Re: [PATCH RESEND v11] rust: fmt: add safe pointer formatting support

["Gary Guo" <gary@garyguo.net>]

On Wed Mar 11, 2026 at 8:46 AM GMT, Ke Sun wrote:
> Add Pointer trait and HashedPtr pointer wrapper type for safe pointer
> formatting:
>
> - Pointer trait: A copy of core::fmt::Pointer that, together with the
>   Adapter type and fmt! macro, ensures raw pointers are automatically
>   formatted using HashedPtr instead of being formatted directly.
>
> - HashedPtr: Formats pointers with kernel hashing (corresponds to %p).
>   This is now the default behavior when formatting raw pointers with
>   "{:p}", preventing kernel memory layout information leakage.
>
> Link: https://github.com/Rust-for-Linux/linux/issues/1219
> Signed-off-by: Ke Sun <sunke@kylinos.cn>
> ---
> v11:
> - Fix inaccurate or inappropriate descriptions in comments
> - Use as_char_ptr instead of as_ptr so that a *const u8 pointer is
>   always passed to scnprintf on all architectures
> - Per Tamir's suggestion, replace doctests with mod tests and adjust
>   test content to make the tests more meaningful
> - Remove the RawPtr wrapper type: it and HashedPtr use different
>   formatting mechanisms (HashedPtr uses scnprintf and pad; RawPtr would
>   call core's Pointer impl directly). This series focuses on fixing the
>   issue that without it {:p} would output the pointer's stack address,
>   and on using HashedPtr to safely format raw pointers and avoid leaking
>   kernel address space layout information
>
> v10: https://lore.kernel.org/rust-for-linux/20260121050059.2315091-1-sunke@kylinos.cn/
> - Merge all patches into a single patch
> - Improve `kernel::fmt::Pointer` trait implementation
>
> v9: https://lore.kernel.org/rust-for-linux/20260119033006.1453006-1-sunke@kylinos.cn/
> - Refactor implementation to use Pointer trait and Adapter pattern
>   instead of exporting ptr_to_hashval() from lib/vsprintf.c. Use
>   scnprintf directly in Rust for pointer hashing, eliminating the
>   need for C function export
> - Move pointer wrapper types from rust/kernel/ptr.rs to
>   rust/kernel/fmt.rs
> - Split implementation into more granular patches: Pointer trait
>   foundation, HashedPtr type, raw pointer default behavior, and
>   RawPtr type
> - Remove documentation patch, integrate examples into code doctests
> - Simplify API and improve code organization following Display trait
>   pattern
>
> v8: https://lore.kernel.org/rust-for-linux/20260101081605.1300953-1-sunke@kylinos.cn/
> - Remove RestrictedPtr (%pK) support: only export ptr_to_hashval() with
>   EXPORT_SYMBOL_NS_GPL using "RUST_INTERNAL" namespace, provide only two
>   pointer wrapper types (HashedPtr, RawPtr) for %p and %px
> - Change API from HashedPtr::from(ptr) to HashedPtr(ptr) for direct
>   construction
>
> v7: https://lore.kernel.org/rust-for-linux/20251229072157.3857053-1-sunke@kylinos.cn/
> - Refactor kptr_restrict handling: extract kptr_restrict_value() from
>   restricted_pointer() in lib/vsprintf.c and export it for Rust use, and
>   improve RestrictedPtr::fmt() implementation to directly handle
>   kptr_restrict_value() return values (0, 1, 2, -1) for better code
>   clarity
> - Remove Debug derive from pointer wrapper types (HashedPtr,
>   RestrictedPtr, RawPtr)
>
> v6: https://lore.kernel.org/rust-for-linux/20251227033958.3713232-1-sunke@kylinos.cn/
> - Fix placeholder formatting to use `f.pad()` instead of `f.write_str()`
>   in format_hashed_ptr(), ensuring width, alignment, and padding options
>   are correctly applied to PTR_PLACEHOLDER
>
> v5: https://lore.kernel.org/rust-for-linux/20251226140751.2215563-1-sunke@kylinos.cn/
> - Format use statements in rust/kernel/ptr.rs and rust/kernel/fmt.rs
>   using kernel vertical style with alphabetical ordering
> - Remove unnecessary SAFETY comment in rust/kernel/ptr.rs (addressed
>   Clippy warning)
> - Update type ordering to alphabetical (HashedPtr, RawPtr,
