* [PATCH v5 0/2] rust: `overflow_assert!` macro
@ 2025-08-19 0:38 Antonio Hickey
From: Antonio Hickey @ 2025-08-19 0:38 UTC (permalink / raw)
To: Miguel Ojeda, Alex Gaynor, Boqun Feng, Gary Guo,
Björn Roy Baron, Benno Lossin, Andreas Hindborg, Alice Ryhl,
Trevor Gross, Danilo Krummrich
Cc: Antonio Hickey, Daniel Cote, Tamir Duberstein, rust-for-linux
This patch set introduces a macro for overflow assertions. The use of
this macro will avoid local `#ifdef`s by encapsulating the conditional
behavior in the macro. In addition, this macro also allows us to document
the intent of the assertion more clearly.
Changes in v5:
- Refactored the `overflow_assert!` macro to forward all tokens
to the `assert!`, allowing full message formatting and parity
with `debug_assert!`.
- Improved the documentation of the `overflow_assert!` macro.
- Updated example use patch to also use a custom message.
- Link to v4: https://lore.kernel.org/all/20250629024310.97937-1-contact@antoniohickey.com/
Changes in v4:
- Added the ability for callers to supply a custom message to the
overflow assertion.
- Small change to verbiage in documentation.
- Link to v3: https://lore.kernel.org/all/20250621230231.100181-1-contact@antoniohickey.com/
Changes in v3:
- Made the `overflow_assert!` macro take in expressions instead of
values.
- Fixed path in macro to fully qualify.
- Refactor macro to make the conditional compilation as local as
possible.
- Refactor macro to utilize the `cfg!` macro like the standard library
does to reduce boilerplate.
- Added an example use case of the `overflow_assert!` macro.
- Link to v2: https://lore.kernel.org/rust-for-linux/20250504165612.86459-1-contact@antoniohickey.com/
Changes in v2:
- Fixed example doc comment so it doesn't panic.
- Link to v1: https://lore.kernel.org/rust-for-linux/20250504164349.84149-1-contact@antoniohickey.com/
Suggested-by: Miguel Ojeda <ojeda@kernel.org>
Link: https://github.com/Rust-for-Linux/linux/issues/1159
Co-developed-by: Daniel Cote <danielstonecote@gmail.com>
Signed-off-by: Daniel Cote <danielstonecote@gmail.com>
Signed-off-by: Antonio Hickey <contact@antoniohickey.com>
Cc: Tamir Duberstein <tamird@gmail.com>
Antonio Hickey (2):
rust: kernel: create `overflow_assert!` macro
rust: uaccess: refactor to use `overflow_assert!`
rust/kernel/lib.rs | 1 +
rust/kernel/overflow_assert.rs | 44 ++++++++++++++++++++++++++++++++++
rust/kernel/uaccess.rs | 4 ++--
3 files changed, 47 insertions(+), 2 deletions(-)
create mode 100644 rust/kernel/overflow_assert.rs
--
2.50.1
* [PATCH v5 1/2] rust: kernel: create `overflow_assert!` macro
From: Antonio Hickey @ 2025-08-19 0:38 UTC (permalink / raw)
To: Miguel Ojeda, Alex Gaynor, Boqun Feng, Gary Guo,
Björn Roy Baron, Benno Lossin, Andreas Hindborg, Alice Ryhl,
Trevor Gross, Danilo Krummrich
Cc: Antonio Hickey, Daniel Cote, linux-kernel, rust-for-linux
This commit creates a macro for overflow assertions. The use of this
macro will avoid local `#ifdef`s by encapsulating the conditional
behavior (like `#[cfg(CONFIG_RUST_OVERFLOW_CHECKS)]`) in the macro.
In addition, this macro allows us to document the intent of the assertion
more clearly.
Co-developed-by: Daniel Cote <danielstonecote@gmail.com>
Signed-off-by: Daniel Cote <danielstonecote@gmail.com>
Signed-off-by: Antonio Hickey <contact@antoniohickey.com>
Link: https://github.com/Rust-for-Linux/linux/issues/1159
Suggested-by: Miguel Ojeda <ojeda@kernel.org>
---
rust/kernel/lib.rs | 1 +
rust/kernel/overflow_assert.rs | 44 ++++++++++++++++++++++++++++++++++
2 files changed, 45 insertions(+)
create mode 100644 rust/kernel/overflow_assert.rs
diff --git a/rust/kernel/lib.rs b/rust/kernel/lib.rs
index ed53169e795c..901e54a509a3 100644
--- a/rust/kernel/lib.rs
+++ b/rust/kernel/lib.rs
@@ -103,6 +103,7 @@
pub mod of;
#[cfg(CONFIG_PM_OPP)]
pub mod opp;
+pub mod overflow_assert;
pub mod page;
#[cfg(CONFIG_PCI)]
pub mod pci;
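Review bot: the new `pub mod overflow_assert;` line keeps the alphabetical order between `opp` and `page`, but note that because the macro in that file is `#[macro_export]`, it is exported at the crate root as `kernel::overflow_assert!`, not under `kernel::overflow_assert::`; the module itself ends up holding nothing but the macro's source and its `//!` doc. Consider stating that in the module doc (or re-exporting the macro from the prelude) so readers do not look for it under the module path.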
diff --git a/rust/kernel/overflow_assert.rs b/rust/kernel/overflow_assert.rs
new file mode 100644
index 000000000000..f3de3b1b2cf3
--- /dev/null
+++ b/rust/kernel/overflow_assert.rs
@@ -0,0 +1,44 @@
+// SPDX-License-Identifier: GPL-2.0
+
+//! Overflow assertion.
+
+/// Asserts that a boolean expression is `true` at runtime.
+///
+/// This will invoke the [`panic!`] macro if the provided
+/// expression cannot be evaluated to `true` at runtime.
+///
+/// This macro only has effect when `CONFIG_RUST_OVERFLOW_CHECKS`
+/// is enabled, otherwise it expands to a no-op.
+///
+/// This assertion is intended only for extra validation within
+/// builds and environments where panics are acceptable. **Do not
+/// rely on `overflow_assert!` for checks that must *always* execute**
+/// (e.g. to prevent undefined behavior, perform access checks, etc).
+///
+/// # Examples
+///
+/// Basic boolean condition:
+///
+/// ```
+/// let a: u32 = 10;
+/// let b: u32 = 5;
+/// overflow_assert!(a >= b);
+/// ```
+///
+/// A guard before doing a size computation that could overflow:
+/// ```
+/// fn reserve_for_concat(curr: usize, to_add: usize, cap: usize) {
+/// // If enabled, catch obvious overflow logic errors early:
+/// overflow_assert!(curr <= cap, "curr={} > cap={}", curr, cap);
+/// overflow_assert!(to_add <= cap - curr, "would exceed cap: {}+{} > {}", curr, to_add, cap);
+/// // ... then proceed to grow/append
+/// }
+/// ```
+#[macro_export]
+macro_rules! overflow_assert {
+ ($($arg:tt)*) => {
+ if cfg!(CONFIG_RUST_OVERFLOW_CHECKS) {
+ ::core::assert!($($arg)*);
+ }
+ };
+}
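Review bot: the sentence at `/// is enabled, otherwise it expands to a no-op.` overstates it. With the `if cfg!(CONFIG_RUST_OVERFLOW_CHECKS) { ::core::assert!(...) }` form, the condition and message arguments are still parsed, type-checked and borrow-checked in every configuration (which is the desirable property this form has over a `#[cfg]`-gated `assert!`); only their evaluation is skipped. Suggest wording such as "otherwise the arguments are compiled but never evaluated", and add that the condition must therefore be free of side effects, since those would occur only in checked builds. Separately, `/// expression cannot be evaluated to `true` at runtime` reads oddly; `assert!` panics when the expression evaluates to `false`.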
--
2.50.1
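The following is an added example and not code from this patch series or the kernel tree. It models the pattern the series introduces in a stand-alone Rust file: the macro is copied with the `CONFIG_RUST_OVERFLOW_CHECKS` cfg swapped for `debug_assertions` (an assumption, so plain `rustc` builds it), and `fake_strncpy_from_user`, `copy_string`, `copied_bytes` and the sample buffers are constructed here to play the roles of the C helper and the uaccess.rs caller. It shows the assertion tripping only in a checked build, and the caveat from the macro's docs, that a bound which must hold in every build is an ordinary runtime check rather than an `overflow_assert!`.

```rust
// Added example, not code from the patch series: a stand-alone model of the
// `overflow_assert!` pattern. The kernel macro keys on the
// `CONFIG_RUST_OVERFLOW_CHECKS` cfg; this copy keys on `debug_assertions`
// (an assumption) so that plain `rustc` builds it outside the kernel tree.
// `fake_strncpy_from_user`, `copy_string`, `copied_bytes` and the sample
// buffers are likewise constructed for illustration.

/// Same shape as the macro in the patch, with the cfg name swapped.
/// Because this is `if cfg!(...) { ... }` rather than `#[cfg(...)]`, the
/// arguments are parsed, type-checked and borrow-checked in every build;
/// when the check is disabled they are simply never evaluated.
macro_rules! overflow_assert {
    ($($arg:tt)*) => {
        if cfg!(debug_assertions) {
            ::core::assert!($($arg)*);
        }
    };
}

/// Reports whether the assertion is live in this build.
pub const fn overflow_checks_enabled() -> bool {
    cfg!(debug_assertions)
}

/// Stand-in for the C `strncpy_from_user` contract: copy bytes up to (not
/// including) the first NUL, never more than `dst.len()`, and return the
/// count copied. `faulty` models a buggy implementation that over-reports
/// the count, which is exactly what the assertion in uaccess.rs guards.
pub fn fake_strncpy_from_user(dst: &mut [u8], src: &[u8], faulty: bool) -> usize {
    let len = dst.len();
    let mut copied = 0;
    for (d, &s) in dst.iter_mut().zip(src) {
        if s == 0 {
            break;
        }
        *d = s;
        copied += 1;
    }
    if faulty { copied + len + 1 } else { copied }
}

/// Caller in the style of the uaccess.rs hunk: the assertion records an
/// invariant the C side already promises (`res <= len`) and only fires in
/// builds where the checks are compiled in.
pub fn copy_string(dst: &mut [u8], src: &[u8], faulty: bool) -> usize {
    let len = dst.len();
    let res = fake_strncpy_from_user(dst, src, faulty);
    overflow_assert!(res <= len, "strncpy_from_user returned {} for a {}-byte dst", res, len);
    res
}

/// The caveat from the macro's docs in code: a bound that must hold in
/// every build before it is used (here, slicing `dst` by a length the
/// callee reported) is an ordinary runtime check with an error path,
/// never an `overflow_assert!`.
pub fn copied_bytes<'a>(dst: &'a mut [u8], src: &[u8], faulty: bool) -> Result<&'a [u8], &'static str> {
    let res = fake_strncpy_from_user(dst, src, faulty);
    if res > dst.len() {
        return Err("callee reported more bytes than the buffer holds");
    }
    Ok(&dst[..res])
}

fn main() {
    let mut buf = [0u8; 8];
    let n = copy_string(&mut buf, b"hello\0", false);
    println!(
        "copied {} bytes ({:?}); overflow checks enabled: {}",
        n,
        &buf[..n],
        overflow_checks_enabled()
    );
}
```

Build it once with `rustc` (checks on) and once with `rustc -O` (checks off): in the first, the faulty path in `copy_string` panics with the formatted message; in the second it silently returns the bogus count, while `copied_bytes` rejects it in both. The `if cfg!(...)` shape is also why the kernel macro can forward arbitrary tokens to `assert!`: the arguments stay part of the program in the disabled configuration, so a variable used only in the assertion does not become an unused-variable warning the way it would behind `#[cfg(...)]`.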
* [PATCH v5 2/2] rust: uaccess: refactor to use `overflow_assert!`
From: Antonio Hickey @ 2025-08-19 0:38 UTC (permalink / raw)
To: Miguel Ojeda, Alex Gaynor, Boqun Feng, Gary Guo,
Björn Roy Baron, Benno Lossin, Andreas Hindborg, Alice Ryhl,
Trevor Gross, Danilo Krummrich
Cc: Antonio Hickey, Daniel Cote, rust-for-linux, linux-kernel
Using the `overflow_assert!` macro here adds documentation of
the intent of the assertion, and avoids local `#ifdef`s by
encapsulating the conditional behavior in the macro itself.
Co-developed-by: Daniel Cote <danielstonecote@gmail.com>
Signed-off-by: Daniel Cote <danielstonecote@gmail.com>
Signed-off-by: Antonio Hickey <contact@antoniohickey.com>
Link: https://github.com/Rust-for-Linux/linux/issues/1159
Suggested-by: Miguel Ojeda <ojeda@kernel.org>
---
rust/kernel/uaccess.rs | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rust/kernel/uaccess.rs b/rust/kernel/uaccess.rs
index a8fb4764185a..cbf201ebd426 100644
--- a/rust/kernel/uaccess.rs
+++ b/rust/kernel/uaccess.rs
@@ -9,6 +9,7 @@
bindings,
error::Result,
ffi::{c_char, c_void},
+ overflow_assert,
prelude::*,
transmute::{AsBytes, FromBytes},
};
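Review bot: `overflow_assert` is imported here by path from the crate root because the macro is `#[macro_export]`; the same `use` also brings the `overflow_assert` module of that name into scope, which is harmless but easy to misread next to the `prelude::*` import directly below it. If this macro is intended as the crate-wide replacement for `#[cfg(CONFIG_RUST_OVERFLOW_CHECKS)] assert!`, re-exporting it from the prelude would remove the need for a per-file import like this one.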
@@ -499,8 +500,7 @@ fn raw_strncpy_from_user(dst: &mut [MaybeUninit<u8>], src: UserPtr) -> Result<us
return Err(Error::from_errno(res as i32));
}
- #[cfg(CONFIG_RUST_OVERFLOW_CHECKS)]
- assert!(res <= len);
+ overflow_assert!(res <= len, "strncpy_from_user wrote past dst buffer length");
// GUARANTEES: `strncpy_from_user` was successful, so `dst` has contents in accordance with the
// guarantees of this function.
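Review bot: the message `"strncpy_from_user wrote past dst buffer length"` does not describe what `res <= len` actually tests. `res` is the length reported back by `strncpy_from_user`, so a failure means the C side returned a count larger than `dst`, not that it is known to have written past it. Since the v5 macro forwards format arguments, something like `"strncpy_from_user returned {} for a {}-byte dst", res, len` would say exactly that and include the values. Also worth keeping in mind that this check is compiled out without `CONFIG_RUST_OVERFLOW_CHECKS`, so the `// GUARANTEES:` comment that follows must continue to rest on the C function's contract rather than on this assertion, as it appears to.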
--
2.50.1