1. Patchew
  2. linux
  3. View series

Printing with overflow checks can cause modpost errors

Joel Fernandes posted 1 patch 2 weeks, 6 days ago 
drivers/gpu/nova-core/nova_core.rs    |  1 +
drivers/gpu/nova-core/test_modpost.rs | 60 +++++++++++++++++++++++++++
2 files changed, 61 insertions(+)
create mode 100644 drivers/gpu/nova-core/test_modpost.rs
Printing with overflow checks can cause modpost errors
Posted by Joel Fernandes 2 weeks, 6 days ago 
Hello,
Recently some of have been running into modpost errors more frequently. Ahead
of Kangrejos, I am trying to study them, the one I looked at today is truly
weird, below are more details.

I narrowed it down to the print statement and specifically the FFI call to
printk bindings. This was first reported by Timur Tabi on CC. 

With CONFIG_RUST_OVERFLOW_CHECKS=y and CONFIG_RUST_BUILD_ASSERT_ALLOW=y, the
following patch when applied to nova-core will fail to build with following
errors. The question is why does the overflow checking fail since the
arithmetic is valid, and why only during printing (and say not during the
call to write32).

  MODPOST Module.symvers
ERROR: modpost: "rust_build_error" [drivers/gpu/nova-core/nova_core.ko] undefined!
make[2]: *** [scripts/Makefile.modpost:147: Module.symvers] Error 1
make[1]: *** [/home/joelaf/repo/linux-nova-rm-call/Makefile:1961: modpost] Error 2
make: *** [Makefile:248: __sub-make] Error 2

Any comments or thoughts?

---8<-----------------------

From: Joel Fernandes <joelagnelf@nvidia.com>
Subject: [PATCH] Reproduce modpost error due to print

Signed-off-by: Joel Fernandes <joelagnelf@nvidia.com>
---
 drivers/gpu/nova-core/nova_core.rs    |  1 +
 drivers/gpu/nova-core/test_modpost.rs | 60 +++++++++++++++++++++++++++
 2 files changed, 61 insertions(+)
 create mode 100644 drivers/gpu/nova-core/test_modpost.rs

diff --git a/drivers/gpu/nova-core/nova_core.rs b/drivers/gpu/nova-core/nova_core.rs
index 4dbc7e5daae3..9ed48ddf6df9 100644
--- a/drivers/gpu/nova-core/nova_core.rs
+++ b/drivers/gpu/nova-core/nova_core.rs
@@ -15,6 +15,7 @@
 mod sbuffer;
 mod util;
 mod vbios;
+mod test_modpost;
 
 pub(crate) const MODULE_NAME: &kernel::str::CStr = <LocalModule as kernel::ModuleMetadata>::NAME;
 
