Fix UB in an io_uring test, and add a safety comment. (#1547)

* Fix UB in an io_uring test, and add a safety comment.

Add a safety comment to `io_uring_register` that the pointee must
point to mutable memory. We should fix the API too, but that's a
semver break, so I've filed #1545.

Also, remove an entry from CHANGES.md that didn't happen.

* Remove `syscall_readonly` in `io_uring_register`.

Author: sunfishcode

CHANGES.md

@@ -66,12 +66,6 @@ constant.
 [`IORING_REGISTER_FILES_SKIP`]: https://docs.rs/rustix/1/rustix/io_uring/constant.IORING_REGISTER_FILES_SKIP.html
 [`rustix::fs::CWD`]: https://docs.rs/rustix/1/rustix/fs/constant.CWD.html
 
-[`rustix::io_uring::io_uring_register`] now has a [`IoringRegisterFlags`]
-argument, and `rustix::io_uring::io_uring_register_with` is removed.
-
-[`rustix::io_uring::io_uring_register`]: https://docs.rs/rustix/1/rustix/io_uring/fn.io_uring_register.html
-[`IoringRegisterFlags`]: https://docs.rs/rustix/1/rustix/io_uring/struct.IoringRegisterFlags.html
-
 Several structs in [`rustix::io_uring`] are now marked `#[non_exhaustive]`
 because they contain padding or reserved fields. Instead of constructing
 them with field values and `..Default::default()`, construct them with

src/backend/linux_raw/io_uring/syscalls.rs

@@ -29,7 +29,9 @@ pub(crate) unsafe fn io_uring_register(
     arg: *const c_void,
     nr_args: u32,
 ) -> io::Result<u32> {
-    ret_c_uint(syscall_readonly!(
+    // This is not `syscall_readonly` because when `opcode` is
+    // `IoringRegisterOp::RegisterRingFds`, `arg`'s pointee is mutated.
+    ret_c_uint(syscall!(
         __NR_io_uring_register,
         fd,
         c_uint(opcode as u32),
@@ -46,7 +48,9 @@ pub(crate) unsafe fn io_uring_register_with(
     arg: *const c_void,
     nr_args: u32,
 ) -> io::Result<u32> {
-    ret_c_uint(syscall_readonly!(
+    // This is not `syscall_readonly` because when `opcode` is
+    // `IoringRegisterOp::RegisterRingFds`, `arg`'s pointee is mutated.
+    ret_c_uint(syscall!(
         __NR_io_uring_register,
         fd,
         c_uint((opcode as u32) | bitflags_bits!(flags)),

src/io_uring/mod.rs

@@ -106,6 +106,9 @@ pub unsafe fn io_uring_setup(entries: u32, params: &mut io_uring_params) -> io::
 /// responsible for ensuring that memory and resources are only accessed in
 /// valid ways.
 ///
+/// If `opcode` is `IoringRegisterOp::RegisterRingFds`, `arg` must point to
+/// mutable memory, despite being `*const`.
+///
 /// # References
 ///  - [Linux]
 ///
@@ -129,6 +132,9 @@ pub unsafe fn io_uring_register<Fd: AsFd>(
 /// responsible for ensuring that memory and resources are only accessed in
 /// valid ways.
 ///
+/// If `opcode` is `IoringRegisterOp::RegisterRingFds`, `arg` must point to
+/// mutable memory, despite being `*const`.
+///
 /// # References
 ///  - [Linux]
 ///

tests/io_uring/register.rs

@@ -15,7 +15,7 @@ fn do_register<FD>(
     fd: FD,
     registered_fd: bool,
     opcode: IoringRegisterOp,
-    arg: *const c_void,
+    arg: *mut c_void,
     arg_nr: u32,
 ) -> Result<()>
 where
@@ -27,8 +27,10 @@ where
         IoringRegisterFlags::default()
     };
 
+    // Cast `arg` to `*const c_void` to match the current API. See
+    // <https://github.com/bytecodealliance/rustix/issues/1545>.
     unsafe {
-        io_uring_register_with(fd, opcode, flags, arg, arg_nr)?;
+        io_uring_register_with(fd, opcode, flags, arg as *const c_void, arg_nr)?;
     }
 
     Ok(())
@@ -43,7 +45,7 @@ fn register_ring(fd: BorrowedFd<'_>) -> Result<BorrowedFd<'_>> {
         fd,
         false,
         IoringRegisterOp::RegisterRingFds,
-        (&update as *const io_uring_rsrc_update).cast::<c_void>(),
+        (&mut update as *mut io_uring_rsrc_update).cast::<c_void>(),
         1,
     )?;
 
@@ -63,7 +65,7 @@ where
         fd,
         true,
         IoringRegisterOp::UnregisterRingFds,
-        (&update as *const io_uring_rsrc_update).cast::<c_void>(),
+        (&update as *const io_uring_rsrc_update as *mut io_uring_rsrc_update).cast::<c_void>(),
         1,
     )?;
 
@@ -81,7 +83,7 @@ where
         fd,
         true,
         IoringRegisterOp::RegisterIowqMaxWorkers,
-        (&iowq_max_workers as *const [u32; 2]).cast::<c_void>(),
+        (&iowq_max_workers as *const [u32; 2] as *mut [u32; 2]).cast::<c_void>(),
         2,
     )?;
 
@@ -96,7 +98,7 @@ where
         fd,
         false,
         IoringRegisterOp::RegisterPbufRing,
-        (reg as *const io_uring_buf_reg).cast::<c_void>(),
+        (reg as *const io_uring_buf_reg as *mut io_uring_buf_reg).cast::<c_void>(),
         1,
     )
 }