>   RestrictedPtr) in fmt.rs macro invocation
>
> v4: https://lore.kernel.org/rust-for-linux/20251225225709.3944255-1-sunke@kylinos.cn/
> - Use Pointer::fmt() instead of write!(f, "{:p}", ...) to preserve
>   formatting options (width, alignment, padding characters)
> - Improve code structure: reduce unsafe block scope, use early return
>   pattern
> - Add doctests with formatting option tests for all pointer wrapper
>   types
> - Enhance documentation with detailed formatting options section,
>   including examples for width, alignment, and padding
> - Fix RestrictedPtr example to use pr_info! instead of seq_print! in
>   docs
>
> v3: https://lore.kernel.org/rust-for-linux/20251224081315.729684-1-sunke@kylinos.cn/
> - Export ptr_to_hashval() from lib/vsprintf.c for Rust pointer hashing
> - Add three pointer wrapper types (HashedPtr, RestrictedPtr, RawPtr) in
>   rust/kernel/ptr.rs corresponding to %p, %pK, and %px
> - Make raw pointers automatically use HashedPtr when formatted with {:p}
> - Add documentation for pointer wrapper types
>
> v2: https://lore.kernel.org/rust-for-linux/20251223033018.2814732-1-sunke@kylinos.cn/
> - Disabled {:p} raw pointer printing by default to prevent accidental
>   information leaks
>
> v1: https://lore.kernel.org/rust-for-linux/20251218032709.2184890-1-sunke@kylinos.cn/
> - Initial implementation that directly printed raw pointers
> ---
>  rust/kernel/fmt.rs | 145 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
>  1 file changed, 143 insertions(+), 2 deletions(-)
>
> diff --git a/rust/kernel/fmt.rs b/rust/kernel/fmt.rs
> index 1e8725eb44ed7..11a0508a7fd08 100644
> --- a/rust/kernel/fmt.rs
> +++ b/rust/kernel/fmt.rs
> @@ -5,6 +5,7 @@
>  //! This module is intended to be used in place of `core::fmt` in kernel code.
>  
>  pub use core::fmt::{Arguments, Debug, Error, Formatter, Result, Write};
> +use kernel::str::CStrExt;
>  
>  /// Internal adapter used to route and allow implementations of formatting traits for foreign types.
>  ///
> @@ -27,8 +28,8 @@ fn fmt(&self, f: &mut Formatter<'_>) -> Result {
>      };
>  }
>  
> -use core::fmt::{Binary, LowerExp, LowerHex, Octal, Pointer, UpperExp, UpperHex};
> -impl_fmt_adapter_forward!(Debug, LowerHex, UpperHex, Octal, Binary, Pointer, LowerExp, UpperExp);
> +use core::fmt::{Binary, LowerExp, LowerHex, Octal, UpperExp, UpperHex};
> +impl_fmt_adapter_forward!(Debug, LowerHex, UpperHex, Octal, Binary, LowerExp, UpperExp);
>  
>  /// A copy of [`core::fmt::Display`] that allows us to implement it for foreign types.
>  ///
> @@ -90,3 +91,143 @@ fn fmt(&self, f: &mut Formatter<'_>) -> Result {
>      {<T: ?Sized>} crate::sync::Arc<T> {where crate::sync::Arc<T>: core::fmt::Display},
>      {<T: ?Sized>} crate::sync::UniqueArc<T> {where crate::sync::UniqueArc<T>: core::fmt::Display},
>  );
> +
> +/// A copy of [`core::fmt::Pointer`] to prevent raw pointers from being
> +/// formatted directly.
> +///
> +/// Together, the [`Adapter`] type, [`fmt!`] macro, and this trait ensure
> +/// that raw pointers (`*const T` and `*mut T`) are automatically
> +/// formatted using [`HashedPtr`] instead of being formatted directly,
> +/// preventing kernel memory layout information leakage.
> +///
> +/// [`fmt!`]: crate::prelude::fmt!
> +pub trait Pointer {
> +    /// Same as [`core::fmt::Pointer::fmt`].
> +    fn fmt(&self, f: &mut Formatter<'_>) -> Result;
> +}
> +
> +impl<T: ?Sized + Pointer> Pointer for &T {
> +    fn fmt(&self, f: &mut Formatter<'_>) -> Result {
> +        Pointer::fmt(*self, f)
> +    }
> +}

This doesn't look right. pointer formatting for a reference should be printing
its address, not the pointee.

Best,
Gary

> +
> +impl<T: ?Sized + Pointer> core::fmt::Pointer for Adapter<&T> {
> +    fn fmt(&self, f: &mut Formatter<'_>) -> Result {
> +        let Self(t) = self;
> +        Pointer::fmt(t, f)
> +    }
> +}