diff --git a/drivers/gpu/nova-core/test_modpost.rs b/drivers/gpu/nova-core/test_modpost.rs
new file mode 100644
index 000000000000..eab82b6176a8
--- /dev/null
+++ b/drivers/gpu/nova-core/test_modpost.rs
@@ -0,0 +1,60 @@
+use kernel::prelude::*;
+use kernel::io::Io;
+use core::ops::Deref;
+use crate::driver::Bar0;
+use crate::falcon::{FalconEngine};
+use crate::falcon::gsp::Gsp;
+
+macro_rules! test_reg_array {
+    ($name:ident @ $base:ty [ $offset:literal [ $size:expr ] ]) => {
+        pub(crate) struct $name(u32);
+        
+        impl $name {
+            pub(crate) const OFFSET: usize = $offset;
+            pub(crate) const SIZE: usize = $size;
+            pub(crate) const STRIDE: usize = 4;
+            
+            #[inline(always)]
+            pub(crate) fn write_with_printk<const SIZE: usize, T, B>(
+                self,
+                io: &T,
+                _base: &B,
+                idx: usize
+            ) where
+                T: Deref<Target = Io<SIZE>>,
+                B: kernel::io::register::RegisterBase<$base>,
+            {
+                // This assert has no effect on the issue and can be commented
+                // to still reproduce the error.
+                build_assert!(idx < Self::SIZE);
+
+                let offset = <B as kernel::io::register::RegisterBase<$base>>::BASE +
+                    Self::OFFSET + (idx * Self::STRIDE);
+
+                // PRINTK BLOCK -- entire block can be replaced with pr_err("{}", offset)
+                // and it would still show the same error.
+                let args = core::format_args!("{}", offset);
+                unsafe {
+                    kernel::bindings::_printk( // ---> Causes the MODPOST error
+                        kernel::print::format_strings::ERR.as_ptr(),
+                        crate::__LOG_PREFIX.as_ptr(),
+                        core::ptr::from_ref(&args).cast::<kernel::ffi::c_void>(),
+                    );
+                }
+                // END PRINTK BLOCK
+                
+                io.write32(self.0, offset);
+            }
+            
+        }
+    };
+}
+
+test_reg_array!(TestFbifTranscfg @ crate::falcon::PFalconBase [ 0x00000600 [ 8 ] ]);
+
+#[no_mangle]
+pub(crate) extern "C" fn test_single(bar: &Bar0) {
+    TestFbifTranscfg(0x00000001).write_with_printk(bar, &Gsp::ID, 0);
+}
+
+
-- 
2.34.1
Re: Printing with overflow checks can cause modpost errors
Posted by Andrew Ballance 2 weeks, 6 days ago 
On Thu, Sep 11, 2025 at 05:31:57PM -0400, Joel Fernandes wrote:
> Hello,
> Recently some of have been running into modpost errors more frequently. Ahead
> of Kangrejos, I am trying to study them, the one I looked at today is truly
> weird, below are more details.
> 
> I narrowed it down to the print statement and specifically the FFI call to
> printk bindings. This was first reported by Timur Tabi on CC. 
> 
> With CONFIG_RUST_OVERFLOW_CHECKS=y and CONFIG_RUST_BUILD_ASSERT_ALLOW=y, the
> following patch when applied to nova-core will fail to build with following
> errors. The question is why does the overflow checking fail since the
> arithmetic is valid, and why only during printing (and say not during the
> call to write32).
> 
>   MODPOST Module.symvers
> ERROR: modpost: "rust_build_error" [drivers/gpu/nova-core/nova_core.ko] undefined!
> make[2]: *** [scripts/Makefile.modpost:147: Module.symvers] Error 1
> make[1]: *** [/home/joelaf/repo/linux-nova-rm-call/Makefile:1961: modpost] Error 2
> make: *** [Makefile:248: __sub-make] Error 2
> 
> Any comments or thoughts?
> 

Io::write32 tries to do a bounds check at compile time and if it cannot
be done it causes a build error. it looks like because a pointer to
offset is passed across a ffi boundary, rustc makes no assumptions about
the value of offset. so it cannot do the bounds check at compile time
and causes a build error.

Best regards,
Andrew Ballance
Re: Printing with overflow checks can cause modpost errors
Posted by Joel Fernandes 2 weeks, 6 days ago 
On Thu, Sep 11, 2025 at 07:27:26PM -0500, Andrew Ballance wrote:
> On Thu, Sep 11, 2025 at 05:31:57PM -0400, Joel Fernandes wrote:
> > Hello,
> > Recently some of have been running into modpost errors more frequently. Ahead
> > of Kangrejos, I am trying to study them, the one I looked at today is truly
> > weird, below are more details.
> > 
> > I narrowed it down to the print statement and specifically the FFI call to
> > printk bindings. This was first reported by Timur Tabi on CC. 
> > 
> > With CONFIG_RUST_OVERFLOW_CHECKS=y and CONFIG_RUST_BUILD_ASSERT_ALLOW=y, the
> > following patch when applied to nova-core will fail to build with following
> > errors. The question is why does the overflow checking fail since the
> > arithmetic is valid, and why only during printing (and say not during the
> > call to write32).
> > 
> >   MODPOST Module.symvers
> > ERROR: modpost: "rust_build_error" [drivers/gpu/nova-core/nova_core.ko] undefined!
> > make[2]: *** [scripts/Makefile.modpost:147: Module.symvers] Error 1
> > make[1]: *** [/home/joelaf/repo/linux-nova-rm-call/Makefile:1961: modpost] Error 2
> > make: *** [Makefile:248: __sub-make] Error 2
> > 
> > Any comments or thoughts?
> > 
> 
> Io::write32 tries to do a bounds check at compile time and if it cannot
> be done it causes a build error. it looks like because a pointer to
> offset is passed across a ffi boundary, rustc makes no assumptions about
> the value of offset. so it cannot do the bounds check at compile time
> and causes a build error.

