#
f9275893 |
| 28-Aug-2024 |
Boqun Feng <boqun.feng@gmail.com> |
rust: macros: provide correct provenance when constructing THIS_MODULE
commit a5a3c952e82c1ada12bf8c55b73af26f1a454bd2 upstream.
Currently while defining `THIS_MODULE` symbol in `module!()`, the po
rust: macros: provide correct provenance when constructing THIS_MODULE
commit a5a3c952e82c1ada12bf8c55b73af26f1a454bd2 upstream.
Currently while defining `THIS_MODULE` symbol in `module!()`, the pointer used to construct `ThisModule` is derived from an immutable reference of `__this_module`, which means the pointer doesn't have the provenance for writing, and that means any write to that pointer is UB regardless of data races or not. However, the usage of `THIS_MODULE` includes passing this pointer to functions that may write to it (probably in unsafe code), and this will create soundness issues.
One way to fix this is using `addr_of_mut!()` but that requires the unstable feature "const_mut_refs". So instead of `addr_of_mut()!`, an extern static `Opaque` is used here: since `Opaque<T>` is transparent to `T`, an extern static `Opaque` will just wrap the C symbol (defined in a C compile unit) in an `Opaque`, which provides a pointer with writable provenance via `Opaque::get()`. This fix the potential UBs because of pointer provenance unmatched.
Reported-by: Alice Ryhl <aliceryhl@google.com> Signed-off-by: Boqun Feng <boqun.feng@gmail.com> Reviewed-by: Alice Ryhl <aliceryhl@google.com> Reviewed-by: Trevor Gross <tmgross@umich.edu> Reviewed-by: Benno Lossin <benno.lossin@proton.me> Reviewed-by: Gary Guo <gary@garyguo.net> Closes: https://rust-for-linux.zulipchat.com/#narrow/stream/x/topic/x/near/465412664 Fixes: 1fbde52bde73 ("rust: add `macros` crate") Cc: stable@vger.kernel.org # 6.6.x: be2ca1e03965: ("rust: types: Make Opaque::get const") Link: https://lore.kernel.org/r/20240828180129.4046355-1-boqun.feng@gmail.com [ Fixed two typos, reworded title. - Miguel ] Signed-off-by: Miguel Ojeda <ojeda@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
show more ...
|
#
a4dec33d |
| 01-Apr-2024 |
Benno Lossin <benno.lossin@proton.me> |
rust: macros: fix soundness issue in `module!` macro
[ Upstream commit 7044dcff8301b29269016ebd17df27c4736140d2 ]
The `module!` macro creates glue code that are called by C to initialize the Rust m
rust: macros: fix soundness issue in `module!` macro
[ Upstream commit 7044dcff8301b29269016ebd17df27c4736140d2 ]
The `module!` macro creates glue code that are called by C to initialize the Rust modules using the `Module::init` function. Part of this glue code are the local functions `__init` and `__exit` that are used to initialize/destroy the Rust module.
These functions are safe and also visible to the Rust mod in which the `module!` macro is invoked. This means that they can be called by other safe Rust code. But since they contain `unsafe` blocks that rely on only being called at the right time, this is a soundness issue.
Wrap these generated functions inside of two private modules, this guarantees that the public functions cannot be called from the outside. Make the safe functions `unsafe` and add SAFETY comments.
Cc: stable@vger.kernel.org Reported-by: Björn Roy Baron <bjorn3_gh@protonmail.com> Closes: https://github.com/Rust-for-Linux/linux/issues/629 Fixes: 1fbde52bde73 ("rust: add `macros` crate") Signed-off-by: Benno Lossin <benno.lossin@proton.me> Reviewed-by: Wedson Almeida Filho <walmeida@microsoft.com> Link: https://lore.kernel.org/r/20240401185222.12015-1-benno.lossin@proton.me [ Moved `THIS_MODULE` out of the private-in-private modules since it should remain public, as Dirk Behme noticed [1]. Capitalized comments, avoided newline in non-list SAFETY comments and reworded to add Reported-by and newline. ] Link: https://rust-for-linux.zulipchat.com/#narrow/stream/291565-Help/topic/x/near/433512583 [1] Signed-off-by: Miguel Ojeda <ojeda@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
show more ...
|
#
738ea6d9 |
| 06-Feb-2024 |
Thomas Bertschinger <tahbertschinger@gmail.com> |
rust: module: place generated init_module() function in .init.text
[ Upstream commit 1b6170ff7a203a5e8354f19b7839fe8b897a9c0d ]
Currently Rust kernel modules have their init code placed in the `.te
rust: module: place generated init_module() function in .init.text
[ Upstream commit 1b6170ff7a203a5e8354f19b7839fe8b897a9c0d ]
Currently Rust kernel modules have their init code placed in the `.text` section of the .ko file. I don't think this causes any real problems for Rust modules as long as all code called during initialization lives in `.text`.
