Require unsafe blocks in unsafe functions
Some hopefully harmless refactoring. Only minor behavioral changes are
introduced.
Turn on the unsafe_op_in_unsafe_fn lint, treated as an error, for all
our low-level code, to ensure that unsafe code is properly highlighted
& commented even inside unsafe functions. I've moved the setting from
the code to the blueprint in order to make it the default for new
code, and reduce clutter.
Add unsafe blocks as required to fix all the errors that this
surfaced, with appropriate safety comments. I've tried to keep them as
small as possible.
Slightly to my surprise I removed the unsafe marker from malloc_ (and
renamed it in passing); I believe it has no preconditions and is
always safe - although doing anything with the returned memory
wouldn't be.
Bug: 275693559
Test: flash pvmfw, atest MicrodroidTests
Change-Id: Ia6f39102caea05c6517bc7500914b7fe7025286c
diff --git a/pvmfw/src/entry.rs b/pvmfw/src/entry.rs
index 1309d73..f625f1a 100644
--- a/pvmfw/src/entry.rs
+++ b/pvmfw/src/entry.rs
@@ -309,7 +309,9 @@
// pvmfw is contained in a 2MiB region so the payload can't be larger than the 2MiB alignment.
let size = helpers::align_up(base, helpers::SIZE_2MB).unwrap() - base;
- slice::from_raw_parts_mut(base as *mut u8, size)
+ // SAFETY: This region is mapped and the linker script prevents it from overlapping with other
+ // objects.
+ unsafe { slice::from_raw_parts_mut(base as *mut u8, size) }
}
enum AppendedConfigType {
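Review bot: The SAFETY comment on the new `unsafe { slice::from_raw_parts_mut(...) }` block covers only two of the function's preconditions (the region is mapped, no overlap with other objects); it should also record the aliasing requirement that `slice::from_raw_parts_mut` imposes, namely that no other reference to `[base, base + size)` exists for the lifetime of the returned slice, and that `size` stays within `isize::MAX`. Stating both makes the comment a complete justification rather than a partial one, e.g. "// SAFETY: This region is mapped, the linker script prevents it from overlapping with other objects, and this is the only reference to it for the lifetime of the slice."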
@@ -328,8 +330,13 @@
impl<'a> AppendedPayload<'a> {
/// SAFETY - 'data' should respect the alignment of config::Header.
unsafe fn new(data: &'a mut [u8]) -> Option<Self> {
- match Self::guess_config_type(data) {
- AppendedConfigType::Valid => Some(Self::Config(config::Config::new(data).unwrap())),
+ // Safety: This fn has the same constraint as us.
+ match unsafe { Self::guess_config_type(data) } {
+ AppendedConfigType::Valid => {
+ // Safety: This fn has the same constraint as us.
+ let config = unsafe { config::Config::new(data) };
+ Some(Self::Config(config.unwrap()))
+ }
AppendedConfigType::NotFound if cfg!(feature = "legacy") => {
const BCC_SIZE: usize = helpers::SIZE_4KB;
warn!("Assuming the appended data at {:?} to be a raw BCC", data.as_ptr());
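Review bot: The two new `// Safety: This fn has the same constraint as us.` comments are not self-contained: a reader of the inner `unsafe` block has to scroll up to the `/// SAFETY - 'data' should respect the alignment of config::Header.` doc comment to learn what the constraint is. Restate the precondition at the call site (e.g. "// SAFETY: `data` is aligned to `config::Header`, as required by this fn's own contract.") and use the same `// SAFETY:` spelling as the first hunk so the comments are consistent across the file (clippy's `undocumented_unsafe_blocks` lint looks for that exact prefix). The doc comment itself would be more conventional as a rustdoc `/// # Safety` section than as `/// SAFETY - ...`.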
@@ -339,11 +346,14 @@
}
}
+ /// SAFETY - 'data' should respect the alignment of config::Header.
unsafe fn guess_config_type(data: &mut [u8]) -> AppendedConfigType {
// This function is necessary to prevent the borrow checker from getting confused
// about the ownership of data in new(); see https://users.rust-lang.org/t/78467.
let addr = data.as_ptr();
- match config::Config::new(data) {
+
+ // Safety: This fn has the same constraint as us.
+ match unsafe { config::Config::new(data) } {
Err(config::Error::InvalidMagic) => {
warn!("No configuration data found at {addr:?}");
AppendedConfigType::NotFound
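Review bot: Adding the `/// SAFETY - 'data' should respect the alignment of config::Header.` doc comment to `guess_config_type` is the right fix for a previously undocumented `unsafe fn`, but the rustdoc convention is a `/// # Safety` heading, and "should respect" reads as advice rather than a requirement; "must be aligned to `config::Header`" states the contract the caller is bound by. The inserted blank line after `let addr = data.as_ptr();` is an unrelated whitespace change and could be dropped to keep the diff to the lint fix described in the commit message.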