Are you saying this issue is related to iowrite32? I don't think so because
the issue does not happen if you comment out the pr_err in my example and
leave the write32 as it is. So it is something with the call to printk (FFI).

Why can't it assume the value of offset? All the values to compute it are
available at compile time right?

thanks,

 - Joel
Re: Printing with overflow checks can cause modpost errors
Posted by Andrew Ballance 2 weeks, 6 days ago 
On 9/11/25 9:53 PM, Joel Fernandes wrote:
> On Thu, Sep 11, 2025 at 07:27:26PM -0500, Andrew Ballance wrote:
>> On Thu, Sep 11, 2025 at 05:31:57PM -0400, Joel Fernandes wrote:
>>> Hello,
>>> Recently some of have been running into modpost errors more frequently. Ahead
>>> of Kangrejos, I am trying to study them, the one I looked at today is truly
>>> weird, below are more details.
>>>
>>> I narrowed it down to the print statement and specifically the FFI call to
>>> printk bindings. This was first reported by Timur Tabi on CC.
>>>
>>> With CONFIG_RUST_OVERFLOW_CHECKS=y and CONFIG_RUST_BUILD_ASSERT_ALLOW=y, the
>>> following patch when applied to nova-core will fail to build with following
>>> errors. The question is why does the overflow checking fail since the
>>> arithmetic is valid, and why only during printing (and say not during the
>>> call to write32).
>>>
>>>    MODPOST Module.symvers
>>> ERROR: modpost: "rust_build_error" [drivers/gpu/nova-core/nova_core.ko] undefined!
>>> make[2]: *** [scripts/Makefile.modpost:147: Module.symvers] Error 1
>>> make[1]: *** [/home/joelaf/repo/linux-nova-rm-call/Makefile:1961: modpost] Error 2
>>> make: *** [Makefile:248: __sub-make] Error 2
>>>
>>> Any comments or thoughts?
>>>
>>
>> Io::write32 tries to do a bounds check at compile time and if it cannot
>> be done it causes a build error. it looks like because a pointer to
>> offset is passed across a ffi boundary, rustc makes no assumptions about
>> the value of offset. so it cannot do the bounds check at compile time
>> and causes a build error.
> 
> Are you saying this issue is related to iowrite32? I don't think so because
> the issue does not happen if you comment out the pr_err in my example and
> leave the write32 as it is. So it is something with the call to printk (FFI).
> 
> Why can't it assume the value of offset? All the values to compute it are
> available at compile time right?
> 
> thanks,
> 
>   - Joel
> 

This is a resend because I forgot to cc the mailing list.

it has to do with the FFI call. The value of offset can be found out at
compile time, but because a pointer is passed through, the c side could
theoretically change the value before write32 is called.
The pointer passed is const so rustc should assume that the c side does
not change offset, but looks like rustc does not do that.

as a test i created a version where a copy of offset is passed to printk
instead of offset and it compiles.
e.g:
// SNIP
let offset = <B as kernel::io::register::RegisterBase<$base>>::BASE
     + Self::OFFSET
     + (idx * Self::STRIDE);
let offset_copy = offset;

