Received: by 2002:ab2:1149:0:b0:1f3:1f8c:d0c6 with SMTP id z9csp2040004lqz; Tue, 2 Apr 2024 05:47:53 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCUKFy7XHo9zOY7i8YLdI+GVQmyu+pLM8y0a+3mpXl0ANcl+V1CTii6xpuKNCPN3v0+DC+vQJd1M5k9NS6DBdjpO4B6HQSjH5FJZnwpLaQ== X-Google-Smtp-Source: AGHT+IHj9U0jtkme4ZYuDk9VGcfLNMWqHluFKHhPef1Egki2OIlSdaXI0dKNtU8QJLIuayAfiguG X-Received: by 2002:a50:9ee6:0:b0:56d:e975:d1dd with SMTP id a93-20020a509ee6000000b0056de975d1ddmr1044404edf.22.1712062073534; Tue, 02 Apr 2024 05:47:53 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1712062073; cv=pass; d=google.com; s=arc-20160816; b=H/VXltJ8308B7VTrEEAmSamuCh1XgPFnT0mzLgpNFT68sXIbFQIWsMEfqalMsAk5mB gy3iERi7+k1xvEtfSxLgFa+mMkXtfVf90j/eto5E8I8DYkUx4ch+2gpM2HYFhTA7h8Im BdYXziFA19maMsN3DNO+yuRH3I8hoSCMkMnX4e0e0eTQEmlWFGhUIezQMqlEt44cYQ31 kATnrvEcUKX39PqX83nMz6Or3VBdYSy3dvE85YdPsG7hjFp0U/3fF/ilSmHH6e36lxvb ojZp6pT4tB4Q2khJJOFg2P1MLRCybsbhdprIe8Sn881pW0QH0LrVFvZ0QzaeKRkqAaRu ICsQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:feedback-id:references :in-reply-to:message-id:subject:cc:from:to:date:dkim-signature; bh=9xyuTCGaaAe31ycaYB+ZYD6nsgUvzbGxycpDYEU663s=; fh=iE8WIwXMxxcilA7Pbgb2TFS3+MGz8wNcqxj9Z0QCVxw=; b=NtaN/puv0N0nBDN728dlyhXmoIYFDmvUWSZiHJ9tQZ2YPxZejYOogvXgiad5NO/u+w mCEpHaGGqUpJVGoV4AwYQXaxpMkSao3KAOd5juHDHQSNjAmwMVwc1nvKbDE9ci9KHY/i rP0od03dotBzGIhArReDumfDV9edl7aom9IkYO6XCRR/EykyGIELEoWexeq0zP2bz5u/ 1Ml32x6UiZhtH8Ix9puW1zjevoSJdorGxB8RJlLtkgGIgpb/UBiphBzCEoVcUj9dgccz zcqj7J+V1sZLEAMucmYLgndYOhodNORPy+LRiM70jWXeDQ/REVbio3Wji3Eu0wLuXV0p KJSQ==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@proton.me header.s=protonmail header.b=TG+kzr3T; arc=pass (i=1 spf=pass spfdomain=proton.me dkim=pass dkdomain=proton.me dmarc=pass fromdomain=proton.me); spf=pass (google.com: domain of linux-kernel+bounces-127969-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-127969-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=proton.me Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [2604:1380:4601:e00::3]) by mx.google.com with ESMTPS id g8-20020a0564021ec800b00568c5cd4f45si5682543edg.625.2024.04.02.05.47.53 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 02 Apr 2024 05:47:53 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-127969-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3; Authentication-Results: mx.google.com; dkim=pass header.i=@proton.me header.s=protonmail header.b=TG+kzr3T; arc=pass (i=1 spf=pass spfdomain=proton.me dkim=pass dkdomain=proton.me dmarc=pass fromdomain=proton.me); spf=pass (google.com: domain of linux-kernel+bounces-127969-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-127969-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=proton.me Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 403DD1F21753 for ; Tue, 2 Apr 2024 12:47:53 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 08B4A7A141; Tue, 2 Apr 2024 12:47:45 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=proton.me header.i=@proton.me header.b="TG+kzr3T" Received: from mail-40133.protonmail.ch (mail-40133.protonmail.ch [185.70.40.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id F1DBA77F15; Tue, 2 Apr 2024 12:47:41 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.70.40.133 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712062064; cv=none; b=PjE4dOKzrmy7CPZP9CLo0aWZNkQxq2qKhpGVW4Mws16cT9XbnkbcN3YhKxHKM9nUlCYe0F0SqgQHDFqMVO/DRf4uog6eOAUfRshx2F292gv59djitX1Ak3xryby2MBarQGm3zVx+QnrXOmHIQvVaGq2xYbrYJ8nrCXKlExS5XhA= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712062064; c=relaxed/simple; bh=tv77wEY2gXIZxwexHBZDtQXMh//LD9JALwsTToG42s0=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=p8T7ZtUXEYjxXHjYy1YivlldfV56+1JYEVItdgIfv0ZBytb6nKPjNKo1BGO6/F3I5xsqVReCyqd9FjXBlxL6u/xtBqv0p97rRxHWTUjIuOiUAv2O9oCuJfsCvjP1RIFlzyZObMHOW+Jy5fjJ0zOWtKksUV8MOvZCJ3TgNiukPZI= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=proton.me; spf=pass smtp.mailfrom=proton.me; dkim=pass (2048-bit key) header.d=proton.me header.i=@proton.me header.b=TG+kzr3T; arc=none smtp.client-ip=185.70.40.133 