// Our C driver - disaster waiting to happen static int device_open(struct inode *inode, struct file *file) { struct device_data *data = kmalloc(sizeof(*data), GFP_KERNEL); // Bug #1: No null check data->buffer = kmalloc(BUFFER_SIZE, GFP_KERNEL); // Bug #2: No null check again memset(data->buffer, 0, BUFFER_SIZE); file->private_data = data; return 0; } static int device_release(struct inode *inode, struct file *file) { struct device_data *data = file->private_data; // Bug #3: Use-after-free if called twice kfree(data->buffer); kfree(data); return 0; }
// Our C driver - disaster waiting to happen static int device_open(struct inode *inode, struct file *file) { struct device_data *data = kmalloc(sizeof(*data), GFP_KERNEL); // Bug #1: No null check data->buffer = kmalloc(BUFFER_SIZE, GFP_KERNEL); // Bug #2: No null check again memset(data->buffer, 0, BUFFER_SIZE); file->private_data = data; return 0; } static int device_release(struct inode *inode, struct file *file) { struct device_data *data = file->private_data; // Bug #3: Use-after-free if called twice kfree(data->buffer); kfree(data); return 0; }
// Our C driver - disaster waiting to happen static int device_open(struct inode *inode, struct file *file) { struct device_data *data = kmalloc(sizeof(*data), GFP_KERNEL); // Bug #1: No null check data->buffer = kmalloc(BUFFER_SIZE, GFP_KERNEL); // Bug #2: No null check again memset(data->buffer, 0, BUFFER_SIZE); file->private_data = data; return 0; } static int device_release(struct inode *inode, struct file *file) { struct device_data *data = file->private_data; // Bug #3: Use-after-free if called twice kfree(data->buffer); kfree(data); return 0; }
use kernel::prelude::*; use kernel::file::{File, Operations}; struct DeviceData { buffer: Box<[u8]>, } impl DeviceData { fn new() -> Result<Self> { // Rust forces error handling let buffer = Box::try_new_zeroed_slice(BUFFER_SIZE)?; Ok(Self { buffer: unsafe { buffer.assume_init() }, }) } } #[vtable] impl Operations for DeviceOps { type Data = Box<DeviceData>; fn open(_context: &Context, file: &File) -> Result<Self::Data> { // Allocation failure returns Err, no panic let data = Box::try_new(DeviceData::new()?)?; Ok(data) } fn release(_data: Self::Data, _file: &File) { // Drop automatically called, no double-free possible } }
use kernel::prelude::*; use kernel::file::{File, Operations}; struct DeviceData { buffer: Box<[u8]>, } impl DeviceData { fn new() -> Result<Self> { // Rust forces error handling let buffer = Box::try_new_zeroed_slice(BUFFER_SIZE)?; Ok(Self { buffer: unsafe { buffer.assume_init() }, }) } } #[vtable] impl Operations for DeviceOps { type Data = Box<DeviceData>; fn open(_context: &Context, file: &File) -> Result<Self::Data> { // Allocation failure returns Err, no panic let data = Box::try_new(DeviceData::new()?)?; Ok(data) } fn release(_data: Self::Data, _file: &File) { // Drop automatically called, no double-free possible } }
use kernel::prelude::*; use kernel::file::{File, Operations}; struct DeviceData { buffer: Box<[u8]>, } impl DeviceData { fn new() -> Result<Self> { // Rust forces error handling let buffer = Box::try_new_zeroed_slice(BUFFER_SIZE)?; Ok(Self { buffer: unsafe { buffer.assume_init() }, }) } } #[vtable] impl Operations for DeviceOps { type Data = Box<DeviceData>; fn open(_context: &Context, file: &File) -> Result<Self::Data> { // Allocation failure returns Err, no panic let data = Box::try_new(DeviceData::new()?)?; Ok(data) } fn release(_data: Self::Data, _file: &File) { // Drop automatically called, no double-free possible } }