However, if a Rust `init_module()` function (that lives in `.text`) calls a function marked with `__init` (in C) or `#[link_section = ".init.text"]` (in Rust), then a warning is generated by modpost because that function lives in `.init.text`. For example:
WARNING: modpost: fs/bcachefs/bcachefs: section mismatch in reference: init_module+0x6 (section: .text) -> _RNvXCsj7d3tFpT5JS_15bcachefs_moduleNtB2_8BcachefsNtCsjDtqRIL3JAG_6kernel6Module4init (section: .init.text)
I ran into this while experimenting with converting the bcachefs kernel module from C to Rust. The module's `init()`, written in Rust, calls C functions like `bch2_vfs_init()` which are placed in `.init.text`.
This patch places the macro-generated `init_module()` Rust function in the `.init.text` section. It also marks `init_module()` as unsafe--now it may not be called after module initialization completes because it may be freed already.
Note that this is not enough on its own to actually get all the module initialization code in that section. The module author must still add the `#[link_section = ".init.text"]` attribute to the Rust `init()` in the `impl kernel::Module` block in order to then call `__init` functions. However, this patch enables module authors do so, when previously it would not be possible (without warnings).
Signed-off-by: Thomas Bertschinger <tahbertschinger@gmail.com> Reviewed-by: Martin Rodriguez Reboredo <yakoyoku@gmail.com> Reviewed-by: Alice Ryhl <aliceryhl@google.com> Link: https://lore.kernel.org/r/20240206153806.567055-1-tahbertschinger@gmail.com [ Reworded title to add prefix. ] Signed-off-by: Miguel Ojeda <ojeda@kernel.org> Stable-dep-of: 7044dcff8301 ("rust: macros: fix soundness issue in `module!` macro") Signed-off-by: Sasha Levin <sashal@kernel.org>
show more ...
|
#
41bdc6de |
| 04-Jul-2023 |
Andrea Righi <andrea.righi@canonical.com> |
btf, scripts: rust: drop is_rust_module.sh
With commit c1177979af9c ("btf, scripts: Exclude Rust CUs with pahole") we are now able to use pahole directly to identify Rust compilation units (CUs) and
btf, scripts: rust: drop is_rust_module.sh
With commit c1177979af9c ("btf, scripts: Exclude Rust CUs with pahole") we are now able to use pahole directly to identify Rust compilation units (CUs) and exclude them from generating BTF debugging information (when DEBUG_INFO_BTF is enabled).
And if pahole doesn't support the --lang-exclude flag, we can't enable both RUST and DEBUG_INFO_BTF at the same time.
So, in any case, the script is_rust_module.sh is just redundant and we can drop it.
NOTE: we may also be able to drop the "Rust loadable module" mark inside Rust modules, but it seems safer to keep it for now to make sure we are not breaking any external tool that may potentially rely on it.
Signed-off-by: Andrea Righi <andrea.righi@canonical.com> Reviewed-by: Nathan Chancellor <nathan@kernel.org> Tested-by: Eric Curtin <ecurtin@redhat.com> Reviewed-by: Eric Curtin <ecurtin@redhat.com> Reviewed-by: Neal Gompa <neal@gompa.dev> Reviewed-by: Masahiro Yamada <masahiroy@kernel.org> Reviewed-by: Martin Rodriguez Reboredo <yakoyoku@gmail.com> Acked-by: Daniel Xu <dxu@dxuuu.xyz> Link: https://lore.kernel.org/r/20230704052136.155445-1-andrea.righi@canonical.com [ Picked the `Reviewed-by`s from the old patch too. ] Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
show more ...
|
#
46384d09 |
| 03-Apr-2023 |
Asahi Lina <lina@asahilina.net> |
rust: error: Rename to_kernel_errno() -> to_errno()
This is kernel code, so specifying "kernel" is redundant. Let's simplify things and just call it to_errno().
Reviewed-by: Gary Guo <gary@garyguo.
rust: error: Rename to_kernel_errno() -> to_errno()
This is kernel code, so specifying "kernel" is redundant. Let's simplify things and just call it to_errno().
