| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aRc5RVnXe4PGNkt0@google.com>
Date: Fri, 14 Nov 2025 14:14:29 +0000
From: Alice Ryhl <aliceryhl@...gle.com>
To: Philipp Stanner <phasta@...nel.org>
Cc: Miguel Ojeda <ojeda@...nel.org>, Alex Gaynor <alex.gaynor@...il.com>,
Boqun Feng <boqun.feng@...il.com>, Gary Guo <gary@...yguo.net>,
"Björn Roy Baron" <bjorn3_gh@...tonmail.com>, Benno Lossin <lossin@...nel.org>,
Andreas Hindborg <a.hindborg@...nel.org>, Trevor Gross <tmgross@...ch.edu>,
Danilo Krummrich <dakr@...nel.org>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Viresh Kumar <viresh.kumar@...aro.org>, Tamir Duberstein <tamird@...il.com>,
rust-for-linux@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] rust: lib: Add necessary unsafes for container_of
On Fri, Nov 14, 2025 at 03:00:21PM +0100, Philipp Stanner wrote:
> When trying to use LinkedList in the kernel crate, build fails with an
> error message demanding unsafe blocks in the container_of macro:
>
> error[E0133]: call to unsafe function `core::ptr::mut_ptr::<impl *mut T>::byte_sub`
> is unsafe and requires unsafe block
> --> rust/kernel/lib.rs:252:29
> |
> 252 | let container_ptr = field_ptr.byte_sub(offset).cast::<$Container>();
> | ^^^^^^^^^^^^^^^^^^^^^^^^^^ call to unsafe function
> |
> ::: rust/kernel/drm/jq.rs:98:1
> |
> 98 | / impl_list_item! {
> 99 | | impl ListItem<0> for BasicItem { using ListLinks { self.links }; }
> 100 | | }
> | |_- in this macro invocation
> |
> note: an unsafe function restricts its caller, but its body is safe by default
> --> rust/kernel/list/impl_list_item_mod.rs:216:13
> |
> 216 | unsafe fn view_value(me: *mut $crate::list::ListLinks<$num>) -> *const Self {
> | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> |
> ::: rust/kernel/drm/jq.rs:98:1
> |
> 98 | / impl_list_item! {
> 99 | | impl ListItem<0> for BasicItem { using ListLinks { self.links }; }
> 100 | | }
> | |_- in this macro invocation
> = note: requested on the command line with `-D unsafe-op-in-unsafe-fn`
> = note: this error originates in the macro `$crate::container_of` which comes
> from the expansion of the macro `impl_list_item`
>
> Add unsafe blocks to container_of to fix the issue.
>
> Fixes: b20fbbc08a36 ("rust: check type of `$ptr` in `container_of!`")
> Suggested-by: Alice Ryhl <aliceryhl@...gle.com>
> Signed-off-by: Philipp Stanner <phasta@...nel.org>
> ---
> I'm currently writing DrmJobqueue, a new piece of infrastructure. It
> uses LinkedList and resides in the kernel crate. When using LinkedList
> from within there, for reasons I don't fully understand the error above
> shows up.
> The other testing infrastructure doesn't seem to run into the error,
> though.
>
> P.
> ---
> rust/kernel/lib.rs | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/rust/kernel/lib.rs b/rust/kernel/lib.rs
> index fef97f2a5098..a26b87015e7d 100644
> --- a/rust/kernel/lib.rs
> +++ b/rust/kernel/lib.rs
> @@ -249,8 +249,11 @@ macro_rules! container_of {
> ($field_ptr:expr, $Container:ty, $($fields:tt)*) => {{
> let offset: usize = ::core::mem::offset_of!($Container, $($fields)*);
> let field_ptr = $field_ptr;
> - let container_ptr = field_ptr.byte_sub(offset).cast::<$Container>();
> - $crate::assert_same_type(field_ptr, (&raw const (*container_ptr).$($fields)*).cast_mut());
> + // SAFETY: Offsetting the pointer to the container is correct because the offset was
> + // calculated validly above.
> + let container_ptr = unsafe { field_ptr.byte_sub(offset).cast::<$Container>() };
> + // SAFETY: Safe because the container_ptr was validly created above.
> + $crate::assert_same_type(field_ptr, unsafe { (&raw const (*container_ptr).$($fields)*) }.cast_mut());
The unsafe block goes in the impl_list_item! macro. This change makes
container_of! a safe operation, but is should not be a safe operation
because it uses byte_sub which promises the compiler that this pointer
offset operation stays within a single allocation.
Alice
Powered by blists - more mailing lists