[ blog » 2022 » 09_rust-kernel-module ][PART 2/3] A Rusty Module (by Philipp Gesang)
2022-09-02
  1. 212 » /
    1. 211 » 2024 Think Big
      1. 210 » Voyage to the 2024 Road World Championships in Zurich
      2. 209 » Norway and Finland
        1. 208 » Epilogue
        2. 207 » Stockholm
        3. 206 » Tampere to Turku
        4. 205 » Virrat to Tampere
        5. 204 » Vimpeli to Virrat
        6. 203 » Vihanti to Vimpeli
        7. 202 » Oulu to Vihanti
        8. 201 » Rovaniemi to Oulu
        9. 200 » Kolari to Rovaniemi
        10. 199 » Hetta to Kolari
        11. 198 » Karasjok to Hetta
        12. 197 » Lake Inari to Karasjok
        13. 196 » Kirkenes to Lake Inari
        14. 195 » Skiippagurra to Vardo
        15. 194 » Slettnes to Skiippagurra
        16. 193 » Mehamn to Slettnes
        17. 192 » Nordkapp
        18. 191 » Storekorsnes to Honningsvag
        19. 190 » Skjervoy to Storekorsnes
        20. 189 » Abord the MS Nordlys
        21. 188 » Ofotfjorden
        22. 187 » Vesteralen and Senja
        23. 186 » Lofoten Islands
        24. 185 » The Bright Midnight 2024
        25. 184 » d02: Tolga and Innlandet
        26. 183 » d00: Northbound
      3. 182 » Hardennes Gravel Tour
      4. 181 » Overnighter around Lake Constance and through Tyrol
      5. 180 » FOSDEM 2024
    2. 179 » 2023 till infinity
      1. 178 » The Keeb.io Iris keyboard
      2. 177 » EuroRust 2023
      3. 176 » Spain
        1. 175 » Epilogue
        2. 174 » d28: Sevilla
        3. 173 » d27: Tarifa
        4. 172 » d26: Africa
        5. 171 » d25: Sierra de las Nieves
        6. 170 » d24: The Mediterranean Coast
        7. 169 » d23: Pico del Veleta
        8. 168 » d22: Cordillera Penibetica
        9. 167 » d21: Andalucia
        10. 166 » d20: The Void
        11. 165 » d19: La Mancha
        12. 164 » d18: Madrid
        13. 163 » d17: Segovia
        14. 162 » d16: Valladolid
        15. 161 » d15: Leon
        16. 160 » d14: Alto de l'Angliru
        17. 159 » d13: Lagos de Covadonga
        18. 158 » d12: Picón Blanco
        19. 157 » d11: Bilbao
        20. 156 » d10: Euskadi
        21. 155 » d09: Nafarroa
        22. 154 » d08: Aquitaine
        23. 153 » d07: Col du Tourmalet
        24. 152 » d06: Occitanie
        25. 151 » d05: Mont Aigoual
        26. 150 » d04: Gard
        27. 149 » d03: Mont Ventoux
        28. 148 » d02: Col d'Izoard
        29. 147 » d01: Colle delle Finestre
      4. 146 » Italy and back
      5. 145 » Joining the 300 Club
      6. 144 » Micro-tour South Tyrol
        1. 143 » d3: Toblach to Lienz
        2. 142 » d2: Sterzing to Toblach
        3. 141 » d1: Munich to Sterzing
      7. 140 » First Look at the Librem 5
      8. 139 » Scouting the Alps
    3. 138 » It’s 2022 and we can’t get a break.
      1. 137 » Book: Burn. The Misunderstood Science of Metabolism
      2. 136 » [PART 0/3] Writing a Kernel Module in Rust
        1. 135 » [PART 3/3] The Colors of Rust
        2. 134 » [PART 2/3] A Rusty Module
        3. 133 » [PART 1/3] Corroding the Kernel: CONFIG_RUST=y
      3. 132 » Book: The Voyage of the Beagle
      4. 131 » Norway
        1. 130 » Epilogue
        2. 129 » Norway: A Brief Review
        3. 128 » d27: Wrapping it up
        4. 127 » d26: Eidstod to Langesund
        5. 126 » d25: Hovden to Eidstod
        6. 125 » d24: Odda to Hovden
        7. 124 » d23: Fusa to Odda
        8. 123 » d22: Rutledal to Fusa
        9. 122 » d21: Dragsvik to Rutledal
        10. 121 » d20: Skjolden to Dragsvik
        11. 120 » d19: Heggebottvatnet to Skjolden
        12. 119 » d18: Andalsnes to Heggebottvatnet
        13. 118 » d17: Skei to Åndalsnes
        14. 117 » d16: Trondheim to Skei
        15. 116 » d15: Osen to Trondheim
        16. 115 » d14: Kolvereid to Osen
        17. 114 » d13: Brønnøysund to Kolvereid
        18. 113 » d12: Nesna to Brønnøysund
        19. 112 » d11: Amnes to Nesna
        20. 111 » d10: Bodø to Åmnes
        21. 110 » d09: Hov to Bodø
        22. 109 » d08: Sortland to Hov
        23. 108 » d07: Finnsness to Sortland
        24. 107 » d06: Aboard the MS Vesterålen
        25. 106 » d05: Honningsvåg
        26. 105 » d04: Skaidi to Honningsvåg: North Cape
        27. 104 » d03: Langfjordbotn to Skaidi
        28. 103 » d02: Lyngen to Langfjordbotn
        29. 102 » d01: Tromsø to Lyngen
        30. 101 » d00: Swiss Prelude
      5. 100 » Book: The Science of Self-Control
      6. 99 » Ride: Strasbourg
      7. 98 » Ride: Hessen
      8. 97 » Ride: Ulm
      9. 96 » Ride: Bodensee
      10. 95 » Florence
        1. 94 » Florence pt. II
        2. 93 » Arezzo – Pratomagno – Firenze
        3. 92 » Perugia
        4. 91 » Siena – San Gimignano – Firenze
        5. 90 » Florence pt. I
    4. 89 » Life goes on in 2021
      1. 88 » Italy
        1. 87 » Epilogue
        2. 86 » d28: The Rhine
        3. 85 » d27: The Stelvio
        4. 84 » d26: Isarco and Adige
        5. 83 » d25: The Tre Cime and South Tyrol
        6. 82 » d24: Into the Dolomiti
        7. 81 » d23: The Lagoon
        8. 80 » d22: San Marino and the Adriatic
        9. 79 » d21: Umbria
        10. 78 » d20: Tuscany
        11. 77 » d19: Lazio
        12. 76 » d18: Rome
        13. 75 » d17: The Central Appennino
        14. 74 » d16: Blockhaus
        15. 73 » d15: The Adriatic Coast
        16. 72 » d14: Gargano
        17. 71 » d13: Apulian Countryside
        18. 70 » d12: Campania
        19. 69 » d11: Pompeii
        20. 68 » d10: The Salerno Province
        21. 67 » d09: La Costa di Maratea
        22. 66 » d08: The Coast of Calabria
        23. 65 » d07: Aspromonte
        24. 64 » d06: The Strait of Messina
        25. 63 » d05: Etna
        26. 62 » d04: Southern Sicily
        27. 61 » d03: Akragas
        28. 60 » d02: Segesta
        29. 59 » d01: Palermo
        30. 58 » d00: Odyssee
        31. 57 » d00: Heading South
      2. 56 » Ride: Hohloh
    5. 55 » Entries for 2020
      1. 54 » Cycling the Alps, August 2020
        1. 53 » Epilogue
        2. 52 » d14: Feldkirch to Tübingen
        3. 51 » d13: Brunnen to Feldkirch
        4. 50 » d12: Bern to Brunnen
        5. 49 » d11: Oberwald to Bern – Grimselpass
        6. 48 » d10: Furkapass
        7. 47 » d09: Saillon to Oberwald – The upper Rhone
        8. 46 » d08: Arvier to Saillon – Col du Grand-Saint-Bernard
        9. 45 » d07: Bessans to Arvier – Col de l’Iseran and Col du Petit-Saint-Bernard
        10. 44 » d06: Chianocco to Bessans – Col du Mont Cénis
        11. 43 » d05: Les Alberts to Chianocco – Col de Montgenèvre
        12. 42 » d04: Saint-Michel to Les Alberts – Col du Galibier
        13. 41 » d03: Culoz to Saint-Michel-de-Maurienne
        14. 40 » d02: Le Grand Colombier
        15. 39 » d01: Geneva to Culoz
      2. 38 » Ride: Konstanz and the Swiss Border
      3. 37 » Ride: Hornisgrinde
      4. 36 » Book: The Vital Question
      5. 35 » Mini-Tour Tübingen → Heidelberg, Heidelberg → Tübingen
    6. 34 » Entries for 2019
      1. 33 » A look at the keyboardio split keyboard
      2. 32 » Bicycle touring Great Britain
        1. 31 » UK tour route maps
        2. 30 » d28, France pt. 3: Baerenthal to Karlsruhe
        3. 29 » d27, France pt. 2: Sierck-les-Bains to Baerenthal
        4. 28 » d26, Luxembourg: Bastogne to Sierck-les-Bains
        5. 27 » d25, Belgium pt 3: Dinant to Bastogne
        6. 26 » d24, Belgium pt 2: Geraardsbergen to Dinant
        7. 25 » d23, Belgium pt 1: Krombeke to Geraardsbergen
        8. 24 » d22, France pt. 1: Dover to Krombeke
        9. 23 » d21, England pt. 8: Crowborough to Dover
        10. 22 » d20, England pt. 7: Arundel to Crowborough
        11. 21 » d19, England pt. 6: Salisbury to Arundel
        12. 20 » d18, England pt. 5: Wells to Salisbury
        13. 19 » d17, England pt. 4: Hay-on-Wye to Wells
        14. 18 » d16, Wales pt. 3: Dolgellau to Hay-on-Wye
        15. 17 » d15, Wales pt. 2: Conwy to Dolgellau
        16. 16 » d14, Wales pt. 1: Ormskirk to Conwy
        17. 15 » d13, England pt. 3: Hawes to Ormskirk
        18. 14 » d12, England pt. 2: Alston to Hawes
        19. 13 » d11, England pt. 1: Moffat to Alston
        20. 12 » d10, Scotland pt. 8: Kinross to Moffat
        21. 11 » d09, Scotland pt. 7: Newtonmore to Kinross
        22. 10 » d08, Scotland pt. 6: Inverness to Newtonmore
        23. 9 » d07, Scotland pt. 5: Applecross to Inverness
        24. 8 » d06, Scotland pt. 4: Gairloch to Applecross
        25. 7 » d05, Scotland pt. 3: Ullapool to Gairloch
        26. 6 » d04, Scotland pt. 2: Durness to Ullapool
        27. 5 » d03, Scotland pt. 1: John O'Groats to Durness
        28. 4 » d02, Orkney, day 2
        29. 3 » d01, Orkney
        30. 2 » reaching Orkney
        31. 1 » Experimental first entry

In the first part we configured and built a Rust enabled kernel, and had a look at how rustc and related tools are integrated into the kernel build system. Now that we’re all set up we can finally hack on some in-kernel Rust code.

To illustrate the path to writing a basic module in Rust we will implement a simple sysctl that can be used to set or flip a bit.

Starting Point

Even at this point before Rust support is even merged, there is no shortage of code examples. Part of the Rust-for-Linux tree itsel are numerous modules under samples/rust/ that demonstrate how Rust code interfaces with a wide span of kernel facilities from firewalling to filesystems.

Upstream also provides a small out-of-tree module which doesn’t do much aside from allocating a Vec and emit a printk from the module’s Drop implementation. This will serve as the starting point for our further exploration of kernel side Rust.

Modules

A module is declared using the proc-macro module!() or one of its special-purpose variants, e. g. module_fs!() for filesystems.

module! {
    type: OxiMod,
    name: "oximod",
    author: "The Man from Ox",
    description: "Oxidize the Kernel",
    license: "GPL",
}

struct OxiMod;

Where type is actually the name of a struct that implements the trait kernel::Module which requires just one function init() similar to how module_init() defines the setup functions for modules written in C. Shouldn’t there be a corresponding exit() function? Not necessarily: The Rust for Linux authors chose the more “rustic” approach of using the Drop trait as the canonical way of executing code when the module is about to be removed. This maps nicely to the requirement that the function passed to module_exit() be infallible.

impl kernel::Module for OxiMod {
    fn init(name: &'static CStr, _module: &'static ThisModule) -> Result<Self> {
        pr_info!("Hello world, I am {}!\n", name);
        Ok(OxiMod)
    }
}

impl Drop for OxiMod {
    fn drop(&mut self) { pr_info!("Bye!\n"); }
}

At the Rust end, kernel modules behave like crates. The code forming part of the module is compiled as one translation unit even if it comprises multiple files. This has consequences for symbol visibility as well: pub(crate) implies module scope while an unqualified pub … results in a compile error:

error: unreachable `pub` item
 --> /root/src/linux/demo-sysctl/other.rs:6:5
  |
6 |     pub fn new() -> Self {
  |     ---^^^^^^^^^^^^^^^^^
  |     |
  |     help: consider restricting its visibility: `pub(crate)`

IOW, the function isn’t being exported so it is useless to declare it with global visibility. (pub use other::Foo; in the module root would export the symbol, but to whom?)

Fallibility

The APIs in std tend to treat allocation failure as something that can’t happen. E. g. Vec::push() will not inform the caller if a heap allocation fails while resizing the underlying element storage – it will simply panic!(). This “pseudo-infallibility” is baked into the function signature of push() which returns the unit value () and thus cannot communicate that something went wrong. As Rust lacks exceptions (ignoring std::panic::catch_unwind() for the sake of argument), it also provides no means of reintroducing in fallibility by bypassing the type system like C++ does for constructors with std::bad_alloc.

Given overcommit, this nonchalance towards allocation failure works reasonably well for userspace applications. In kernel space however, out of memory conditions need to be handled and panicking on OOM would be, in Linus’ words, “fundamentally wrong”. Consequently, the panicking APIs are disabled in kernel-side Rust by virtue of that --cfg no_global_oom_handling flag that the Makefile passes to rustc. Their fallible analogues like try_new(), try_push(), try_reserve(), try_with_capacity() serve as replacements, allowing Err(ENOMEM) to propagate up the stack. These APIs were added to the standard library as part of the larger fallible collection allocation effort outlined in RFC 2116. Despite the stabilization not being completed yet these methods are the bread and butter when dealing with dynamic allocation in the kernel.

Digression: Rust and the Kernel Allocator

Regarding standard library support, it came up earlier that not only do we have core at our disposal but also most of alloc. That is quite an accomplishment by the Rust-for-Linux devs as it provides most of your favorite containers from alloc::collections.

It was made feasible by hooking kernel allocation functions into the GlobalAlloc trait and which happens in rust/kernel/allocator.rs. kmalloc and friends are invoked with the GFP_KERNEL (“get free pages”) flag which means that the kernel may put the caller to sleep until it can satisfy the allocation. It imposes the requirement that the caller be reentrant but in Rust we’re not usually mutating shared state anyways. It also implies that alloc APIs which actually perform allocations must not happen from inside interrupt handlers or timers. (For an overview of the different GFP flags see Linux Device Drivers, chapter 8: Allocating Memory.)

Hopefully at some point in the future more allocation modes like GFP_ATOMIC become usable with the stabilization of the allocator_api.

Clean BUGs

So what does happen when Rust code panics? Let’s add this timebomb to our module init() function:

let boom = [2u8, 1u8, 0u8];
pr_info!("countdown ...\n");
for step in 0..4 {
    kernel::delay::coarse_sleep(core::time::Duration::from_millis(500));
    pr_info!(".. {}\n", boom[step]);
}

The unidiomatic iteration code is needed to trigger the out of bounds array access resulting in this crash log:

[207794.130518] oximod: Hello world, I am oximod!
[207794.131632] oximod: countdown ...
[207794.638197] oximod: .. 2
[207795.150174] oximod: .. 1
[207795.654220] oximod: .. 0
[207796.163462] rust_kernel: panicked at 'index out of bounds: the len is 3 but the index is 3', /root/src/linux/demo-sysctl/oximod.rs:31:31
[207796.171632] ------------[ cut here ]------------
[207796.171656] kernel BUG at rust/helpers.c:45!

This is rust_helper_BUG(), function exported for Rust to invoke the BUG() macro which is then mapped by bindgen to the function BUG on the Rust end:

extern "C" {
    #[link_name="rust_helper_BUG"]
    pub fn BUG();
}

and hooked into the panic!() handler:

#[cfg(not(any(testlib, test)))]
#[panic_handler]
fn panic(info: &core::panic::PanicInfo<'_>) -> ! {
    pr_emerg!("{}\n", info);
    unsafe { bindings::BUG() };
    loop {}
}

This triggers the unwinding process:

[207796.172629] invalid opcode: 0000 [#1] PREEMPT SMP
[207796.172881] CPU: 0 PID: 340812 Comm: insmod Tainted: G           O      5.19.0+ #13
[207796.172982] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[207796.173001] RIP: 0010:rust_helper_BUG+0x5/0x10
[207796.174022] Code: 24 30 00 00 00 00 48 8d 7c 24 08 48 c7 c6 88 fa 48 ae e8 0e 46 41 00 0f 0b 00 00 cc cc 00 00 cc cc 00 00 cc cc 0f 1f 44 00 00 <0f> 0b 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 53 48 89 fb e8 a2
[207796.174022] RSP: 0018:ffff9c7040803918 EFLAGS: 00010246
[207796.174022] RAX: 000000000000007c RBX: ffff9c7040803a18 RCX: a617124871ab2700
[207796.175937] RDX: ffff89e33ec294c0 RSI: ffffffffae66f12e RDI: 00000000ffffffff
<snip />
[207796.179916] Call Trace:
[207796.181595]  <TASK>
[207796.181595]  rust_begin_unwind+0x66/0x80

The Rust unwind handler is invoked and what follows is a bunch of v0-style mangled names until we hit init_module.

[207796.183038]  ? _RNvXsP_NtCs3yuwAp0waWO_4core3fmtRhNtB5_5Debug3fmtCsfATHBUcknU9_6kernel+0x50/0x50
[207796.185124]  ? asm_sysvec_apic_timer_interrupt+0x16/0x20
[207796.185365]  ? _RNvNtCs3yuwAp0waWO_4core9panicking9panic_fmt+0x2c/0x30
[207796.185365]  ? _RNvNtCs3yuwAp0waWO_4core9panicking18panic_bounds_check+0x6f/0x80

There is the failed bounds check. Thanks to Rust the module enters this “controlled deorbit” procedure instead of triggering an invalid memory access as would be the case in C.

[207796.185365]  ? _RNvXs4_NtNtNtCs3yuwAp0waWO_4core3fmt3num3impxNtB9_7Display3fmt+0x20/0x20
[207796.185365]  ? _RNvXs4_NtNtNtCs3yuwAp0waWO_4core3fmt3num3impxNtB9_7Display3fmt+0x20/0x20
[207796.185365]  ? _RNvXCsf5oFb5M32wh_6oximodNtB2_6OxiModNtCsfATHBUcknU9_6kernel6Module4init+0x263/0x270 [oximod]
[207796.185365]  ? radix_tree_node_alloc+0x73/0xc0
[207796.189969]  ? _RNvXNtNtNtCs3yuwAp0waWO_4core3fmt3num3impaNtB6_7Display3fmt+0x30/0x30
[207796.189969]  ? _RNvXs_Csf5oFb5M32wh_6oximodNtB4_6OxiModNtNtNtCs3yuwAp0waWO_4core3ops4drop4Drop4drop+0x60/0x60 [oximod]
[207796.189969]  ? init_module+0x15/0x80 [oximod]

How is the Rust unwinding apparatus hooked into the kernel? Citing these compiler flags from the Makefile once more:

KBUILD_RUSTFLAGS := $(rust_common_flags) \
                --target=$(objtree)/rust/target.json \
                -Cpanic=abort -Cembed-bitcode=n -Clto=n \
===>            ^^^^^^^^^^^^^
                -Cforce-unwind-tables=n -Ccodegen-units=1 \
===>            ^^^^^^^^^^^^^^^^^^^^^^^
                -Csymbol-mangling-version=v0 \
                -Crelocation-model=static \
                -Zfunction-sections=n \
                -Dclippy::float_arithmetic

it would appear that rustc is instructed to neither insert unwinding code nor generate the unwind tables. IOW we shouldn’t a) see any unwinding and b) be getting any backtraces at all!

But we do get a backtrace. The reason for this, it appears, is due to how objtool generates the information for the ORC unwinder. According to the kernel docs this happens without the involvement of DWARF debug info, which would explain the -Cforce-unwind-tables=n. Instead, it relies on objtool “reverse engineering” the flow of the generated code, emitting ORC data derived from the stack metadata validation mechanism. No magic involved, let’s leave it at that.

[207796.189969]  ? selinux_kernfs_init_security+0x54/0x1c0
<snip />
[207796.194966]  ? load_module+0x1332/0x14a0
<snip />
[207796.194966]  ? entry_SYSCALL_64_after_hwframe+0x46/0xb0
[207796.199943]  </TASK>
[207796.199943] Modules linked in: oximod(O+) kvtcol(O) intel_rapl_msr intel_rapl_common <snip />
[207796.203378] ---[ end trace 0000000000000000 ]---

And the module hangs.

Accessing Kernel Internals

One can feel right at home hacking on the kernel in Rust as the environment is already surprisingly complete. Pre-made bindings to raw kernel APIs are available in the bindings:: namespace. In addition, there are idiomatic Rust wrappers for numerous core concepts like ioctls, struct file, struct sk_buff etc. Finally, symbols exported using EXPORT_SYMBOL{_GPL} are available. Functions declared inline on the C end can be a bit tricky to interact with, as is the case for example with kmalloc() which is worked around by using krealloc() in the allocator.

Thanks to its expressiveness Rust allows for abstractions that make the developer experience vastly more ergonomic than C, and that is true of kernel code as well. To give an example, user pointers are represented as struct UserSlicePtr on a type level instead of the ad-hoc __user tagging convention that is used in C. Its implementation defines just a single unsafe member function, the constructor whose invariants cannot be enforced by the compiler. The remainder of operations defined on user slices can be called in safe code – which is the rule rather than the exception as most of the time the kernel APIs one interacts with provide their data already wrapped in UserSlicePtr.

On the topic of ergonomics, the c_str!() macro deserves mention. It allows creating ffi::CStrs at compile time, making them almost as convenient to use as &str - it would make a worthy addition to std.

