation of AsBytes for Region<SIZE> introduce undefined
behavior due to alignment padding?
Region<SIZE> is defined with an alignment constraint and contains an
unsized [u8] field. Because core::mem::size_of_val for dynamically sized
types rounds the size up to a multiple of the alignment, a Region created
with a size that is not a multiple of 8 (on 64-bit systems) will include
trailing padding bytes.
Since AsBytes::as_bytes() relies on size_of_val(self) to slice the memory,
calling it on &Region<SIZE> could produce a &[u8] that extends past the
actual allocated length into out-of-bounds or uninitialized memory.
> +
> /// Raw representation of an MMIO region.
> ///
> /// `MmioRaw<T>` is equivalent to `T __iomem *` in C.
[ ... ]
> @@ -983,3 +1039,78 @@ pub fn relaxed(self) -> RelaxedMmio<'a, T> {
> // MMIO regions on 64-bit systems also support 64-bit accesses.
> #[cfg(CONFIG_64BIT)]
> impl_mmio_io_capable!(RelaxedMmioBackend, u64, readq_relaxed, writeq_relaxed);
> +
> +// This helper turns associated functions to methods so it can be invoked in macro.
> +// Used by `io_project!()` only.
> +#[doc(hidden)]
> +#[derive(Clone, Copy)]
> +pub struct ProjectHelper<T>(pub T);
> +
> +impl<'a, T> ProjectHelper<T>
> +where
> + T: Io<'a, Backend: IoBackend<View<'a, T::Target> = T>>,
> +{
> + // These helper methods must not have symbols present in binary to avoid confusion.
> + #[inline(always)]
> + pub fn as_ptr(self) -> *mut T::Target {
[Severity: Low]
This isn't a bug, but should this use #[inline] instead of #[inline(always)]?
According to the rust subsystem guidelines, functions that are small or
forwarding to a binding call in abstractions should be annotated with
#[inline].
The #[inline(always)] annotation should be reserved for functions using
build_assert!() that depend on function parameters.
> + T::Backend::as_ptr(self.0)
> + }
> +
> + /// # Safety
> + ///
> + /// Same as `IoBackend::project_view`
> + #[inline(always)]
> + pub unsafe fn project_view<U: ?Sized + KnownSize>(
[Severity: Low]
This isn't a bug, but should this use #[inline] instead of #[inline(always)]?
According to the rust subsystem guidelines, functions that are small or
forwarding to a binding call in abstractions should be annotated with
#[inline].
The #[inline(always)] annotation should be reserved for functions using
build_assert!() that depend on function parameters.
> + self,
> + ptr: *mut U,
> + ) -> <T::Backend as IoBackend>::View<'a, U> {
> + // SAFETY: Per safety requirement.
> + unsafe { T::Backend::project_view::<T::Target, _>(self.0, ptr) }
> + }
> +}
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260608-io_projection-v3-0-c5cde13a5ec4@garyguo.net?part=12
next prev parent reply other threads:[~2026-06-08 20:14 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-08 19:58 [PATCH v3 00/19] rust: I/O type generalization and projection Gary Guo
2026-06-08 19:58 ` [PATCH v3 01/19] rust: io: add dynamically-sized `Region` type Gary Guo
2026-06-08 23:52 ` Gary Guo
2026-06-08 19:58 ` [PATCH v3 02/19] rust: io: add missing safety requirement in `IoCapable` methods Gary Guo
2026-06-08 20:13 ` sashiko-bot
2026-06-08 19:59 ` [PATCH v3 03/19] rust: io: restrict untyped IO access and `register!` to `Region` Gary Guo
2026-06-08 19:59 ` [PATCH v3 04/19] rust: io: implement `Io` on reference types instead Gary Guo
2026-06-08 19:59 ` [PATCH v3 05/19] rust: io: generalize `MmioRaw` to pointer to arbitrary type Gary Guo
2026-06-08 20:14 ` sashiko-bot
2026-06-08 19:59 ` [PATCH v3 06/19] rust: io: rename `Mmio` to `MmioOwned` Gary Guo
2026-06-08 19:59 ` [PATCH v3 07/19] rust: io: implement `Mmio` as view type Gary Guo
2026-06-08 20:15 ` sashiko-bot
2026-06-08 19:59 ` [PATCH v3 08/19] rust: pci: io: make `ConfigSpace` a view Gary Guo
2026-06-08 20:11 ` sashiko-bot
2026-06-08 19:59 ` [PATCH v3 09/19] rust: io: use view types instead of addresses for `Io` Gary Guo
2026-06-08 19:59 ` [PATCH v3 10/19] rust: io: remove `MmioOwned` Gary Guo
2026-06-08 20:12 ` sashiko-bot
2026-06-08 19:59 ` [PATCH v3 11/19] rust: io: move `Io` methods to extension trait Gary Guo
2026-06-08 19:59 ` [PATCH v3 12/19] rust: io: add projection macro and methods Gary Guo
2026-06-08 20:13 ` sashiko-bot [this message]
2026-06-08 19:59 ` [PATCH v3 13/19] rust: io: add I/O backend for system memory with volatile access Gary Guo
2026-06-08 20:09 ` sashiko-bot
2026-06-08 19:59 ` [PATCH v3 14/19] rust: io: implement a view type for `Coherent` Gary Guo
2026-06-08 20:18 ` sashiko-bot
2026-06-08 19:59 ` [PATCH v3 15/19] rust: io: add `read_val` and `write_val` function on `Io` Gary Guo
2026-06-08 19:59 ` [PATCH v3 16/19] gpu: nova-core: use I/O projection for cleaner encapsulation Gary Guo
2026-06-08 19:59 ` [PATCH v3 17/19] rust: dma: drop `dma_read!` and `dma_write!` API Gary Guo
2026-06-08 19:59 ` [PATCH v3 18/19] rust: io: add copying methods Gary Guo
2026-06-08 20:20 ` sashiko-bot
2026-06-08 19:59 ` [PATCH v3 19/19] rust: io: implement `Io` for `Either` Gary Guo
2026-06-08 21:22 ` [PATCH v3 00/19] rust: I/O type generalization and projection Danilo Krummrich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260608201400.7147A1F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=acourbot@nvidia.com \
--cc=dakr@kernel.org \
--cc=dri-devel@lists.freedesktop.org \
--cc=gary@garyguo.net \
--cc=linux-pci@vger.kernel.org \
--cc=ojeda@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox