From: Ke Sun <sk.alvin.x@gmail.com>
To: Dirk Behme <dirk.behme@gmail.com>, Ke Sun <sunke@kylinos.cn>,
Miguel Ojeda <ojeda@kernel.org>, Petr Mladek <pmladek@suse.com>,
Steven Rostedt <rostedt@goodmis.org>,
Timur Tabi <ttabi@nvidia.com>, Danilo Krummrich <dakr@kernel.org>,
Benno Lossin <lossin@kernel.org>
Cc: "Boqun Feng" <boqun.feng@gmail.com>,
"Gary Guo" <gary@garyguo.net>,
"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
"Andreas Hindborg" <a.hindborg@kernel.org>,
"Alice Ryhl" <aliceryhl@google.com>,
"Trevor Gross" <tmgross@umich.edu>,
"Tamir Duberstein" <tamird@gmail.com>,
rust-for-linux@vger.kernel.org
Subject: Re: [PATCH v6 2/4] rust: kernel: Add pointer wrapper types for safe pointer formatting
Date: Mon, 29 Dec 2025 15:34:19 +0800 [thread overview]
Message-ID: <97efae81-bde6-4ebe-a650-495676716248@gmail.com> (raw)
In-Reply-To: <faeb6601-de91-4c40-af33-9f081d2b7f6a@gmail.com>
On 12/29/25 14:44, Dirk Behme wrote:
> On 27.12.25 04:39, Ke Sun wrote:
>> Add three pointer wrapper types (HashedPtr, RestrictedPtr, RawPtr) to
>> rust/kernel/ptr.rs that correspond to C kernel's printk format specifiers
>> %p, %pK, and %px. These types provide type-safe pointer formatting that
>> matches C kernel patterns.
>>
>> These wrapper types implement core::fmt::Pointer and delegate to the
>> corresponding kernel formatting functions, enabling safe pointer
>> formatting in Rust code that prevents information leaks about kernel
>> memory layout.
>>
>> Users can explicitly use these types:
>> pr_info!("{:p}\n", HashedPtr::from(ptr));
>> pr_info!("{:p}\n", RestrictedPtr::from(ptr));
>> pr_info!("{:p}\n", RawPtr::from(ptr));
>>
>> Signed-off-by: Ke Sun <sunke@kylinos.cn>
>> ---
>> rust/helpers/fmt.c | 65 +++++++++++
>> rust/helpers/helpers.c | 3 +-
>> rust/kernel/ptr.rs | 241 ++++++++++++++++++++++++++++++++++++++++-
>> 3 files changed, 305 insertions(+), 4 deletions(-)
>> create mode 100644 rust/helpers/fmt.c
>>
> ....
>> diff --git a/rust/kernel/ptr.rs b/rust/kernel/ptr.rs
>> index e3893ed04049d..8b58221c2ec4b 100644
>> --- a/rust/kernel/ptr.rs
>> +++ b/rust/kernel/ptr.rs
> ....
>> +/// A pointer that will be hashed when printed (corresponds to `%p`).
>> +///
>> +/// This is the default behavior for kernel pointers - they are hashed to prevent
>> +/// leaking information about the kernel memory layout.
>> +///
>> +/// # Example
>> +///
>> +/// ```
>> +/// use kernel::{
>> +/// prelude::fmt,
>> +/// ptr::HashedPtr,
>> +/// str::CString, //
>> +/// };
>> +///
>> +/// let ptr = HashedPtr::from(0x12345678 as *const u8);
>> +/// pr_info!("Hashed pointer: {:016p}\n", ptr);
>> +///
>> +/// // Width option test
>> +/// let cstr = CString::try_from_fmt(fmt!("{:30p}", ptr))?;
>> +/// let width_30 = cstr.to_str()?;
>> +/// assert_eq!(width_30.len(), 30);
>> +/// # Ok::<(), kernel::error::Error>(())
>> +/// ```
>> +#[repr(transparent)]
>> +#[derive(Copy, Clone, Debug)]
>
> I wonder if the `Debug` could be used to expose the raw pointer where
> it shouldn't?
