Re: [PATCH v5 01/19] rust: drm: ioctl: fix unbounded lifetimes in ioctl handler arguments
From: lyude
Date: Mon Jun 29 2026 - 17:32:46 EST
this macro is wild.
Reviewed-by: Lyude Paul <lyude@xxxxxxxxxx>
On Sun, 2026-06-28 at 16:53 +0200, Danilo Krummrich wrote:
> References to dev, data, and file in the declare_drm_ioctls! macro are
> created via unsafe pointer dereferences, producing unbounded lifetimes.
> If an ioctl handler explicitly annotates its parameters with 'static,
> the compiler accepts this, allowing the handler to stash references that
> outlive the ioctl call.
>
> Fix this by adding a higher-ranked function pointer coercion that
> enforces the handler accepts universally quantified lifetimes:
>
> let _: for<'a> fn(&'a _, &'a mut _, &'a _) -> _ = $func;
>
> Since the handler must be coercible to a function pointer accepting any
> lifetime 'a, it can no longer demand 'static on any parameter.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: 9a69570682b1 ("rust: drm: ioctl: Add DRM ioctl abstraction")
> Reported-by: sashiko-bot@xxxxxxxxxx
> Closes: https://lore.kernel.org/all/20260620011346.A47D01F000E9@xxxxxxxxxxxxxxx/
> Suggested-by: Gary Guo <gary@xxxxxxxxxxx>
> Signed-off-by: Danilo Krummrich <dakr@xxxxxxxxxx>
> ---
> rust/kernel/drm/ioctl.rs | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/rust/kernel/drm/ioctl.rs b/rust/kernel/drm/ioctl.rs
> index cf328101dde4..ccf4150d83b6 100644
> --- a/rust/kernel/drm/ioctl.rs
> +++ b/rust/kernel/drm/ioctl.rs
> @@ -135,6 +135,12 @@ macro_rules! declare_drm_ioctls {
> // dev/file match the current driver
> these ioctls are being declared
> // for, and it's not clear how to
> enforce this within the type system.
> let dev =
> $crate::drm::device::Device::from_raw(raw_dev);
> +
> + // Enforce that the handler accepts
> higher-ranked
> + // lifetimes, preventing it from
> requiring 'static
> + // references that could escape this
> scope.
> + let _: for<'a> fn(&'a _, &'a mut _, &'a
> _) -> _ = $func;
> +
> // SAFETY: The ioctl argument has size
> `_IOC_SIZE(cmd)`, which we
> // asserted above matches the size of
> this type, and all bit patterns of
> // UAPI structs must be valid.
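
Review bot: the comment above the added `let _: for<'a> fn(&'a _, &'a mut _, &'a _) -> _ = $func;` line says what the check prevents but not that the statement exists only for its type check, so a reader may take the discarded binding for a leftover. Suggest saying in the comment that this is a compile-time assertion. A handler written with 'static parameters will now fail with a type mismatch at this line inside the macro expansion, so the lifetime requirement on handlers would also be worth stating in the macro's doc comment, which these 6 inserted lines do not touch.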
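
The higher-ranked coercion described in the commit message, reduced to a stand-alone program. This is an added example, not code from the patch or the kernel tree: `Device`, `Args`, `File`, `dispatch!`, `run_ioctl` and both handlers are hypothetical stand-ins for the types and macro the patch touches.

```rust
// Added illustration: Device, Args, File and dispatch! are hypothetical
// stand-ins, not the kernel's types or the declare_drm_ioctls! macro.
struct Device { id: u32 }
struct Args { value: u32 }
struct File { pid: u32 }

// Lifetime-generic handler: it can only use the borrows during the call.
fn good_handler(dev: &Device, data: &mut Args, file: &File) -> i32 {
    data.value += dev.id + file.pid;
    0
}

// Handler that demands 'static, which would let it keep `dev` after the call.
#[allow(dead_code)]
fn bad_handler(_dev: &'static Device, _data: &'static mut Args, _file: &'static File) -> i32 {
    0
}

macro_rules! dispatch {
    ($func:expr, $dev:expr, $data:expr, $file:expr) => {{
        // Compile-time check only: $func must coerce to a fn pointer that is
        // valid for every lifetime 'a, so it cannot require 'static.
        let _: for<'a> fn(&'a _, &'a mut _, &'a _) -> _ = $func;
        // SAFETY (constructed example): the caller passes valid, exclusive
        // pointers. These dereferences are what produce unbounded lifetimes.
        let (dev, data, file) = unsafe { (&*$dev, &mut *$data, &*$file) };
        $func(dev, data, file)
    }};
}

// Simulates one ioctl call whose objects live only for the duration of the call.
fn run_ioctl() -> (i32, u32) {
    let dev = Device { id: 1 };
    let file = File { pid: 40 };
    let mut args = Args { value: 1 };
    let (pd, pf, pa) = (&dev as *const Device, &file as *const File, &mut args as *mut Args);
    let ret = dispatch!(good_handler, pd, pa, pf);
    // dispatch!(bad_handler, pd, pa, pf); // rejected at the coercion line
    (ret, args.value)
}

fn main() {
    assert_eq!(run_ioctl(), (0, 42));
}
```

Deleting the `let _: for<'a> fn(...)` line from `dispatch!` and uncommenting the `bad_handler` call makes the program compile, because the references produced by the raw pointer dereferences can be inferred as `'static`.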