[PATCH v2 2/2] rust: pin-init: internal: init: document load-bearing fact of field accessors

[PATCH v2 2/2] rust: pin-init: internal: init: document load-bearing fact of field accessors

[Benno Lossin]

The functions `[Pin]Init::__[pinned_]init` and `ptr::write` called from
the `init!` macro require the passed pointer to be aligned. This fact is
ensured by the creation of field accessors to previously initialized
fields.

Since we missed this very important fact from the beginning [1],
document it in the code.

Link: https://rust-for-linux.zulipchat.com/#narrow/channel/561532-pin-init/topic/initialized.20field.20accessor.20detection/with/576210658 [1]
Fixes: 90e53c5e70a6 ("rust: add pin-init API core")
Cc: stable@vger.kernel.org # 6.19.y and 6.18.y: patch should apply without issues
Cc: stable@vger.kernel.org # 6.12.y and 6.6.y: need prerequisite see below `---` for more info
Signed-off-by: Benno Lossin <lossin@kernel.org>
---
As already explained in the previous email, we discovered an unsoundness
in pin-init that exists since the beginning, but was unknowingly fixed
in commit 42415d163e5d ("rust: pin-init: add references to previously
initialized fields").

We introduced pin-init in 90e53c5e70a6 ("rust: add pin-init API core"),
which was included in 6.4. The affected stable trees that are still
maintained are: 6.12 and 6.6. Note that 6.18 and 6.19 already contain
42415d163e5d, so they are unaffected.

We still should backport this piece of documentation explaining the need
for the field accessors for soundness. For this reasons we also want to
backport it to 6.18 and 6.19.

Note that this patch depends on 42415d163e5d; so the only versions this
patch can go in directly are 6.18 and 6.19. I will send separate patch
series' for the older versions. The series' will include a backport of
42415d163e5d as well as a modified version of this patch, since this
patch depends on the `syn` rewrite, which is not present in older
versions.
---
 rust/pin-init/internal/src/init.rs | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/rust/pin-init/internal/src/init.rs b/rust/pin-init/internal/src/init.rs
index da53adc44ecf..738f62c8105c 100644
--- a/rust/pin-init/internal/src/init.rs
+++ b/rust/pin-init/internal/src/init.rs
@@ -251,6 +251,10 @@ fn init_fields(
                 });
                 // Again span for better diagnostics
                 let write = quote_spanned!(ident.span()=> ::core::ptr::write);
+                // NOTE: the field accessor ensures that the initialized field is properly aligned.
+                // Unaligned fields will cause the compiler to emit E0793. We do not support
+                // unaligned fields since `Init::__init` requires an aligned pointer; the call to
+                // `ptr::write` below has the same requirement.
                 let accessor = if pinned {
                     let project_ident = format_ident!("__project_{ident}");
                     quote! {
@@ -278,6 +282,10 @@ fn init_fields(
             InitializerKind::Init { ident, value, .. } => {
                 // Again span for better diagnostics
                 let init = format_ident!("init", span = value.span());
+                // NOTE: the field accessor ensures that the initialized field is properly aligned.
+                // Unaligned fields will cause the compiler to emit E0793. We do not support
+                // unaligned fields since `Init::__init` requires an aligned pointer; the call to
+                // `ptr::write` below has the same requirement.
                 let (value_init, accessor) = if pinned {
                     let project_ident = format_ident!("__project_{ident}");
                     (
-- 
2.53.0

Re: [PATCH v2 2/2] rust: pin-init: internal: init: document load-bearing fact of field accessors

[Gary Guo]

On Mon Mar 2, 2026 at 2:04 PM GMT, Benno Lossin wrote:
> The functions `[Pin]Init::__[pinned_]init` and `ptr::write` called from
> the `init!` macro require the passed pointer to be aligned. This fact is
> ensured by the creation of field accessors to previously initialized
> fields.
> 
> Since we missed this very important fact from the beginning [1],
> document it in the code.
> 
> Link: https://rust-for-linux.zulipchat.com/#narrow/channel/561532-pin-init/topic/initialized.20field.20accessor.20detection/with/576210658 [1]
> Fixes: 90e53c5e70a6 ("rust: add pin-init API core")
> Cc: stable@vger.kernel.org # 6.19.y and 6.18.y: patch should apply without issues
> Cc: stable@vger.kernel.org # 6.12.y and 6.6.y: need prerequisite see below `---` for more info

Hmm, if this patch is applied as is, the --- below is going to be cut out and
this line wouldn't make sense.

