commit 7044dcff8301b29269016ebd17df27c4736140d2 · tjh.dev/kernel

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

rust: macros: fix soundness issue in `module!` macro

The `module!` macro creates glue code that are called by C to initialize
the Rust modules using the `Module::init` function. Part of this glue
code are the local functions `__init` and `__exit` that are used to
initialize/destroy the Rust module.

These functions are safe and also visible to the Rust mod in which the
`module!` macro is invoked. This means that they can be called by other
safe Rust code. But since they contain `unsafe` blocks that rely on only
being called at the right time, this is a soundness issue.

Wrap these generated functions inside of two private modules, this
guarantees that the public functions cannot be called from the outside.
Make the safe functions `unsafe` and add SAFETY comments.

Cc: stable@vger.kernel.org
Reported-by: Björn Roy Baron <bjorn3_gh@protonmail.com>
Closes: https://github.com/Rust-for-Linux/linux/issues/629
Fixes: 1fbde52bde73 ("rust: add `macros` crate")
Signed-off-by: Benno Lossin <benno.lossin@proton.me>
Reviewed-by: Wedson Almeida Filho <walmeida@microsoft.com>
Link: https://lore.kernel.org/r/20240401185222.12015-1-benno.lossin@proton.me
[ Moved `THIS_MODULE` out of the private-in-private modules since it
should remain public, as Dirk Behme noticed [1]. Capitalized comments,
avoided newline in non-list SAFETY comments and reworded to add
Reported-by and newline. ]
Link: https://rust-for-linux.zulipchat.com/#narrow/stream/291565-Help/topic/x/near/433512583 [1]
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>

authored by Benno Lossin and committed by Miguel Ojeda 2 years ago 7044dcff 49ceae68

+115 -75

1 changed file

expand all

unified split

rust

macros

module.rs

+115 -75

rust/macros/module.rs

··· 199 /// Used by the printing macros, e.g. [`info!`]. 200 const __LOG_PREFIX: &[u8] = b\"{name}\\0\"; 201 202 - /// The \"Rust loadable module\" mark. 203 - // 204 - // This may be best done another way later on, e.g. as a new modinfo 205 - // key or a new section. For the moment, keep it simple. 206 - #[cfg(MODULE)] 207 - #[doc(hidden)] 208 - #[used] 209 - static __IS_RUST_MODULE: () = (); 210 - 211 - static mut __MOD: Option<{type_}> = None; 212 - 213 // SAFETY: `__this_module` is constructed by the kernel at load time and will not be 214 // freed until the module is unloaded. 215 #[cfg(MODULE)] ··· 210 kernel::ThisModule::from_ptr(core::ptr::null_mut()) 211 }}; 212 213 - // Loadable modules need to export the `{{init,cleanup}}_module` identifiers. 214 - /// # Safety 215 - /// 216 - /// This function must not be called after module initialization, because it may be 217 - /// freed after that completes. 218 - #[cfg(MODULE)] 219 - #[doc(hidden)] 220 - #[no_mangle] 221 - #[link_section = \".init.text\"] 222 - pub unsafe extern \"C\" fn init_module() -> core::ffi::c_int {{ 223 - __init() 224 - }} 225 226 - #[cfg(MODULE)] 227 - #[doc(hidden)] 228 - #[no_mangle] 229 - pub extern \"C\" fn cleanup_module() {{ 230 - __exit() 231 - }} 232 233 - // Built-in modules are initialized through an initcall pointer 234 - // and the identifiers need to be unique. 235 - #[cfg(not(MODULE))] 236 - #[cfg(not(CONFIG_HAVE_ARCH_PREL32_RELOCATIONS))] 237 - #[doc(hidden)] 238 - #[link_section = \"{initcall_section}\"] 239 - #[used] 240 - pub static __{name}_initcall: extern \"C\" fn() -> core::ffi::c_int = __{name}_init; 241 242 - #[cfg(not(MODULE))] 243 - #[cfg(CONFIG_HAVE_ARCH_PREL32_RELOCATIONS)] 244 - core::arch::global_asm!( 245 - r#\".section \"{initcall_section}\", \"a\" 246 - __{name}_initcall: 247 - .long __{name}_init - . 248 - .previous 249 - \"# 250 - ); 251 252 - #[cfg(not(MODULE))] 253 - #[doc(hidden)] 254 - #[no_mangle] 255 - pub extern \"C\" fn __{name}_init() -> core::ffi::c_int {{ 256 - __init() 257 - }} 258 259 - #[cfg(not(MODULE))] 260 - #[doc(hidden)] 261 - #[no_mangle] 262 - pub extern \"C\" fn __{name}_exit() {{ 263 - __exit() 264 - }} 265 266 - fn __init() -> core::ffi::c_int {{ 267 - match <{type_} as kernel::Module>::init(&THIS_MODULE) {{ 268 - Ok(m) => {{ 269 - unsafe {{ 270 - __MOD = Some(m); 271 }} 272 - return 0; 273 }} 274 - Err(e) => {{ 275 - return e.to_errno(); 276 }} 277 }} 278 }} 279 - 280 - fn __exit() {{ 281 - unsafe {{ 282 - // Invokes `drop()` on `__MOD`, which should be used for cleanup. 283 - __MOD = None; 284 - }} 285 - }} 286 - 287 - {modinfo} 288 ", 289 type_ = info.type_, 290 name = info.name,

··· 199 /// Used by the printing macros, e.g. [`info!`]. 200 const __LOG_PREFIX: &[u8] = b\"{name}\\0\"; 201 202 // SAFETY: `__this_module` is constructed by the kernel at load time and will not be 203 // freed until the module is unloaded. 204 #[cfg(MODULE)] ··· 221 kernel::ThisModule::from_ptr(core::ptr::null_mut()) 222 }}; 223 224 + // Double nested modules, since then nobody can access the public items inside. 225 + mod __module_init {{ 226 + mod __module_init {{ 227 + use super::super::{type_}; 228 229 + /// The \"Rust loadable module\" mark. 230 + // 231 + // This may be best done another way later on, e.g. as a new modinfo 232 + // key or a new section. For the moment, keep it simple. 233 + #[cfg(MODULE)] 234 + #[doc(hidden)] 235 + #[used] 236 + static __IS_RUST_MODULE: () = (); 237 238 + static mut __MOD: Option<{type_}> = None; 239 240 + // Loadable modules need to export the `{{init,cleanup}}_module` identifiers. 241 + /// # Safety 242 + /// 243 + /// This function must not be called after module initialization, because it may be 244 + /// freed after that completes. 245 + #[cfg(MODULE)] 246 + #[doc(hidden)] 247 + #[no_mangle] 248 + #[link_section = \".init.text\"] 249 + pub unsafe extern \"C\" fn init_module() -> core::ffi::c_int {{ 250 + // SAFETY: This function is inaccessible to the outside due to the double 251 + // module wrapping it. It is called exactly once by the C side via its 252 + // unique name. 253 + unsafe {{ __init() }} 254 + }} 255 256 + #[cfg(MODULE)] 257 + #[doc(hidden)] 258 + #[no_mangle] 259 + pub extern \"C\" fn cleanup_module() {{ 260 + // SAFETY: 261 + // - This function is inaccessible to the outside due to the double 262 + // module wrapping it. It is called exactly once by the C side via its 263 + // unique name, 264 + // - furthermore it is only called after `init_module` has returned `0` 265 + // (which delegates to `__init`). 266 + unsafe {{ __exit() }} 267 + }} 268 269 + // Built-in modules are initialized through an initcall pointer 270 + // and the identifiers need to be unique. 271 + #[cfg(not(MODULE))] 272 + #[cfg(not(CONFIG_HAVE_ARCH_PREL32_RELOCATIONS))] 273 + #[doc(hidden)] 274 + #[link_section = \"{initcall_section}\"] 275 + #[used] 276 + pub static __{name}_initcall: extern \"C\" fn() -> core::ffi::c_int = __{name}_init; 277 278 + #[cfg(not(MODULE))] 279 + #[cfg(CONFIG_HAVE_ARCH_PREL32_RELOCATIONS)] 280 + core::arch::global_asm!( 281 + r#\".section \"{initcall_section}\", \"a\" 282 + __{name}_initcall: 283 + .long __{name}_init - . 284 + .previous 285 + \"# 286 + ); 287 + 288 + #[cfg(not(MODULE))] 289 + #[doc(hidden)] 290 + #[no_mangle] 291 + pub extern \"C\" fn __{name}_init() -> core::ffi::c_int {{ 292 + // SAFETY: This function is inaccessible to the outside due to the double 293 + // module wrapping it. It is called exactly once by the C side via its 294 + // placement above in the initcall section. 295 + unsafe {{ __init() }} 296 + }} 297 + 298 + #[cfg(not(MODULE))] 299 + #[doc(hidden)] 300 + #[no_mangle] 301 + pub extern \"C\" fn __{name}_exit() {{ 302 + // SAFETY: 303 + // - This function is inaccessible to the outside due to the double 304 + // module wrapping it. It is called exactly once by the C side via its 305 + // unique name, 306 + // - furthermore it is only called after `__{name}_init` has returned `0` 307 + // (which delegates to `__init`). 308 + unsafe {{ __exit() }} 309 + }} 310 + 311 + /// # Safety 312 + /// 313 + /// This function must only be called once. 314 + unsafe fn __init() -> core::ffi::c_int {{ 315 + match <{type_} as kernel::Module>::init(&super::super::THIS_MODULE) {{ 316 + Ok(m) => {{ 317 + // SAFETY: No data race, since `__MOD` can only be accessed by this 318 + // module and there only `__init` and `__exit` access it. These 319 + // functions are only called once and `__exit` cannot be called 320 + // before or during `__init`. 321 + unsafe {{ 322 + __MOD = Some(m); 323 + }} 324 + return 0; 325 + }} 326 + Err(e) => {{ 327 + return e.to_errno(); 328 + }} 329 }} 330 }} 331 + 332 + /// # Safety 333 + /// 334 + /// This function must 335 + /// - only be called once, 336 + /// - be called after `__init` has been called and returned `0`. 337 + unsafe fn __exit() {{ 338 + // SAFETY: No data race, since `__MOD` can only be accessed by this module 339 + // and there only `__init` and `__exit` access it. These functions are only 340 + // called once and `__init` was already called. 341 + unsafe {{ 342 + // Invokes `drop()` on `__MOD`, which should be used for cleanup. 343 + __MOD = None; 344 + }} 345 }} 346 + 347 + {modinfo} 348 }} 349 }} 350 ", 351 type_ = info.type_, 352 name = info.name,