| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aYMfrT_Cv2NC-MB1@google.com>
Date: Wed, 4 Feb 2026 10:30:05 +0000
From: Alice Ryhl <aliceryhl@...gle.com>
To: Philipp Stanner <phasta@...nel.org>
Cc: David Airlie <airlied@...il.com>, Simona Vetter <simona@...ll.ch>,
Danilo Krummrich <dakr@...nel.org>, Gary Guo <gary@...yguo.net>, Benno Lossin <lossin@...nel.org>,
"Christian König" <christian.koenig@....com>, Boris Brezillon <boris.brezillon@...labora.com>,
Daniel Almeida <daniel.almeida@...labora.com>, Joel Fernandes <joelagnelf@...dia.com>,
linux-kernel@...r.kernel.org, dri-devel@...ts.freedesktop.org,
rust-for-linux@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [RFC PATCH 1/4] rust: list: Add unsafe for container_of
On Tue, Feb 03, 2026 at 09:14:00AM +0100, Philipp Stanner wrote:
> impl_list_item_mod.rs calls container_of() without unsafe blocks at a
> couple of places. Since container_of() is an unsafe macro / function,
> the blocks are strictly necessary.
>
> For unknown reasons, that problem was so far not visible and only gets
> visible once one utilizes the list implementation from within the core
> crate:
>
> error[E0133]: call to unsafe function `core::ptr::mut_ptr::<impl *mut T>::byte_sub`
> is unsafe and requires unsafe block
> --> rust/kernel/lib.rs:252:29
> |
> 252 | let container_ptr = field_ptr.byte_sub(offset).cast::<$Container>();
> | ^^^^^^^^^^^^^^^^^^^^^^^^^^ call to unsafe function
> |
> ::: rust/kernel/drm/jq.rs:98:1
> |
> 98 | / impl_list_item! {
> 99 | | impl ListItem<0> for BasicItem { using ListLinks { self.links }; }
> 100 | | }
> | |_- in this macro invocation
> |
> note: an unsafe function restricts its caller, but its body is safe by default
> --> rust/kernel/list/impl_list_item_mod.rs:216:13
> |
> 216 | unsafe fn view_value(me: *mut $crate::list::ListLinks<$num>) -> *const Self {
> | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> |
> ::: rust/kernel/drm/jq.rs:98:1
> |
> 98 | / impl_list_item! {
> 99 | | impl ListItem<0> for BasicItem { using ListLinks { self.links }; }
> 100 | | }
> | |_- in this macro invocation
> = note: requested on the command line with `-D unsafe-op-in-unsafe-fn`
> = note: this error originates in the macro `$crate::container_of` which comes
> from the expansion of the macro `impl_list_item`
>
> Add unsafe blocks to container_of to fix the issue.
>
> Cc: stable@...r.kernel.org # v6.17+
> Fixes: c77f85b347dd ("rust: list: remove OFFSET constants")
> Suggested-by: Alice Ryhl <aliceryhl@...gle.com>
> Signed-off-by: Philipp Stanner <phasta@...nel.org>
With the reason that Gary shared added to the commit message:
Reviewed-by: Alice Ryhl <aliceryhl@...gle.com>
> ---
> rust/kernel/list/impl_list_item_mod.rs | 12 ++++++------
> 1 file changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/rust/kernel/list/impl_list_item_mod.rs b/rust/kernel/list/impl_list_item_mod.rs
> index 202bc6f97c13..7052095efde5 100644
> --- a/rust/kernel/list/impl_list_item_mod.rs
> +++ b/rust/kernel/list/impl_list_item_mod.rs
> @@ -217,7 +217,7 @@ unsafe fn view_value(me: *mut $crate::list::ListLinks<$num>) -> *const Self {
> // SAFETY: `me` originates from the most recent call to `prepare_to_insert`, so it
> // points at the field `$field` in a value of type `Self`. Thus, reversing that
> // operation is still in-bounds of the allocation.
> - $crate::container_of!(me, Self, $($field).*)
> + unsafe { $crate::container_of!(me, Self, $($field).*) }
> }
>
> // GUARANTEES:
> @@ -242,7 +242,7 @@ unsafe fn post_remove(me: *mut $crate::list::ListLinks<$num>) -> *const Self {
> // SAFETY: `me` originates from the most recent call to `prepare_to_insert`, so it
> // points at the field `$field` in a value of type `Self`. Thus, reversing that
> // operation is still in-bounds of the allocation.
> - $crate::container_of!(me, Self, $($field).*)
> + unsafe { $crate::container_of!(me, Self, $($field).*) }
> }
> }
> )*};
> @@ -270,9 +270,9 @@ unsafe fn prepare_to_insert(me: *const Self) -> *mut $crate::list::ListLinks<$nu
> // SAFETY: The caller promises that `me` points at a valid value of type `Self`.
> let links_field = unsafe { <Self as $crate::list::ListItem<$num>>::view_links(me) };
>
> - let container = $crate::container_of!(
> + let container = unsafe { $crate::container_of!(
> links_field, $crate::list::ListLinksSelfPtr<Self, $num>, inner
> - );
> + ) };
It may be cleaner to write this as:
let container = unsafe {
$crate::container_of!(
links_field, $crate::list::ListLinksSelfPtr<Self, $num>, inner
)
};
Rustfmt has no effect on macro definitions, but if this was not a macro,
then I believe that rustfmt would format it like the above.
>
> // SAFETY: By the same reasoning above, `links_field` is a valid pointer.
> let self_ptr = unsafe {
> @@ -319,9 +319,9 @@ unsafe fn view_links(me: *const Self) -> *mut $crate::list::ListLinks<$num> {
> // `ListArc` containing `Self` until the next call to `post_remove`. The value cannot
> // be destroyed while a `ListArc` reference exists.
> unsafe fn view_value(links_field: *mut $crate::list::ListLinks<$num>) -> *const Self {
> - let container = $crate::container_of!(
> + let container = unsafe { $crate::container_of!(
> links_field, $crate::list::ListLinksSelfPtr<Self, $num>, inner
> - );
> + ) };
Ditto here.
Alice
Powered by blists - more mailing lists