Re: [PATCH 1/2] rust: pin-init: internal: init: remove `#[disable_initialized_field_access]`

From: Janne Grunau

Date: Sun Mar 01 2026 - 12:12:40 EST

On Sat, Feb 28, 2026 at 12:37:04PM +0100, Benno Lossin wrote:
> Gary noticed [1] that the initializer macros as well as the `[Pin]Init`
> traits cannot support packed struct, since they use operations that
> require aligned pointers. This means that any code using packed structs
> and pin-init is unsound.
>
> Thus remove the `#[disable_initialized_field_access]` attribute from
> `init!`, which is the only safe way to create an initializer of a packed
> struct.
>
> In the future, we can add support for packed structs by changing the
> trait infrastructure to include `UnalignedInit` or hopefully another
> mechanism.
>
> Reported-by: Gary Guo <gary@xxxxxxxxxxx>
> Link: https://rust-for-linux.zulipchat.com/#narrow/channel/561532-pin-init/topic/initialized.20field.20accessor.20detection/with/576210658 [1]
> Fixes: ceca298c53f9 ("rust: pin-init: internal: init: add escape hatch for referencing initialized fields")
> Signed-off-by: Benno Lossin <lossin@xxxxxxxxxx>
> ---
> This commit does not need backporting, as ceca298c53f9 is not yet in any
> stable tree.
>
> However, the unsoundness still affects several stable trees, because it
> was unknowingly fixed in commit 42415d163e5d ("rust: pin-init: add
> references to previously initialized fields"). Before then, packed
> structs compiled without any issues with pin-init and thus all prior
> kernel versions with pin-init that do not contain that commit are
> affected.
>
> We introduced pin-init in 90e53c5e70a6 ("rust: add pin-init API core"),
> which was included in 6.4. The affected stable trees that are still
> maintained are: 6.17, 6.16, 6.12, and 6.6. Note that 6.18 and 6.19
> already contain 42415d163e5d, so they are unaffected.
>
> I will prepare a separate patch series to backport 42415d163e5d to each
> of the affected trees, including the second patch of this series that
> documents the fact that field accessors are load-bearing for soundness.
>
> @asahi folks, let me know if I should prioritize a solution for packed
> structs. Otherwise I'd like not support it at the moment, as that
> requires some deeper changes to the internals of pin-init. I'm tracking
> the status of packed structs in:

I have worked around this in the downstream AOP audio driver now. I did
not do that initially since it looked more involved and we were planning
to bring support back.
These structs describe messages for communication with a coprocessor via
shared memory. They are derived by observing messages by tracing. So
there is only limited understanding how the messages are formated. Their
layout has for obvious reason match exactly so `#[repr(C, packed)]` is
the obvious choice.
One of the structs had a size of N * 4 - 1 which results in a alignment
of 1. Fortunately the struct could be padded to multiple of 4.
Nevertheless it was required to replace a few u32 with an unaligned
version.

I'm not sure if there is a need to support unaligned fields in pin-init.
The workarounds in the asahi GPU and AOP audio drivers are acceptable
and could stay indefinitely.

Janne

> https://github.com/Rust-for-Linux/pin-init/issues/112