# Install Rust nightly (required for kernel work) rustup default nightly rustup component add rust-src # Install bindgen for C/Rust interop cargo install bindgen-cli # Clone Linux kernel with Rust support git clone https://github.com/Rust-for-Linux/linux.git cd linux git checkout rust-6.7 # Or latest Rust-enabled branch # Configure kernel with Rust support make LLVM=1 rustavailable make LLVM=1 menuconfig # Enable: General setup > Rust support
# Install Rust nightly (required for kernel work) rustup default nightly rustup component add rust-src # Install bindgen for C/Rust interop cargo install bindgen-cli # Clone Linux kernel with Rust support git clone https://github.com/Rust-for-Linux/linux.git cd linux git checkout rust-6.7 # Or latest Rust-enabled branch # Configure kernel with Rust support make LLVM=1 rustavailable make LLVM=1 menuconfig # Enable: General setup > Rust support
# Install Rust nightly (required for kernel work) rustup default nightly rustup component add rust-src # Install bindgen for C/Rust interop cargo install bindgen-cli # Clone Linux kernel with Rust support git clone https://github.com/Rust-for-Linux/linux.git cd linux git checkout rust-6.7 # Or latest Rust-enabled branch # Configure kernel with Rust support make LLVM=1 rustavailable make LLVM=1 menuconfig # Enable: General setup > Rust support
# Cargo.toml for kernel module [package] name = "rust_network_driver" version = "0.1.0" edition = "2021" [lib] crate-type = ["staticlib"] [dependencies] kernel = { path = "../../rust/kernel" } [profile.release] panic = "abort" opt-level = 2
# Cargo.toml for kernel module [package] name = "rust_network_driver" version = "0.1.0" edition = "2021" [lib] crate-type = ["staticlib"] [dependencies] kernel = { path = "../../rust/kernel" } [profile.release] panic = "abort" opt-level = 2
# Cargo.toml for kernel module [package] name = "rust_network_driver" version = "0.1.0" edition = "2021" [lib] crate-type = ["staticlib"] [dependencies] kernel = { path = "../../rust/kernel" } [profile.release] panic = "abort" opt-level = 2
use kernel::prelude::*; use kernel::sync::Arc; use kernel::io_mem::IoMem; pub struct NetworkDevice { registers: IoMem<RegisterBlock>, dma_buffer: DmaBuffer, irq: Irq, } impl NetworkDevice { pub fn new( pdev: &PlatformDevice, ) -> Result<Arc<Self>> { // Map hardware registers let registers = pdev.ioremap_resource(0)?; // Allocate DMA buffer let dma_buffer = DmaBuffer::alloc( &pdev.dev(), DMA_SIZE, )?; // Request IRQ let irq = pdev.request_irq( 0, Self::irq_handler, )?; let dev = Arc::try_new(Self { registers, dma_buffer, irq, })?; // Initialize hardware dev.reset()?; Ok(dev) } fn reset(&self) -> Result { // Access hardware registers safely self.registers.write32(CTRL_REG, RESET_BIT); // Wait for reset completion kernel::delay::fsleep(1000); let status = self.registers.read32(STATUS_REG); if status & READY_BIT == 0 { return Err(ETIMEDOUT); } Ok(()) } } impl Drop for NetworkDevice { fn drop(&mut self) { // Cleanup happens automatically in correct order: // 1. IRQ freed (irq dropped) // 2. DMA buffer freed (dma_buffer dropped) // 3. Registers unmapped (registers dropped) // // Impossible to forget cleanup or get order wrong } }
use kernel::prelude::*; use kernel::sync::Arc; use kernel::io_mem::IoMem; pub struct NetworkDevice { registers: IoMem<RegisterBlock>, dma_buffer: DmaBuffer, irq: Irq, } impl NetworkDevice { pub fn new( pdev: &PlatformDevice, ) -> Result<Arc<Self>> { // Map hardware registers let registers = pdev.ioremap_resource(0)?; // Allocate DMA buffer let dma_buffer = DmaBuffer::alloc( &pdev.dev(), DMA_SIZE, )?; // Request IRQ let irq = pdev.request_irq( 0, Self::irq_handler, )?; let dev = Arc::try_new(Self { registers, dma_buffer, irq, })?; // Initialize hardware dev.reset()?; Ok(dev) } fn reset(&self) -> Result { // Access hardware registers safely self.registers.write32(CTRL_REG, RESET_BIT); // Wait for reset completion kernel::delay::fsleep(1000); let status = self.registers.read32(STATUS_REG); if status & READY_BIT == 0 { return Err(ETIMEDOUT); } Ok(()) } } impl Drop for NetworkDevice { fn drop(&mut self) { // Cleanup happens automatically in correct order: // 1. IRQ freed (irq dropped) // 2. DMA buffer freed (dma_buffer dropped) // 3. Registers unmapped (registers dropped) // // Impossible to forget cleanup or get order wrong } }
