From: Philipp Stanner <phasta@mailbox.org>
To: Alice Ryhl <aliceryhl@google.com>, Philipp Stanner <phasta@kernel.org>
Cc: "Miguel Ojeda" <ojeda@kernel.org>,
"Alex Gaynor" <alex.gaynor@gmail.com>,
"Boqun Feng" <boqun.feng@gmail.com>,
"Gary Guo" <gary@garyguo.net>,
"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
"Benno Lossin" <lossin@kernel.org>,
"Andreas Hindborg" <a.hindborg@kernel.org>,
"Trevor Gross" <tmgross@umich.edu>,
"Danilo Krummrich" <dakr@kernel.org>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Viresh Kumar" <viresh.kumar@linaro.org>,
"Tamir Duberstein" <tamird@gmail.com>,
rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] rust: lib: Add necessary unsafes for container_of
Date: Mon, 17 Nov 2025 09:24:19 +0100 [thread overview]
Message-ID: <2da1f1588ce8e02831e7bcda569f4e03ce88e4cf.camel@mailbox.org> (raw)
In-Reply-To: <aRc5RVnXe4PGNkt0@google.com>
On Fri, 2025-11-14 at 14:14 +0000, Alice Ryhl wrote:
> On Fri, Nov 14, 2025 at 03:00:21PM +0100, Philipp Stanner wrote:
> > When trying to use LinkedList in the kernel crate, build fails with an
> > error message demanding unsafe blocks in the container_of macro:
> >
[…]
> > rust/kernel/lib.rs | 7 +++++--
> > 1 file changed, 5 insertions(+), 2 deletions(-)
> >
> > diff --git a/rust/kernel/lib.rs b/rust/kernel/lib.rs
> > index fef97f2a5098..a26b87015e7d 100644
> > --- a/rust/kernel/lib.rs
> > +++ b/rust/kernel/lib.rs
> > @@ -249,8 +249,11 @@ macro_rules! container_of {
> > ($field_ptr:expr, $Container:ty, $($fields:tt)*) => {{
> > let offset: usize = ::core::mem::offset_of!($Container, $($fields)*);
> > let field_ptr = $field_ptr;
> > - let container_ptr = field_ptr.byte_sub(offset).cast::<$Container>();
> > - $crate::assert_same_type(field_ptr, (&raw const (*container_ptr).$($fields)*).cast_mut());
> > + // SAFETY: Offsetting the pointer to the container is correct because the offset was
> > + // calculated validly above.
> > + let container_ptr = unsafe { field_ptr.byte_sub(offset).cast::<$Container>() };
> > + // SAFETY: Safe because the container_ptr was validly created above.
> > + $crate::assert_same_type(field_ptr, unsafe { (&raw const (*container_ptr).$($fields)*) }.cast_mut());
>
> The unsafe block goes in the impl_list_item! macro. This change makes
> container_of! a safe operation, but is should not be a safe operation
> because it uses byte_sub which promises the compiler that this pointer
> offset operation stays within a single allocation.
OK, so container_of is an unsafe function and all uses of it must be
guarded by an unsafe block.
If I do this, however
diff --git a/rust/kernel/list/impl_list_item_mod.rs b/rust/kernel/list/impl_list_item_mod.rs
index 202bc6f97c13..2f05b73c9eed 100644
--- a/rust/kernel/list/impl_list_item_mod.rs
+++ b/rust/kernel/list/impl_list_item_mod.rs
@@ -217,7 +217,7 @@ unsafe fn view_value(me: *mut $crate::list::ListLinks<$num>) -> *const Self {
// SAFETY: `me` originates from the most recent call to `prepare_to_insert`, so it
// points at the field `$field` in a value of type `Self`. Thus, reversing that
// operation is still in-bounds of the allocation.
- $crate::container_of!(me, Self, $($field).*)
+ unsafe { $crate::container_of!(me, Self, $($field).*) }
}
// GUARANTEES:
@@ -242,7 +242,7 @@ unsafe fn post_remove(me: *mut $crate::list::ListLinks<$num>) -> *const Self {
// SAFETY: `me` originates from the most recent call to `prepare_to_insert`, so it
// points at the field `$field` in a value of type `Self`. Thus, reversing that
// operation is still in-bounds of the allocation.
