All of lore.kernel.org
 help / color / mirror / Atom feed
From: Boqun Feng <boqun.feng@gmail.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: "Alice Ryhl" <aliceryhl@google.com>,
	"Miguel Ojeda" <ojeda@kernel.org>,
	"Andrew Morton" <akpm@linux-foundation.org>,
	"Alexander Viro" <viro@zeniv.linux.org.uk>,
	"Gary Guo" <gary@garyguo.net>,
	"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
	"Benno Lossin" <benno.lossin@proton.me>,
	"Andreas Hindborg" <a.hindborg@kernel.org>,
	"Trevor Gross" <tmgross@umich.edu>,
	"Danilo Krummrich" <dakr@kernel.org>,
	rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] uaccess: rust: add strncpy_from_user
Date: Fri, 25 Apr 2025 07:35:41 -0700	[thread overview]
Message-ID: <aAudvTvdhLwBv9gG@Mac.home> (raw)
In-Reply-To: <2025042509-french-washbowl-5cde@gregkh>

On Fri, Apr 25, 2025 at 03:52:16PM +0200, Greg Kroah-Hartman wrote:
> On Fri, Apr 25, 2025 at 06:39:25AM -0700, Boqun Feng wrote:
> > On Fri, Apr 25, 2025 at 09:43:30AM +0000, Alice Ryhl wrote:
> > > On Thu, Apr 24, 2025 at 08:57:13AM -0700, Boqun Feng wrote:
> > > > On Thu, Apr 24, 2025 at 03:17:48PM +0000, Alice Ryhl wrote:
> > > > > This is needed for ioctls that operate on a user-provided string.
> > > > > 
> > > > > It is somewhat unfortunate that strncpy_from_user does not nul-terminate
> > > > > the string when the end of `buf` is reached. This implies that we can't
> > > > > return a &CStr from the function, since the buffer may not always be
> > > > > nul-terminated.
> > > > > 
> > > > > That said, we could add more convenient helpers on top that add a NUL
> > > > > byte in that case.
> > > > > 
> > > > > This method isn't defined on UserSliceReader because it complicates the
> > > > > semantics. The UserSliceReader type also has its own maximum length, so
> > > > > we would have to limit the read by that length too.
> > > > > 
> > > > > Signed-off-by: Alice Ryhl <aliceryhl@google.com>
> > > > > ---
> > > > >  rust/kernel/uaccess.rs | 27 +++++++++++++++++++++++++++
> > > > >  1 file changed, 27 insertions(+)
> > > > > 
> > > > > diff --git a/rust/kernel/uaccess.rs b/rust/kernel/uaccess.rs
> > > > > index 80a9782b1c6e98ed6eae308ade8551afa7adc188..1bd82045e81ea887008e30241bd6de27f096b639 100644
> > > > > --- a/rust/kernel/uaccess.rs
> > > > > +++ b/rust/kernel/uaccess.rs
> > > > > @@ -369,3 +369,30 @@ pub fn write<T: AsBytes>(&mut self, value: &T) -> Result {
> > > > >          Ok(())
> > > > >      }
> > > > >  }
> > > > > +
> > > > > +/// Reads a nul-terminated string into `buf` and returns the length.
> > > > > +///
> > > > > +/// Fails with [`EFAULT`] if the read happens on a bad address. If the end of `buf` is reached,
> > > > > +/// then the buffer will not be nul-terminated.
> > > > > +#[inline]
> > > > > +pub fn strncpy_from_user(ptr: UserPtr, buf: &mut [u8]) -> Result<usize> {
> > > > 
> > > > Sorry maybe there is an email I'm missing, but could you provide more
> > > > context of the usage?
> > > > 
> > > > First the function name is a bit weird, because the 'n' in "strncpy"
> > > > means the parameters should have an 'n' (i.e. length) in it, but there
> > > > is none in the Rust version.
> > > 
> > > There is a length! It's the length of `buf`. It's pretty normal that C
> > > methods with a pointer and length become a Rust method with a slice.
> > > 
> > 
> > That's exactly the point, no need to reuse a name from C if we have
> > something better.
> 
> Up to point, us kernel developers are used to the C names, so keep it
> close if at all possible, ESPECIALLY for just links/wrappers of C
> functions like this one is.
> 

Well, see my other suggestion about always putting a NUL at the end.
Then it's going to be a different function than what strncpy() does.

And I also asked for the usage there, because IMO, there's no point of
replicating a strncpy() in Rust, we should design a better API, rather
than mimic what C does.

> > > The distinction between strcpy and strncpy in my eyes is that strcpy
> > > reads until you find a NUL byte, whereas strncpy reads until you find a
> > > NUL byte *or* you read a user-specified number of bytes. This method is
> > > in the latter category.
> > > 
> > 
> > Then copy_from_user_until_nul()? Or cstrcpy_from_user()? We should have
> > a bit consistent naming on Rust side regardless how C names things IMO.
> 
> You need to specify a max length, otherwise that's just going to confuse
> us all.  strncpy_from_user() is the function we are used to using for
> copying up to N number of bytes from userspace where a 0 termination
> stops the copy if N isn't reached.  So I vote highly for the original
> name here please.
> 

Have you read the Rust the function signature? There is no parameter for
the max length, the max length is implied in the `buf` slice. Plus we
should really consider what the usage is, for example, wouldn't it be
ideal that we provide a buffer that has an extra byte so that the
copy result is always NUL terminated? I randomly checked a few users of
C strncpy_from_user() (alloc_name() in mm/memfd.c, mtrr_write() in
arch/x86/kernel/cpu/mtrr/if.c), they all do the same: providing the
extra byte (i.e. buf size is > n). So it seems preferable to me that we
provide a function doing that instead of just replicating
strncpy_from_user() semantics here.

(You're the one that keeps telling us to focus on usages, and I think
that's a good perspective ;-))

Regards,
Boqun

> thanks,
> 
> greg k-h

  reply	other threads:[~2025-04-25 14:35 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-04-24 15:17 [PATCH] uaccess: rust: add strncpy_from_user Alice Ryhl
2025-04-24 15:57 ` Boqun Feng
2025-04-25  9:43   ` Alice Ryhl
2025-04-25 13:39     ` Boqun Feng
2025-04-25 13:52       ` Greg Kroah-Hartman
2025-04-25 14:35         ` Boqun Feng [this message]
2025-04-25 14:45           ` Greg Kroah-Hartman
2025-04-24 16:32 ` Danilo Krummrich
2025-04-25  9:44   ` Alice Ryhl
2025-04-25 14:14     ` Danilo Krummrich
2025-04-24 16:38 ` Miguel Ojeda
2025-04-25  9:45   ` Alice Ryhl

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aAudvTvdhLwBv9gG@Mac.home \
    --to=boqun.feng@gmail.com \
    --cc=a.hindborg@kernel.org \
    --cc=akpm@linux-foundation.org \
    --cc=aliceryhl@google.com \
    --cc=benno.lossin@proton.me \
    --cc=bjorn3_gh@protonmail.com \
    --cc=dakr@kernel.org \
    --cc=gary@garyguo.net \
    --cc=gregkh@linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=ojeda@kernel.org \
    --cc=rust-for-linux@vger.kernel.org \
    --cc=tmgross@umich.edu \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.