Re: [PATCH v8 6/6] rust: enable `clippy::ref_as_ptr` lint

From: Boqun Feng
Date: Tue Apr 15 2025 - 13:38:25 EST


On Wed, Apr 09, 2025 at 10:47:23AM -0400, Tamir Duberstein wrote:
> In Rust 1.78.0, Clippy introduced the `ref_as_ptr` lint [1]:
>
> > Using `as` casts may result in silently changing mutability or type.
>
> While this doesn't eliminate unchecked `as` conversions, it makes such
> conversions easier to scrutinize. It also has the slight benefit of
> removing a degree of freedom on which to bikeshed. Thus apply the
> changes and enable the lint -- no functional change intended.
>
> Link: https://rust-lang.github.io/rust-clippy/master/index.html#ref_as_ptr [1]
> Suggested-by: Benno Lossin <benno.lossin@xxxxxxxxx>
> Link: https://lore.kernel.org/all/D8PGG7NTWB6U.3SS3A5LN4XWMN@xxxxxxxxx/
> Signed-off-by: Tamir Duberstein <tamird@xxxxxxxxx>
> ---
> Makefile | 1 +
> rust/bindings/lib.rs | 1 +
> rust/kernel/device_id.rs | 3 ++-
> rust/kernel/fs/file.rs | 3 ++-
> rust/kernel/str.rs | 6 ++++--
> rust/kernel/uaccess.rs | 10 ++++------
> rust/uapi/lib.rs | 1 +
> 7 files changed, 15 insertions(+), 10 deletions(-)
>
> diff --git a/Makefile b/Makefile
> index eb5a942241a2..2a16e02f26db 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -485,6 +485,7 @@ export rust_common_flags := --edition=2021 \
> -Wclippy::no_mangle_with_rust_abi \
> -Wclippy::ptr_as_ptr \
> -Wclippy::ptr_cast_constness \
> + -Wclippy::ref_as_ptr \
> -Wclippy::undocumented_unsafe_blocks \
> -Wclippy::unnecessary_safety_comment \
> -Wclippy::unnecessary_safety_doc \
> diff --git a/rust/bindings/lib.rs b/rust/bindings/lib.rs
> index b105a0d899cc..2b69016070c6 100644
> --- a/rust/bindings/lib.rs
> +++ b/rust/bindings/lib.rs
> @@ -27,6 +27,7 @@
> #[allow(dead_code)]
> #[allow(clippy::cast_lossless)]
> #[allow(clippy::ptr_as_ptr)]
> +#[allow(clippy::ref_as_ptr)]
> #[allow(clippy::undocumented_unsafe_blocks)]
> mod bindings_raw {
> // Manual definition for blocklisted types.
> diff --git a/rust/kernel/device_id.rs b/rust/kernel/device_id.rs
> index 4063f09d76d9..37cc03d1df4c 100644
> --- a/rust/kernel/device_id.rs
> +++ b/rust/kernel/device_id.rs
> @@ -136,7 +136,8 @@ impl<T: RawDeviceId, U, const N: usize> IdTable<T, U> for IdArray<T, U, N> {
> fn as_ptr(&self) -> *const T::RawType {
> // This cannot be `self.ids.as_ptr()`, as the return pointer must have correct provenance
> // to access the sentinel.
> - (self as *const Self).cast()
> + let this: *const Self = self;

Hmm.. so this lint usually just requires using a let statement instead
of an as expression when casting a reference to a pointer? Not 100%
convinced this results in better code TBH..

> + this.cast()
> }
>
> fn id(&self, index: usize) -> &T::RawType {
> diff --git a/rust/kernel/fs/file.rs b/rust/kernel/fs/file.rs
> index 791f493ada10..559a4bfa123f 100644
> --- a/rust/kernel/fs/file.rs
> +++ b/rust/kernel/fs/file.rs
> @@ -359,12 +359,13 @@ impl core::ops::Deref for File {
> type Target = LocalFile;
> #[inline]
> fn deref(&self) -> &LocalFile {
> + let this: *const Self = self;
> // SAFETY: The caller provides a `&File`, and since it is a reference, it must point at a
> // valid file for the desired duration.
> //
> // By the type invariants, there are no `fdget_pos` calls that did not take the
> // `f_pos_lock` mutex.
> - unsafe { LocalFile::from_raw_file((self as *const Self).cast()) }
> + unsafe { LocalFile::from_raw_file(this.cast()) }
> }
> }
>
> diff --git a/rust/kernel/str.rs b/rust/kernel/str.rs
> index 40034f77fc2f..75b4a18c67c4 100644
> --- a/rust/kernel/str.rs
> +++ b/rust/kernel/str.rs
> @@ -28,8 +28,9 @@ pub const fn is_empty(&self) -> bool {
> /// Creates a [`BStr`] from a `[u8]`.
> #[inline]
> pub const fn from_bytes(bytes: &[u8]) -> &Self {
> + let bytes: *const [u8] = bytes;
> // SAFETY: `BStr` is transparent to `[u8]`.
> - unsafe { &*(bytes as *const [u8] as *const BStr) }
> + unsafe { &*(bytes as *const BStr) }

unsafe { &*(bytes.cast::<BStr>()) }

? I'm curious why this dodged the other lint (ptr_as_ptr).

> }
>
> /// Strip a prefix from `self`. Delegates to [`slice::strip_prefix`].
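Review bot: In `from_bytes` the added `let bytes: *const [u8] = bytes;` rebinds the parameter name to a raw pointer, so inside the `unsafe` block `bytes` no longer names the borrowed slice that the soundness argument starts from. A distinct name keeps the reference and the pointer apart for anyone auditing the block, e.g. `let ptr: *const [u8] = bytes;` followed by `unsafe { &*(ptr as *const BStr) }`. The same rebinding is added in `from_bytes_with_nul_unchecked_mut` (`bytes`), `read_slice` (where `out` is bound three times: reference, raw pointer, then `&mut [MaybeUninit<u8>]`) and `write` (`value`). In `from_bytes_with_nul_unchecked_mut` and `write` the SAFETY comments still speak of "properties of `bytes`" and "the reference", so with the shadowing kept they would be clearer if they said the pointer was derived from the `&`/`&mut` parameter.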
> @@ -289,8 +290,9 @@ pub const fn from_bytes_with_nul(bytes: &[u8]) -> Result<&Self, CStrConvertError
> /// `NUL` byte (or the string will be truncated).
> #[inline]
> pub unsafe fn from_bytes_with_nul_unchecked_mut(bytes: &mut [u8]) -> &mut CStr {
> + let bytes: *mut [u8] = bytes;
> // SAFETY: Properties of `bytes` guaranteed by the safety precondition.
> - unsafe { &mut *(bytes as *mut [u8] as *mut CStr) }
> + unsafe { &mut *(bytes as *mut CStr) }

Ditto.

> }
>
> /// Returns a C pointer to the string.
> diff --git a/rust/kernel/uaccess.rs b/rust/kernel/uaccess.rs
> index 80a9782b1c6e..7a6fc78fc314 100644
> --- a/rust/kernel/uaccess.rs
> +++ b/rust/kernel/uaccess.rs
> @@ -240,9 +240,10 @@ pub fn read_raw(&mut self, out: &mut [MaybeUninit<u8>]) -> Result {
> /// Fails with [`EFAULT`] if the read happens on a bad address, or if the read goes out of
> /// bounds of this [`UserSliceReader`]. This call may modify `out` even if it returns an error.
> pub fn read_slice(&mut self, out: &mut [u8]) -> Result {
> + let out: *mut [u8] = out;
> // SAFETY: The types are compatible and `read_raw` doesn't write uninitialized bytes to
> // `out`.
> - let out = unsafe { &mut *(out as *mut [u8] as *mut [MaybeUninit<u8>]) };
> + let out = unsafe { &mut *(out as *mut [MaybeUninit<u8>]) };

Ditto.

Regards,
Boqun

> self.read_raw(out)
> }
>
> @@ -348,6 +349,7 @@ pub fn write<T: AsBytes>(&mut self, value: &T) -> Result {
> if len > self.length {
> return Err(EFAULT);
> }
> + let value: *const T = value;
> // SAFETY: The reference points to a value of type `T`, so it is valid for reading
> // `size_of::<T>()` bytes.
> //
> @@ -355,11 +357,7 @@ pub fn write<T: AsBytes>(&mut self, value: &T) -> Result {
> // kernel pointer. This mirrors the logic on the C side that skips the check when the length
> // is a compile-time constant.
> let res = unsafe {
> - bindings::_copy_to_user(
> - self.ptr as *mut c_void,
> - (value as *const T).cast::<c_void>(),
> - len,
> - )
> + bindings::_copy_to_user(self.ptr as *mut c_void, value.cast::<c_void>(), len)
> };
> if res != 0 {
> return Err(EFAULT);
> diff --git a/rust/uapi/lib.rs b/rust/uapi/lib.rs
> index d5dab4dfabec..6230ba48201d 100644
> --- a/rust/uapi/lib.rs
> +++ b/rust/uapi/lib.rs
> @@ -16,6 +16,7 @@
> clippy::all,
> clippy::cast_lossless,
> clippy::ptr_as_ptr,
> + clippy::ref_as_ptr,
> clippy::undocumented_unsafe_blocks,
> dead_code,
> missing_docs,
>
> --
> 2.49.0
>
>