Received: by 2002:ab2:1149:0:b0:1f3:1f8c:d0c6 with SMTP id z9csp879308lqz; Sun, 31 Mar 2024 03:28:10 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCWbtatbm91aHE0oN7eRDJh4x6iZ7IKYri4mJPXlDQ2HS6MUNPN/m/GmjQfo1CwOzjgptNuY7QTlsXRLXM3T5Y5gkf4+SOBSHzDdG9CLFQ== X-Google-Smtp-Source: AGHT+IHYzhjCpushB0N7gf1j5biYoXs3OMLOgw/bxv0EQlJ1EFjbYH6wTHUens8mkrPwAFGIcHY2 X-Received: by 2002:a05:6a20:849a:b0:1a3:e37a:d228 with SMTP id u26-20020a056a20849a00b001a3e37ad228mr6158271pzd.27.1711880890149; Sun, 31 Mar 2024 03:28:10 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1711880890; cv=pass; d=google.com; s=arc-20160816; b=n/q2RHbGNdCJmK5DZ+Ej8ZE+4agfgsCp7aI1DrknWuOUNRuc3UQbYgMJ779Rpi63qr JyXWCg+FwUTtL4WOrNGo5SuhVd6o6W0P/H2EWs9KRa5zlTqfMiNPv3Eo/ILByzbezhHT OjKpSTr0Pb1gk9SeVVxS9mdYLeEzUpEljZ8PAj6RVKIbygIRTlxPvl5PQlnNMUPx2pVX vciaNvnTl7WjZH7QRxRclctaQ4ovbASQVQiIqQQWz6ZG7eitcPEiOX0XQEbuox78JS8e DFQ8hVFG/hJ2DzoDzCuO5+GIN2VCtJkp6GlcovkYbeZ+xjkeOsCBeH9/bsyyQSeE5moN eeGw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:feedback-id:references :in-reply-to:message-id:subject:cc:from:to:date:dkim-signature; bh=xXth9F6mwWUjnYOxzF4GaPch1yXF0oNpcQcxRS44w7o=; fh=P4quBinulthQn5hiRWEmiz+qUs1NaHyILMacydKehGk=; b=F0SUDYpFUYb9Y7yrXyb2fU6PW915MUNiq5jh6cEvBP3ObD+sawLIfpvOSvCqlCLN/Z zNQhulAAwLYVFe2FJkEUwexm2AOaedKzjGWd7NvmaYm0K/HhhwaLIO7yfWDzBrlgM7YE tulVuaOUQ8AkXqIJqOLZ3tgW2Vgz6a4ptklDiIBCJMbP+NjN6XegfW74pD/4jYVmQMPl 342oLogcVZQF99w445nBIQu8wYeEMQjWOzAjeI32fP5vkieLUClWKGhZM/bq5R3h75ly QwQGk/IY0g9qY/WJWL24Z4LmjfWCphTNcyGXKGCiFl7sEh/tVFCA7EvfdIXSPASVNvWN /kVA==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@proton.me header.s=protonmail header.b=drQZw0N5; arc=pass (i=1 spf=pass spfdomain=proton.me dkim=pass dkdomain=proton.me dmarc=pass fromdomain=proton.me); spf=pass (google.com: domain of linux-kernel+bounces-126034-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-126034-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=proton.me Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [2604:1380:40f1:3f00::1]) by mx.google.com with ESMTPS id i2-20020a63e902000000b005dc86bae4b8si7378536pgh.408.2024.03.31.03.28.09 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 31 Mar 2024 03:28:10 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-126034-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) client-ip=2604:1380:40f1:3f00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@proton.me header.s=protonmail header.b=drQZw0N5; arc=pass (i=1 spf=pass spfdomain=proton.me dkim=pass dkdomain=proton.me dmarc=pass fromdomain=proton.me); spf=pass (google.com: domain of linux-kernel+bounces-126034-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-126034-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=proton.me Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id D5AF6B20DEF for ; Sun, 31 Mar 2024 10:28:00 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 6695F77A03; Sun, 31 Mar 2024 10:27:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=proton.me header.i=@proton.me header.b="drQZw0N5" Received: from mail-4322.protonmail.ch (mail-4322.protonmail.ch [185.70.43.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 57498763EC; Sun, 31 Mar 2024 10:27:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.70.43.22 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711880872; cv=none; b=e6gMlreel5UHPKcXWnunhMQGoCd2rA86nQ+cTiFINgVFXBmGFYMlDog7vCjNbpptkM+1yNc2ZLiKGLi4pVBDWT68nobQAawBU5nhLGlevTdPfLhrsfqxHib6SDYEMICaDOgVIlOlEXuA7go0MxeelZPTwQjoQuMvGiH6GkLOcL0= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711880872; c=relaxed/simple; bh=L/10QJEhsAIm7eEgjRvTrgcoaqTTGRJhJ9WBna1Dhzo=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=B0ks29nkeg+I722LXKQRyPvB2otD09yFrnak5ITlEnAPyTkSlhlLPMUsnTZyq2y0f6JT8yaLRg9IKaAbBRhoV7HjPOptvczG/SgN/OQPtWaVoW6NlRD9iUeFX9/fpqm3DN2hYK6ADYAAD/friSXDYPbPmaFtHlzv9hWFAsbiwxs= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=proton.me; spf=pass smtp.mailfrom=proton.me; dkim=pass (2048-bit key) header.d=proton.me header.i=@proton.me header.b=drQZw0N5; arc=none smtp.client-ip=185.70.43.22 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=proton.me Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=proton.me DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=proton.me; s=protonmail; t=1711880862; x=1712140062; bh=xXth9F6mwWUjnYOxzF4GaPch1yXF0oNpcQcxRS44w7o=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=drQZw0N5x+P/gZGHHE0jckPV6Ol7xxWmHl241EVA4RqoHZXHzth9hx7sTbBfj4Ju1 8pOT0V6UUng3HHCl7BXMkwBefdE3p8A/5KDazXZB07HfNMOQJtA+CDLBT6q/zlyqOt /N2Co0gmGH0WsdP77w9XkNIlQTOPOsjnNsx4MuhJpR0K+5mbXgvpAKHXxcDbYbmwAm jsDoIUaQNFhBKSZfJJ91qnu+ru1ZKdsBBKwQ3KEFporLzFDvJM32o4+gO3LRHTzsUu J5wCxK4v9QdcIiN1vliExlJWEdNH2R9RHfQdUESW7DNEOCuecKuDvDljcJvdy9OS0B uuclS0MVnsaPA== Date: Sun, 31 Mar 2024 10:27:37 +0000 To: Wedson Almeida Filho From: Benno Lossin Cc: Miguel Ojeda , Alex Gaynor , Boqun Feng , Gary Guo , =?utf-8?Q?Bj=C3=B6rn_Roy_Baron?