diff options
| author | Benno Lossin <[email protected]> | 2024-04-01 18:52:50 +0000 |
|---|---|---|
| committer | Miguel Ojeda <[email protected]> | 2024-04-16 21:13:43 +0200 |
| commit | 7044dcff8301b29269016ebd17df27c4736140d2 (patch) | |
| tree | 548e126314b26a51f0145d95359392f1e073683a /rust/kernel/lib.rs | |
| parent | 49ceae68a0df9a92617a61e9ce8a0efcf6419585 (diff) | |
rust: macros: fix soundness issue in `module!` macro
The `module!` macro creates glue code that are called by C to initialize
the Rust modules using the `Module::init` function. Part of this glue
code are the local functions `__init` and `__exit` that are used to
initialize/destroy the Rust module.
These functions are safe and also visible to the Rust mod in which the
`module!` macro is invoked. This means that they can be called by other
safe Rust code. But since they contain `unsafe` blocks that rely on only
being called at the right time, this is a soundness issue.
Wrap these generated functions inside of two private modules, this
guarantees that the public functions cannot be called from the outside.
Make the safe functions `unsafe` and add SAFETY comments.
Cc: [email protected]
Reported-by: Björn Roy Baron <[email protected]>
Closes: https://github.com/Rust-for-Linux/linux/issues/629
Fixes: 1fbde52bde73 ("rust: add `macros` crate")
Signed-off-by: Benno Lossin <[email protected]>
Reviewed-by: Wedson Almeida Filho <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
[ Moved `THIS_MODULE` out of the private-in-private modules since it
should remain public, as Dirk Behme noticed [1]. Capitalized comments,
avoided newline in non-list SAFETY comments and reworded to add
Reported-by and newline. ]
Link: https://rust-for-linux.zulipchat.com/#narrow/stream/291565-Help/topic/x/near/433512583 [1]
Signed-off-by: Miguel Ojeda <[email protected]>
Diffstat (limited to 'rust/kernel/lib.rs')
0 files changed, 0 insertions, 0 deletions