From: Alice Ryhl <aliceryhl@google.com>
To: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
Cc: "Miguel Ojeda" <ojeda@kernel.org>,
	"Alexander Viro" <viro@zeniv.linux.org.uk>,
	"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
	"Arnd Bergmann" <arnd@arndb.de>,
	"Andrew Morton" <akpm@linux-foundation.org>,
	"Boqun Feng" <boqun.feng@gmail.com>,
	"Gary Guo" <gary@garyguo.net>,
	"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
	"Benno Lossin" <benno.lossin@proton.me>,
	"Andreas Hindborg" <a.hindborg@kernel.org>,
	"Trevor Gross" <tmgross@umich.edu>,
	"Danilo Krummrich" <dakr@kernel.org>,
	rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] uaccess: rust: use newtype for user pointers
Date: Wed, 7 May 2025 06:29:00 +0000
Message-ID: <aBr9rI1OUAEJpQsL@google.com>
In-Reply-To: <CANiq72=n68DB+hZ77GT4d7odPSS=wxc+YLvaBhU8-H7PyK25Rw@mail.gmail.com>

On Tue, May 06, 2025 at 03:59:20PM +0200, Miguel Ojeda wrote:
> On Tue, May 6, 2025 at 3:26 PM Alice Ryhl <aliceryhl@google.com> wrote:
> >
> > The UserPtr type is not marked with #[derive(Debug)], which means that
> > it's not possible to print values of this type. This avoids ASLR
> > breakage.
> 
> By breakage you mean leaking the information by mistake?

Yeah, I'll reword to "ASLR leakage".

> Since it is `pub`, should we make it even harder to make a mistake
> here by making it private? You are already providing and using the
> `as_` methods anyway, so we would only need a `new` or conversion
> method or `Into` similar (not sure which one would be best -- perhaps
> a single one with a descriptive name is a good idea to grep for it
> easily).

If we change it to store a raw pointer, then that might be a good idea.

> > +    /// Increment this user pointer by `add` bytes.
> > +    ///
> > +    /// This is addition is wrapping, so wrapping around the address space does not result in a
> 
> s/is//
> 
> > +    /// panic even if `CONFIG_RUST_OVERFLOW_CHECKS` is enabled.
> > +    pub fn wrapping_add(self, add: usize) -> UserPtr {
> > +        UserPtr(self.0.wrapping_add(add))
> > +    }
> > +}
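Review bot: `wrapping_add` takes `self` by value and returns a new `UserPtr`, so a call whose result is dropped (`ptr.wrapping_add(n);`) compiles and does nothing; consider `#[must_use]` on the method so that case draws a warning. The doc comment also only says that no panic occurs; a sentence on what a caller may assume about a result that wrapped around the address space would help.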
> 
> I guess you are using `wrapping_add` since we have a `usize` internal
> type, but I wonder if we should use the pointer-related naming, i.e.
> `wrapping_byte_add`.

That makes sense.

> Also, perhaps it is best to use another name for the parameter -- I
> would pick `count` like the standard library.

Sure.

> In addition, should we get this directly into the `prelude`? `__user`
> is also global and fairly short. It may not be heavily used all the
> time like other things, but it is fairly fundamental, like the `c_*`
> ones.

Good idea.

Alice
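
An added illustration, not code from the patch or from anyone in this thread: a userspace Rust model of the design discussed above (private field, no `Debug` impl, the `wrapping_byte_add`/`count` naming), plus a compile-time check that breaks the build if `Debug` is ever added to the type. `from_addr`, `as_addr`, `AmbiguousIfDebug` and `wrap_demo` are hypothetical names, and the sample addresses are constructed.

```rust
// Userspace model of the design discussed in the thread; not the kernel's code.
use std::fmt::Debug;

/// Address of memory in another (userspace) address space.
/// Deliberately no #[derive(Debug)]: the address cannot be formatted into a log.
#[derive(Clone, Copy, PartialEq, Eq)]
pub struct UserPtr(usize); // private field: built only through `from_addr`

impl UserPtr {
    /// Hypothetical constructor name; a single entry point that is easy to grep for.
    pub fn from_addr(addr: usize) -> Self {
        UserPtr(addr)
    }

    /// Hypothetical accessor standing in for the patch's `as_` methods.
    pub fn as_addr(self) -> usize {
        self.0
    }

    /// Advance by `count` bytes; wraps instead of panicking on overflow.
    #[must_use]
    pub fn wrapping_byte_add(self, count: usize) -> Self {
        UserPtr(self.0.wrapping_add(count))
    }
}

// Compile-time guard: if `UserPtr` ever gains a `Debug` impl, both impls below
// apply, the `_` marker becomes ambiguous, and the build fails.
trait AmbiguousIfDebug<Marker> {
    fn check() {}
}
impl<T: ?Sized> AmbiguousIfDebug<()> for T {}
impl<T: ?Sized + Debug> AmbiguousIfDebug<u8> for T {}
const _: fn() = || <UserPtr as AmbiguousIfDebug<_>>::check();

/// Constructed sample: step up to, and then past, the top of the address space.
pub fn wrap_demo() -> (usize, usize) {
    let near_top = UserPtr::from_addr(usize::MAX - 3); // constructed value
    (
        near_top.wrapping_byte_add(3).as_addr(), // lands exactly on usize::MAX
        near_top.wrapping_byte_add(8).as_addr(), // wraps around to 4
    )
}

fn main() {
    assert_eq!(wrap_demo(), (usize::MAX, 4));
}
```

Adding `Debug` to the derive list makes the `const _` line fail to compile, which is the regression the guard is there to catch.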
