* [PATCH] rust: io: require proper alignment in the safety contracts of `IoCapable`
From: Alexandre Courbot @ 2026-06-08 8:14 UTC
To: Danilo Krummrich, Alice Ryhl, Daniel Almeida, Miguel Ojeda,
Boqun Feng, Gary Guo, Björn Roy Baron, Benno Lossin,
Andreas Hindborg, Trevor Gross
Cc: driver-core, rust-for-linux, linux-kernel, Alexandre Courbot

The addresses passed to `io_read` and `io_write` must be properly
aligned, but the safety contract only mentions a valid range as a
requirement.

Add alignment to the requirements. The existing call sites already
obtain the address through `io_addr()` or `io_addr_assert()`, which
both check alignment, so no code changes are needed to them.

Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
---
I noticed this when reviewing the GEM SHMEM series; it is probably better to
explicitly mention this requirement.
---
rust/kernel/io.rs | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
index fcc7678fd9e3..854932d1cb72 100644
--- a/rust/kernel/io.rs
+++ b/rust/kernel/io.rs
@@ -166,14 +166,16 @@ pub trait IoCapable<T> {
///
/// # Safety
///
- /// The range `[address..address + size_of::<T>()]` must be within the bounds of `Self`.
+ /// - The range `[address..address + size_of::<T>()]` must be within the bounds of `Self`.
+ /// - `address` must be properly aligned for `T`.
unsafe fn io_read(&self, address: usize) -> T;
/// Performs an I/O write of `value` at `address`.
///
/// # Safety
///
- /// The range `[address..address + size_of::<T>()]` must be within the bounds of `Self`.
+ /// - The range `[address..address + size_of::<T>()]` must be within the bounds of `Self`.
+ /// - `address` must be properly aligned for `T`.
unsafe fn io_write(&self, value: T, address: usize);
}
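Review bot: In both added bullets, "properly aligned for `T`" does not say which alignment is meant for an address that is passed as a plain `usize`. Consider stating the condition concretely, for example "`address` must be a multiple of `align_of::<T>()`", or whichever condition `io_addr()` and `io_addr_assert()` actually check, so that implementers and callers of `io_read` and `io_write` rely on the same obligation.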
---
base-commit: 46def663dd34da36464ba059f7cfeacf29d98e5e
change-id: 20260607-iocapable-align-fa8bf1ac7208
Best regards,
--
Alexandre Courbot <acourbot@nvidia.com>
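An added illustration, not code from the patch or from the kernel tree: a user-space Rust model of a safe wrapper that establishes both conditions of such a contract (bounds and alignment) before calling an unsafe accessor. `IoInt`, `Region`, `checked_addr`, `try_read` and `raw_read` are hypothetical names, and testing alignment against `align_of::<T>()` is an assumption.

```rust
use std::mem::{align_of, size_of};

/// Hypothetical marker: plain integers, for which every bit pattern is valid.
pub unsafe trait IoInt: Copy {}
unsafe impl IoInt for u8 {}
unsafe impl IoInt for u32 {}

/// Constructed stand-in for an I/O region: base address plus length in bytes.
pub struct Region { base: usize, len: usize }

impl Region {
    /// Hypothetical helper: absolute address for `offset`, or `None` unless a
    /// `T` there is both in bounds and aligned (assumed: `align_of::<T>()`).
    pub fn checked_addr<T>(&self, offset: usize) -> Option<usize> {
        let end = offset.checked_add(size_of::<T>())?; // reject wrap-around
        if end > self.len {
            return None; // range leaves the region
        }
        let addr = self.base.checked_add(offset)?;
        if addr % align_of::<T>() != 0 {
            return None; // absolute address is misaligned for T
        }
        Some(addr)
    }

    /// Safe read built on the unsafe primitive below.
    pub fn try_read<T: IoInt>(&self, offset: usize) -> Option<T> {
        let addr = self.checked_addr::<T>(offset)?;
        // SAFETY: `checked_addr` proved the range is inside the region and that
        // `addr` is aligned for `T`; `IoInt` types accept any bit pattern.
        Some(unsafe { raw_read::<T>(addr) })
    }
}

/// # Safety
/// - `addr..addr + size_of::<T>()` must be valid for reads.
/// - `addr` must be properly aligned for `T`.
unsafe fn raw_read<T: Copy>(addr: usize) -> T {
    unsafe { std::ptr::read_volatile(addr as *const T) }
}

/// Exercises the checks on a constructed 16-byte, 8-byte-aligned buffer:
/// aligned in-bounds read, misaligned offset, out-of-bounds offset, last byte.
pub fn demo() -> (Option<u32>, Option<u32>, Option<u32>, Option<u8>) {
    #[repr(align(8))]
    struct Buf([u8; 16]);
    let buf = Buf([0x11; 16]);
    let r = Region { base: buf.0.as_ptr() as usize, len: 16 };
    (r.try_read(4), r.try_read(2), r.try_read(14), r.try_read(15))
}
fn main() { println!("{:?}", demo()); }
```

The alignment test is applied to the absolute address rather than the offset, so an offset that looks aligned is still rejected when the region base is not.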
* Re: [PATCH] rust: io: require proper alignment in the safety contracts of `IoCapable`
From: Gary Guo @ 2026-06-08 10:33 UTC
To: Alexandre Courbot, Danilo Krummrich, Alice Ryhl, Daniel Almeida,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross
Cc: driver-core, rust-for-linux, linux-kernel
On Mon Jun 8, 2026 at 9:14 AM BST, Alexandre Courbot wrote:
> The addresses passed to `io_read` and `io_write` must be properly
> aligned, but the safety contract only mentions a valid range as a
> requirement.
>
> Add alignment to the requirements. The existing call sites already
> obtain the address through `io_addr()` or `io_addr_assert()`, which
> both check alignment, so no code changes are needed to them.
>
> Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
There is
https://lore.kernel.org/rust-for-linux/20260421-io_projection-v2-4-4c251c692ef4@garyguo.net/.

Although this patch will be gone from v3, as `IoCapable` is not going to be
unsafe anymore.

Best,
Gary
> ---
> I noticed this when reviewing the GEM SHMEM series; it is probably better to
> explicitly mention this requirement.
> ---
> rust/kernel/io.rs | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
> index fcc7678fd9e3..854932d1cb72 100644
> --- a/rust/kernel/io.rs
> +++ b/rust/kernel/io.rs
> @@ -166,14 +166,16 @@ pub trait IoCapable<T> {
> ///
> /// # Safety
> ///
> - /// The range `[address..address + size_of::<T>()]` must be within the bounds of `Self`.
> + /// - The range `[address..address + size_of::<T>()]` must be within the bounds of `Self`.
> + /// - `address` must be properly aligned for `T`.
> unsafe fn io_read(&self, address: usize) -> T;
>
> /// Performs an I/O write of `value` at `address`.
> ///
> /// # Safety
> ///
> - /// The range `[address..address + size_of::<T>()]` must be within the bounds of `Self`.
> + /// - The range `[address..address + size_of::<T>()]` must be within the bounds of `Self`.
> + /// - `address` must be properly aligned for `T`.
> unsafe fn io_write(&self, value: T, address: usize);
> }
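Review bot: The range bullet in both `# Safety` sections is rewritten here but keeps the notation `[address..address + size_of::<T>()]`, which wraps Rust's half-open `..` in closed brackets and so reads ambiguously at the upper bound. Since the line is touched anyway, write it as `address..address + size_of::<T>()` or state explicitly that the end is exclusive.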
>
>
> ---
> base-commit: 46def663dd34da36464ba059f7cfeacf29d98e5e
> change-id: 20260607-iocapable-align-fa8bf1ac7208
>
> Best regards,
> --
> Alexandre Courbot <acourbot@nvidia.com>
* Re: [PATCH] rust: io: require proper alignment in the safety contracts of `IoCapable`
From: Alexandre Courbot @ 2026-06-09 11:30 UTC
To: Gary Guo
Cc: Danilo Krummrich, Alice Ryhl, Daniel Almeida, Miguel Ojeda,
Boqun Feng, Björn Roy Baron, Benno Lossin, Andreas Hindborg,
Trevor Gross, driver-core, rust-for-linux, linux-kernel
On Mon Jun 8, 2026 at 7:33 PM JST, Gary Guo wrote:
> On Mon Jun 8, 2026 at 9:14 AM BST, Alexandre Courbot wrote:
>> The addresses passed to `io_read` and `io_write` must be properly
>> aligned, but the safety contract only mentions a valid range as a
>> requirement.
>>
>> Add alignment to the requirements. The existing call sites already
>> obtain the address through `io_addr()` or `io_addr_assert()`, which
>> both check alignment, so no code changes are needed to them.
>>
>> Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
>
> There is
> https://lore.kernel.org/rust-for-linux/20260421-io_projection-v2-4-4c251c692ef4@garyguo.net/.
>
> Although this patch will be gone from v3, as `IoCapable` is not going to be
> unsafe anymore.
Ah, perfect! Dropping this patch then.