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=proton.me Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=proton.me DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=proton.me; s=protonmail; t=1712062059; x=1712321259; bh=9xyuTCGaaAe31ycaYB+ZYD6nsgUvzbGxycpDYEU663s=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=TG+kzr3TwsqWUcLbtWZ6PfdIh3iPg/oJ5W4qWGbI0K5IiRAjwggyJuXOQnxm+8hSL YmiNT9OyPZGO61rWBLv+7aeZWLe5yrw373XGF4ufEKO5MCANKNmiu6wDwEvg6w8/h6 a6djz9Ga2cVYRPd3PuVtvchroM2sSLb9HWbwCqqaFivjh9zgp1B2OZtxlbo2AlO9uU Wbzo6C/viRR8gBHPlTcknRsSdec9oJQssEV2hAeCtjb2eXtqxiZRUkbcgTTVQpTabK AEQzqdoESVFRa8ccs+00opCqXH2EQfYMEJQB0scv77yNeh5HQN0g0vMkjCeHyHVhTW l2mEfF8g2ZdaQ== Date: Tue, 02 Apr 2024 12:47:34 +0000 To: Boqun Feng , Gary Guo From: Benno Lossin Cc: Miguel Ojeda , Alex Gaynor , Wedson Almeida Filho , =?utf-8?Q?Bj=C3=B6rn_Roy_Baron?= , Andreas Hindborg , Alice Ryhl , Martin Rodriguez Reboredo , Asahi Lina , Sumera Priyadarsini , Neal Gompa , Thomas Bertschinger , Andrea Righi , Matthew Bakhtiari , Adam Bratschi-Kaye , stable@vger.kernel.org, Masahiro Yamada , Wedson Almeida Filho , Finn Behrens , rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH v2] rust: macros: fix soundness issue in `module!` macro Message-ID: In-Reply-To: References: <20240401185222.12015-1-benno.lossin@proton.me> <20fcbbd0-4a7a-49b1-a383-f8b388153066@proton.me> Feedback-ID: 71780778:user:proton Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On 02.04.24 00:17, Boqun Feng wrote: > On Mon, Apr 01, 2024 at 10:01:34PM +0000, Benno Lossin wrote: >> On 01.04.24 23:10, Boqun Feng wrote: >>> On Mon, Apr 01, 2024 at 06:52:50PM +0000, Benno Lossin wrote: >>> [...] >>>> + // Double nested modules, since then nobody can access th= e public items inside. >>>> + mod __module_init {{ >>>> + mod __module_init {{ >>>> + use super::super::{type_}; >>>> + >>>> + /// The \"Rust loadable module\" mark. >>>> + // >>>> + // This may be best done another way later on, e.= g. as a new modinfo >>>> + // key or a new section. For the moment, keep it = simple. >>>> + #[cfg(MODULE)] >>>> + #[doc(hidden)] >>>> + #[used] >>>> + static __IS_RUST_MODULE: () =3D (); >>>> + >>>> + static mut __MOD: Option<{type_}> =3D None; >>>> + >>>> + // SAFETY: `__this_module` is constructed by the = kernel at load time and will not be >>>> + // freed until the module is unloaded. >>>> + #[cfg(MODULE)] >>>> + static THIS_MODULE: kernel::ThisModule =3D unsafe= {{ >>>> + kernel::ThisModule::from_ptr(&kernel::binding= s::__this_module as *const _ as *mut _) >>> >>> While we're at it, probably we want the following as well? I.e. using >>> `Opaque` and extern block, because __this_module is certainly something >>> interior mutable and !Unpin. >>> >>> diff --git a/rust/macros/module.rs b/rust/macros/module.rs >>> index 293beca0a583..8aa4eed6578c 100644 >>> --- a/rust/macros/module.rs >>> +++ b/rust/macros/module.rs >>> @@ -219,7 +219,11 @@ mod __module_init {{ >>> // freed until the module is unloaded. >>> #[cfg(MODULE)] >>> static THIS_MODULE: kernel::ThisModule =3D unsaf= e {{ >>> - kernel::ThisModule::from_ptr(&kernel::bindings= ::__this_module as *const _ as *mut _) >>> + extern \"C\" {{ >>> + static __this_module: kernel::types::Opaqu= e; >>> + }} >>> + >>> + kernel::ThisModule::from_ptr(__this_module.get= ()) >>> }}; >>> #[cfg(not(MODULE))] >>> static THIS_MODULE: kernel::ThisModule =3D unsaf= e {{ >>> >>> Thoughts? >> >> I am not sure we need it. Bindgen generates >> >> extern "C" { >> pub static mut __this_module: module; >> } >> >> And the `mut` should take care of the "it might be modified by other >> threads". >=20 > Hmm.. but there could a C thread modifies some field of __this_module > while Rust code uses it, e.g. struct module has a list_head in it, which > could be used by C code to put another module next to it. This still should not be a problem, since we never actually read or write to the mutable static. The only thing we are doing is taking its address. `addr_of_mut!` should be sufficient. (AFAIK `static mut` is designed such that it can be mutated at any time by any thread. Maybe Gary knows more?) --=20 Cheers, Benno