git.ipfire.org Git - thirdparty/kernel/linux.git/commit
rust: pin-init: fix incorrect accessor reference lifetime
author: Gary Guo <gary@garyguo.net>
Mon, 27 Apr 2026 15:43:01 +0000 (16:43 +0100)
committer: Miguel Ojeda <ojeda@kernel.org>
Thu, 30 Apr 2026 20:43:32 +0000 (22:43 +0200)
commit: 68bf102226cf2199dc609b67c1e847cad4de4b57
tree: 93e7cdbcfb885ab02949ca9fcd401946571b0468
parent: 83ac2870310b694775ab7e8f0244fdd94fc21926
rust: pin-init: fix incorrect accessor reference lifetime

When a field has been initialized, `init!`/`pin_init!` create a reference
or pinned reference to the field so it can be accessed later during the
initialization of other fields. However, the reference it created is
incorrectly `&'static` rather than just the scope of the initializer.

This means that you can do

    init!(Foo {
        a: 1,
        _: {
            let b: &'static u32 = a;
        }
    })

which is unsound.

This is caused by `&mut (*#slot).#ident`, which actually allows arbitrary
lifetime, so this is effectively `'static`. Somewhat ironically, the safety
justification of creating the accessor is.. "SAFETY: TODO".

Fix it by adding `let_binding` method on `DropGuard` to shorten lifetime.
This results in exactly what we want for these accessors. The safety and
invariant comments of `DropGuard` have been reworked; instead of reasoning
about what caller can do with the guard, express it in a way that the
ownership is transferred to the guard and `forget` takes it back, so the
unsafe operations within the `DropGuard` can be more easily justified.

Fixes: 42415d163e5d ("rust: pin-init: add references to previously initialized fields")
Cc: stable@vger.kernel.org
Signed-off-by: Gary Guo <gary@garyguo.net>
Link: https://patch.msgid.link/20260427-pin-init-fix-v3-2-496a699674dd@garyguo.net
[ Reworded for missing word. - Miguel ]
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
rust/pin-init/internal/src/init.rs
rust/pin-init/src/__internal.rs
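
The lifetime problem described in the commit message, reduced to a stand-alone program. This is an added example, not the kernel's pin-init code: `FieldGuard` and `accessor` are hypothetical names standing in for the guard and its lifetime-shortening method, and the slot is assumed to be a plain `MaybeUninit<u32>`.

```rust
use core::mem::{forget, MaybeUninit};

/// Hypothetical guard that owns one initialized field of a slot.
struct FieldGuard<T> {
    ptr: *mut T,
}

impl<T> FieldGuard<T> {
    /// # Safety
    /// `ptr` must point to an initialized `T` whose ownership moves to the guard.
    unsafe fn new(ptr: *mut T) -> Self {
        Self { ptr }
    }

    /// The returned borrow is tied to `&mut self`, so it cannot outlive the guard.
    fn accessor(&mut self) -> &mut T {
        // SAFETY: `new` guarantees `ptr` is valid and exclusively owned by the guard.
        unsafe { &mut *self.ptr }
    }
}

impl<T> Drop for FieldGuard<T> {
    fn drop(&mut self) {
        // SAFETY: the guard owns the value until `forget` takes ownership back.
        unsafe { core::ptr::drop_in_place(self.ptr) }
    }
}

fn demo() -> (u32, u32) {
    let mut slot = MaybeUninit::<u32>::uninit();
    let ptr = slot.as_mut_ptr();
    // SAFETY: `ptr` points into `slot`, which is live and writable.
    unsafe { ptr.write(1) };

    // Flawed pattern: a raw-pointer dereference has an unbounded lifetime, so
    // the compiler accepts `'static` even though `slot` is a stack local.
    let unbounded: &'static mut u32 = unsafe { &mut *ptr };
    let seen_unbounded = *unbounded;

    // Fixed pattern: the accessor is obtained through the guard.
    let mut guard = unsafe { FieldGuard::new(ptr) };
    let a: &mut u32 = guard.accessor();
    // let b: &'static mut u32 = guard.accessor(); // rejected: `guard` does not live long enough
    *a += 1;
    let seen_guarded = *a;
    forget(guard); // initialization succeeded: ownership returns to the slot
    (seen_unbounded, seen_guarded)
}

fn main() { println!("{:?}", demo()); }
```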