... > > Maybe something like > > > > Every time a memory location is read, the reader's position is advanced by > > the read length and the next read will start from there. This helps prevent > > accidentally reading the same location twice and causing a TOCTOU bug. WTF TOCTOU? I'm guessing it is reading things twice and getting different answers. That really doesn't match how copying from userspace is used is many places. Sometimes you really do want to be using offsets and lengths. For instance the user buffer might contain offsets of items further down the buffer. There is also the code (eg ioctl) that does a read-modify-write on a buffer. There is also this bit: > > + /// Reads the entirety of the user slice. > > + /// > > + /// Returns `EFAULT` if the address does not currently point to > > + /// mapped, readable memory. > > + pub fn read_all(self) -> Result<Vec<u8>> { > > + self.reader().read_all() > > + } > > If I understand it correctly, the function will return `EFAULT` if _any_ > address in the interval `[self.0, self.0 + self.1)` does not point to > mapped, readable memory. Maybe the docs could be more explicit. That isn't (and can't be) how it works. access_ok() checks that the buffer isn't in kernel space. The copy is then done until it actually faults on an invalid address. In that case the destination buffer has been updated to the point of failure. You can't do a check before the copy because another thread can change the mapping (it would also be horribly expensive). David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)