From: Alice Ryhl <aliceryhl@google.com>
To: Tamir Duberstein <tamird@gmail.com>
Cc: "Masahiro Yamada" <masahiroy@kernel.org>,
"Nathan Chancellor" <nathan@kernel.org>,
"Nicolas Schier" <nicolas@fjasle.eu>,
"Miguel Ojeda" <ojeda@kernel.org>,
"Alex Gaynor" <alex.gaynor@gmail.com>,
"Boqun Feng" <boqun.feng@gmail.com>,
"Gary Guo" <gary@garyguo.net>,
"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
"Benno Lossin" <benno.lossin@proton.me>,
"Andreas Hindborg" <a.hindborg@kernel.org>,
"Trevor Gross" <tmgross@umich.edu>,
"Danilo Krummrich" <dakr@kernel.org>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Rafael J. Wysocki" <rafael@kernel.org>,
"Brendan Higgins" <brendan.higgins@linux.dev>,
"David Gow" <davidgow@google.com>, "Rae Moar" <rmoar@google.com>,
"Bjorn Helgaas" <bhelgaas@google.com>,
"Luis Chamberlain" <mcgrof@kernel.org>,
"Russ Weight" <russ.weight@linux.dev>,
"Rob Herring" <robh@kernel.org>,
"Saravana Kannan" <saravanak@google.com>,
linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org,
rust-for-linux@vger.kernel.org, linux-kselftest@vger.kernel.org,
kunit-dev@googlegroups.com, linux-pci@vger.kernel.org,
linux-block@vger.kernel.org, devicetree@vger.kernel.org
Subject: Re: [PATCH v5 6/6] rust: use strict provenance APIs
Date: Tue, 18 Mar 2025 12:29:20 +0000 [thread overview]
Message-ID: <Z9lnIJCcVSza6UVo@google.com> (raw)
In-Reply-To: <20250317-ptr-as-ptr-v5-6-5b5f21fa230a@gmail.com>
On Mon, Mar 17, 2025 at 10:23:56AM -0400, Tamir Duberstein wrote:
> Throughout the tree, use the strict provenance APIs stabilized in Rust
> 1.84.0[1]. Retain backwards-compatibility by introducing forwarding
> functions at the `kernel` crate root along with polyfills for rustc <
> 1.84.0.
>
> Use `#[allow(clippy::incompatible_msrv)]` to avoid warnings on rustc <
> 1.84.0 as our MSRV is 1.78.0.
>
> In the `kernel` crate, enable the strict provenance lints on rustc >=
> 1.84.0; do this in `lib.rs` rather than `Makefile` to avoid introducing
> compiler flags that are dependent on the rustc version in use.
>
> Link: https://blog.rust-lang.org/2025/01/09/Rust-1.84.0.html#strict-provenance-apis [1]
> Suggested-by: Benno Lossin <benno.lossin@proton.me>
> Link: https://lore.kernel.org/all/D8EIXDMRXMJP.36TFCGWZBRS3Y@proton.me/
> Signed-off-by: Tamir Duberstein <tamird@gmail.com>
I'm not convinced that the pros of this change outweigh the cons. I
think this is going to be too confusing for the C developers who look at
this code.
> diff --git a/rust/kernel/uaccess.rs b/rust/kernel/uaccess.rs
> index 719b0a48ff55..96393bcf6bd7 100644
> --- a/rust/kernel/uaccess.rs
> +++ b/rust/kernel/uaccess.rs
> @@ -226,7 +226,9 @@ pub fn read_raw(&mut self, out: &mut [MaybeUninit<u8>]) -> Result {
> }
> // SAFETY: `out_ptr` points into a mutable slice of length `len`, so we may write
> // that many bytes to it.
> - let res = unsafe { bindings::copy_from_user(out_ptr, self.ptr as *const c_void, len) };
> + let res = unsafe {
> + bindings::copy_from_user(out_ptr, crate::with_exposed_provenance(self.ptr), len)
> + };
> if res != 0 {
> return Err(EFAULT);
> }
> @@ -264,7 +266,7 @@ pub fn read<T: FromBytes>(&mut self) -> Result<T> {
> let res = unsafe {
> bindings::_copy_from_user(
> out.as_mut_ptr().cast::<c_void>(),
> - self.ptr as *const c_void,
> + crate::with_exposed_provenance(self.ptr),
> len,
> )
> };
That's especially true for cases like this. These are userspace pointers
that are never dereferenced. It's not useful to care about provenance
here.
Alice
next prev parent reply other threads:[~2025-03-18 12:29 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-17 14:23 [PATCH v5 0/6] rust: reduce pointer casts, enable related lints Tamir Duberstein
2025-03-17 14:23 ` [PATCH v5 1/6] rust: retain pointer mut-ness in `container_of!` Tamir Duberstein
2025-03-17 14:23 ` [PATCH v5 2/6] rust: enable `clippy::ptr_as_ptr` lint Tamir Duberstein
2025-03-17 14:23 ` [PATCH v5 3/6] rust: enable `clippy::ptr_cast_constness` lint Tamir Duberstein
2025-03-17 14:23 ` [PATCH v5 4/6] rust: enable `clippy::as_ptr_cast_mut` lint Tamir Duberstein
2025-03-17 14:23 ` [PATCH v5 5/6] rust: enable `clippy::as_underscore` lint Tamir Duberstein
2025-03-17 14:23 ` [PATCH v5 6/6] rust: use strict provenance APIs Tamir Duberstein
2025-03-17 15:04 ` Tamir Duberstein
2025-03-17 17:39 ` Boqun Feng
2025-03-17 18:04 ` Tamir Duberstein
2025-03-17 18:06 ` Boqun Feng
2025-03-17 18:10 ` Tamir Duberstein
2025-03-17 18:16 ` Boqun Feng
2025-03-17 18:50 ` Tamir Duberstein
2025-03-17 19:05 ` Tamir Duberstein
2025-03-17 20:28 ` Boqun Feng
2025-03-17 20:35 ` Tamir Duberstein
2025-03-17 20:46 ` Boqun Feng
2025-03-17 20:53 ` Tamir Duberstein
2025-03-17 21:36 ` Boqun Feng
2025-03-17 23:56 ` Tamir Duberstein
2025-03-18 0:14 ` Boqun Feng
2025-03-18 0:11 ` Boqun Feng
2025-03-18 0:41 ` Tamir Duberstein
2025-03-18 9:23 ` Benno Lossin
2025-03-19 15:25 ` Boqun Feng
2025-03-19 20:03 ` Benno Lossin
2025-03-17 17:50 ` Benno Lossin
2025-03-17 18:31 ` Tamir Duberstein
2025-03-17 18:33 ` Tamir Duberstein
2025-03-18 12:29 ` Alice Ryhl [this message]
2025-03-18 14:08 ` Tamir Duberstein
2025-03-19 0:23 ` Benno Lossin
2025-03-19 12:21 ` Alice Ryhl
2025-03-19 14:14 ` Tamir Duberstein
2025-03-19 14:42 ` Benno Lossin
2025-03-19 18:23 ` Tamir Duberstein
2025-03-19 20:06 ` Benno Lossin
2025-03-19 14:25 ` Benno Lossin
2025-03-19 20:02 ` Benno Lossin
2025-03-19 20:20 ` [PATCH v5 0/6] rust: reduce pointer casts, enable related lints Tamir Duberstein
2025-03-24 20:16 ` Benno Lossin
2025-03-24 20:55 ` Tamir Duberstein
2025-03-24 21:16 ` Tamir Duberstein
2025-03-24 21:39 ` Benno Lossin
2025-03-24 21:35 ` Tamir Duberstein
2025-03-24 21:55 ` Benno Lossin
2025-03-24 21:59 ` Tamir Duberstein
2025-03-25 11:05 ` Benno Lossin
2025-03-25 11:10 ` Miguel Ojeda
2025-03-25 13:34 ` Tamir Duberstein
2025-03-25 15:33 ` Benno Lossin
2025-03-25 17:17 ` Tamir Duberstein
2025-03-25 20:22 ` Tamir Duberstein
2025-03-25 20:29 ` Benno Lossin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z9lnIJCcVSza6UVo@google.com \
--to=aliceryhl@google.com \
--cc=a.hindborg@kernel.org \
--cc=alex.gaynor@gmail.com \
--cc=benno.lossin@proton.me \
--cc=bhelgaas@google.com \
--cc=bjorn3_gh@protonmail.com \
--cc=boqun.feng@gmail.com \
--cc=brendan.higgins@linux.dev \
--cc=dakr@kernel.org \
--cc=davidgow@google.com \
--cc=devicetree@vger.kernel.org \
--cc=gary@garyguo.net \
--cc=gregkh@linuxfoundation.org \
--cc=kunit-dev@googlegroups.com \
--cc=linux-block@vger.kernel.org \
--cc=linux-kbuild@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=masahiroy@kernel.org \
--cc=mcgrof@kernel.org \
--cc=nathan@kernel.org \
--cc=nicolas@fjasle.eu \
--cc=ojeda@kernel.org \
--cc=rafael@kernel.org \
--cc=rmoar@google.com \
--cc=robh@kernel.org \
--cc=russ.weight@linux.dev \
--cc=rust-for-linux@vger.kernel.org \
--cc=saravanak@google.com \
--cc=tamird@gmail.com \
--cc=tmgross@umich.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.