lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <2da1f1588ce8e02831e7bcda569f4e03ce88e4cf.camel@mailbox.org>
Date: Mon, 17 Nov 2025 09:24:19 +0100
From: Philipp Stanner <phasta@...lbox.org>
To: Alice Ryhl <aliceryhl@...gle.com>, Philipp Stanner <phasta@...nel.org>
Cc: Miguel Ojeda <ojeda@...nel.org>, Alex Gaynor <alex.gaynor@...il.com>, 
 Boqun Feng <boqun.feng@...il.com>, Gary Guo <gary@...yguo.net>,
 Björn Roy Baron <bjorn3_gh@...tonmail.com>, Benno Lossin
 <lossin@...nel.org>, Andreas Hindborg <a.hindborg@...nel.org>, Trevor Gross
 <tmgross@...ch.edu>, Danilo Krummrich <dakr@...nel.org>, Greg Kroah-Hartman
 <gregkh@...uxfoundation.org>, Viresh Kumar <viresh.kumar@...aro.org>, Tamir
 Duberstein <tamird@...il.com>,  rust-for-linux@...r.kernel.org,
 linux-kernel@...r.kernel.org
Subject: Re: [PATCH] rust: lib: Add necessary unsafes for container_of

On Fri, 2025-11-14 at 14:14 +0000, Alice Ryhl wrote:
> On Fri, Nov 14, 2025 at 03:00:21PM +0100, Philipp Stanner wrote:
> > When trying to use LinkedList in the kernel crate, build fails with an
> > error message demanding unsafe blocks in the container_of macro:
> > 

[…]

> >  rust/kernel/lib.rs | 7 +++++--
> >  1 file changed, 5 insertions(+), 2 deletions(-)
> > 
> > diff --git a/rust/kernel/lib.rs b/rust/kernel/lib.rs
> > index fef97f2a5098..a26b87015e7d 100644
> > --- a/rust/kernel/lib.rs
> > +++ b/rust/kernel/lib.rs
> > @@ -249,8 +249,11 @@ macro_rules! container_of {
> >      ($field_ptr:expr, $Container:ty, $($fields:tt)*) => {{
> >          let offset: usize = ::core::mem::offset_of!($Container, $($fields)*);
> >          let field_ptr = $field_ptr;
> > -        let container_ptr = field_ptr.byte_sub(offset).cast::<$Container>();
> > -        $crate::assert_same_type(field_ptr, (&raw const (*container_ptr).$($fields)*).cast_mut());
> > +        // SAFETY: Offsetting the pointer to the container is correct because the offset was
> > +        // calculated validly above.
> > +        let container_ptr = unsafe { field_ptr.byte_sub(offset).cast::<$Container>() };
> > +        // SAFETY: Safe because the container_ptr was validly created above.
> > +        $crate::assert_same_type(field_ptr, unsafe { (&raw const (*container_ptr).$($fields)*) }.cast_mut());
> 
> The unsafe block goes in the impl_list_item! macro. This change makes
> container_of! a safe operation, but is should not be a safe operation
> because it uses byte_sub which promises the compiler that this pointer
> offset operation stays within a single allocation.


OK, so container_of is an unsafe function and all uses of it must be
guarded by an unsafe block.

If I do this, however

diff --git a/rust/kernel/list/impl_list_item_mod.rs b/rust/kernel/list/impl_list_item_mod.rs
index 202bc6f97c13..2f05b73c9eed 100644
--- a/rust/kernel/list/impl_list_item_mod.rs
+++ b/rust/kernel/list/impl_list_item_mod.rs
@@ -217,7 +217,7 @@ unsafe fn view_value(me: *mut $crate::list::ListLinks<$num>) -> *const Self {
                 // SAFETY: `me` originates from the most recent call to `prepare_to_insert`, so it
                 // points at the field `$field` in a value of type `Self`. Thus, reversing that
                 // operation is still in-bounds of the allocation.
-                $crate::container_of!(me, Self, $($field).*)
+                unsafe { $crate::container_of!(me, Self, $($field).*) }
             }
 
             // GUARANTEES:
@@ -242,7 +242,7 @@ unsafe fn post_remove(me: *mut $crate::list::ListLinks<$num>) -> *const Self {
                 // SAFETY: `me` originates from the most recent call to `prepare_to_insert`, so it
                 // points at the field `$field` in a value of type `Self`. Thus, reversing that
                 // operation is still in-bounds of the allocation.
-                $crate::container_of!(me, Self, $($field).*)
+                unsafe { $crate::container_of!(me, Self, $($field).*) }
             }
         }
     )*};


then the compiler gets sad again, complaining precisely about the
internals of container_of:



error[E0133]: call to unsafe function `core::ptr::mut_ptr::<impl *mut T>::byte_sub` is unsafe and requires unsafe block
   --> rust/kernel/lib.rs:252:29
    |
252 |           let container_ptr = field_ptr.byte_sub(offset).cast::<$Container>();
    |                               ^^^^^^^^^^^^^^^^^^^^^^^^^^ call to unsafe function
    |
   ::: rust/kernel/drm/jq.rs:124:1
    |
124 | / impl_list_item! {
125 | |     impl ListItem<0> for EnqueuedJob<dyn JobData> { using ListLinksSelfPtr { self.links }; }
126 | | }
    | |_- in this macro invocation
    |
    = note: for more information, see <https://doc.rust-lang.org/nightly/edition-guide/rust-2024/unsafe-op-in-unsafe-fn.html>
    = note: consult the function's documentation for information on how to avoid undefined behavior
note: an unsafe function restricts its caller, but its body is safe by default
   --> rust/kernel/list/impl_list_item_mod.rs:269:13
    |
269 |               unsafe fn prepare_to_insert(me: *const Self) -> *mut $crate::list::ListLinks<$num> {
    |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    |
   ::: rust/kernel/drm/jq.rs:124:1
    |
124 | / impl_list_item! {
125 | |     impl ListItem<0> for EnqueuedJob<dyn JobData> { using ListLinksSelfPtr { self.links }; }
126 | | }
    | |_- in this macro invocation
    = note: requested on the command line with `-D unsafe-op-in-unsafe-fn`
    = note: this error originates in the macro `$crate::container_of` which comes from the expansion of the macro `impl_list_item` (in Nightly builds, run with -Z macro-backtrace for more info)

error[E0133]: dereference of raw pointer is unsafe and requires unsafe block
   --> rust/kernel/lib.rs:254:57
    |
254 |           $crate::assert_same_type(field_ptr, (&raw const (*container_ptr).$($fields)*).cast_mut());
    |                                                           ^^^^^^^^^^^^^^^^ dereference of raw pointer
    |
   ::: rust/kernel/drm/jq.rs:124:1
    |
124 | / impl_list_item! {
125 | |     impl ListItem<0> for EnqueuedJob<dyn JobData> { using ListLinksSelfPtr { self.links }; }
126 | | }
    | |_- in this macro invocation
    |
    = note: for more information, see <https://doc.rust-lang.org/nightly/edition-guide/rust-2024/unsafe-op-in-unsafe-fn.html>
    = note: raw pointers may be null, dangling or unaligned; they can violate aliasing rules and cause data races: all of these are undefined behavior
    = note: this error originates in the macro `$crate::container_of` which comes from the expansion of the macro `impl_list_item` (in Nightly builds, run with -Z macro-backtrace for more info)

error[E0133]: call to unsafe function `core::ptr::mut_ptr::<impl *mut T>::byte_sub` is unsafe and requires unsafe block
   --> rust/kernel/lib.rs:252:29
    |
252 |           let container_ptr = field_ptr.byte_sub(offset).cast::<$Container>();
    |                               ^^^^^^^^^^^^^^^^^^^^^^^^^^ call to unsafe function
    |
   ::: rust/kernel/drm/jq.rs:124:1
    |
124 | / impl_list_item! {
125 | |     impl ListItem<0> for EnqueuedJob<dyn JobData> { using ListLinksSelfPtr { self.links }; }
126 | | }
    | |_- in this macro invocation
    |
    = note: for more information, see <https://doc.rust-lang.org/nightly/edition-guide/rust-2024/unsafe-op-in-unsafe-fn.html>
    = note: consult the function's documentation for information on how to avoid undefined behavior
note: an unsafe function restricts its caller, but its body is safe by default
   --> rust/kernel/list/impl_list_item_mod.rs:321:13
    |
321 |               unsafe fn view_value(links_field: *mut $crate::list::ListLinks<$num>) -> *const Self {
    |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    |
   ::: rust/kernel/drm/jq.rs:124:1
    |
124 | / impl_list_item! {
125 | |     impl ListItem<0> for EnqueuedJob<dyn JobData> { using ListLinksSelfPtr { self.links }; }
126 | | }
    | |_- in this macro invocation
    = note: this error originates in the macro `$crate::container_of` which comes from the expansion of the macro `impl_list_item` (in Nightly builds, run with -Z macro-backtrace for more info)

error[E0133]: dereference of raw pointer is unsafe and requires unsafe block
   --> rust/kernel/lib.rs:254:57
    |
254 |           $crate::assert_same_type(field_ptr, (&raw const (*container_ptr).$($fields)*).cast_mut());
    |                                                           ^^^^^^^^^^^^^^^^ dereference of raw pointer
    |
   ::: rust/kernel/drm/jq.rs:124:1
    |
124 | / impl_list_item! {
125 | |     impl ListItem<0> for EnqueuedJob<dyn JobData> { using ListLinksSelfPtr { self.links }; }
126 | | }
    | |_- in this macro invocation
    |
    = note: for more information, see <https://doc.rust-lang.org/nightly/edition-guide/rust-2024/unsafe-op-in-unsafe-fn.html>
    = note: raw pointers may be null, dangling or unaligned; they can violate aliasing rules and cause data races: all of these are undefined behavior
    = note: this error originates in the macro `$crate::container_of` which comes from the expansion of the macro `impl_list_item` (in Nightly builds, run with -Z macro-backtrace for more info)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