Reviewed-by: Gary Guo <gary@garyguo.net> Reviewed-by: Martin Rodriguez Reboredo <yakoyoku@gmail.com> Signed-off-by: Asahi Lina <lina@asahilina.net> Link: https://lore.kernel.org/r/20230224-rust-error-v3-1-03779bddc02b@asahilina.net Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
show more ...
|
#
39867fec |
| 23-Mar-2023 |
Asahi Lina <lina@asahilina.net> |
rust: macros: Allow specifying multiple module aliases
Modules can (and usually do) have multiple alias tags, in order to specify multiple possible device matches for autoloading. Allow this by chan
rust: macros: Allow specifying multiple module aliases
Modules can (and usually do) have multiple alias tags, in order to specify multiple possible device matches for autoloading. Allow this by changing the alias ModuleInfo field to an Option<Vec<String>>.
Note: For normal device IDs this is autogenerated by modpost (which is not properly integrated with Rust support yet), so it is useful to be able to manually add device match aliases for now, and should still be useful in the future for corner cases that modpost does not handle.
This pulls in the expect_group() helper from the rfl/rust branch (with credit to authors).
Co-developed-by: Miguel Ojeda <ojeda@kernel.org> Signed-off-by: Miguel Ojeda <ojeda@kernel.org> Co-developed-by: Finn Behrens <me@kloenk.dev> Signed-off-by: Finn Behrens <me@kloenk.dev> Co-developed-by: Sumera Priyadarsini <sylphrenadin@gmail.com> Signed-off-by: Sumera Priyadarsini <sylphrenadin@gmail.com> Reviewed-by: Vincenzo Palazzo <vincenzopalazzodev@gmail.com> Signed-off-by: Asahi Lina <lina@asahilina.net> Link: https://lore.kernel.org/r/20230224-rust-macros-v2-1-7396e8b7018d@asahilina.net Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
show more ...
|
#
b13c9880 |
| 10-Nov-2022 |
Gary Guo <gary@garyguo.net> |
rust: macros: take string literals in `module!`
Instead of taking binary string literals, take string ones instead, making it easier for users to define a module, i.e. instead of calling `module!` l
rust: macros: take string literals in `module!`
Instead of taking binary string literals, take string ones instead, making it easier for users to define a module, i.e. instead of calling `module!` like:
module! { ... name: b"rust_minimal", ... }
now it is called as:
module! { ... name: "rust_minimal", ... }
Module names, aliases and license strings are restricted to ASCII only. However, the author and the description allows UTF-8.
For simplicity (avoid parsing), escape sequences and raw string literals are not yet handled.
Link: https://github.com/Rust-for-Linux/linux/issues/252 Link: https://lore.kernel.org/lkml/YukvvPOOu8uZl7+n@yadro.com/ Signed-off-by: Gary Guo <gary@garyguo.net> [Reworded, adapted for upstream and applied latest changes] Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
show more ...
|
#
1fbde52b |
| 03-Jul-2021 |
Miguel Ojeda <ojeda@kernel.org> |
rust: add `macros` crate
This crate contains all the procedural macros ("proc macros") shared by all the kernel.
Procedural macros allow to create syntax extensions. They run at compile-time and ca
rust: add `macros` crate
This crate contains all the procedural macros ("proc macros") shared by all the kernel.
Procedural macros allow to create syntax extensions. They run at compile-time and can consume as well as produce Rust syntax.
For instance, the `module!` macro that is used by Rust modules is implemented here. It allows to easily declare the equivalent information to the `MODULE_*` macros in C modules, e.g.:
module! { type: RustMinimal, name: b"rust_minimal", author: b"Rust for Linux Contributors", description: b"Rust minimal sample", license: b"GPL", }
Co-developed-by: Alex Gaynor <alex.gaynor@gmail.com> Signed-off-by: Alex Gaynor <alex.gaynor@gmail.com> Co-developed-by: Finn Behrens <me@kloenk.de> Signed-off-by: Finn Behrens <me@kloenk.de> Co-developed-by: Adam Bratschi-Kaye <ark.email@gmail.com> Signed-off-by: Adam Bratschi-Kaye <ark.email@gmail.com> Co-developed-by: Wedson Almeida Filho <wedsonaf@google.com> Signed-off-by: Wedson Almeida Filho <wedsonaf@google.com> Co-developed-by: Sumera Priyadarsini <sylphrenadin@gmail.com> Signed-off-by: Sumera Priyadarsini <sylphrenadin@gmail.com> Co-developed-by: Gary Guo <gary@garyguo.net> Signed-off-by: Gary Guo <gary@garyguo.net> Co-developed-by: Matthew Bakhtiari <dev@mtbk.me> Signed-off-by: Matthew Bakhtiari <dev@mtbk.me> Co-developed-by: Björn Roy Baron <bjorn3_gh@protonmail.com> Signed-off-by: Björn Roy Baron <bjorn3_gh@protonmail.com> Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
show more ...
|