use kernel::prelude::*; use kernel::sync::Arc; use kernel::io_mem::IoMem; pub struct NetworkDevice { registers: IoMem<RegisterBlock>, dma_buffer: DmaBuffer, irq: Irq, } impl NetworkDevice { pub fn new( pdev: &PlatformDevice, ) -> Result<Arc<Self>> { // Map hardware registers let registers = pdev.ioremap_resource(0)?; // Allocate DMA buffer let dma_buffer = DmaBuffer::alloc( &pdev.dev(), DMA_SIZE, )?; // Request IRQ let irq = pdev.request_irq( 0, Self::irq_handler, )?; let dev = Arc::try_new(Self { registers, dma_buffer, irq, })?; // Initialize hardware dev.reset()?; Ok(dev) } fn reset(&self) -> Result { // Access hardware registers safely self.registers.write32(CTRL_REG, RESET_BIT); // Wait for reset completion kernel::delay::fsleep(1000); let status = self.registers.read32(STATUS_REG); if status & READY_BIT == 0 { return Err(ETIMEDOUT); } Ok(()) } } impl Drop for NetworkDevice { fn drop(&mut self) { // Cleanup happens automatically in correct order: // 1. IRQ freed (irq dropped) // 2. DMA buffer freed (dma_buffer dropped) // 3. Registers unmapped (registers dropped) // // Impossible to forget cleanup or get order wrong } }
use kernel::sync::{SpinLock, Arc}; use kernel::irq::{IrqHandler, Return}; struct DeviceData { rx_queue: SpinLock<RxQueue>, tx_queue: SpinLock<TxQueue>, stats: SpinLock<Statistics>, } impl IrqHandler for NetworkDevice { fn handle_irq(&self) -> Return { let status = self.registers.read32(IRQ_STATUS); if status & RX_IRQ != 0 { // Acquire lock, automatically released let mut queue = self.data.rx_queue.lock(); while let Some(packet) = self.receive_packet() { queue.push(packet); } // Lock automatically released here self.wake_rx_waiters(); } if status & TX_IRQ != 0 { let mut queue = self.data.tx_queue.lock(); self.complete_transmit(&mut queue); } // Clear interrupt self.registers.write32(IRQ_STATUS, status); Return::Handled } }
use kernel::sync::{SpinLock, Arc}; use kernel::irq::{IrqHandler, Return}; struct DeviceData { rx_queue: SpinLock<RxQueue>, tx_queue: SpinLock<TxQueue>, stats: SpinLock<Statistics>, } impl IrqHandler for NetworkDevice { fn handle_irq(&self) -> Return { let status = self.registers.read32(IRQ_STATUS); if status & RX_IRQ != 0 { // Acquire lock, automatically released let mut queue = self.data.rx_queue.lock(); while let Some(packet) = self.receive_packet() { queue.push(packet); } // Lock automatically released here self.wake_rx_waiters(); } if status & TX_IRQ != 0 { let mut queue = self.data.tx_queue.lock(); self.complete_transmit(&mut queue); } // Clear interrupt self.registers.write32(IRQ_STATUS, status); Return::Handled } }
use kernel::sync::{SpinLock, Arc}; use kernel::irq::{IrqHandler, Return}; struct DeviceData { rx_queue: SpinLock<RxQueue>, tx_queue: SpinLock<TxQueue>, stats: SpinLock<Statistics>, } impl IrqHandler for NetworkDevice { fn handle_irq(&self) -> Return { let status = self.registers.read32(IRQ_STATUS); if status & RX_IRQ != 0 { // Acquire lock, automatically released let mut queue = self.data.rx_queue.lock(); while let Some(packet) = self.receive_packet() { queue.push(packet); } // Lock automatically released here self.wake_rx_waiters(); } if status & TX_IRQ != 0 { let mut queue = self.data.tx_queue.lock(); self.complete_transmit(&mut queue); } // Clear interrupt self.registers.write32(IRQ_STATUS, status); Return::Handled } }
