public inbox for rust-for-linux@vger.kernel.org
From: Alice Ryhl <aliceryhl@google.com>
To: Ke Sun <sunke@kylinos.cn>
Cc: "Dirk Behme" <dirk.behme@gmail.com>,
	"Boqun Feng" <boqun.feng@gmail.com>,
	"Miguel Ojeda" <ojeda@kernel.org>,
	"Petr Mladek" <pmladek@suse.com>,
	"Steven Rostedt" <rostedt@goodmis.org>,
	"Timur Tabi" <ttabi@nvidia.com>,
	"Danilo Krummrich" <dakr@kernel.org>,
	"Benno Lossin" <lossin@kernel.org>,
	"John Ogness" <john.ogness@linutronix.de>,
	"Andy Shevchenko" <andriy.shevchenko@linux.intel.com>,
	"Rasmus Villemoes" <linux@rasmusvillemoes.dk>,
	"Andrew Morton" <akpm@linux-foundation.org>,
	"Gary Guo" <gary@garyguo.net>,
	"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
	"Andreas Hindborg" <a.hindborg@kernel.org>,
	"Trevor Gross" <tmgross@umich.edu>,
	"Tamir Duberstein" <tamird@gmail.com>,
	"Ke Sun" <sk.alvin.x@gmail.com>,
	rust-for-linux@vger.kernel.org
Subject: Re: [PATCH v7 2/4] rust: kernel: Add pointer wrapper types for safe pointer formatting
Date: Mon, 29 Dec 2025 09:03:23 +0000
Message-ID: <aVJD2z7p93NlEg0o@google.com>
In-Reply-To: <20251229072157.3857053-3-sunke@kylinos.cn>

On Mon, Dec 29, 2025 at 03:21:20PM +0800, Ke Sun wrote:
> Add three pointer wrapper types (HashedPtr, RestrictedPtr, RawPtr) to
> rust/kernel/ptr.rs that correspond to C kernel's printk format specifiers
> %p, %pK, and %px. These types provide type-safe pointer formatting that
> matches C kernel patterns.
> 
> These wrapper types implement core::fmt::Pointer and delegate to the
> corresponding kernel formatting functions, enabling safe pointer
> formatting in Rust code that prevents information leaks about kernel
> memory layout.
> 
> Users can explicitly use these types:
>     pr_info!("{:p}\n", HashedPtr::from(ptr));
>     pr_info!("{:p}\n", RestrictedPtr::from(ptr));
>     pr_info!("{:p}\n", RawPtr::from(ptr));

These ::from calls are inconvenient. Why not just make the field public
and let users write:

	pr_info!("{:p}\n", HashedPtr(ptr));
	pr_info!("{:p}\n", RestrictedPtr(ptr));
	pr_info!("{:p}\n", RawPtr(ptr));

If the only concern is casts, then just make the struct generic:

	pub struct HashedPtr<T>(pub *const T);

Since *mut T will automatically downgrade to *const T, this should allow
HashedPtr(ptr) to work with any raw pointer.

> -use crate::build_assert;
> +use crate::{
> +    bindings,
> +    build_assert,
> +    ffi::c_void, //
> +};

Please use prelude::* instead of ffi::c_void.

>  /// Type representing an alignment, which is always a power of two.
>  ///
> @@ -225,3 +236,240 @@ fn align_up(self, alignment: Alignment) -> Option<Self> {
>  }
>  
>  impl_alignable_uint!(u8, u16, u32, u64, usize);
> +
> +/// Placeholder string used when pointer hashing is not ready yet.
> +const PTR_PLACEHOLDER: &str = if core::mem::size_of::<*const c_void>() == 8 {

size_of is in the kernel prelude.

> +impl fmt::Pointer for RestrictedPtr {
> +    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
> +        // Handle NULL pointers
> +        if self.0.is_null() {
> +            return Pointer::fmt(&self.0, f);
> +        }
> +
> +        // Use kptr_restrict_value to handle all kptr_restrict cases.
> +        // - Returns 0: kptr_restrict == 0, use original pointer (needs hashing)
> +        // - Returns 1: kptr_restrict == 1, *pptr may be modified to NULL if no permission
> +        // - Returns 2: kptr_restrict >= 2, *pptr is set to NULL
> +        // - Returns -1: IRQ context with kptr_restrict == 1 (error case)
> +        let mut ptr_value = self.0;
> +        // SAFETY: kptr_restrict_value handles capability checks and IRQ context.
> +        // It may modify ptr_value to NULL if there's no permission.
> +        let ret = unsafe { bindings::kptr_restrict_value(core::ptr::addr_of_mut!(ptr_value)) };
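
Review bot: the `// SAFETY:` comment above the `kptr_restrict_value` call describes what the callee does (capability checks, IRQ context, possibly writing NULL) rather than why the call is sound. A SAFETY comment should state the precondition being met, for example that the argument points to the live local `ptr_value` and is therefore valid for reads and writes for the duration of the call. The behavioural description can stay in the ordinary comment block above it.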

Simplifies to:

	let ret = unsafe { bindings::kptr_restrict_value(&raw mut ptr_value) };

or even:

	let ret = unsafe { bindings::kptr_restrict_value(&mut ptr_value) };

> +        match ret {
> +            -1 => {
> +                // IRQ context with kptr_restrict == 1 - print error placeholder
> +                // This should not happen in normal Rust code, but handle it gracefully
> +                f.pad("(pK-error)")

Why can't this happen in Rust code? Rust can run in IRQ context.

> +            }
> +            0 => {
> +                // kptr_restrict == 0: hash the pointer (same as %p)
> +                format_hashed_ptr(self.0, f)
> +            }
> +            1 => {
> +                // kptr_restrict == 1: print raw pointer if ptr_value is non-null,
> +                // otherwise print 0 (no permission)
> +                if ptr_value.is_null() {
> +                    Pointer::fmt(&core::ptr::null::<c_void>(), f)
> +                } else {
> +                    // Print the raw pointer directly (like %px)
> +                    // This matches C behavior: pointer_string() prints the raw address
> +                    Pointer::fmt(&ptr_value, f)
> +                }
> +            }
> +            _ => {
> +                // kptr_restrict >= 2: always print 0
> +                // ptr_value should already be NULL, but check to be safe
> +                Pointer::fmt(&core::ptr::null::<c_void>(), f)
> +            }
> +        }
> +    }
> +}
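
Review bot: in the `_ =>` arm the comment says "ptr_value should already be NULL, but check to be safe", yet the arm performs no check and prints a null pointer unconditionally. The pattern also matches every return value other than -1, 0 and 1, not only the `kptr_restrict >= 2` case the comment names. Reword the comment to say that any other return value, including an unexpected one, deliberately prints NULL, so the fail-closed fallback is documented instead of implied.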

Alice
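
The generic-wrapper suggestion in the reply above, as an added userspace example that is not part of the original message or of the patch: it contrasts a wrapper fixed to `*const c_void` with the generic `HashedPtr<T>(pub *const T)`. `VoidHashedPtr`, `toy_hash`, `fmt_hashed` and the `via_*` helpers are hypothetical names, and `toy_hash` is a stand-in, not the kernel's pointer hashing.

```rust
use std::ffi::c_void;
use std::fmt;

// Stand-in for the kernel's keyed pointer hash. Assumption: this multiply is
// NOT the real algorithm; it only makes the output differ from the address.
fn toy_hash(addr: usize) -> usize {
    (addr as u64).wrapping_mul(0x9E37_79B9_7F4A_7C15) as usize
}

// Shared formatting path: NULL prints as-is, anything else prints hashed.
fn fmt_hashed(addr: usize, f: &mut fmt::Formatter<'_>) -> fmt::Result {
    let shown = if addr == 0 { 0 } else { toy_hash(addr) };
    fmt::Pointer::fmt(&(shown as *const ()), f)
}

// Non-generic shape: the field type is fixed, so typed pointers need a cast.
pub struct VoidHashedPtr(pub *const c_void);

// Generic shape from the reply: the public field accepts any `*const T`.
pub struct HashedPtr<T>(pub *const T);

impl fmt::Pointer for VoidHashedPtr {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        fmt_hashed(self.0 as usize, f)
    }
}

impl<T> fmt::Pointer for HashedPtr<T> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        fmt_hashed(self.0 as usize, f)
    }
}

pub fn via_void(p: *mut u32) -> String {
    // `*mut u32` is not `*const c_void`: the caller must write the cast.
    format!("{:p}", VoidHashedPtr(p.cast::<c_void>()))
}

pub fn via_generic(p: *mut u32) -> String {
    // `*mut u32` coerces to `*const u32` at the constructor; T is inferred.
    format!("{:p}", HashedPtr(p))
}

pub fn via_generic_const(p: *const u32) -> String {
    format!("{:p}", HashedPtr(p))
}

fn main() {
    let p = 0x1000 as *mut u32; // constructed address, never dereferenced
    println!("{} {}", via_void(p), via_generic(p));
}
```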
