this macro is wild.

Reviewed-by: Lyude Paul <[email protected]>

On Sun, 2026-06-28 at 16:53 +0200, Danilo Krummrich wrote:
> References to dev, data, and file in the declare_drm_ioctls! macro
> are
> created via unsafe pointer dereferences, producing unbounded
> lifetimes.
> If an ioctl handler explicitly annotates its parameters with 'static,
> the compiler accepts this, allowing the handler to stash references
> that
> outlive the ioctl call.
> 
> Fix this by adding a higher-ranked function pointer coercion that
> enforces the handler accepts universally quantified lifetimes:
> 
>   let _: for<'a> fn(&'a _, &'a mut _, &'a _) -> _ = $func;
> 
> Since the handler must be coercible to a function pointer accepting
> any
> lifetime 'a, it can no longer demand 'static on any parameter.
> 
> Cc: [email protected]
> Fixes: 9a69570682b1 ("rust: drm: ioctl: Add DRM ioctl abstraction")
> Reported-by: [email protected]
> Closes:
> https://lore.kernel.org/all/[email protected]/
> Suggested-by: Gary Guo <[email protected]>
> Signed-off-by: Danilo Krummrich <[email protected]>
> ---
>  rust/kernel/drm/ioctl.rs | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/rust/kernel/drm/ioctl.rs b/rust/kernel/drm/ioctl.rs
> index cf328101dde4..ccf4150d83b6 100644
> --- a/rust/kernel/drm/ioctl.rs
> +++ b/rust/kernel/drm/ioctl.rs
> @@ -135,6 +135,12 @@ macro_rules! declare_drm_ioctls {
>                              // dev/file match the current driver
> these ioctls are being declared
>                              // for, and it's not clear how to
> enforce this within the type system.
>                              let dev =
> $crate::drm::device::Device::from_raw(raw_dev);
> +
> +                            // Enforce that the handler accepts
> higher-ranked
> +                            // lifetimes, preventing it from
> requiring 'static
> +                            // references that could escape this
> scope.
> +                            let _: for<'a> fn(&'a _, &'a mut _, &'a
> _) -> _ = $func;
> +
>                              // SAFETY: The ioctl argument has size
> `_IOC_SIZE(cmd)`, which we
>                              // asserted above matches the size of
> this type, and all bit patterns of
>                              // UAPI structs must be valid.

Reply via email to