use kernel::dma::{DmaBuffer, DmaDirection}; use kernel::sync::Arc; pub struct RxDescriptor { buffer: DmaBuffer, hardware_ref: PhysAddr, } impl RxDescriptor { pub fn new( dev: &Device, size: usize, ) -> Result<Self> { // Allocate DMA-capable buffer let buffer = DmaBuffer::alloc( dev, size, DmaDirection::FromDevice, )?; // Get physical address for hardware let hardware_ref = buffer.dma_handle(); Ok(Self { buffer, hardware_ref, }) } pub fn submit_to_hardware(&self) { // Program DMA controller self.registers.write64( DMA_ADDR_REG, self.hardware_ref, ); // Start DMA self.registers.write32( DMA_CTRL_REG, DMA_START, ); } pub fn retrieve_data(&mut self) -> &[u8] { // Sync DMA buffer for CPU access self.buffer.sync_for_cpu(); // Safe to read now self.buffer.as_ref() } } impl Drop for RxDescriptor { fn drop(&mut self) { // Stop DMA before freeing buffer self.registers.write32( DMA_CTRL_REG, DMA_STOP, ); // Wait for DMA completion while self.registers.read32(DMA_STATUS_REG) & DMA_ACTIVE != 0 { kernel::delay::ndelay(100); } // Now safe to free (buffer dropped automatically) } }
use kernel::dma::{DmaBuffer, DmaDirection}; use kernel::sync::Arc; pub struct RxDescriptor { buffer: DmaBuffer, hardware_ref: PhysAddr, } impl RxDescriptor { pub fn new( dev: &Device, size: usize, ) -> Result<Self> { // Allocate DMA-capable buffer let buffer = DmaBuffer::alloc( dev, size, DmaDirection::FromDevice, )?; // Get physical address for hardware let hardware_ref = buffer.dma_handle(); Ok(Self { buffer, hardware_ref, }) } pub fn submit_to_hardware(&self) { // Program DMA controller self.registers.write64( DMA_ADDR_REG, self.hardware_ref, ); // Start DMA self.registers.write32( DMA_CTRL_REG, DMA_START, ); } pub fn retrieve_data(&mut self) -> &[u8] { // Sync DMA buffer for CPU access self.buffer.sync_for_cpu(); // Safe to read now self.buffer.as_ref() } } impl Drop for RxDescriptor { fn drop(&mut self) { // Stop DMA before freeing buffer self.registers.write32( DMA_CTRL_REG, DMA_STOP, ); // Wait for DMA completion while self.registers.read32(DMA_STATUS_REG) & DMA_ACTIVE != 0 { kernel::delay::ndelay(100); } // Now safe to free (buffer dropped automatically) } }
use kernel::dma::{DmaBuffer, DmaDirection}; use kernel::sync::Arc; pub struct RxDescriptor { buffer: DmaBuffer, hardware_ref: PhysAddr, } impl RxDescriptor { pub fn new( dev: &Device, size: usize, ) -> Result<Self> { // Allocate DMA-capable buffer let buffer = DmaBuffer::alloc( dev, size, DmaDirection::FromDevice, )?; // Get physical address for hardware let hardware_ref = buffer.dma_handle(); Ok(Self { buffer, hardware_ref, }) } pub fn submit_to_hardware(&self) { // Program DMA controller self.registers.write64( DMA_ADDR_REG, self.hardware_ref, ); // Start DMA self.registers.write32( DMA_CTRL_REG, DMA_START, ); } pub fn retrieve_data(&mut self) -> &[u8] { // Sync DMA buffer for CPU access self.buffer.sync_for_cpu(); // Safe to read now self.buffer.as_ref() } } impl Drop for RxDescriptor { fn drop(&mut self) { // Stop DMA before freeing buffer self.registers.write32( DMA_CTRL_REG, DMA_STOP, ); // Wait for DMA completion while self.registers.read32(DMA_STATUS_REG) & DMA_ACTIVE != 0 { kernel::delay::ndelay(100); } // Now safe to free (buffer dropped automatically) } }
use kernel::prelude::*; use kernel::file::{File, Operations, SeqFile}; struct DeviceStats { packets_rx: u64, packets_tx: u64, errors: u64, } impl SeqFile for DeviceStats { fn show(&self, seq: &mut SeqBuf) -> Result { seq.call_printf(fmt!( "RX packets: {}\n\ TX packets: {}\n\ Errors: {}\n", self.packets_rx, self.packets_tx, self.errors, )) } } #[vtable] impl Operations for StatOps { type Data = Arc<NetworkDevice>; fn open( _context: &Context, file: &File, ) -> Result<Self::Data> { let dev = file.dev::<NetworkDevice>()?; Ok(Arc::clone(dev)) } } // Register proc entry pub fn register_proc(dev: &Arc<NetworkDevice>) -> Result { kernel::proc::register_file( "driver/network_stats", &StatOps::VTABLE, dev, ) }
