Message-ID: <CAJ-ks9mzyfvsxkyud_wLXfhLD_zP95bivCQ9i2aC-3ea=Y7+0A@mail.gmail.com>
Date: Tue, 15 Apr 2025 13:58:41 -0400
From: Tamir Duberstein <tamird@...il.com>
To: Boqun Feng <boqun.feng@...il.com>
Cc: Masahiro Yamada <masahiroy@...nel.org>, Nathan Chancellor <nathan@...nel.org>, 
	Miguel Ojeda <ojeda@...nel.org>, Alex Gaynor <alex.gaynor@...il.com>, Gary Guo <gary@...yguo.net>, 
	Björn Roy Baron <bjorn3_gh@...tonmail.com>, 
	Benno Lossin <benno.lossin@...ton.me>, Andreas Hindborg <a.hindborg@...nel.org>, 
	Alice Ryhl <aliceryhl@...gle.com>, Trevor Gross <tmgross@...ch.edu>, 
	Danilo Krummrich <dakr@...nel.org>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, 
	"Rafael J. Wysocki" <rafael@...nel.org>, Brendan Higgins <brendan.higgins@...ux.dev>, 
	David Gow <davidgow@...gle.com>, Rae Moar <rmoar@...gle.com>, 
	Bjorn Helgaas <bhelgaas@...gle.com>, Luis Chamberlain <mcgrof@...nel.org>, 
	Russ Weight <russ.weight@...ux.dev>, Rob Herring <robh@...nel.org>, 
	Saravana Kannan <saravanak@...gle.com>, Abdiel Janulgue <abdiel.janulgue@...il.com>, 
	Daniel Almeida <daniel.almeida@...labora.com>, Robin Murphy <robin.murphy@....com>, 
	Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>, Maxime Ripard <mripard@...nel.org>, 
	Thomas Zimmermann <tzimmermann@...e.de>, David Airlie <airlied@...il.com>, Simona Vetter <simona@...ll.ch>, 
	FUJITA Tomonori <fujita.tomonori@...il.com>, Nicolas Schier <nicolas.schier@...ux.dev>, 
	Frederic Weisbecker <frederic@...nel.org>, Lyude Paul <lyude@...hat.com>, 
	Thomas Gleixner <tglx@...utronix.de>, Anna-Maria Behnsen <anna-maria@...utronix.de>, 
	linux-kbuild@...r.kernel.org, linux-kernel@...r.kernel.org, 
	rust-for-linux@...r.kernel.org, linux-kselftest@...r.kernel.org, 
	kunit-dev@...glegroups.com, linux-pci@...r.kernel.org, 
	linux-block@...r.kernel.org, devicetree@...r.kernel.org, 
	dri-devel@...ts.freedesktop.org, netdev@...r.kernel.org
Subject: Re: [PATCH v8 6/6] rust: enable `clippy::ref_as_ptr` lint

Hi Boqun, thanks for having a look!

On Tue, Apr 15, 2025 at 1:37 PM Boqun Feng <boqun.feng@...il.com> wrote:
>
> On Wed, Apr 09, 2025 at 10:47:23AM -0400, Tamir Duberstein wrote:
> > In Rust 1.78.0, Clippy introduced the `ref_as_ptr` lint [1]:
> >
> > > Using `as` casts may result in silently changing mutability or type.
> >
> > While this doesn't eliminate unchecked `as` conversions, it makes such
> > conversions easier to scrutinize.  It also has the slight benefit of
> > removing a degree of freedom on which to bikeshed. Thus apply the
> > changes and enable the lint -- no functional change intended.
> >
> > Link: https://rust-lang.github.io/rust-clippy/master/index.html#ref_as_ptr [1]
> > Suggested-by: Benno Lossin <benno.lossin@...ton.me>
> > Link: https://lore.kernel.org/all/D8PGG7NTWB6U.3SS3A5LN4XWMN@proton.me/
> > Signed-off-by: Tamir Duberstein <tamird@...il.com>
> > ---
> >  Makefile                 |  1 +
> >  rust/bindings/lib.rs     |  1 +
> >  rust/kernel/device_id.rs |  3 ++-
> >  rust/kernel/fs/file.rs   |  3 ++-
> >  rust/kernel/str.rs       |  6 ++++--
> >  rust/kernel/uaccess.rs   | 10 ++++------
> >  rust/uapi/lib.rs         |  1 +
> >  7 files changed, 15 insertions(+), 10 deletions(-)
> >
> > diff --git a/Makefile b/Makefile
> > index eb5a942241a2..2a16e02f26db 100644
> > --- a/Makefile
> > +++ b/Makefile
> > @@ -485,6 +485,7 @@ export rust_common_flags := --edition=2021 \
> >                           -Wclippy::no_mangle_with_rust_abi \
> >                           -Wclippy::ptr_as_ptr \
> >                           -Wclippy::ptr_cast_constness \
> > +                         -Wclippy::ref_as_ptr \
> >                           -Wclippy::undocumented_unsafe_blocks \
> >                           -Wclippy::unnecessary_safety_comment \
> >                           -Wclippy::unnecessary_safety_doc \
> > diff --git a/rust/bindings/lib.rs b/rust/bindings/lib.rs
> > index b105a0d899cc..2b69016070c6 100644
> > --- a/rust/bindings/lib.rs
> > +++ b/rust/bindings/lib.rs
> > @@ -27,6 +27,7 @@
> >  #[allow(dead_code)]
> >  #[allow(clippy::cast_lossless)]
> >  #[allow(clippy::ptr_as_ptr)]
> > +#[allow(clippy::ref_as_ptr)]
> >  #[allow(clippy::undocumented_unsafe_blocks)]
> >  mod bindings_raw {
> >      // Manual definition for blocklisted types.
> > diff --git a/rust/kernel/device_id.rs b/rust/kernel/device_id.rs
> > index 4063f09d76d9..37cc03d1df4c 100644
> > --- a/rust/kernel/device_id.rs
> > +++ b/rust/kernel/device_id.rs
> > @@ -136,7 +136,8 @@ impl<T: RawDeviceId, U, const N: usize> IdTable<T, U> for IdArray<T, U, N> {
> >      fn as_ptr(&self) -> *const T::RawType {
> >          // This cannot be `self.ids.as_ptr()`, as the return pointer must have correct provenance
> >          // to access the sentinel.
> > -        (self as *const Self).cast()
> > +        let this: *const Self = self;
>
> Hmm.. so this lint usually just requires to use a let statement instead
> of as expression when casting a reference to a pointer? Not 100%
> convinced this results into better code TBH..

The rationale is in the lint description and quoted in the commit
message: "Using `as` casts may result in silently changing mutability
or type.".

>
> > +        this.cast()
> >      }
> >
> >      fn id(&self, index: usize) -> &T::RawType {
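Review bot: in `as_ptr`, the two-statement form `let this: *const Self = self;` followed by `this.cast()` adds a local only to satisfy the lint. `core::ptr::from_ref(self).cast()` would stay a single expression while still pinning the pointee type and constness, provided the minimum supported toolchain has `from_ref`. Either way, the provenance comment should stay directly above the line that derives the pointer from `self`, since that is the line it explains.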
> > diff --git a/rust/kernel/fs/file.rs b/rust/kernel/fs/file.rs
> > index 791f493ada10..559a4bfa123f 100644
> > --- a/rust/kernel/fs/file.rs
> > +++ b/rust/kernel/fs/file.rs
> > @@ -359,12 +359,13 @@ impl core::ops::Deref for File {
> >      type Target = LocalFile;
> >      #[inline]
> >      fn deref(&self) -> &LocalFile {
> > +        let this: *const Self = self;
> >          // SAFETY: The caller provides a `&File`, and since it is a reference, it must point at a
> >          // valid file for the desired duration.
> >          //
> >          // By the type invariants, there are no `fdget_pos` calls that did not take the
> >          // `f_pos_lock` mutex.
> > -        unsafe { LocalFile::from_raw_file((self as *const Self).cast()) }
> > +        unsafe { LocalFile::from_raw_file(this.cast()) }
> >      }
> >  }
> >
> > diff --git a/rust/kernel/str.rs b/rust/kernel/str.rs
> > index 40034f77fc2f..75b4a18c67c4 100644
> > --- a/rust/kernel/str.rs
> > +++ b/rust/kernel/str.rs
> > @@ -28,8 +28,9 @@ pub const fn is_empty(&self) -> bool {
> >      /// Creates a [`BStr`] from a `[u8]`.
> >      #[inline]
> >      pub const fn from_bytes(bytes: &[u8]) -> &Self {
> > +        let bytes: *const [u8] = bytes;
> >          // SAFETY: `BStr` is transparent to `[u8]`.
> > -        unsafe { &*(bytes as *const [u8] as *const BStr) }
> > +        unsafe { &*(bytes as *const BStr) }
>
>         unsafe { &*(bytes.cast::<BStr>()) }
>
> ? I'm curious why this dodged the other lint (ptr_as_ptr).

The reason it has to be written this way is that BStr is !Sized, and
`pointer::cast` has an implicit Sized bound.

Perhaps the lint is smart enough to avoid the suggestion in that case?
Seems like yes:
https://github.com/rust-lang/rust-clippy/blob/d3267e9230940757fde2fcb608605bf8dbfd85e1/clippy_lints/src/casts/ptr_as_ptr.rs#L36.

>
> >      }
> >
> >      /// Strip a prefix from `self`. Delegates to [`slice::strip_prefix`].
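Review bot: in `from_bytes`, the remaining `bytes as *const BStr` reads like a missed `.cast()` conversion, given that `-Wclippy::ptr_as_ptr` is already in the Makefile flags, and nothing in the hunk says why it stays an `as`. A one-line comment beside the SAFETY note stating that `BStr` is unsized would answer that in place. Rebinding `bytes` from `&[u8]` to `*const [u8]` also hides the change from reference to raw pointer behind the same name; a distinct name would match the `this` used in device_id.rs and fs/file.rs.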
> > @@ -289,8 +290,9 @@ pub const fn from_bytes_with_nul(bytes: &[u8]) -> Result<&Self, CStrConvertError
> >      /// `NUL` byte (or the string will be truncated).
> >      #[inline]
> >      pub unsafe fn from_bytes_with_nul_unchecked_mut(bytes: &mut [u8]) -> &mut CStr {
> > +        let bytes: *mut [u8] = bytes;
> >          // SAFETY: Properties of `bytes` guaranteed by the safety precondition.
> > -        unsafe { &mut *(bytes as *mut [u8] as *mut CStr) }
> > +        unsafe { &mut *(bytes as *mut CStr) }
>
> Ditto.
>
> >      }
> >
> >      /// Returns a C pointer to the string.
> > diff --git a/rust/kernel/uaccess.rs b/rust/kernel/uaccess.rs
> > index 80a9782b1c6e..7a6fc78fc314 100644
> > --- a/rust/kernel/uaccess.rs
> > +++ b/rust/kernel/uaccess.rs
> > @@ -240,9 +240,10 @@ pub fn read_raw(&mut self, out: &mut [MaybeUninit<u8>]) -> Result {
> >      /// Fails with [`EFAULT`] if the read happens on a bad address, or if the read goes out of
> >      /// bounds of this [`UserSliceReader`]. This call may modify `out` even if it returns an error.
> >      pub fn read_slice(&mut self, out: &mut [u8]) -> Result {
> > +        let out: *mut [u8] = out;
> >          // SAFETY: The types are compatible and `read_raw` doesn't write uninitialized bytes to
> >          // `out`.
> > -        let out = unsafe { &mut *(out as *mut [u8] as *mut [MaybeUninit<u8>]) };
> > +        let out = unsafe { &mut *(out as *mut [MaybeUninit<u8>]) };
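Review bot: in `read_slice`, `out` now names three different things within a few lines: the `&mut [u8]` parameter, the `*mut [u8]` raw pointer, and the `&mut [MaybeUninit<u8>]` reborrow. Giving the raw pointer its own name would make it clear which value the SAFETY comment and the `unsafe` block refer to.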
>
> Ditto.

Same rationale here.

Cheers.
Tamir
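
The two points argued in this thread, as an added example that is not part of the original message or the kernel tree: what an `as` cast on a reference can change silently, and why one `as` remains when the target type is unsized. `Bytes`, `lossy` and `explicit` are constructed names; `Bytes` stands in for the kernel's `BStr`.

```rust
/// Constructed stand-in for the kernel's `BStr`: an unsized, transparent wrapper over `[u8]`.
#[repr(transparent)]
pub struct Bytes([u8]);

impl Bytes {
    pub fn from_bytes(bytes: &[u8]) -> &Self {
        // Annotated binding: this is a coercion, so the pointee type and
        // mutability must match the reference exactly or compilation fails.
        let ptr: *const [u8] = bytes;
        // `ptr.cast::<Bytes>()` is rejected because `cast` needs a `Sized`
        // target, so one `as` between the two unsized types remains.
        // SAFETY: `Bytes` is `repr(transparent)` over `[u8]`.
        unsafe { &*(ptr as *const Bytes) }
    }

    pub fn len(&self) -> usize {
        self.0.len()
    }
}

/// What `clippy::ref_as_ptr` flags: a single `as` on a reference changes the
/// pointee type (array to element) and drops `mut`, with nothing at the call
/// site marking either change.
pub fn lossy(arr: &mut [u8; 4]) -> *const u8 {
    arr as *const u8
}

/// The lint-clean form: every change is a separate, named step.
pub fn explicit(arr: &mut [u8; 4]) -> *const u8 {
    // Annotating this as `*mut u8` or `*mut [u8; 2]` would not compile.
    let whole: *mut [u8; 4] = arr;
    whole.cast_const().cast::<u8>()
}

fn main() {
    let mut arr = [1u8, 2, 3, 4];
    // Both forms yield the same address; only the second shows how it got there.
    assert_eq!(lossy(&mut arr), explicit(&mut arr));
    assert_eq!(Bytes::from_bytes(&arr).len(), 4);
}
```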
