From: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
To: FUJITA Tomonori <tomo@exabit.dev>
Cc: rust-for-linux@vger.kernel.org, aliceryhl@google.com,
andrew@lunn.ch, fujita.tomonori@gmail.com
Subject: Re: [PATCH v2 1/5] rust: core abstractions for network device drivers
Date: Mon, 12 Jun 2023 15:26:24 +0200 [thread overview]
Message-ID: <CANiq72nW4+dL-7516ARPg371rmOejSZaa6veQrUG77una7xBig@mail.gmail.com> (raw)
In-Reply-To: <01010188adfdd516-4ddbccb3-ec96-4a6d-b3eb-976adc591ba3-000000@us-west-2.amazonses.com>
On Mon, Jun 12, 2023 at 7:04 AM FUJITA Tomonori <tomo@exabit.dev> wrote:
>
> Sorry, obviously, I didn't understand comments about safety. Aded `#
> Invariants` section to both structures.
>
> I've updated the comments and put the fixed version at the end. Can
> you check again? If it looks fine, I'll update the comments in the
> rest of patches.
Looks better now (without having checked if they are correct w.r.t.
what the C side guarantees) -- thanks! A couple comments below.
> + /// Gets a pointer to network device private data.
> + ///
> + /// A driver in C uses contiguous memory `struct net_device` and its private data.
> + /// A driver in Rust contiguous memory `struct net_device` and a pointer to its private data.
> + /// So a driver in Rust pays extra cost to access to its private data.
> + /// A device driver passes an properly initialized private data and the kernel saves
> + /// its pointer.
> + fn priv_data_ptr(&self) -> *const c_void {
> + // SAFETY: The type invariants guarantee that `self.0` is valid.
> + unsafe { core::ptr::read(bindings::netdev_priv(self.0) as *const *const c_void) }
> + }
Part of the docs of this function should probably be moved to the
`SAFETY` comment, since it is needed to justify the `ptr::read` (and
it is an implementation detail): `self.0` is valid here, but we need
to justify why reading from the returned pointer from `netdev_priv` is
OK, and for that one needs to know the layout explained in the docs
above.
Also, in general, please always aim to minimize what `unsafe` blocks
cover. For instance, here there should be two blocks: one for the FFI
call, and the other for the pointer read. Splitting such blocks makes
it very clear that there are two different proofs needed here.
> + // SAFETY: `ptr` is valid and non-null since `alloc_etherdev_mqs()`
> + // returned a valid pointer which was null-checked.
> + let dev = unsafe {
> + let priv_ptr = bindings::netdev_priv(ptr) as *mut *const c_void;
> + core::ptr::write(priv_ptr, data.into_foreign());
> + Device::from_ptr(ptr)
> + };
Similarly here, i.e. the `SAFETY` comment does not mention why is
`priv_ptr` valid for the `ptr::write`.
Cheers,
Miguel
next prev parent reply other threads:[~2023-06-12 13:26 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20230610071848.3722492-1-tomo@exabit.dev>
2023-06-10 7:20 ` [PATCH v2 1/5] rust: core abstractions for network device drivers FUJITA Tomonori
2023-06-10 14:11 ` Andrew Lunn
2023-06-11 8:03 ` Alice Ryhl
2023-06-11 15:30 ` Andrew Lunn
2023-06-11 17:48 ` Miguel Ojeda
2023-06-12 6:47 ` FUJITA Tomonori
2023-06-12 12:46 ` Andrew Lunn
2023-06-10 19:49 ` Miguel Ojeda
2023-06-12 5:04 ` FUJITA Tomonori
2023-06-12 13:26 ` Miguel Ojeda [this message]
2023-06-10 7:20 ` [PATCH v2 3/5] rust: add support for get_stats64 in struct net_device_ops FUJITA Tomonori
2023-06-10 7:20 ` [PATCH v2 5/5] samples: rust: add dummy network driver FUJITA Tomonori
2023-06-10 16:59 ` Andrew Lunn
2023-06-12 7:02 ` FUJITA Tomonori
2023-06-10 19:14 ` Miguel Ojeda
2023-06-10 7:20 ` [PATCH v2 2/5] rust: add support for ethernet operations FUJITA Tomonori
2023-06-10 16:48 ` Andrew Lunn
2023-06-12 6:51 ` FUJITA Tomonori
2023-06-10 19:14 ` Miguel Ojeda
2023-06-12 8:51 ` FUJITA Tomonori
2023-06-12 13:35 ` Miguel Ojeda
2023-06-10 7:20 ` [PATCH v2 4/5] rust: add methods for configure net_device FUJITA Tomonori
2023-07-10 7:36 [PATCH v2 0/5] Rust abstractions for network device drivers FUJITA Tomonori
2023-07-10 7:36 ` [PATCH v2 1/5] rust: core " FUJITA Tomonori
2023-07-14 18:59 ` Benno Lossin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CANiq72nW4+dL-7516ARPg371rmOejSZaa6veQrUG77una7xBig@mail.gmail.com \
--to=miguel.ojeda.sandonis@gmail.com \
--cc=aliceryhl@google.com \
--cc=andrew@lunn.ch \
--cc=fujita.tomonori@gmail.com \
--cc=rust-for-linux@vger.kernel.org \
--cc=tomo@exabit.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).