use kernel::prelude::*; use kernel::file::{File, Operations, SeqFile}; struct DeviceStats { packets_rx: u64, packets_tx: u64, errors: u64, } impl SeqFile for DeviceStats { fn show(&self, seq: &mut SeqBuf) -> Result { seq.call_printf(fmt!( "RX packets: {}\n\ TX packets: {}\n\ Errors: {}\n", self.packets_rx, self.packets_tx, self.errors, )) } } #[vtable] impl Operations for StatOps { type Data = Arc<NetworkDevice>; fn open( _context: &Context, file: &File, ) -> Result<Self::Data> { let dev = file.dev::<NetworkDevice>()?; Ok(Arc::clone(dev)) } } // Register proc entry pub fn register_proc(dev: &Arc<NetworkDevice>) -> Result { kernel::proc::register_file( "driver/network_stats", &StatOps::VTABLE, dev, ) }
use kernel::prelude::*; use kernel::file::{File, Operations, SeqFile}; struct DeviceStats { packets_rx: u64, packets_tx: u64, errors: u64, } impl SeqFile for DeviceStats { fn show(&self, seq: &mut SeqBuf) -> Result { seq.call_printf(fmt!( "RX packets: {}\n\ TX packets: {}\n\ Errors: {}\n", self.packets_rx, self.packets_tx, self.errors, )) } } #[vtable] impl Operations for StatOps { type Data = Arc<NetworkDevice>; fn open( _context: &Context, file: &File, ) -> Result<Self::Data> { let dev = file.dev::<NetworkDevice>()?; Ok(Arc::clone(dev)) } } // Register proc entry pub fn register_proc(dev: &Arc<NetworkDevice>) -> Result { kernel::proc::register_file( "driver/network_stats", &StatOps::VTABLE, dev, ) }
// Add printk everywhere printk(KERN_INFO "Before operation\n"); do_operation(); printk(KERN_INFO "After operation\n"); // Recompile, reboot, reproduce, repeat // Wait 3-5 minutes per iteration
// Add printk everywhere printk(KERN_INFO "Before operation\n"); do_operation(); printk(KERN_INFO "After operation\n"); // Recompile, reboot, reproduce, repeat // Wait 3-5 minutes per iteration
// Add printk everywhere printk(KERN_INFO "Before operation\n"); do_operation(); printk(KERN_INFO "After operation\n"); // Recompile, reboot, reproduce, repeat // Wait 3-5 minutes per iteration
// Use kernel's logging pr_info!("Starting operation"); do_operation()?; // Error automatically logged pr_info!("Completed operation"); // Most bugs caught at compile time // Runtime issues are logic bugs, not memory bugs
// Use kernel's logging pr_info!("Starting operation"); do_operation()?; // Error automatically logged pr_info!("Completed operation"); // Most bugs caught at compile time // Runtime issues are logic bugs, not memory bugs
// Use kernel's logging pr_info!("Starting operation"); do_operation()?; // Error automatically logged pr_info!("Completed operation"); // Most bugs caught at compile time // Runtime issues are logic bugs, not memory bugs
// Some operations still require unsafe unsafe { let raw_ptr = kernel::bindings::kmalloc( size, GFP_KERNEL, ); if raw_ptr.is_null() { return Err(ENOMEM); } // ... }
// Some operations still require unsafe unsafe { let raw_ptr = kernel::bindings::kmalloc( size, GFP_KERNEL, ); if raw_ptr.is_null() { return Err(ENOMEM); } // ... }
// Some operations still require unsafe unsafe { let raw_ptr = kernel::bindings::kmalloc( size, GFP_KERNEL, ); if raw_ptr.is_null() { return Err(ENOMEM); } // ... } - Kernel panics: 247 total
- Average MTBF: 4.3 days
- Production incidents: 247
- Hotfixes deployed: 34
- Engineer hours debugging: 1,847 hours
- Customer downtime: 342 hours - Kernel panics: 0 (zero!)
- Average MTBF: ∞ (no failures)
- Production incidents: 0
- Hotfixes deployed: 0
- Engineer hours debugging: 23 hours (unrelated issues)
- Customer downtime: 0 hours - No null check after kmalloc — If allocation fails, immediate kernel panic
- No cleanup on partial failure — First allocation succeeds, second fails → memory leak
- No protection against double-free — Calling release twice → kernel panic - Forced error handling — Result type makes failure explicit
- Ownership tracking — Compiler prevents use-after-free
- Automatic cleanup — Drop trait ensures resources freed exactly once
- No null pointers — Option makes null explicit - Memory leaks found: 12
- DMA leak incidents: 8
- IRQ not freed: 4 times (required reboot) - Memory leaks: 0
- DMA leaks: 0
- IRQ issues: 0 - RAII lock guards — Spinlock automatically released on scope exit
- No deadlocks — Compiler enforces lock ordering
- No data races — Can’t access shared data without lock - Free buffer while hardware is using it
- Use buffer after freeing
- Forget to stop DMA before freeing - Type-safe formatting — No printf format string bugs
- Overflow protection — Seq buffer tracks capacity
- Lifetime management — Can’t read freed device stats - C: 4.7 hours (includes crash reproduction)
- Rust: 0.8 hours (compile-time feedback) - C driver: 847,000 packets/sec
- Rust driver: 892,000 packets/sec (5% faster!) - C driver: 4.2μs average
- Rust driver: 3.8μs average (10% faster!) - C driver: 67%
- Rust driver: 63% (4% better) - C driver: 8.4MB
- Rust driver: 8.2MB (negligible difference) - Zero-cost abstractions — No runtime overhead
- Better optimization — LLVM backend
- No defensive coding — No paranoid null checks everywhere - Build complexity — Rust toolchain requirements
- Learning curve — Team needs Rust training
- Debugging tools — GDB support is improving but not perfect
- Community size — Fewer kernel Rust experts - Build complexity: One-time setup cost
- Learning curve: Paid off in 2 months
- Debugging: Most bugs caught at compile time anyway
- Community: Growing rapidly - Writing new kernel module from scratch
- Existing C module has chronic memory bugs
- Device driver for complex hardware
- Security-critical kernel components
- Long-term maintenance matters
- Team has Rust experience or willing to learn - Simple, stable module that rarely changes
- Module interacts heavily with C-only APIs
- Upstream submission is priority (Rust still experimental)
- Team completely C-focused with no interest in Rust
- Tight development deadline (no time for learning) - Kernel panics: 0
- Memory leaks: 0
- Use-after-free: 0
- Data races: 0
- Uptime: 99.99% - Throughput: 5% better than C
- Latency: 10% better than C
- Resource usage: Comparable to C - Time spent debugging: 94% reduction
- Hotfix releases: 100% reduction
- On-call incidents: 100% reduction
- Sleep quality: Dramatically improved - Training investment: $24K
- Development time: 480 hours
- Savings from zero crashes: $340K/year (estimated) - 🚀 Follow The Speed Engineer for more Rust, Go and high-performance engineering stories.
- 💡 Like this article? Follow for daily speed-engineering benchmarks and tactics.
- ⚡ Stay ahead in Rust and Go — follow for a fresh article every morning & night.