You're right. If we implement Debug for these pointer wrapper types,
using {:?} would expose the
raw pointer address.
> Dirk
>
>
>> +pub struct HashedPtr(*const c_void);
>> +
>> +impl fmt::Pointer for HashedPtr {
>> + fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
>> + // Handle NULL pointers - print them directly
>> + if self.0.is_null() {
>> + return Pointer::fmt(&self.0, f);
>> + }
>> +
>> + format_hashed_ptr(self.0, f)
>> + }
>> +}
>> +
>> +/// A pointer that will be restricted based on `kptr_restrict` when printed (corresponds to `%pK`).
>> +///
>> +/// This is intended for use in procfs/sysfs files that are read by userspace.
>> +/// The behavior depends on the `kptr_restrict` sysctl setting.
>> +///
>> +/// # Example
>> +///
>> +/// ```
>> +/// use kernel::{
>> +/// prelude::fmt,
>> +/// ptr::RestrictedPtr,
>> +/// str::CString, //
>> +/// };
>> +///
>> +/// let ptr = RestrictedPtr::from(0x12345678 as *const u8);
>> +/// pr_info!("Restricted pointer: {:016p}\n", ptr);
>> +///
>> +/// // Width option test
>> +/// let cstr = CString::try_from_fmt(fmt!("{:30p}", ptr))?;
>> +/// let width_30 = cstr.to_str()?;
>> +/// assert_eq!(width_30.len(), 30);
>> +/// # Ok::<(), kernel::error::Error>(())
>> +/// ```
>> +#[repr(transparent)]
>> +#[derive(Copy, Clone, Debug)]
>> +pub struct RestrictedPtr(*const c_void);
>> +
>> +impl fmt::Pointer for RestrictedPtr {
>> + fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
>> + // Handle NULL pointers
>> + if self.0.is_null() {
>> + return Pointer::fmt(&self.0, f);
>> + }
>> +
>> + // Use kptr_restrict_value to handle all kptr_restrict cases.
>> + // SAFETY: kptr_restrict_value handles capability checks and IRQ context.
>> + // - Returns NULL if no permission, IRQ context, or kptr_restrict >= 2
>> + // - Returns the original pointer if kptr_restrict == 0 (needs hashing)
>> + // - Returns the original pointer if kptr_restrict == 1 with permission (print raw)
>> + let restricted_ptr = unsafe { bindings::kptr_restrict_value(self.0) };
>> +
>> + if restricted_ptr.is_null() {
>> + // No permission, IRQ context, or kptr_restrict >= 2 - print 0
>> + return Pointer::fmt(&core::ptr::null::<c_void>(), f);
>> + }
>> +
>> + // restricted_ptr is non-null, meaning we should print something.
>> + // SAFETY: Reading kptr_restrict is safe as it's a kernel variable.
>> + let restrict = unsafe { bindings::kptr_restrict };
>> +
>> + if restrict == 0 {
>> + // kptr_restrict == 0: hash the pointer (same as %p)
>> + format_hashed_ptr(self.0, f)
>> + } else {
>> + // kptr_restrict == 1 with permission: print the raw pointer directly (like %px)
>> + // This matches C behavior: pointer_string() prints the raw address
>> + Pointer::fmt(&restricted_ptr, f)
>> + }
>> + }
>> +}
>> +
>> +/// A pointer that will be printed as its raw address (corresponds to `%px`).
>> +///
>> +/// **Warning**: This exposes the real kernel address and should only be used
>> +/// for debugging purposes. Consider using [`HashedPtr`] or [`RestrictedPtr`] instead.
