From: Alice Ryhl <aliceryhl@google.com>
To: Philipp Stanner <phasta@kernel.org>
Cc: "Miguel Ojeda" <ojeda@kernel.org>,
"Alex Gaynor" <alex.gaynor@gmail.com>,
"Boqun Feng" <boqun.feng@gmail.com>,
"Gary Guo" <gary@garyguo.net>,
"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
"Benno Lossin" <lossin@kernel.org>,
"Andreas Hindborg" <a.hindborg@kernel.org>,
"Trevor Gross" <tmgross@umich.edu>,
"Danilo Krummrich" <dakr@kernel.org>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Viresh Kumar" <viresh.kumar@linaro.org>,
"Tamir Duberstein" <tamird@gmail.com>,
rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] rust: lib: Add necessary unsafes for container_of
Date: Fri, 14 Nov 2025 14:14:29 +0000 [thread overview]
Message-ID: <aRc5RVnXe4PGNkt0@google.com> (raw)
In-Reply-To: <20251114140020.327075-2-phasta@kernel.org>
On Fri, Nov 14, 2025 at 03:00:21PM +0100, Philipp Stanner wrote:
> When trying to use LinkedList in the kernel crate, build fails with an
> error message demanding unsafe blocks in the container_of macro:
>
> error[E0133]: call to unsafe function `core::ptr::mut_ptr::<impl *mut T>::byte_sub`
> is unsafe and requires unsafe block
> --> rust/kernel/lib.rs:252:29
> |
> 252 | let container_ptr = field_ptr.byte_sub(offset).cast::<$Container>();
> | ^^^^^^^^^^^^^^^^^^^^^^^^^^ call to unsafe function
> |
> ::: rust/kernel/drm/jq.rs:98:1
> |
> 98 | / impl_list_item! {
> 99 | | impl ListItem<0> for BasicItem { using ListLinks { self.links }; }
> 100 | | }
> | |_- in this macro invocation
> |
> note: an unsafe function restricts its caller, but its body is safe by default
> --> rust/kernel/list/impl_list_item_mod.rs:216:13
> |
> 216 | unsafe fn view_value(me: *mut $crate::list::ListLinks<$num>) -> *const Self {
> | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> |
> ::: rust/kernel/drm/jq.rs:98:1
> |
> 98 | / impl_list_item! {
> 99 | | impl ListItem<0> for BasicItem { using ListLinks { self.links }; }
> 100 | | }
> | |_- in this macro invocation
> = note: requested on the command line with `-D unsafe-op-in-unsafe-fn`
> = note: this error originates in the macro `$crate::container_of` which comes
> from the expansion of the macro `impl_list_item`
>
> Add unsafe blocks to container_of to fix the issue.
>
> Fixes: b20fbbc08a36 ("rust: check type of `$ptr` in `container_of!`")
> Suggested-by: Alice Ryhl <aliceryhl@google.com>
> Signed-off-by: Philipp Stanner <phasta@kernel.org>
> ---
> I'm currently writing DrmJobqueue, a new piece of infrastructure. It
> uses LinkedList and resides in the kernel crate. When using LinkedList
> from within there, for reasons I don't fully understand the error above
> shows up.
> The other testing infrastructure doesn't seem to run into the error,
> though.
>
> P.
> ---
> rust/kernel/lib.rs | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/rust/kernel/lib.rs b/rust/kernel/lib.rs
> index fef97f2a5098..a26b87015e7d 100644
> --- a/rust/kernel/lib.rs
> +++ b/rust/kernel/lib.rs
> @@ -249,8 +249,11 @@ macro_rules! container_of {
> ($field_ptr:expr, $Container:ty, $($fields:tt)*) => {{
> let offset: usize = ::core::mem::offset_of!($Container, $($fields)*);
> let field_ptr = $field_ptr;
> - let container_ptr = field_ptr.byte_sub(offset).cast::<$Container>();
> - $crate::assert_same_type(field_ptr, (&raw const (*container_ptr).$($fields)*).cast_mut());
> + // SAFETY: Offsetting the pointer to the container is correct because the offset was
> + // calculated validly above.
> + let container_ptr = unsafe { field_ptr.byte_sub(offset).cast::<$Container>() };
> + // SAFETY: Safe because the container_ptr was validly created above.
> + $crate::assert_same_type(field_ptr, unsafe { (&raw const (*container_ptr).$($fields)*) }.cast_mut());
The unsafe block goes in the impl_list_item! macro. This change makes
container_of! a safe operation, but is should not be a safe operation
because it uses byte_sub which promises the compiler that this pointer
offset operation stays within a single allocation.
Alice
next prev parent reply other threads:[~2025-11-14 14:14 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-14 14:00 [PATCH] rust: lib: Add necessary unsafes for container_of Philipp Stanner
2025-11-14 14:14 ` Alice Ryhl [this message]
2025-11-17 8:24 ` Philipp Stanner
2025-11-17 8:59 ` Miguel Ojeda
2025-11-14 20:21 ` Miguel Ojeda
2025-11-17 6:36 ` Philipp Stanner
2025-11-17 6:49 ` Miguel Ojeda
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aRc5RVnXe4PGNkt0@google.com \
--to=aliceryhl@google.com \
--cc=a.hindborg@kernel.org \
--cc=alex.gaynor@gmail.com \
--cc=bjorn3_gh@protonmail.com \
--cc=boqun.feng@gmail.com \
--cc=dakr@kernel.org \
--cc=gary@garyguo.net \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lossin@kernel.org \
--cc=ojeda@kernel.org \
--cc=phasta@kernel.org \
--cc=rust-for-linux@vger.kernel.org \
--cc=tamird@gmail.com \
--cc=tmgross@umich.edu \
--cc=viresh.kumar@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).