Clean unsafe in unsafe fns warnings
#348
Conversation
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
This prevents new ones from getting in. Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Well, that was super quick! Please do not rush it! :)
Good question, if they are not, well, soon people will notice since it is |
|
By the way, to simplify, I have not split some of the I will open an issue and explain what should be done to do the |
|
Do we need to switch on some sort of "warnings=errors" in the build? As part of this PR, or a new one? |
|
Do you mean making the warning now an error? It is done in the third commit. |
|
Should we go even further, and treat all warnings as errors? |
|
For For the rest of modules etc., I would also do it -- if we |
| @@ -85,8 +85,11 @@ impl<T: Sync> FileOpenAdapter for Registration<T> { | |||
| type Arg = T; | |||
|
|
|||
| unsafe fn convert(_inode: *mut bindings::inode, file: *mut bindings::file) -> *const Self::Arg { | |||
| // TODO: `SAFETY` comment required here even if `unsafe` is not present, | |||
| // because `container_of!` hides it. Ideally we would not allow | |||
| // `unsafe` code as parameters to macros. | |||
| let reg = crate::container_of!((*file).private_data, Self, mdev); | |||
There was a problem hiding this comment.
The macro could introduce a temp outside of the unsafe block that stores the value casted to a raw ptr. Ideally no $foo:expr happen inside an unsafe block for macros.
There was a problem hiding this comment.
I guess this could also be a lint with some logic like:
- If inside an
unsafe fn... - And there is a macro call outside an
unsafeblock... - And
unsafe_op_in_unsafe_fnis enabled in this context... - And if the node/AST/tree of a parameter appears as-is...
- Then check that node/AST/tree is not inside an introduced
unsafeblock.
Easier said than done, and I guess I am forgetting a few things, but... :^)
If you think it makes sense, I can open an issue too.
There was a problem hiding this comment.
Maybe. I believe there has been discussion previously regarding "unsafe" hygiene, but I can't remember what came of it. I think it was on internals.rust-lang.org.
There was a problem hiding this comment.
I guess it does not hurt to open it to keep track.
| @@ -111,7 +111,7 @@ pub trait ModuleParam: core::fmt::Display + core::marker::Sized { | |||
| /// | |||
| /// The `arg` field of `param` must be an instance of `Self`. | |||
| unsafe extern "C" fn free(arg: *mut crate::c_types::c_void) { | |||
| core::ptr::drop_in_place(arg as *mut Self); | |||
| unsafe { core::ptr::drop_in_place(arg as *mut Self) }; | |||
There was a problem hiding this comment.
Here and elsewhere you may want to move the ; inside the unsafe block. While this doesn't change behavior as all cases are for () returning expressions I think, it does look nicer IMHO.
There was a problem hiding this comment.
Yeah, now that you mention it, I agree.
Does anyone know if there a way to tell rustfmt to look for this? Or in Clippy perhaps?
There was a problem hiding this comment.
I can't find a clippy lint for this. Makes sense to have as a clippy lint though IMO.
There was a problem hiding this comment.
+1 Opened rust-lang/rust-clippy#7322.
|
|
(edited out a wordy reply that basically just agrees with Gary, lol) So yes, I would be on board with switching on "deny warnings" in the CI only, not in the |
|
I was referring more to deny individually as many warnings as possible, like this one, i.e. not every possible future warning. So agreed! |
Add a test case to assert that the skb->pkt_type which was set from the BPF program is retained from the netkit xmit side to the peer's device at tcx ingress location. # ./vmtest.sh -- ./test_progs -t netkit [...] ./test_progs -t netkit [ 1.140780] bpf_testmod: loading out-of-tree module taints kernel. [ 1.141127] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel [ 1.284601] tsc: Refined TSC clocksource calibration: 3408.006 MHz [ 1.286672] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fd9b189d, max_idle_ns: 440795225691 ns [ 1.290384] clocksource: Switched to clocksource tsc #345 tc_netkit_basic:OK #346 tc_netkit_device:OK #347 tc_netkit_multi_links:OK #348 tc_netkit_multi_opts:OK #349 tc_netkit_neigh_links:OK #350 tc_netkit_pkt_type:OK Summary: 6/0 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/r/20240524163619.26001-4-daniel@iogearbox.net Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Requesting a review from our in-house Rust experts since even if this is mechanical, I am not 100% sure I know about all the cases where introducing a block may change behavior (e.g. creating temporaries etc.).
Note that this does not add
// SAFETYcomments -- that cleanup will come later when we add atidyscript, but this at least cleans up the warnings to avoid missing other warnings in the sea and allows us todenythe warning so that we stop getting newunsafeblocks insideunsafe fns without a proper// SAFETYcomment.Fixes #340.
Fixes #341.