Sysctl

The Rust wrapper which we will be using in this module is kernel::sysctl::Sysctl with its companion trait SysctlStorage. The trait is used to define how read and write accesses are handled for this sysctl: on store_value() it receives a shared reference to the slice with the data written from userspace, on read_value() it receives a wrapped, mutable __user pointer to write to. At this stage SysctlStorage is only implemented for one type, core::sync::atomic::AtomicBool which is sufficient for this chapter.

pub trait SysctlStorage: Sync {
    fn store_value(&self, data: &[u8]) -> (usize, Result);
    fn read_value(&self, data: &mut UserSlicePtrWriter) -> (usize, Result);
}

pub struct Sysctl<T: SysctlStorage> {
    inner: Box<T>,
    _table: Box<[bindings::ctl_table]>,
    header: *mut bindings::ctl_table_header,
}

Firstly, in the module type constructor the sysctl is registered under the desired path:

struct OxiMod(Sysctl<AtomicBool>);

impl kernel::Module for OxiMod {
    fn init(name: &'static CStr, _module: &'static ThisModule) -> Result<Self> {
        let sysctl = Sysctl::register(
            c_str!("example"),
            c_str!("atom"),
            AtomicBool::new(false),
            Mode::from_int(0o644),
        )?;
        Ok(OxiMod(sysctl))
    }
}

This results in the creation of /proc/sys/example/atom at insmod time. Since AtomicBool already implements SysctlStorage, it can be read from and written to at that path:

# insmod oximod.ko
# sysctl example/atom
example.atom = 0
# ls -l /proc/sys/example/
total 0
-rw-r--r-- 1 root root 0 2022-09-02 21:48 atom
# cat /proc/sys/example/atom
0
# printf 1 >/proc/sys/example/atom
# cat /proc/sys/example/atom
1

This was quick, in just a few lines of code we went from zero to a new sysctl available as example/atom. As for correctness, the module author doesn’t really have a reason to worry about it as that is the compiler’s job. The Sync trait bound on SysctlStorage guarantees that access to the backing type is serialized.

Digression: It’s not my EFAULT!

In reality getting to the point of a working OxiMod was not as frictionless as the above would make you believe. While playing around with struct Sysctl I soon hit a roadblock:

# cat /proc/sys/example/atom
cat: /proc/sys/example/atom: Bad address

# printf 0 >/proc/sys/example/atom
-bash: printf: write error: Bad address

Confusing. “Bad address” is EFAULT, what could possibly cause that?

Looking at the implementation of SysctlStorage, safe access to the buffer is handled by wrapping it in UserSlicePtr, the tuple struct representing a user pointer. Read / write operations on that type are defined in its implementation of the IoBufferReader, which is where the calls to copy_{from,to}_user() happen and EFAULT may be returned on failure. In the case of SysctlStorage the failure originates in access_ok() on the source or destination buffer of copy_from_user() or copy_to_user(), respectively. Something about the pointer received by proc_handler() must not be right, causing access_ok() to reject it.

Why that happens is obvious from proc_sysctl.c where the call to proc_handler() happens: the buffer it passes to the function is not a user pointer but a freshly allocated kernel one! Turns out this was changed in kernel v5.7 with commit 32927393dc1c: "sysctl: pass kernel pointers to ->proc_handler". The fix is straightforward – get rid of the UserSlicePtr wrapper as we can safely operate on the kernel pointer directly. Amazingly, the pull request on the Rust-for-Linux repo received a blazing-fast review that ironed out some obvious flaws within a few hours of submission.

Given the novelty of the project it comes as a surprise that parts of the Rust support haven’t kept up with kernel changes that were merged more than two years ago. To put a positive spin on it, Rust for Linux has reached a point of maturity where it is already subject ot bitrot!

Conclusion

This part of the series described the process of creating a trivial out-of-tree module in a few lines of Rust code. Starting from a minimal example provided by upstream, we discussed allocating APIs and how to use them idiomatically in kernel side Rust and then had a look at what happens if the module triggers a BUG(). Finally, the actual sysctl was implemented by combining a few predefined parts.

The resulting module doesn’t do much at all, it basically only allows storing a bit in the kernel, modifying and retrieving it. Part three will expand the functionality to actually have an effect on the system.