| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aM8BrIT1clk_efE6@tardis.local>
Date: Sat, 20 Sep 2025 12:34:04 -0700
From: Boqun Feng <boqun.feng@...il.com>
To: Joel Fernandes <joelagnelf@...dia.com>
Cc: linux-kernel@...r.kernel.org, Miguel Ojeda <ojeda@...nel.org>,
Alex Gaynor <alex.gaynor@...il.com>, Gary Guo <gary@...yguo.net>,
Björn Roy Baron <bjorn3_gh@...tonmail.com>,
Benno Lossin <lossin@...nel.org>,
Andreas Hindborg <a.hindborg@...nel.org>,
Alice Ryhl <aliceryhl@...gle.com>, Trevor Gross <tmgross@...ch.edu>,
Danilo Krummrich <dakr@...nel.org>, acourbot@...dia.com,
Alistair Popple <apopple@...dia.com>, Timur Tabi <ttabi@...dia.com>,
rust-for-linux@...r.kernel.org
Subject: Re: [PATCH] rust: print: Fix issue with rust_build_error
On Sat, Sep 20, 2025 at 12:19:58PM -0400, Joel Fernandes wrote:
> When printing just before calling io.write32(), modpost fails due to
> build_assert's missing rust_build_error symbol. The issue is that, the
> printk arguments are passed as reference in bindings code, thus Rust
> cannot trust its value and fails to optimize away the build_assert.
>
I think "cannot trust" is a bit vague and misleading here, for this
kind of "workaround", we want the reason to be a bit clear. @Gary, could
you help explain it a bit more?
> The issue can be reproduced with the following simple snippet:
> let offset = 0;
> pr_err!("{}", offset);
> io.write32(base, offset);
>
> Fix it by just using a closure to call printk. Rust captures the
> arguments into the closure's arguments thus breaking the dependency.
> This can be fixed by simply creating a variable alias for each variable
> however the closure is a simple and concise fix.
>
Similar here, "breaking the dependency" and "creating a variable alias"
can be described more accurately, e.g. the latter can be "creating a new
binding".
All in all, we need to establish a wide understanding of the issue and
agree on a reasonable fix. But anyway, thank Joel for doing this ;-)
Regards,
Boqun
> Another approach with using const-generics for the io.write32 API was
> investigated, but it cannot work with code that dynamically calculates
> the write offset.
>
> Disassembly of users of pr_err!() with/without patch shows identical
> code generation, thus the fix has no difference in the final binary.
>
> Signed-off-by: Joel Fernandes <joelagnelf@...dia.com>
> ---
> rust/kernel/print.rs | 44 ++++++++++++++++++++++++--------------------
> 1 file changed, 24 insertions(+), 20 deletions(-)
>
> diff --git a/rust/kernel/print.rs b/rust/kernel/print.rs
> index 2d743d78d220..5847942195a7 100644
> --- a/rust/kernel/print.rs
> +++ b/rust/kernel/print.rs
> @@ -143,34 +143,38 @@ pub fn call_printk_cont(args: fmt::Arguments<'_>) {
> #[expect(clippy::crate_in_macro_def)]
> macro_rules! print_macro (
> // The non-continuation cases (most of them, e.g. `INFO`).
> - ($format_string:path, false, $($arg:tt)+) => (
> + ($format_string:path, false, $($arg:tt)+) => ({
> // To remain sound, `arg`s must be expanded outside the `unsafe` block.
> // Typically one would use a `let` binding for that; however, `format_args!`
> // takes borrows on the arguments, but does not extend the scope of temporaries.
> // Therefore, a `match` expression is used to keep them around, since
> // the scrutinee is kept until the end of the `match`.
> - match $crate::prelude::fmt!($($arg)+) {
> - // SAFETY: This hidden macro should only be called by the documented
> - // printing macros which ensure the format string is one of the fixed
> - // ones. All `__LOG_PREFIX`s are null-terminated as they are generated
> - // by the `module!` proc macro or fixed values defined in a kernel
> - // crate.
> - args => unsafe {
> - $crate::print::call_printk(
> - &$format_string,
> - crate::__LOG_PREFIX,
> - args,
> - );
> + (|| {
> + match $crate::prelude::fmt!($($arg)+) {
> + // SAFETY: This hidden macro should only be called by the documented
> + // printing macros which ensure the format string is one of the fixed
> + // ones. All `__LOG_PREFIX`s are null-terminated as they are generated
> + // by the `module!` proc macro or fixed values defined in a kernel
> + // crate.
> + args => unsafe {
> + $crate::print::call_printk(
> + &$format_string,
> + crate::__LOG_PREFIX,
> + args,
> + );
> + }
> }
> - }
> - );
> + })();
> + });
>
> // The `CONT` case.
> - ($format_string:path, true, $($arg:tt)+) => (
> - $crate::print::call_printk_cont(
> - $crate::prelude::fmt!($($arg)+),
> - );
> - );
> + ($format_string:path, true, $($arg:tt)+) => ({
> + (|| {
> + $crate::print::call_printk_cont(
> + $crate::prelude::fmt!($($arg)+),
> + );
> + })();
> + });
> );
>
> /// Stub for doctests
> --
> 2.34.1
>
Powered by blists - more mailing lists