lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250921005345.GB2101443@joelbox2>
Date: Sat, 20 Sep 2025 20:53:45 -0400
From: Joel Fernandes <joelagnelf@...dia.com>
To: Boqun Feng <boqun.feng@...il.com>
Cc: linux-kernel@...r.kernel.org, Miguel Ojeda <ojeda@...nel.org>,
	Alex Gaynor <alex.gaynor@...il.com>, Gary Guo <gary@...yguo.net>,
	Björn Roy Baron <bjorn3_gh@...tonmail.com>,
	Benno Lossin <lossin@...nel.org>,
	Andreas Hindborg <a.hindborg@...nel.org>,
	Alice Ryhl <aliceryhl@...gle.com>, Trevor Gross <tmgross@...ch.edu>,
	Danilo Krummrich <dakr@...nel.org>, acourbot@...dia.com,
	Alistair Popple <apopple@...dia.com>, Timur Tabi <ttabi@...dia.com>,
	rust-for-linux@...r.kernel.org
Subject: Re: [PATCH] rust: print: Fix issue with rust_build_error

Hi Boqun,

On Sat, Sep 20, 2025 at 12:34:04PM -0700, Boqun Feng wrote:
> On Sat, Sep 20, 2025 at 12:19:58PM -0400, Joel Fernandes wrote:
> > When printing just before calling io.write32(), modpost fails due to
> > build_assert's missing rust_build_error symbol. The issue is that, the
> > printk arguments are passed as reference in bindings code, thus Rust
> > cannot trust its value and fails to optimize away the build_assert.
> > 
> 
> I think "cannot trust" is a bit vague and misleading here, for this
> kind of "workaround", we want the reason to be a bit clear. @Gary, could
> you help explain it a bit more?

I dumped the MIR and LLVM IRs here. It appears in the case of calling an
external function, it creates a pointer:

MIR:

bb0: {
    _1 = const 42_i32;           // offset = 42
    _3 = &raw const _1;          // Address is taken causing an escape I think.
    _2 = some_func(move _3);
}

I then dumped the LLVM IR and saw that it is infact reloading the pointer
after some_func is called.

Where as otherwise, you don't see the 'raw const' thing and no reloading
(build check is optimized away).

But I freely admit to be not yet too knowledgeable about the Rust compiler
and I only arrived at this patch with trial and error.

> 
> > The issue can be reproduced with the following simple snippet:
> >   let offset = 0;
> >   pr_err!("{}", offset);
> >   io.write32(base, offset);
> > 
> > Fix it by just using a closure to call printk. Rust captures the
> > arguments into the closure's arguments thus breaking the dependency.
> > This can be fixed by simply creating a variable alias for each variable
> > however the closure is a simple and concise fix.
> > 
> 
> Similar here, "breaking the dependency" and "creating a variable alias"
> can be described more accurately, e.g. the latter can be "creating a new
> binding".

Yeah sorry, "breaking the dependency" is indeed vague. I meant there is a
dependency between the external function modifying the data pointed at, and
the code following external function call using the data. Due to this, the
pointer is reloaded. I'll explain it better.

> 
> All in all, we need to establish a wide understanding of the issue and
> agree on a reasonable fix. But anyway, thank Joel for doing this ;-)

Absolutely, please consider this patch as a starting point for an
investigation. Worst case, maybe if I fixed the closure issue, it can be a
temporary workaround to alleviate the pain felt by some real users.

thanks,

 - Joel


> 
> Regards,
> Boqun
> 
> > Another approach with using const-generics for the io.write32 API was
> > investigated, but it cannot work with code that dynamically calculates
> > the write offset.
> > 
> > Disassembly of users of pr_err!() with/without patch shows identical
> > code generation, thus the fix has no difference in the final binary.
> > 
> > Signed-off-by: Joel Fernandes <joelagnelf@...dia.com>
> > ---
> >  rust/kernel/print.rs | 44 ++++++++++++++++++++++++--------------------
> >  1 file changed, 24 insertions(+), 20 deletions(-)
> > 
> > diff --git a/rust/kernel/print.rs b/rust/kernel/print.rs
> > index 2d743d78d220..5847942195a7 100644
> > --- a/rust/kernel/print.rs
> > +++ b/rust/kernel/print.rs
> > @@ -143,34 +143,38 @@ pub fn call_printk_cont(args: fmt::Arguments<'_>) {
> >  #[expect(clippy::crate_in_macro_def)]
> >  macro_rules! print_macro (
> >      // The non-continuation cases (most of them, e.g. `INFO`).
> > -    ($format_string:path, false, $($arg:tt)+) => (
> > +    ($format_string:path, false, $($arg:tt)+) => ({
> >          // To remain sound, `arg`s must be expanded outside the `unsafe` block.
> >          // Typically one would use a `let` binding for that; however, `format_args!`
> >          // takes borrows on the arguments, but does not extend the scope of temporaries.
> >          // Therefore, a `match` expression is used to keep them around, since
> >          // the scrutinee is kept until the end of the `match`.
> > -        match $crate::prelude::fmt!($($arg)+) {
> > -            // SAFETY: This hidden macro should only be called by the documented
> > -            // printing macros which ensure the format string is one of the fixed
> > -            // ones. All `__LOG_PREFIX`s are null-terminated as they are generated
> > -            // by the `module!` proc macro or fixed values defined in a kernel
> > -            // crate.
> > -            args => unsafe {
> > -                $crate::print::call_printk(
> > -                    &$format_string,
> > -                    crate::__LOG_PREFIX,
> > -                    args,
> > -                );
> > +        (|| {
> > +            match $crate::prelude::fmt!($($arg)+) {
> > +                // SAFETY: This hidden macro should only be called by the documented
> > +                // printing macros which ensure the format string is one of the fixed
> > +                // ones. All `__LOG_PREFIX`s are null-terminated as they are generated
> > +                // by the `module!` proc macro or fixed values defined in a kernel
> > +                // crate.
> > +                args => unsafe {
> > +                    $crate::print::call_printk(
> > +                        &$format_string,
> > +                        crate::__LOG_PREFIX,
> > +                        args,
> > +                    );
> > +                }
> >              }
> > -        }
> > -    );
> > +        })();
> > +    });
> >  
> >      // The `CONT` case.
> > -    ($format_string:path, true, $($arg:tt)+) => (
> > -        $crate::print::call_printk_cont(
> > -            $crate::prelude::fmt!($($arg)+),
> > -        );
> > -    );
> > +    ($format_string:path, true, $($arg:tt)+) => ({
> > +        (|| {
> > +            $crate::print::call_printk_cont(
> > +                $crate::prelude::fmt!($($arg)+),
> > +            );
> > +        })();
> > +    });
> >  );
> >  
> >  /// Stub for doctests
> > -- 
> > 2.34.1
> >

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