linux.git/rust/kernel/uaccess.rs, branch v6.18.21 Clone of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git rust: uaccess: use newtype for user pointers 2025-07-14T21:52:45+00:00 Alice Ryhl aliceryhl@google.com 2025-06-16T13:45:57+00:00 60ecf796cdc8638c570a4ad06bae6a0d48a8986d Currently, Rust code uses a typedef for unsigned long to represent userspace addresses. This is unfortunate because it means that userspace addresses could accidentally be mixed up with other integers. To alleviate that, we introduce a new UserPtr struct that wraps a raw pointer to represent a userspace address. By using a struct, type checking enforces that userspace addresses cannot be mixed up with anything else. This is similar to the __user annotation in C that detects cases where user pointers are mixed with non-user pointers. Note that unlike __user pointers in C, this type is just a pointer without a target type. This means that it can't detect cases such as mixing up which struct this user pointer references. However, that is okay due to the way this is intended to be used - generally, you create a UserPtr in your ioctl callback from the provided usize *before* dispatching on which ioctl is in use, and then after dispatching on the ioctl you pass the UserPtr into a UserSliceReader or UserSliceWriter; selecting the target type does not happen until you have obtained the UserSliceReader/Writer. The UserPtr type is not marked with #[derive(Debug)], which means that it's not possible to print values of this type. This avoids ASLR leakage. The type is added to the prelude as it is a fairly fundamental type similar to c_int. The wrapping_add() method is renamed to wrapping_byte_add() for consistency with the method name found on raw pointers. Reviewed-by: Benno Lossin <lossin@kernel.org> Reviewed-by: Danilo Krummrich <dakr@kernel.org> Reviewed-by: Christian Schrefl <chrisi.schrefl@gmail.com> Reviewed-by: Boqun Feng <boqun.feng@gmail.com> Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Alice Ryhl <aliceryhl@google.com> Link: https://lore.kernel.org/r/20250616-userptr-newtype-v3-1-5ff7b2d18d9e@google.com [ Reworded title. - Miguel ] Signed-off-by: Miguel Ojeda <ojeda@kernel.org> 
Currently, Rust code uses a typedef for unsigned long to represent
userspace addresses. This is unfortunate because it means that userspace
addresses could accidentally be mixed up with other integers. To
alleviate that, we introduce a new UserPtr struct that wraps a raw
pointer to represent a userspace address. By using a struct, type
checking enforces that userspace addresses cannot be mixed up with
anything else.

This is similar to the __user annotation in C that detects cases where
user pointers are mixed with non-user pointers.

Note that unlike __user pointers in C, this type is just a pointer
without a target type. This means that it can't detect cases such as
mixing up which struct this user pointer references. However, that is
okay due to the way this is intended to be used - generally, you create
a UserPtr in your ioctl callback from the provided usize *before*
dispatching on which ioctl is in use, and then after dispatching on the
ioctl you pass the UserPtr into a UserSliceReader or UserSliceWriter;
selecting the target type does not happen until you have obtained the
UserSliceReader/Writer.

The UserPtr type is not marked with #[derive(Debug)], which means that
it's not possible to print values of this type. This avoids ASLR
leakage.

The type is added to the prelude as it is a fairly fundamental type
similar to c_int. The wrapping_add() method is renamed to
wrapping_byte_add() for consistency with the method name found on raw
pointers.

Reviewed-by: Benno Lossin <lossin@kernel.org>
Reviewed-by: Danilo Krummrich <dakr@kernel.org>
Reviewed-by: Christian Schrefl <chrisi.schrefl@gmail.com>
Reviewed-by: Boqun Feng <boqun.feng@gmail.com>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Link: https://lore.kernel.org/r/20250616-userptr-newtype-v3-1-5ff7b2d18d9e@google.com
[ Reworded title. - Miguel ]
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
rust: uaccess: add UserSliceReader::strcpy_into_buf 2025-07-13T23:34:12+00:00 Alice Ryhl aliceryhl@google.com 2025-06-16T12:41:48+00:00 17bbbefbf6715a543ff4713e26f7b8e6b7a876d6 This patch adds a more convenient method for reading C strings from userspace. Logic is added to NUL-terminate the buffer when necessary so that a &CStr can be returned. Note that we treat attempts to read past `self.length` as a fault, so this returns EFAULT if that limit is exceeded before `buf.len()` is reached. Reviewed-by: Danilo Krummrich <dakr@kernel.org> Signed-off-by: Alice Ryhl <aliceryhl@google.com> Reviewed-by: Benno Lossin <lossin@kernel.org> Link: https://lore.kernel.org/r/20250616-strncpy-from-user-v5-2-2d3fb0e1f5af@google.com [ Use `from_mut` to clean `clippy::ref_as_ptr` lint. Reworded title. - Miguel ] Signed-off-by: Miguel Ojeda <ojeda@kernel.org> 
This patch adds a more convenient method for reading C strings from
userspace. Logic is added to NUL-terminate the buffer when necessary so
that a &CStr can be returned.

Note that we treat attempts to read past `self.length` as a fault, so
this returns EFAULT if that limit is exceeded before `buf.len()` is
reached.

Reviewed-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Reviewed-by: Benno Lossin <lossin@kernel.org>
Link: https://lore.kernel.org/r/20250616-strncpy-from-user-v5-2-2d3fb0e1f5af@google.com
[ Use `from_mut` to clean `clippy::ref_as_ptr` lint. Reworded
  title. - Miguel ]
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
rust: uaccess: add strncpy_from_user 2025-07-13T23:33:26+00:00 Alice Ryhl aliceryhl@google.com 2025-06-16T12:41:47+00:00 8da881d39c1b7fd4a211587ba40f1c936909a11a This patch adds a direct wrapper around the C function of the same name. It's not really intended for direct use by Rust code since strncpy_from_user has a somewhat unfortunate API where it only nul-terminates the buffer if there's space for the nul-terminator. This means that a direct Rust wrapper around it could not return a &CStr since the buffer may not be a cstring. However, we still add the method to build more convenient APIs on top of it, which will happen in subsequent patches. Reviewed-by: Danilo Krummrich <dakr@kernel.org> Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Reviewed-by: Boqun Feng <boqun.feng@gmail.com> Reviewed-by: Benno Lossin <lossin@kernel.org> Signed-off-by: Alice Ryhl <aliceryhl@google.com> Link: https://lore.kernel.org/r/20250616-strncpy-from-user-v5-1-2d3fb0e1f5af@google.com [ Reworded title. - Miguel ] Signed-off-by: Miguel Ojeda <ojeda@kernel.org> 
This patch adds a direct wrapper around the C function of the same name.
It's not really intended for direct use by Rust code since
strncpy_from_user has a somewhat unfortunate API where it only
nul-terminates the buffer if there's space for the nul-terminator. This
means that a direct Rust wrapper around it could not return a &CStr
since the buffer may not be a cstring. However, we still add the method
to build more convenient APIs on top of it, which will happen in
subsequent patches.

Reviewed-by: Danilo Krummrich <dakr@kernel.org>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Boqun Feng <boqun.feng@gmail.com>
Reviewed-by: Benno Lossin <lossin@kernel.org>
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Link: https://lore.kernel.org/r/20250616-strncpy-from-user-v5-1-2d3fb0e1f5af@google.com
[ Reworded title. - Miguel ]
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
rust: enable `clippy::ref_as_ptr` lint 2025-06-22T21:09:32+00:00 Tamir Duberstein tamird@gmail.com 2025-06-15T20:55:10+00:00 dc35ddcf97e99b18559d0855071030e664aae44d In Rust 1.78.0, Clippy introduced the `ref_as_ptr` lint [1]: > Using `as` casts may result in silently changing mutability or type. While this doesn't eliminate unchecked `as` conversions, it makes such conversions easier to scrutinize. It also has the slight benefit of removing a degree of freedom on which to bikeshed. Thus apply the changes and enable the lint -- no functional change intended. Link: https://rust-lang.github.io/rust-clippy/master/index.html#ref_as_ptr [1] Suggested-by: Benno Lossin <benno.lossin@proton.me> Link: https://lore.kernel.org/all/D8PGG7NTWB6U.3SS3A5LN4XWMN@proton.me/ Reviewed-by: Benno Lossin <benno.lossin@proton.me> Reviewed-by: Boqun Feng <boqun.feng@gmail.com> Signed-off-by: Tamir Duberstein <tamird@gmail.com> Acked-by: Danilo Krummrich <dakr@kernel.org> Link: https://lore.kernel.org/r/20250615-ptr-as-ptr-v12-6-f43b024581e8@gmail.com Signed-off-by: Miguel Ojeda <ojeda@kernel.org> 
In Rust 1.78.0, Clippy introduced the `ref_as_ptr` lint [1]:

> Using `as` casts may result in silently changing mutability or type.

While this doesn't eliminate unchecked `as` conversions, it makes such
conversions easier to scrutinize.  It also has the slight benefit of
removing a degree of freedom on which to bikeshed. Thus apply the
changes and enable the lint -- no functional change intended.

Link: https://rust-lang.github.io/rust-clippy/master/index.html#ref_as_ptr [1]
Suggested-by: Benno Lossin <benno.lossin@proton.me>
Link: https://lore.kernel.org/all/D8PGG7NTWB6U.3SS3A5LN4XWMN@proton.me/
Reviewed-by: Benno Lossin <benno.lossin@proton.me>
Reviewed-by: Boqun Feng <boqun.feng@gmail.com>
Signed-off-by: Tamir Duberstein <tamird@gmail.com>
Acked-by: Danilo Krummrich <dakr@kernel.org>
Link: https://lore.kernel.org/r/20250615-ptr-as-ptr-v12-6-f43b024581e8@gmail.com
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Merge tag 'alloc-next-v6.16-2025-05-13' of https://github.com/Rust-for-Linux/linux into rust-next 2025-05-18T18:56:03+00:00 Miguel Ojeda ojeda@kernel.org 2025-05-18T18:56:03+00:00 22c3335c5dcd33063fe1894676a3a6ff1008d506 Pull alloc updates from Danilo Krummrich: "Box: - Support for type coercion, e.g. 'Box<T>' to 'Box<dyn U>' if T implements U Vec: - Implement new methods (prerequisites for nova-core and binder) - Vec::truncate() - Vec::resize() - Vec::clear() - Vec::pop() - Vec::push_within_capacity() - New error type: PushError - Vec::drain_all() - Vec::retain() - Vec::remove() - New error type: RemoveError - Vec::insert_within_capacity - New error type: InsertError - Simplify Vec::push() using Vec::spare_capacity_mut() - Split Vec::set_len() into Vec::inc_len() and Vec::dec_len() - Add type invariant Vec::len() <= Vec::capacity - Simplify Vec::truncate() using Vec::dec_len()" * tag 'alloc-next-v6.16-2025-05-13' of https://github.com/Rust-for-Linux/linux: rust: alloc: add Vec::insert_within_capacity rust: alloc: add Vec::remove rust: alloc: add Vec::retain rust: alloc: add Vec::drain_all rust: alloc: add Vec::push_within_capacity rust: alloc: add Vec::pop rust: alloc: add Vec::clear rust: alloc: replace `Vec::set_len` with `inc_len` rust: alloc: refactor `Vec::truncate` using `dec_len` rust: alloc: add `Vec::dec_len` rust: alloc: add Vec::len() <= Vec::capacity invariant rust: alloc: allow coercion from `Box<T>` to `Box<dyn U>` if T implements U rust: alloc: use `spare_capacity_mut` to reduce unsafe rust: alloc: add Vec::resize method rust: alloc: add Vec::truncate method rust: alloc: add missing invariant in Vec::set_len() 
Pull alloc updates from Danilo Krummrich:
 "Box:

   - Support for type coercion, e.g. 'Box<T>' to 'Box<dyn U>' if T
     implements U

  Vec:

   - Implement new methods (prerequisites for nova-core and binder)
      - Vec::truncate()
      - Vec::resize()
      - Vec::clear()
      - Vec::pop()
      - Vec::push_within_capacity()
         - New error type: PushError
      - Vec::drain_all()
      - Vec::retain()
      - Vec::remove()
         - New error type: RemoveError
      - Vec::insert_within_capacity
         - New error type: InsertError

   - Simplify Vec::push() using Vec::spare_capacity_mut()

   - Split Vec::set_len() into Vec::inc_len() and Vec::dec_len()
      - Add type invariant Vec::len() <= Vec::capacity
      - Simplify Vec::truncate() using Vec::dec_len()"

* tag 'alloc-next-v6.16-2025-05-13' of https://github.com/Rust-for-Linux/linux:
  rust: alloc: add Vec::insert_within_capacity
  rust: alloc: add Vec::remove
  rust: alloc: add Vec::retain
  rust: alloc: add Vec::drain_all
  rust: alloc: add Vec::push_within_capacity
  rust: alloc: add Vec::pop
  rust: alloc: add Vec::clear
  rust: alloc: replace `Vec::set_len` with `inc_len`
  rust: alloc: refactor `Vec::truncate` using `dec_len`
  rust: alloc: add `Vec::dec_len`
  rust: alloc: add Vec::len() <= Vec::capacity invariant
  rust: alloc: allow coercion from `Box<T>` to `Box<dyn U>` if T implements U
  rust: alloc: use `spare_capacity_mut` to reduce unsafe
  rust: alloc: add Vec::resize method
  rust: alloc: add Vec::truncate method
  rust: alloc: add missing invariant in Vec::set_len()
rust: uaccess: take advantage of the prelude and `Result`'s defaults 2025-05-11T22:20:25+00:00 Miguel Ojeda ojeda@kernel.org 2025-04-29T15:14:45+00:00 7d8dee4689278e174900509b8c4604651159d8ee The `kernel` prelude brings `Result` and the error codes; and the prelude itself is already available in the examples automatically. In addition, `Result` already defaults to `T = ()`. Thus simplify. Reviewed-by: Alice Ryhl <aliceryhl@google.com> Link: https://lore.kernel.org/r/20250429151445.438977-1-ojeda@kernel.org Signed-off-by: Miguel Ojeda <ojeda@kernel.org> 
The `kernel` prelude brings `Result` and the error codes; and the prelude
itself is already available in the examples automatically.

In addition, `Result` already defaults to `T = ()`.

Thus simplify.

Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Link: https://lore.kernel.org/r/20250429151445.438977-1-ojeda@kernel.org
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
rust: alloc: replace `Vec::set_len` with `inc_len` 2025-04-23T10:05:23+00:00 Tamir Duberstein tamird@gmail.com 2025-04-16T17:15:43+00:00 88d5d6a38d5161228fbfe017eb94d777d5e8a0e4 Rename `set_len` to `inc_len` and simplify its safety contract. Note that the usage in `CString::try_from_fmt` remains correct as the receiver is known to have `len == 0`. Reviewed-by: Alice Ryhl <aliceryhl@google.com> Signed-off-by: Tamir Duberstein <tamird@gmail.com> Link: https://lore.kernel.org/r/20250416-vec-set-len-v4-4-112b222604cd@gmail.com Signed-off-by: Danilo Krummrich <dakr@kernel.org> 
Rename `set_len` to `inc_len` and simplify its safety contract.

Note that the usage in `CString::try_from_fmt` remains correct as the
receiver is known to have `len == 0`.

Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Signed-off-by: Tamir Duberstein <tamird@gmail.com>
Link: https://lore.kernel.org/r/20250416-vec-set-len-v4-4-112b222604cd@gmail.com
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
rust: uaccess: name the correct function 2025-03-23T18:45:03+00:00 Tamir Duberstein tamird@gmail.com 2025-03-17T11:43:03+00:00 4e72a62e8ddd00e50bfe9aec13995fa2079f6486 Correctly refer to `reserve` rather than `try_reserve` in a comment. This comment has been incorrect since inception in commit 1b580e7b9ba2 ("rust: uaccess: add userspace pointers"). Fixes: 1b580e7b9ba2 ("rust: uaccess: add userspace pointers") Signed-off-by: Tamir Duberstein <tamird@gmail.com> Reviewed-by: Alice Ryhl <aliceryhl@google.com> Reviewed-by: Benno Lossin <benno.lossin@proton.me> Reviewed-by: Charalampos Mitrodimas <charmitro@posteo.net> Link: https://lore.kernel.org/r/20250317-uaccess-typo-reserve-v1-1-bbfcb45121f3@gmail.com Signed-off-by: Miguel Ojeda <ojeda@kernel.org> 
Correctly refer to `reserve` rather than `try_reserve` in a comment.  This
comment has been incorrect since inception in commit 1b580e7b9ba2 ("rust:
uaccess: add userspace pointers").

Fixes: 1b580e7b9ba2 ("rust: uaccess: add userspace pointers")
Signed-off-by: Tamir Duberstein <tamird@gmail.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Reviewed-by: Benno Lossin <benno.lossin@proton.me>
Reviewed-by: Charalampos Mitrodimas <charmitro@posteo.net>
Link: https://lore.kernel.org/r/20250317-uaccess-typo-reserve-v1-1-bbfcb45121f3@gmail.com
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
rust: uaccess: generalize userSliceReader to support any Vec 2025-01-13T22:46:23+00:00 Filipe Xavier felipeaggger@gmail.com 2025-01-07T19:25:39+00:00 c80dd3fc45d573458bc763d599d97c82cf5dc212 The UserSliceReader::read_all function is currently restricted to use only Vec with the kmalloc allocator. However, there is no reason for this limitation. This patch generalizes the function to accept any Vec regardless of the allocator used. There's a use-case for a KVVec in Binder to avoid maximum sizes for a certain array. Link: https://github.com/Rust-for-Linux/linux/issues/1136 Signed-off-by: Filipe Xavier <felipeaggger@gmail.com> Reviewed-by: Alice Ryhl <aliceryhl@google.com> Reviewed-by: Boqun Feng <boqun.feng@gmail.com> Link: https://lore.kernel.org/r/20250107-gen-userslice-readall-alloc-v2-1-d7fe4d19241a@gmail.com [ Reflowed and slightly reworded title. - Miguel ] Signed-off-by: Miguel Ojeda <ojeda@kernel.org> 
The UserSliceReader::read_all function is currently restricted to use
only Vec with the kmalloc allocator. However, there is no reason for
this limitation.

This patch generalizes the function to accept any Vec regardless of the
allocator used.

There's a use-case for a KVVec in Binder to avoid maximum sizes for a
certain array.

Link: https://github.com/Rust-for-Linux/linux/issues/1136
Signed-off-by: Filipe Xavier <felipeaggger@gmail.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Reviewed-by: Boqun Feng <boqun.feng@gmail.com>
Link: https://lore.kernel.org/r/20250107-gen-userslice-readall-alloc-v2-1-d7fe4d19241a@gmail.com
[ Reflowed and slightly reworded title. - Miguel ]
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
rust: map `long` to `isize` and `char` to `u8` 2024-12-16T20:49:33+00:00 Gary Guo gary@garyguo.net 2024-09-13T21:29:24+00:00 1bae8729e50a900f41e9a1c17ae81113e4cf62b8 The following FFI types are replaced compared to `core::ffi`: 1. `char` type is now always mapped to `u8`, since kernel uses `-funsigned-char` on the C code. `core::ffi` maps it to platform default ABI, which can be either signed or unsigned. 2. `long` is now always mapped to `isize`. It's very common in the kernel to use `long` to represent a pointer-sized integer, and in fact `intptr_t` is a typedef of `long` in the kernel. Enforce this mapping rather than mapping to `i32/i64` depending on platform can save us a lot of unnecessary casts. Signed-off-by: Gary Guo <gary@garyguo.net> Reviewed-by: Alice Ryhl <aliceryhl@google.com> Link: https://lore.kernel.org/r/20240913213041.395655-5-gary@garyguo.net [ Moved `uaccess` changes from the next commit, since they were irrefutable patterns that Rust >= 1.82.0 warns about. Reworded slightly and reformatted a few documentation comments. Rebased on top of `rust-next`. Added the removal of two casts to avoid Clippy warnings. - Miguel ] Signed-off-by: Miguel Ojeda <ojeda@kernel.org> 
The following FFI types are replaced compared to `core::ffi`:

1. `char` type is now always mapped to `u8`, since kernel uses
   `-funsigned-char` on the C code. `core::ffi` maps it to platform
   default ABI, which can be either signed or unsigned.

2. `long` is now always mapped to `isize`. It's very common in the
   kernel to use `long` to represent a pointer-sized integer, and in
   fact `intptr_t` is a typedef of `long` in the kernel. Enforce this
   mapping rather than mapping to `i32/i64` depending on platform can
   save us a lot of unnecessary casts.

Signed-off-by: Gary Guo <gary@garyguo.net>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Link: https://lore.kernel.org/r/20240913213041.395655-5-gary@garyguo.net
[ Moved `uaccess` changes from the next commit, since they were
  irrefutable patterns that Rust >= 1.82.0 warns about. Reworded
  slightly and reformatted a few documentation comments. Rebased on
  top of `rust-next`. Added the removal of two casts to avoid Clippy
  warnings. - Miguel ]
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>