Perhaps we should just put

    Cc: stable@vger.kernel.org # 6.12.y and 6.6.y: need commit 42415d163e5d ("rust: pin-init: add references to previously initialized fields")

Or leave this cc out and ask for manual picking?

> Signed-off-by: Benno Lossin <lossin@kernel.org>

Reviewed-by: Gary Guo <gary@garyguo.net>

Best,
Gary

> ---
> As already explained in the previous email, we discovered an unsoundness
> in pin-init that exists since the beginning, but was unknowingly fixed
> in commit 42415d163e5d ("rust: pin-init: add references to previously
> initialized fields").
> 
> We introduced pin-init in 90e53c5e70a6 ("rust: add pin-init API core"),
> which was included in 6.4. The affected stable trees that are still
> maintained are: 6.12 and 6.6. Note that 6.18 and 6.19 already contain
> 42415d163e5d, so they are unaffected.
> 
> We still should backport this piece of documentation explaining the need
> for the field accessors for soundness. For this reasons we also want to
> backport it to 6.18 and 6.19.
> 
> Note that this patch depends on 42415d163e5d; so the only versions this
> patch can go in directly are 6.18 and 6.19. I will send separate patch
> series' for the older versions. The series' will include a backport of
> 42415d163e5d as well as a modified version of this patch, since this
> patch depends on the `syn` rewrite, which is not present in older
> versions.
> ---
>  rust/pin-init/internal/src/init.rs | 8 ++++++++
>  1 file changed, 8 insertions(+)

Re: [PATCH v2 2/2] rust: pin-init: internal: init: document load-bearing fact of field accessors

[Miguel Ojeda]

On Mon, Mar 2, 2026 at 3:14 PM Gary Guo <gary@garyguo.net> wrote:
>
>     Cc: stable@vger.kernel.org # 6.12.y and 6.6.y: need commit 42415d163e5d ("rust: pin-init: add references to previously initialized fields")

Yeah, something like that is what I would have probably written. The
docs seem to suggest a format like this:

  Cc: <stable@vger.kernel.org> # 6.6.y, 6.12.y: 42415d163e5d: rust:
pin-init: add references to previously initialized fields
  Cc: <stable@vger.kernel.org> # 6.6.y, 6.12.y, 6.18.y, 6.19.y

i.e. first the prerequisite, then a line without it to indicate "this commit".

Cheers,
Miguel

Re: [PATCH v2 2/2] rust: pin-init: internal: init: document load-bearing fact of field accessors

[Benno Lossin]

On Mon Mar 2, 2026 at 3:20 PM CET, Miguel Ojeda wrote:
> On Mon, Mar 2, 2026 at 3:14 PM Gary Guo <gary@garyguo.net> wrote:
>>
>>     Cc: stable@vger.kernel.org # 6.12.y and 6.6.y: need commit 42415d163e5d ("rust: pin-init: add references to previously initialized fields")
>
> Yeah, something like that is what I would have probably written. The
> docs seem to suggest a format like this:
>
>   Cc: <stable@vger.kernel.org> # 6.6.y, 6.12.y: 42415d163e5d: rust:
> pin-init: add references to previously initialized fields
>   Cc: <stable@vger.kernel.org> # 6.6.y, 6.12.y, 6.18.y, 6.19.y
>
> i.e. first the prerequisite, then a line without it to indicate "this commit".

Yeah I saw that in the docs as well, but I thought that since the
cherry-pick wouldn't succeed (due to the syn rewrite). However, I wrote
that 6.18.y and 6.19.y applying the patch would succeed, but that's also
not true, there we also don't have the syn rewrite...

The two Cc lines you gave seem like the correct thing :)

So when you pick them, change the Cc's to that (unless I need a new
version of course).

Cheers,
Benno