From 56b9ef46bbcad945dd583bdae62ad75ac3f66ff7 Mon Sep 17 00:00:00 2001
From: Viresh Kumar
Date: Tue, 8 Nov 2022 13:17:09 +0530
Subject: [PATCH] Add SAFETY comments
Add SAFETY comments to fix clippy warnings.
Signed-off-by: Viresh Kumar
---
crates/gpio/src/gpio.rs | 6 ++++++
crates/gpio/src/vhu_gpio.rs | 10 ++++++++++
crates/i2c/src/i2c.rs | 12 ++++++------
crates/i2c/src/vhu_i2c.rs | 4 ++++
crates/vsock/src/thread_backend.rs | 9 +++++++--
crates/vsock/src/txbuf.rs | 4 ++++
crates/vsock/src/vhu_vsock.rs | 2 ++
crates/vsock/src/vhu_vsock_thread.rs | 1 +
8 files changed, 40 insertions(+), 8 deletions(-)
diff --git a/crates/gpio/src/gpio.rs b/crates/gpio/src/gpio.rs
index 5171983..1f7a991 100644
--- a/crates/gpio/src/gpio.rs
+++ b/crates/gpio/src/gpio.rs
@@ -87,6 +87,8 @@ pub(crate) struct VirtioGpioConfig {
 pub(crate) gpio_names_size: Le32,
 }
+// SAFETY: The layout of the structure is fixed and can be initialized by
+// reading its content from byte array.
 unsafe impl ByteValued for VirtioGpioConfig {}
 /// Trait that represents an GPIO Device.
@@ -123,7 +125,11 @@ pub(crate) struct PhysDevice {
 state: Vec>,
 }
+// SAFETY: Safe as the structure can be sent to another thread.
 unsafe impl Send for PhysDevice {}
+
+// SAFETY: Safe as the structure can be shared with another thread as the state
+// is protected with a lock.
 unsafe impl Sync for PhysDevice {}
 impl GpioDevice for PhysDevice {
diff --git a/crates/gpio/src/vhu_gpio.rs b/crates/gpio/src/vhu_gpio.rs
index 406c4ca..ea259df 100644
--- a/crates/gpio/src/vhu_gpio.rs
+++ b/crates/gpio/src/vhu_gpio.rs
@@ -92,6 +92,8 @@ struct VirtioGpioRequest {
 gpio: Le16,
 value: Le32,
 }
+// SAFETY: The layout of the structure is fixed and can be initialized by
+// reading its content from byte array.
 unsafe impl ByteValued for VirtioGpioRequest {}
 /// Virtio GPIO IRQ Request / Response
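Review bot: The SAFETY comment above `unsafe impl ByteValued for VirtioGpioConfig {}` restates the conclusion ("layout is fixed") rather than the invariant the trait actually demands, so it does not let a reader check the impl. If this is vm-memory's `ByteValued`, the obligations are that the struct is `#[repr(C)]`, that every field accepts every bit pattern (the visible `Le32` does, but the other fields and the repr attribute are above the hunk), and that there is no padding whose bytes would be exposed uninitialized. Suggest `// SAFETY: VirtioGpioConfig is #[repr(C)] and contains only Le16/Le32 fields (no padding, every bit pattern valid), so it can be read from and written to an arbitrary byte slice.`, and the same concrete wording in place of the identical template in vhu_gpio.rs, vhu_i2c.rs and vhu_vsock.rs, with the field list adjusted per struct.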
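Review bot: The comments on `unsafe impl Send for PhysDevice {}` and `unsafe impl Sync for PhysDevice {}` are circular: "safe as the structure can be sent to another thread" is the claim being made, not its justification. A manual impl is only needed because some field is not auto-Send/Sync, so the comment should name that field (the visible list is partly garbled, `state: Vec>,`, and any raw handle above it is outside the hunk) and state why moving or sharing it is sound, e.g. that every access to the underlying handle goes through the lock in `state`, or that the wrapped C library is documented thread-safe. If that argument cannot be written down, the impl itself deserves scrutiny, since an unsound `Sync` here turns the guest-driven request path into a data race. Suggested shape: `// SAFETY: <field> is !Sync only because it wraps a raw <handle>; all uses go through the RwLock in state, so no two threads touch it concurrently.`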
@@ -99,6 +101,8 @@ unsafe impl ByteValued for VirtioGpioRequest {}
 struct VirtioGpioIrqRequest {
 gpio: Le16,
 }
+// SAFETY: The layout of the structure is fixed and can be initialized by
+// reading its content from byte array.
 unsafe impl ByteValued for VirtioGpioIrqRequest {}
 #[derive(Copy, Clone, Default)]
@@ -106,6 +110,8 @@ struct VirtioGpioIrqResponse {
 #[allow(dead_code)]
 status: u8,
 }
+// SAFETY: The layout of the structure is fixed and can be initialized by
+// reading its content from byte array.
 unsafe impl ByteValued for VirtioGpioIrqResponse {}
 /// Possible values of the interrupt status field
@@ -401,6 +407,8 @@ impl VhostUserBackendMut
 }
 fn get_config(&self, offset: u32, size: u32) -> Vec {
+ // SAFETY: The layout of the structure is fixed and can be initialized by
+ // reading its content from byte array.
 unsafe {
 from_raw_parts(
 self.controller
@@ -1127,6 +1135,8 @@ mod tests {
 assert_eq!(
 backend.get_config(0, size_of::() as u32),
+ // SAFETY: The layout of the structure is fixed and can be initialized by
+ // reading its content from byte array.
 unsafe {
 from_raw_parts(
 &config as *const _ as *const _,
diff --git a/crates/i2c/src/i2c.rs b/crates/i2c/src/i2c.rs
index 43d6d41..14b0ca8 100644
--- a/crates/i2c/src/i2c.rs
+++ b/crates/i2c/src/i2c.rs
@@ -145,12 +145,12 @@ union I2cSmbusData {
 impl I2cSmbusData {
 fn read_byte(&self) -> u8 {
- // Safe as we will only read the relevant bytes
+ // SAFETY: Safe as we will only read the relevant bytes.
 unsafe { self.byte }
 }
 fn read_word(&self) -> u16 {
- // Safe as we will only read the relevant bytes
+ // SAFETY: Safe as we will only read the relevant bytes.
 unsafe { self.word }
 }
 }
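Review bot: The SAFETY comment added inside `get_config` is the ByteValued template pasted in and does not justify the `from_raw_parts` call under it, whose preconditions are a pointer valid and aligned for `size_of::<VirtioGpioConfig>()` bytes and a slice that does not outlive the config it points into; the `offset`/`size` handling that bounds the returned `Vec` is past the end of the hunk, so whether `offset + size` is checked against the struct cannot be judged here. If `ByteValued` is vm-memory's trait, the unsafe block can go away: `config.as_slice()` yields the same bytes safely, and the same replacement removes the duplicated comment and `&config as *const _ as *const _` cast in the test at line 1135. Otherwise the comment should read `// SAFETY: the pointer is derived from a live &VirtioGpioConfig, the length is size_of::<VirtioGpioConfig>(), and the type is ByteValued so every byte is initialized.`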
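Review bot: "Safe as we will only read the relevant bytes" still does not say what makes `unsafe { self.byte }` and `unsafe { self.word }` sound: reading a union field is undefined behaviour unless the bytes read are initialized, and `I2cSmbusData` is presumably filled by the kernel or by a constructor through a different variant than the one read back. The argument that holds is that `u8` and `u16` have no invalid bit patterns, so any initialized bytes can be reinterpreted, plus the fact that every construction site initializes the union in full; those sites are outside the hunk, so the second half should be stated where it is guaranteed. Suggest `// SAFETY: u8 has no invalid bit patterns and the union is fully initialized before use, so reading this variant is sound whichever variant was written.` (and the `u16` counterpart for `read_word`).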
@@ -342,7 +342,7 @@ impl I2cDevice for PhysDevice {
 fn funcs(&mut self) -> Result {
 let mut func: u64 = 0;
- // Safe as the file is a valid I2C adapter, the kernel will only
+ // SAFETY: Safe as the file is a valid I2C adapter, the kernel will only
 // update the correct amount of memory in func.
 let ret = unsafe { ioctl(self.file.as_raw_fd(), I2C_FUNCS, &mut func) };
@@ -375,7 +375,7 @@ impl I2cDevice for PhysDevice {
 nmsgs: len as u32,
 };
- // Safe as the file is a valid I2C adapter, the kernel will only
+ // SAFETY: Safe as the file is a valid I2C adapter, the kernel will only
 // update the correct amount of memory in data.
 let ret = unsafe { ioctl(self.file.as_raw_fd(), I2C_RDWR, &mut data) };
@@ -397,7 +397,7 @@ impl I2cDevice for PhysDevice {
 },
 };
- // Safe as the file is a valid I2C adapter, the kernel will only
+ // SAFETY: Safe as the file is a valid I2C adapter, the kernel will only
 // update the correct amount of memory in data.
 let ret = unsafe { ioctl(self.file.as_raw_fd(), I2C_SMBUS, &mut smbus_data) };
@@ -409,7 +409,7 @@ impl I2cDevice for PhysDevice {
 }
 fn slave(&self, addr: u64) -> Result<()> {
- // Safe as the file is a valid I2C adapter.
+ // SAFETY: Safe as the file is a valid I2C adapter.
 let ret = unsafe { ioctl(self.file.as_raw_fd(), I2C_SLAVE, addr as c_ulong) };
 if ret == -1 {
diff --git a/crates/i2c/src/vhu_i2c.rs b/crates/i2c/src/vhu_i2c.rs
index 09072eb..3d68eaa 100644
--- a/crates/i2c/src/vhu_i2c.rs
+++ b/crates/i2c/src/vhu_i2c.rs
@@ -84,6 +84,8 @@ struct VirtioI2cOutHdr {
 padding: Le16,
 flags: Le32,
 }
+// SAFETY: The layout of the structure is fixed and can be initialized by
+// reading its content from byte array.
 unsafe impl ByteValued for VirtioI2cOutHdr {}
 /// VirtioI2cOutHdr Flags
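Review bot: The comment on the `I2C_RDWR` ioctl ("the kernel will only update the correct amount of memory in data") describes what the kernel does, not the precondition the caller must uphold: `data.msgs` must point to `nmsgs` valid `i2c_msg` entries and each entry's `buf` pointer must be valid for its `len` bytes for the whole call, and in a vhost-user backend those lengths originate in the guest request. The construction of `data` and its message array sits above the hunk (the method starts outside it), so the comment should point at it and at whatever caps `len` — note `nmsgs: len as u32` truncates silently if `len` ever exceeds `u32`. Suggest `// SAFETY: data.msgs points at the `len` i2c_msg entries built above; each buf is a live slice of at least msg.len bytes that outlives the ioctl.` For `I2C_FUNCS`, which passes a single stack `u64`, the existing wording is adequate; `I2C_SMBUS` also embeds a data pointer in `smbus_data`, so its comment should state that pointer's validity too.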
@@ -94,6 +96,8 @@ const VIRTIO_I2C_FLAGS_M_RD: u32 = 1 << 1;
 struct VirtioI2cInHdr {
 status: u8,
 }
+// SAFETY: The layout of the structure is fixed and can be initialized by
+// reading its content from byte array.
 unsafe impl ByteValued for VirtioI2cInHdr {}
 pub(crate) struct VhostUserI2cBackend {
diff --git a/crates/vsock/src/thread_backend.rs b/crates/vsock/src/thread_backend.rs
index 1f4be84..f32df28 100644
--- a/crates/vsock/src/thread_backend.rs
+++ b/crates/vsock/src/thread_backend.rs
@@ -222,8 +222,12 @@ impl VsockThreadBackend {
 .insert(ConnMapKey::new(pkt.dst_port(), pkt.src_port()), conn);
 self.backend_rxq
 .push_back(ConnMapKey::new(pkt.dst_port(), pkt.src_port()));
- self.stream_map
- .insert(stream_fd, unsafe { UnixStream::from_raw_fd(stream_fd) });
+
+ self.stream_map.insert(
+ stream_fd,
+ // SAFETY: Safe as the file descriptor is guaranteed to be valid.
+ unsafe { UnixStream::from_raw_fd(stream_fd) },
+ );
 self.local_port_set.insert(pkt.dst_port());
 VhostUserVsockThread::epoll_register(
@@ -269,6 +273,7 @@ mod tests {
 let mut pkt_raw = [0u8; PKT_HEADER_SIZE + DATA_LEN];
 let (hdr_raw, data_raw) = pkt_raw.split_at_mut(PKT_HEADER_SIZE);
+ // SAFETY: Safe as hdr_raw and data_raw are guaranteed to be valid.
 let mut packet = unsafe { VsockPacket::new(hdr_raw, Some(data_raw)).unwrap() };
 assert_eq!(
diff --git a/crates/vsock/src/txbuf.rs b/crates/vsock/src/txbuf.rs
index f7b4119..ff55cd8 100644
--- a/crates/vsock/src/txbuf.rs
+++ b/crates/vsock/src/txbuf.rs
@@ -132,6 +132,7 @@ mod tests {
 fn test_txbuf_push() {
 let mut loc_tx_buf = LocalTxBuf::new();
 let mut buf = [0; CONN_TX_BUF_SIZE as usize];
+ // SAFETY: Safe as the buffer is guaranteed to be valid here.
 let data = unsafe { VolatileSlice::new(buf.as_mut_ptr(), buf.len()) };
 // push data into empty tx buffer
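Review bot: "the file descriptor is guaranteed to be valid" is not the `from_raw_fd` contract: the `UnixStream` stored in `stream_map` will `close(stream_fd)` when dropped, so the actual requirement is exclusive ownership — nothing else may own, close or later re-wrap that fd, or the thread ends up closing a descriptor that has been reused for another connection. Where `stream_fd` comes from is above the hunk (the method starts outside it), so the comment should say so, e.g. `// SAFETY: stream_fd was returned to us by the connect path above and has no other owner; the UnixStream in stream_map now owns it and closes it on drop.` The same applies to the test's `VsockPacket::new(hdr_raw, Some(data_raw))`: if `new` is an `unsafe fn`, its `# Safety` section is what the added comment should restate, rather than "guaranteed to be valid".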
@@ -152,6 +153,7 @@ mod tests {
 // only tail wraps at full
 let mut buf = vec![1; 4];
+ // SAFETY: Safe as the buffer is guaranteed to be valid here.
 let data = unsafe { VolatileSlice::new(buf.as_mut_ptr(), buf.len()) };
 let mut cmp_data = vec![1; 4];
 cmp_data.append(&mut vec![0; (CONN_TX_BUF_SIZE - 4) as usize]);
@@ -170,6 +172,7 @@ mod tests {
 // data to be flushed
 let mut buf = vec![1; CONN_TX_BUF_SIZE as usize];
+ // SAFETY: Safe as the buffer is guaranteed to be valid here.
 let data = unsafe { VolatileSlice::new(buf.as_mut_ptr(), buf.len()) };
 // target to which data is flushed
@@ -194,6 +197,7 @@ mod tests {
 // wrapping head flush
 let mut buf = vec![0; (CONN_TX_BUF_SIZE / 2) as usize];
 buf.append(&mut vec![1; (CONN_TX_BUF_SIZE / 2) as usize]);
+ // SAFETY: Safe as the buffer is guaranteed to be valid here.
 let data = unsafe { VolatileSlice::new(buf.as_mut_ptr(), buf.len()) };
 loc_tx_buf.head = Wrapping(0);
diff --git a/crates/vsock/src/vhu_vsock.rs b/crates/vsock/src/vhu_vsock.rs
index 3427a9c..9436020 100644
--- a/crates/vsock/src/vhu_vsock.rs
+++ b/crates/vsock/src/vhu_vsock.rs
@@ -196,6 +196,8 @@ struct VirtioVsockConfig {
 pub guest_cid: Le64,
 }
+// SAFETY: The layout of the structure is fixed and can be initialized by
+// reading its content from byte array.
 unsafe impl ByteValued for VirtioVsockConfig {}
 pub(crate) struct VhostUserVsockBackend {
diff --git a/crates/vsock/src/vhu_vsock_thread.rs b/crates/vsock/src/vhu_vsock_thread.rs
index e086f7a..cbbc289 100644
--- a/crates/vsock/src/vhu_vsock_thread.rs
+++ b/crates/vsock/src/vhu_vsock_thread.rs
@@ -68,6 +68,7 @@ impl VhostUserVsockThread {
 .map_err(Error::UnixBind)?;
 let epoll_fd = epoll::create(true).map_err(Error::EpollFdCreate)?;
+ // SAFETY: Safe as the fd is guaranteed to be valid here.
 let epoll_file = unsafe { File::from_raw_fd(epoll_fd) };
 let host_raw_fd = host_sock.as_raw_fd();
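Review bot: "the buffer is guaranteed to be valid here" on `VolatileSlice::new(buf.as_mut_ptr(), buf.len())` does not name the invariant the constructor relies on, which is specific: pointer and length come from the same live `buf`, `buf` outlives `data`, and `buf` is not accessed directly while `data` is in use (the raw pointer aliases it). Whether `buf` is touched later in these tests is past the end of each hunk, so the comment is the place to pin that down. Suggest `// SAFETY: ptr and len describe the whole of buf, which outlives data and is not accessed directly while data is alive.` in place of the repeated one-liner.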
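Review bot: The comment on `File::from_raw_fd(epoll_fd)` says the fd is "valid", but the fact that makes the call sound is visible one line up and should be stated: `epoll::create(true)` just returned a fresh descriptor that no other object owns, so wrapping it in a `File` transfers sole ownership and drop closes it exactly once. Suggest `// SAFETY: epoll_fd was just created by epoll::create and is owned by nothing else; epoll_file takes ownership and closes it on drop.` If `epoll_fd` is also handed to other code by value later in this constructor (the function continues past the hunk), that code must only borrow it and never close it, and the comment should say so.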