pr_err!("{}", offset_copy);
io.write32(self.0, offset);
// SNIP

Best regards,
Andrew Ballance
Re: Printing with overflow checks can cause modpost errors
Posted by Joel Fernandes 2 weeks, 2 days ago 
On Thu, Sep 11, 2025 at 11:08:17PM -0500, Andrew Ballance wrote:
> On 9/11/25 9:53 PM, Joel Fernandes wrote:
> > On Thu, Sep 11, 2025 at 07:27:26PM -0500, Andrew Ballance wrote:
> > > On Thu, Sep 11, 2025 at 05:31:57PM -0400, Joel Fernandes wrote:
> > > > Hello,
> > > > Recently some of have been running into modpost errors more frequently. Ahead
> > > > of Kangrejos, I am trying to study them, the one I looked at today is truly
> > > > weird, below are more details.
> > > > 
> > > > I narrowed it down to the print statement and specifically the FFI call to
> > > > printk bindings. This was first reported by Timur Tabi on CC.
> > > > 
> > > > With CONFIG_RUST_OVERFLOW_CHECKS=y and CONFIG_RUST_BUILD_ASSERT_ALLOW=y, the
> > > > following patch when applied to nova-core will fail to build with following
> > > > errors. The question is why does the overflow checking fail since the
> > > > arithmetic is valid, and why only during printing (and say not during the
> > > > call to write32).
> > > > 
> > > >    MODPOST Module.symvers
> > > > ERROR: modpost: "rust_build_error" [drivers/gpu/nova-core/nova_core.ko] undefined!
> > > > make[2]: *** [scripts/Makefile.modpost:147: Module.symvers] Error 1
> > > > make[1]: *** [/home/joelaf/repo/linux-nova-rm-call/Makefile:1961: modpost] Error 2
> > > > make: *** [Makefile:248: __sub-make] Error 2
> > > > 
> > > > Any comments or thoughts?
> > > > 
> > > 
> > > Io::write32 tries to do a bounds check at compile time and if it cannot
> > > be done it causes a build error. it looks like because a pointer to
> > > offset is passed across a ffi boundary, rustc makes no assumptions about
> > > the value of offset. so it cannot do the bounds check at compile time
> > > and causes a build error.
> > 
> > Are you saying this issue is related to iowrite32? I don't think so because
> > the issue does not happen if you comment out the pr_err in my example and
> > leave the write32 as it is. So it is something with the call to printk (FFI).
> > 
> > Why can't it assume the value of offset? All the values to compute it are
> > available at compile time right?
> > 
> > thanks,
> > 
> >   - Joel
> > 
> 
> This is a resend because I forgot to cc the mailing list.
> 
> it has to do with the FFI call. The value of offset can be found out at
> compile time, but because a pointer is passed through, the c side could
> theoretically change the value before write32 is called.
> The pointer passed is const so rustc should assume that the c side does
> not change offset, but looks like rustc does not do that.
> 
> as a test i created a version where a copy of offset is passed to printk
> instead of offset and it compiles.
> e.g:
> // SNIP
> let offset = <B as kernel::io::register::RegisterBase<$base>>::BASE
>     + Self::OFFSET
>     + (idx * Self::STRIDE);
> let offset_copy = offset;
> 
> pr_err!("{}", offset_copy);
> io.write32(self.0, offset);
> // SNIP

Andrew,
Thanks, I came to the same conclusion. After the first FFI call, the compiler
has to redo the overflow checking and cannot optimize it away. The issue does
not happen if either drop the print, or the io.write32, so it is their
combination that causes the issue.

So I guess how do we fix it? One crude way could be for the print macro to
alias its arguments automatically. But that does not fix the general problem
as it could occur with other FFI calls as well, not just printing.

thanks,

 - Joel
Re: Printing with overflow checks can cause modpost errors
