From: Alice Ryhl <aliceryhl@google.com>
To: Ke Sun <sunke@kylinos.cn>
Cc: "Dirk Behme" <dirk.behme@gmail.com>,
"Boqun Feng" <boqun.feng@gmail.com>,
"Miguel Ojeda" <ojeda@kernel.org>,
"Petr Mladek" <pmladek@suse.com>,
"Steven Rostedt" <rostedt@goodmis.org>,
"Timur Tabi" <ttabi@nvidia.com>,
"Danilo Krummrich" <dakr@kernel.org>,
"Benno Lossin" <lossin@kernel.org>,
"John Ogness" <john.ogness@linutronix.de>,
"Andy Shevchenko" <andriy.shevchenko@linux.intel.com>,
"Rasmus Villemoes" <linux@rasmusvillemoes.dk>,
"Andrew Morton" <akpm@linux-foundation.org>,
"Gary Guo" <gary@garyguo.net>,
"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
"Andreas Hindborg" <a.hindborg@kernel.org>,
"Trevor Gross" <tmgross@umich.edu>,
"Tamir Duberstein" <tamird@gmail.com>,
"Ke Sun" <sk.alvin.x@gmail.com>,
rust-for-linux@vger.kernel.org
Subject: Re: [PATCH v7 2/4] rust: kernel: Add pointer wrapper types for safe pointer formatting
Date: Mon, 29 Dec 2025 09:03:23 +0000
Message-ID: <aVJD2z7p93NlEg0o@google.com>
In-Reply-To: <20251229072157.3857053-3-sunke@kylinos.cn>

On Mon, Dec 29, 2025 at 03:21:20PM +0800, Ke Sun wrote:
> Add three pointer wrapper types (HashedPtr, RestrictedPtr, RawPtr) to
> rust/kernel/ptr.rs that correspond to C kernel's printk format specifiers
> %p, %pK, and %px. These types provide type-safe pointer formatting that
> matches C kernel patterns.
>
> These wrapper types implement core::fmt::Pointer and delegate to the
> corresponding kernel formatting functions, enabling safe pointer
> formatting in Rust code that prevents information leaks about kernel
> memory layout.
>
> Users can explicitly use these types:
> pr_info!("{:p}\n", HashedPtr::from(ptr));
> pr_info!("{:p}\n", RestrictedPtr::from(ptr));
> pr_info!("{:p}\n", RawPtr::from(ptr));

These ::from calls are inconvenient. Why not just make the field public
and let users write:

    pr_info!("{:p}\n", HashedPtr(ptr));
    pr_info!("{:p}\n", RestrictedPtr(ptr));
    pr_info!("{:p}\n", RawPtr(ptr));

If the only concern is casts, then just make the struct generic:

    pub struct HashedPtr<T>(pub *const T);

Since *mut T will automatically downgrade to *const T, this should allow
HashedPtr(ptr) to work with any raw pointer.

> -use crate::build_assert;
> +use crate::{
> + bindings,
> + build_assert,
> + ffi::c_void, //
> +};

Please use prelude::* instead of ffi::c_void.

> /// Type representing an alignment, which is always a power of two.
> ///
> @@ -225,3 +236,240 @@ fn align_up(self, alignment: Alignment) -> Option<Self> {
> }
>
> impl_alignable_uint!(u8, u16, u32, u64, usize);
> +
> +/// Placeholder string used when pointer hashing is not ready yet.
> +const PTR_PLACEHOLDER: &str = if core::mem::size_of::<*const c_void>() == 8 {

size_of is in the kernel prelude.

> +impl fmt::Pointer for RestrictedPtr {
> + fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
> + // Handle NULL pointers
> + if self.0.is_null() {
> + return Pointer::fmt(&self.0, f);
> + }
> +
> + // Use kptr_restrict_value to handle all kptr_restrict cases.
> + // - Returns 0: kptr_restrict == 0, use original pointer (needs hashing)
> + // - Returns 1: kptr_restrict == 1, *pptr may be modified to NULL if no permission
> + // - Returns 2: kptr_restrict >= 2, *pptr is set to NULL
> + // - Returns -1: IRQ context with kptr_restrict == 1 (error case)
> + let mut ptr_value = self.0;
> + // SAFETY: kptr_restrict_value handles capability checks and IRQ context.
> + // It may modify ptr_value to NULL if there's no permission.
> + let ret = unsafe { bindings::kptr_restrict_value(core::ptr::addr_of_mut!(ptr_value)) };

Simplifies to:

    let ret = unsafe { bindings::kptr_restrict_value(&raw mut ptr_value) };

or even:

    let ret = unsafe { bindings::kptr_restrict_value(&mut ptr_value) };

> + match ret {
> + -1 => {
> + // IRQ context with kptr_restrict == 1 - print error placeholder
> + // This should not happen in normal Rust code, but handle it gracefully
> + f.pad("(pK-error)")

Why can't this happen in Rust code? Rust can run in IRQ context.

> + }
> + 0 => {
> + // kptr_restrict == 0: hash the pointer (same as %p)
> + format_hashed_ptr(self.0, f)
> + }
> + 1 => {
> + // kptr_restrict == 1: print raw pointer if ptr_value is non-null,
> + // otherwise print 0 (no permission)
> + if ptr_value.is_null() {
> + Pointer::fmt(&core::ptr::null::<c_void>(), f)
> + } else {
> + // Print the raw pointer directly (like %px)
> + // This matches C behavior: pointer_string() prints the raw address
> + Pointer::fmt(&ptr_value, f)
> + }
> + }
> + _ => {
> + // kptr_restrict >= 2: always print 0
> + // ptr_value should already be NULL, but check to be safe
> + Pointer::fmt(&core::ptr::null::<c_void>(), f)
> + }
> + }
> + }
> +}
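
Review bot: the SAFETY comment above the bindings::kptr_restrict_value call in RestrictedPtr::fmt describes what the C function does (capability checks, IRQ context) rather than why the call is sound; it should state the precondition being met, namely that the argument points to the local ptr_value, which is live and writable for the duration of the call. In the same match, the `_ =>` arm handles every return value other than -1, 0 and 1 as "kptr_restrict >= 2"; matching 2 explicitly and commenting the catch-all as the fail-closed path would make it clear that an unexpected return value still prints a null pointer and never an address. The comment "but check to be safe" in that arm should be reworded, since the arm performs no check on ptr_value.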

Alice