- $crate::container_of!(me, Self, $($field).*)
+ unsafe { $crate::container_of!(me, Self, $($field).*) }
}
}
)*};
then the compiler gets sad again, complaining precisely about the
internals of container_of:
error[E0133]: call to unsafe function `core::ptr::mut_ptr::<impl *mut T>::byte_sub` is unsafe and requires unsafe block
--> rust/kernel/lib.rs:252:29
|
252 | let container_ptr = field_ptr.byte_sub(offset).cast::<$Container>();
| ^^^^^^^^^^^^^^^^^^^^^^^^^^ call to unsafe function
|
::: rust/kernel/drm/jq.rs:124:1
|
124 | / impl_list_item! {
125 | | impl ListItem<0> for EnqueuedJob<dyn JobData> { using ListLinksSelfPtr { self.links }; }
126 | | }
| |_- in this macro invocation
|
= note: for more information, see <https://doc.rust-lang.org/nightly/edition-guide/rust-2024/unsafe-op-in-unsafe-fn.html>
= note: consult the function's documentation for information on how to avoid undefined behavior
note: an unsafe function restricts its caller, but its body is safe by default
--> rust/kernel/list/impl_list_item_mod.rs:269:13
|
269 | unsafe fn prepare_to_insert(me: *const Self) -> *mut $crate::list::ListLinks<$num> {
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
::: rust/kernel/drm/jq.rs:124:1
|
124 | / impl_list_item! {
125 | | impl ListItem<0> for EnqueuedJob<dyn JobData> { using ListLinksSelfPtr { self.links }; }
126 | | }
| |_- in this macro invocation
= note: requested on the command line with `-D unsafe-op-in-unsafe-fn`
= note: this error originates in the macro `$crate::container_of` which comes from the expansion of the macro `impl_list_item` (in Nightly builds, run with -Z macro-backtrace for more info)
error[E0133]: dereference of raw pointer is unsafe and requires unsafe block
--> rust/kernel/lib.rs:254:57
|
254 | $crate::assert_same_type(field_ptr, (&raw const (*container_ptr).$($fields)*).cast_mut());
| ^^^^^^^^^^^^^^^^ dereference of raw pointer
|
::: rust/kernel/drm/jq.rs:124:1
|
124 | / impl_list_item! {
125 | | impl ListItem<0> for EnqueuedJob<dyn JobData> { using ListLinksSelfPtr { self.links }; }
126 | | }
| |_- in this macro invocation
|
= note: for more information, see <https://doc.rust-lang.org/nightly/edition-guide/rust-2024/unsafe-op-in-unsafe-fn.html>
= note: raw pointers may be null, dangling or unaligned; they can violate aliasing rules and cause data races: all of these are undefined behavior
= note: this error originates in the macro `$crate::container_of` which comes from the expansion of the macro `impl_list_item` (in Nightly builds, run with -Z macro-backtrace for more info)
error[E0133]: call to unsafe function `core::ptr::mut_ptr::<impl *mut T>::byte_sub` is unsafe and requires unsafe block
--> rust/kernel/lib.rs:252:29
|
252 | let container_ptr = field_ptr.byte_sub(offset).cast::<$Container>();
| ^^^^^^^^^^^^^^^^^^^^^^^^^^ call to unsafe function
|
::: rust/kernel/drm/jq.rs:124:1
|
124 | / impl_list_item! {
125 | | impl ListItem<0> for EnqueuedJob<dyn JobData> { using ListLinksSelfPtr { self.links }; }
126 | | }
| |_- in this macro invocation
|
= note: for more information, see <https://doc.rust-lang.org/nightly/edition-guide/rust-2024/unsafe-op-in-unsafe-fn.html>
= note: consult the function's documentation for information on how to avoid undefined behavior
note: an unsafe function restricts its caller, but its body is safe by default
--> rust/kernel/list/impl_list_item_mod.rs:321:13
|
321 | unsafe fn view_value(links_field: *mut $crate::list::ListLinks<$num>) -> *const Self {
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
::: rust/kernel/drm/jq.rs:124:1
|
124 | / impl_list_item! {
125 | | impl ListItem<0> for EnqueuedJob<dyn JobData> { using ListLinksSelfPtr { self.links }; }
126 | | }
| |_- in this macro invocation
= note: this error originates in the macro `$crate::container_of` which comes from the expansion of the macro `impl_list_item` (in Nightly builds, run with -Z macro-backtrace for more info)
error[E0133]: dereference of raw pointer is unsafe and requires unsafe block
--> rust/kernel/lib.rs:254:57
|
254 | $crate::assert_same_type(field_ptr, (&raw const (*container_ptr).$($fields)*).cast_mut());
| ^^^^^^^^^^^^^^^^ dereference of raw pointer
|
::: rust/kernel/drm/jq.rs:124:1
|
124 | / impl_list_item! {
125 | | impl ListItem<0> for EnqueuedJob<dyn JobData> { using ListLinksSelfPtr { self.links }; }
126 | | }
| |_- in this macro invocation
|
= note: for more information, see <https://doc.rust-lang.org/nightly/edition-guide/rust-2024/unsafe-op-in-unsafe-fn.html>
= note: raw pointers may be null, dangling or unaligned; they can violate aliasing rules and cause data races: all of these are undefined behavior
= note: this error originates in the macro `$crate::container_of` which comes from the expansion of the macro `impl_list_item` (in Nightly builds, run with -Z macro-backtrace for more info)
next prev parent reply other threads:[~2025-11-17 8:30 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-14 14:00 [PATCH] rust: lib: Add necessary unsafes for container_of Philipp Stanner
2025-11-14 14:14 ` Alice Ryhl
2025-11-17 8:24 ` Philipp Stanner [this message]
2025-11-17 8:59 ` Miguel Ojeda
2025-11-14 20:21 ` Miguel Ojeda
2025-11-17 6:36 ` Philipp Stanner
2025-11-17 6:49 ` Miguel Ojeda
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2da1f1588ce8e02831e7bcda569f4e03ce88e4cf.camel@mailbox.org \
--to=phasta@mailbox.org \
--cc=a.hindborg@kernel.org \
--cc=alex.gaynor@gmail.com \
--cc=aliceryhl@google.com \
--cc=bjorn3_gh@protonmail.com \
--cc=boqun.feng@gmail.com \
--cc=dakr@kernel.org \
--cc=gary@garyguo.net \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lossin@kernel.org \
--cc=ojeda@kernel.org \
--cc=phasta@kernel.org \
--cc=rust-for-linux@vger.kernel.org \
--cc=tamird@gmail.com \
--cc=tmgross@umich.edu \
--cc=viresh.kumar@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).