Posted by Joel Fernandes 2 weeks, 2 days ago 
On Tue, Sep 16, 2025 at 06:32:52AM -0400, Joel Fernandes wrote:
> On Thu, Sep 11, 2025 at 11:08:17PM -0500, Andrew Ballance wrote:
> > On 9/11/25 9:53 PM, Joel Fernandes wrote:
> > > On Thu, Sep 11, 2025 at 07:27:26PM -0500, Andrew Ballance wrote:
> > > > On Thu, Sep 11, 2025 at 05:31:57PM -0400, Joel Fernandes wrote:
> > > > > Hello,
> > > > > Recently some of have been running into modpost errors more frequently. Ahead
> > > > > of Kangrejos, I am trying to study them, the one I looked at today is truly
> > > > > weird, below are more details.
> > > > > 
> > > > > I narrowed it down to the print statement and specifically the FFI call to
> > > > > printk bindings. This was first reported by Timur Tabi on CC.
> > > > > 
> > > > > With CONFIG_RUST_OVERFLOW_CHECKS=y and CONFIG_RUST_BUILD_ASSERT_ALLOW=y, the
> > > > > following patch when applied to nova-core will fail to build with following
> > > > > errors. The question is why does the overflow checking fail since the
> > > > > arithmetic is valid, and why only during printing (and say not during the
> > > > > call to write32).
> > > > > 
> > > > >    MODPOST Module.symvers
> > > > > ERROR: modpost: "rust_build_error" [drivers/gpu/nova-core/nova_core.ko] undefined!
> > > > > make[2]: *** [scripts/Makefile.modpost:147: Module.symvers] Error 1
> > > > > make[1]: *** [/home/joelaf/repo/linux-nova-rm-call/Makefile:1961: modpost] Error 2
> > > > > make: *** [Makefile:248: __sub-make] Error 2
> > > > > 
> > > > > Any comments or thoughts?
> > > > > 
> > > > 
> > > > Io::write32 tries to do a bounds check at compile time and if it cannot
> > > > be done it causes a build error. it looks like because a pointer to
> > > > offset is passed across a ffi boundary, rustc makes no assumptions about
> > > > the value of offset. so it cannot do the bounds check at compile time
> > > > and causes a build error.
> > > 
> > > Are you saying this issue is related to iowrite32? I don't think so because
> > > the issue does not happen if you comment out the pr_err in my example and
> > > leave the write32 as it is. So it is something with the call to printk (FFI).
> > > 
> > > Why can't it assume the value of offset? All the values to compute it are
> > > available at compile time right?
> > > 
> > > thanks,
> > > 
> > >   - Joel
> > > 
> > 
> > This is a resend because I forgot to cc the mailing list.
> > 
> > it has to do with the FFI call. The value of offset can be found out at
> > compile time, but because a pointer is passed through, the c side could
> > theoretically change the value before write32 is called.
> > The pointer passed is const so rustc should assume that the c side does
> > not change offset, but looks like rustc does not do that.
> > 
> > as a test i created a version where a copy of offset is passed to printk
> > instead of offset and it compiles.
> > e.g:
> > // SNIP
> > let offset = <B as kernel::io::register::RegisterBase<$base>>::BASE
> >     + Self::OFFSET
> >     + (idx * Self::STRIDE);
> > let offset_copy = offset;
> > 
> > pr_err!("{}", offset_copy);
> > io.write32(self.0, offset);
> > // SNIP
> 
> Andrew,
> Thanks, I came to the same conclusion. After the first FFI call, the compiler
> has to redo the overflow checking and cannot optimize it away. The issue does
> not happen if either drop the print, or the io.write32, so it is their
> combination that causes the issue.
> 
> So I guess how do we fix it? One crude way could be for the print macro to
> alias its arguments automatically. But that does not fix the general problem
> as it could occur with other FFI calls as well, not just printing.