>> +///
>> +/// # Example
>> +///
>> +/// ```
>> +/// use kernel::{
>> +/// prelude::fmt,
>> +/// ptr::RawPtr,
>> +/// str::CString, //
>> +/// };
>> +///
>> +/// let ptr = RawPtr::from(0x12345678 as *const u8);
>> +///
>> +/// // Basic formatting
>> +/// let cstr = CString::try_from_fmt(fmt!("{:p}", ptr))?;
>> +/// let formatted = cstr.to_str()?;
>> +/// assert_eq!(formatted, "0x12345678");
>> +///
>> +/// // Right align with zero padding, width 30
>> +/// let cstr = CString::try_from_fmt(fmt!("{:0>30p}", ptr))?;
>> +/// let right_zero = cstr.to_str()?;
>> +/// assert_eq!(right_zero, "000000000000000000000x12345678");
>> +///
>> +/// // Left align with zero padding, width 30
>> +/// let cstr = CString::try_from_fmt(fmt!("{:0<30p}", ptr))?;
>> +/// let left_zero = cstr.to_str()?;
>> +/// assert_eq!(left_zero, "0x1234567800000000000000000000");
>> +///
>> +/// // Center align with zero padding, width 30
>> +/// let cstr = CString::try_from_fmt(fmt!("{:0^30p}", ptr))?;
>> +/// let center_zero = cstr.to_str()?;
>> +/// assert_eq!(center_zero, "00000000000x123456780000000000");
>> +/// # Ok::<(), kernel::error::Error>(())
>> +/// ```
>> +#[repr(transparent)]
>> +#[derive(Copy, Clone, Debug)]
>> +pub struct RawPtr(*const c_void);
>> +
>> +impl fmt::Pointer for RawPtr {
>> + fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
>> + // Directly format the raw address - no hashing or restriction.
>> + // This corresponds to %px behavior.
>> + Pointer::fmt(&self.0, f)
>> + }
>> +}
>> +
>> +// Implement common methods for all pointer wrapper types
>> +impl_ptr_wrapper!(
>> + HashedPtr,
>> + RawPtr,
>> + RestrictedPtr, //
>> +);
next prev parent reply other threads:[~2025-12-29 7:34 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-27 3:39 [PATCH v6 0/4] rust: Add safe pointer formatting support Ke Sun
2025-12-27 3:39 ` [PATCH v6 1/4] lib/vsprintf: Export ptr_to_hashval for Rust use Ke Sun
2025-12-27 3:39 ` [PATCH v6 2/4] rust: kernel: Add pointer wrapper types for safe pointer formatting Ke Sun
2025-12-27 5:56 ` Boqun Feng
2025-12-29 7:38 ` Ke Sun
2025-12-29 6:44 ` Dirk Behme
2025-12-29 7:34 ` Ke Sun [this message]
2025-12-27 3:39 ` [PATCH v6 3/4] rust: fmt: Default raw pointer formatting to HashedPtr Ke Sun
2025-12-27 3:39 ` [PATCH v6 4/4] docs: rust: Add pointer formatting documentation Ke Sun
2025-12-27 9:12 ` [PATCH v6 0/4] rust: Add safe pointer formatting support Dirk Behme
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=97efae81-bde6-4ebe-a650-495676716248@gmail.com \
--to=sk.alvin.x@gmail.com \
--cc=a.hindborg@kernel.org \
--cc=aliceryhl@google.com \
--cc=bjorn3_gh@protonmail.com \
--cc=boqun.feng@gmail.com \
--cc=dakr@kernel.org \
--cc=dirk.behme@gmail.com \
--cc=gary@garyguo.net \
--cc=lossin@kernel.org \
--cc=ojeda@kernel.org \
--cc=pmladek@suse.com \
--cc=rostedt@goodmis.org \
--cc=rust-for-linux@vger.kernel.org \
--cc=sunke@kylinos.cn \
--cc=tamird@gmail.com \
--cc=tmgross@umich.edu \
--cc=ttabi@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox