Re: [PATCH v5 6/6] rust: use strict provenance APIs
From: Benno Lossin
Date: Mon Mar 17 2025 - 13:51:10 EST
On Mon Mar 17, 2025 at 3:23 PM CET, Tamir Duberstein wrote:
> Throughout the tree, use the strict provenance APIs stabilized in Rust
> 1.84.0[1]. Retain backwards-compatibility by introducing forwarding
> functions at the `kernel` crate root along with polyfills for rustc <
> 1.84.0.
>
> Use `#[allow(clippy::incompatible_msrv)]` to avoid warnings on rustc <
> 1.84.0 as our MSRV is 1.78.0.
>
> In the `kernel` crate, enable the strict provenance lints on rustc >=
> 1.84.0; do this in `lib.rs` rather than `Makefile` to avoid introducing
> compiler flags that are dependent on the rustc version in use.
>
> Link: https://blog.rust-lang.org/2025/01/09/Rust-1.84.0.html#strict-provenance-apis [1]
> Suggested-by: Benno Lossin <benno.lossin@xxxxxxxxx>
> Link: https://lore.kernel.org/all/D8EIXDMRXMJP.36TFCGWZBRS3Y@xxxxxxxxx/
> Signed-off-by: Tamir Duberstein <tamird@xxxxxxxxx>
One comment below, with that fixed:
Reviewed-by: Benno Lossin <benno.lossin@xxxxxxxxx>
> ---
> init/Kconfig | 3 ++
> rust/kernel/alloc.rs | 2 +-
> rust/kernel/devres.rs | 4 +-
> rust/kernel/io.rs | 14 +++----
> rust/kernel/lib.rs | 108 +++++++++++++++++++++++++++++++++++++++++++++++++
> rust/kernel/of.rs | 2 +-
> rust/kernel/pci.rs | 4 +-
> rust/kernel/str.rs | 16 +++-----
> rust/kernel/uaccess.rs | 12 ++++--
> 9 files changed, 138 insertions(+), 27 deletions(-)
> +#[cfg(not(CONFIG_RUSTC_HAS_STABLE_STRICT_PROVENANCE))]
> +mod strict_provenance {
> + /// Gets the "address" portion of the pointer.
> + ///
> + /// See https://doc.rust-lang.org/stable/core/primitive.pointer.html#method.addr.
> + #[inline]
> + pub fn addr<T>(ptr: *const T) -> usize {
> + // This is core's implementation from
> + // https://github.com/rust-lang/rust/commit/4291332175d12e79e6061cdc3f5dccac2e28b969 through
> + // https://github.com/rust-lang/rust/blob/1.84.0/library/core/src/ptr/const_ptr.rs#L172
> + // which is the first version that satisfies `CONFIG_RUSTC_HAS_STABLE_STRICT_PROVENANCE`.
> + #[allow(clippy::undocumented_unsafe_blocks)]
> + unsafe {
> + #[allow(clippy::transmutes_expressible_as_ptr_casts)]
> + core::mem::transmute(ptr.cast::<()>())
> + }
I think we should just use `ptr as usize` here instead. It's going away
at some point and it will only affect optimizations (I don't even know
if they exist at the moment) of old versions.
---
Cheers,
Benno
> + }
> +
> + /// Exposes the "provenance" part of the pointer for future use in
> + /// [`with_exposed_provenance`] and returns the "address" portion.
> + ///
> + /// See https://doc.rust-lang.org/stable/core/primitive.pointer.html#method.expose_provenance.
> + #[inline]
> + pub fn expose_provenance<T>(ptr: *const T) -> usize {
> + ptr.cast::<()>() as usize
> + }
> +
> + /// Converts an address back to a pointer, picking up some previously 'exposed'
> + /// provenance.
> + ///
> + /// See https://doc.rust-lang.org/stable/core/ptr/fn.with_exposed_provenance.html.
> + #[inline]
> + pub fn with_exposed_provenance<T>(addr: usize) -> *const T {
> + addr as *const T
> + }
> +
> + /// Converts an address back to a mutable pointer, picking up some previously 'exposed'
> + /// provenance.
> + ///
> + /// See https://doc.rust-lang.org/stable/core/ptr/fn.with_exposed_provenance_mut.html
> + #[inline]
> + pub fn with_exposed_provenance_mut<T>(addr: usize) -> *mut T {
> + addr as *mut T
> + }
> +
> + /// Creates a pointer with the given address and no [provenance][crate::ptr#provenance].
> + ///
> + /// See https://doc.rust-lang.org/stable/core/ptr/fn.without_provenance_mut.html.
> + #[inline]
> + pub fn without_provenance_mut<T>(addr: usize) -> *mut T {
> + addr as *mut T
> + }
> +}
> +
> +pub use strict_provenance::*;
> +
> // Ensure conditional compilation based on the kernel configuration works;
> // otherwise we may silently break things like initcall handling.
> #[cfg(not(CONFIG_RUST))]
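Review bot: The intra-doc link `[provenance][crate::ptr#provenance]` in the doc comment on `without_provenance_mut` reads as if it was carried over from core, where `crate` is `core`; inside this module `crate` is the `kernel` crate, so the link only resolves if `kernel::ptr` exists and has a `provenance` section. Suggest pointing it at `core::ptr#provenance`, or dropping the link and relying on the "See https://..." line as the other polyfills do. Minor style point: the "See" line on `with_exposed_provenance_mut` is missing the trailing period that the other four "See" lines have.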