I even see it with the following simple example, just using same variable
between safe and unsafe code, here offset is not even going to the C side
(there's no print):

  let mut offset = 0;
  unsafe {
    offset = 5;
  }
  io.write32(self.0, offset);

So maybe the issue is that the FFI related to print involves unsafe { },
hence it causes the same issue there too?

thanks,

 - Joel
Re: Printing with overflow checks can cause modpost errors
Posted by Joel Fernandes 2 weeks, 1 day ago 
On Tue, Sep 16, 2025 at 06:48:51AM -0400, Joel Fernandes wrote:
> On Tue, Sep 16, 2025 at 06:32:52AM -0400, Joel Fernandes wrote:
> > On Thu, Sep 11, 2025 at 11:08:17PM -0500, Andrew Ballance wrote:
> > > On 9/11/25 9:53 PM, Joel Fernandes wrote:
> > > > On Thu, Sep 11, 2025 at 07:27:26PM -0500, Andrew Ballance wrote:
> > > > > On Thu, Sep 11, 2025 at 05:31:57PM -0400, Joel Fernandes wrote:
> > > > > > Hello,
> > > > > > Recently some of have been running into modpost errors more frequently. Ahead
> > > > > > of Kangrejos, I am trying to study them, the one I looked at today is truly
> > > > > > weird, below are more details.
> > > > > > 
> > > > > > I narrowed it down to the print statement and specifically the FFI call to
> > > > > > printk bindings. This was first reported by Timur Tabi on CC.
> > > > > > 
> > > > > > With CONFIG_RUST_OVERFLOW_CHECKS=y and CONFIG_RUST_BUILD_ASSERT_ALLOW=y, the
> > > > > > following patch when applied to nova-core will fail to build with following
> > > > > > errors. The question is why does the overflow checking fail since the
> > > > > > arithmetic is valid, and why only during printing (and say not during the
> > > > > > call to write32).
> > > > > > 
> > > > > >    MODPOST Module.symvers
> > > > > > ERROR: modpost: "rust_build_error" [drivers/gpu/nova-core/nova_core.ko] undefined!
> > > > > > make[2]: *** [scripts/Makefile.modpost:147: Module.symvers] Error 1
> > > > > > make[1]: *** [/home/joelaf/repo/linux-nova-rm-call/Makefile:1961: modpost] Error 2
> > > > > > make: *** [Makefile:248: __sub-make] Error 2
> > > > > > 
> > > > > > Any comments or thoughts?
> > > > > > 
> > > > > 
> > > > > Io::write32 tries to do a bounds check at compile time and if it cannot
> > > > > be done it causes a build error. it looks like because a pointer to
> > > > > offset is passed across a ffi boundary, rustc makes no assumptions about
> > > > > the value of offset. so it cannot do the bounds check at compile time
> > > > > and causes a build error.
> > > > 
> > > > Are you saying this issue is related to iowrite32? I don't think so because
> > > > the issue does not happen if you comment out the pr_err in my example and
> > > > leave the write32 as it is. So it is something with the call to printk (FFI).
> > > > 
> > > > Why can't it assume the value of offset? All the values to compute it are
> > > > available at compile time right?
> > > > 
> > > > thanks,
> > > > 
> > > >   - Joel
> > > > 
> > > 
> > > This is a resend because I forgot to cc the mailing list.
> > > 
> > > it has to do with the FFI call. The value of offset can be found out at
> > > compile time, but because a pointer is passed through, the c side could
> > > theoretically change the value before write32 is called.
> > > The pointer passed is const so rustc should assume that the c side does
> > > not change offset, but looks like rustc does not do that.
> > > 
> > > as a test i created a version where a copy of offset is passed to printk
> > > instead of offset and it compiles.
> > > e.g:
> > > // SNIP
> > > let offset = <B as kernel::io::register::RegisterBase<$base>>::BASE
> > >     + Self::OFFSET
> > >     + (idx * Self::STRIDE);
> > > let offset_copy = offset;
> > > 
> > > pr_err!("{}", offset_copy);
> > > io.write32(self.0, offset);
> > > // SNIP
> > 
> > Andrew,
> > Thanks, I came to the same conclusion. After the first FFI call, the compiler
> > has to redo the overflow checking and cannot optimize it away. The issue does
> > not happen if either drop the print, or the io.write32, so it is their
> > combination that causes the issue.
> > 
> > So I guess how do we fix it? One crude way could be for the print macro to
> > alias its arguments automatically. But that does not fix the general problem
> > as it could occur with other FFI calls as well, not just printing.
> 
> I even see it with the following simple example, just using same variable
> between safe and unsafe code, here offset is not even going to the C side
> (there's no print):
> 
>   let mut offset = 0;
>   unsafe {
>     offset = 5;
>   }
>   io.write32(self.0, offset);
> 
> So maybe the issue is that the FFI related to print involves unsafe { },
> hence it causes the same issue there too?
> 

For the print usecase, if I move the match statement into a closure, the
issue disappears. Below is a patch, I can/will send it as a proper patch but
any initial thoughts? (Fair warning: Only lightly tested).

---8<-----------------------

From: Joel Fernandes <joelagnelf@nvidia.com>
Subject: [PATCH] rust: print: Fix issue with rust_build_error

When printing just before calling io.write32(), modpost fails. The issue
seems to be that, the printk arguments are used in an unsafe block, thus Rust
cannot trust its value. This can be fixed by simply creating a variable alias
for each variable.

Fix it in an even simpler way by just call printk in a closure. Rust captures
the arguments into the closure's arguments thus breaking the dependencies.
Tested with the following snippet and it builds with patch:

  let offset = 0;
  pr_err!("{}", offset);
  io.write32(base, offset);

Signed-off-by: Joel Fernandes <joelagnelf@nvidia.com>
---
 rust/kernel/print.rs | 33 ++++++++++++++++++---------------
 1 file changed, 18 insertions(+), 15 deletions(-)