= , Andreas Hindborg , Alice Ryhl , Martin Rodriguez Reboredo , Asahi Lina , Eric Curtin , Neal Gompa , Thomas Bertschinger , Andrea Righi , Sumera Priyadarsini , Finn Behrens , Adam Bratschi-Kaye , stable@vger.kernel.org, Daniel Xu , rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] rust: macros: fix soundness issue in `module!` macro Message-ID: In-Reply-To: References: <20240327160346.22442-1-benno.lossin@proton.me> Feedback-ID: 71780778:user:proton Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On 31.03.24 03:00, Wedson Almeida Filho wrote: > On Wed, 27 Mar 2024 at 13:04, Benno Lossin wrote= : >> + #[cfg(not(MODULE))] >> + #[doc(hidden)] >> + #[no_mangle] >> + pub extern \"C\" fn __{name}_exit() {{ >> + __exit() I just noticed this should be wrapped in an `unsafe` block with a SAFETY comment. Will fix this in v2. >> + }} >> >> - #[cfg(not(MODULE))] >> - #[doc(hidden)] >> - #[no_mangle] >> - pub extern \"C\" fn __{name}_exit() {{ >> - __exit() >> - }} >> + /// # Safety >> + /// >> + /// This function must >> + /// - only be called once, >> + /// - not be called concurrently with `__exit`. >=20 > I don't think the second item is needed here, it really is a > requirement on `__exit`. Fixed. >=20 >> + unsafe fn __init() -> core::ffi::c_int {{ >> + match <{type_} as kernel::Module>::init(&THIS_M= ODULE) {{ >> + Ok(m) =3D> {{ >> + // SAFETY: >> + // no data race, since `__MOD` can only= be accessed by this module and >> + // there only `__init` and `__exit` acc= ess it. These functions are only >> + // called once and `__exit` cannot be c= alled before or during `__init`. >> + unsafe {{ >> + __MOD =3D Some(m); >> + }} >> + return 0; >> + }} >> + Err(e) =3D> {{ >> + return e.to_errno(); >> + }} >> + }} >> + }} >> >> - fn __init() -> core::ffi::c_int {{ >> - match <{type_} as kernel::Module>::init(&THIS_MODULE) {= { >> - Ok(m) =3D> {{ >> + /// # Safety >> + /// >> + /// This function must >> + /// - only be called once, >> + /// - be called after `__init`, >> + /// - not be called concurrently with `__init`. >=20 > The second item is incomplete: it must be called after `__init` *succeeds= *. Indeed. >=20 > With that added (which is a different precondition), I think the third > item can be dropped because if you have to wait to see whether > `__init` succeeded or failed before you can call `__exit`, then > certainly you cannot call it concurrently with `__init`. I would love to drop that requirement, but I am not sure we can. With that requirement, I wanted to ensure that no data race on `__MOD` can happen. If you need to verify that `__init` succeeded, one might think that it is not possible to call `__exit` such that a data race occurs, but I think it could theoretically be done if the concrete `Module` implementation never failed. Do you have any suggestion for what I could add to the "be called after `__init` was called and returned `0`" requirement to make a data race impossible? --=20 Cheers, Benno >=20 >> + unsafe fn __exit() {{ >> + // SAFETY: >> + // no data race, since `__MOD` can only be acce= ssed by this module and there >> + // only `__init` and `__exit` access it. These = functions are only called once >> + // and `__init` was already called. >> unsafe {{ >> - __MOD =3D Some(m); >> + // Invokes `drop()` on `__MOD`, which shoul= d be used for cleanup. >> + __MOD =3D None; >> }} >> - return 0; >> }} >> - Err(e) =3D> {{ >> - return e.to_errno(); >> - }} >> - }} >> - }} >> >> - fn __exit() {{ >> - unsafe {{ >> - // Invokes `drop()` on `__MOD`, which should be use= d for cleanup. >> - __MOD =3D None; >> + {modinfo} >> }} >> }} >> - >> - {modinfo} >> ", >> type_ =3D info.type_, >> name =3D info.name, >> >> base-commit: 4cece764965020c22cff7665b18a012006359095 >> -- >> 2.44.0 >> >>