diff --git a/rust/kernel/print.rs b/rust/kernel/print.rs
index 2d743d78d220..d6ef31464102 100644
--- a/rust/kernel/print.rs
+++ b/rust/kernel/print.rs
@@ -143,27 +143,30 @@ pub fn call_printk_cont(args: fmt::Arguments<'_>) {
 #[expect(clippy::crate_in_macro_def)]
 macro_rules! print_macro (
     // The non-continuation cases (most of them, e.g. `INFO`).
-    ($format_string:path, false, $($arg:tt)+) => (
+    ($format_string:path, false, $($arg:tt)+) => ({
         // To remain sound, `arg`s must be expanded outside the `unsafe` block.
         // Typically one would use a `let` binding for that; however, `format_args!`
         // takes borrows on the arguments, but does not extend the scope of temporaries.
         // Therefore, a `match` expression is used to keep them around, since
         // the scrutinee is kept until the end of the `match`.
-        match $crate::prelude::fmt!($($arg)+) {
-            // SAFETY: This hidden macro should only be called by the documented
-            // printing macros which ensure the format string is one of the fixed
-            // ones. All `__LOG_PREFIX`s are null-terminated as they are generated
-            // by the `module!` proc macro or fixed values defined in a kernel
-            // crate.
-            args => unsafe {
-                $crate::print::call_printk(
-                    &$format_string,
-                    crate::__LOG_PREFIX,
-                    args,
-                );
+        let print_fn = || {
+            match $crate::prelude::fmt!($($arg)+) {
+                // SAFETY: This hidden macro should only be called by the documented
+                // printing macros which ensure the format string is one of the fixed
+                // ones. All `__LOG_PREFIX`s are null-terminated as they are generated
+                // by the `module!` proc macro or fixed values defined in a kernel
+                // crate.
+                args => unsafe {
+                    $crate::print::call_printk(
+                        &$format_string,
+                        crate::__LOG_PREFIX,
+                        args,
+                    );
+                }
             }
-        }
-    );
+        };
+        print_fn();
+    });
 
     // The `CONT` case.
     ($format_string:path, true, $($arg:tt)+) => (
-- 
2.34.1
Re: Printing with overflow checks can cause modpost errors
Posted by Timur Tabi 2 weeks ago 
On Tue, 2025-09-16 at 14:52 -0400, Joel Fernandes wrote:
> From: Joel Fernandes <joelagnelf@nvidia.com>
> Subject: [PATCH] rust: print: Fix issue with rust_build_error
> 
> When printing just before calling io.write32(), modpost fails. The issue
> seems to be that, the printk arguments are used in an unsafe block, thus Rust
> cannot trust its value. This can be fixed by simply creating a variable alias
> for each variable.
> 
> Fix it in an even simpler way by just call printk in a closure. Rust captures
> the arguments into the closure's arguments thus breaking the dependencies.
> Tested with the following snippet and it builds with patch:
> 
>   let offset = 0;
>   pr_err!("{}", offset);
>   io.write32(base, offset);
> 
> Signed-off-by: Joel Fernandes <joelagnelf@nvidia.com>

Tested-by: Timur Tabi <ttabi@nvidia.com>

This fixes an issue I had with pr_err!() and io.write32() and causing rust_build_error.
Re: Printing with overflow checks can cause modpost errors
Posted by Miguel Ojeda 2 weeks, 6 days ago 
On Fri, Sep 12, 2025 at 6:08 AM Andrew Ballance
<andrewjballance@gmail.com> wrote:
>
> The pointer passed is const so rustc should assume that the c side does
> not change offset, but looks like rustc does not do that.

That is not possible -- a const pointer does not guarantee the value
will not be changed.

Cheers,
Miguel
Re: Printing with overflow checks can cause modpost errors
Posted by Alice Ryhl 2 weeks, 6 days ago 
On Fri, Sep 12, 2025 at 10:28 AM Miguel Ojeda
<miguel.ojeda.sandonis@gmail.com> wrote:
>
> On Fri, Sep 12, 2025 at 6:08 AM Andrew Ballance
> <andrewjballance@gmail.com> wrote:
> >
> > The pointer passed is const so rustc should assume that the c side does
> > not change offset, but looks like rustc does not do that.
>
> That is not possible -- a const pointer does not guarantee the value
> will not be changed.

I believe this code is using an immutable reference and not just a
pointer, so it would be UB to use it to write to `offset`, and so it
would be valid to assume it has not changed. But I think that in most
scenarios, Rust only optimizes using that information when the
reference appears as a function argument, which is not the case here.

Alice
Re: Printing with overflow checks can cause modpost errors
Posted by Miguel Ojeda 2 weeks, 6 days ago 
On Fri, Sep 12, 2025 at 11:45 AM Alice Ryhl <aliceryhl@google.com> wrote:
>
> I believe this code is using an immutable reference and not just a
> pointer, so it would be UB to use it to write to `offset`, and so it
> would be valid to assume it has not changed. But I think that in most
> scenarios, Rust only optimizes using that information when the
> reference appears as a function argument, which is not the case here.

I understood Andrew as talking about the C side, i.e. a guarantee
coming from the C side.

Callers can guarantee in other ways, but I wanted to clarify that the
C const pointer doesn't really do anything.

Cheers,
Miguel

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.