From nobody Thu Apr  2 17:15:17 2026
Received: from mail-pl1-f195.google.com (mail-pl1-f195.google.com
 [209.85.214.195])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 17D61346E6D
	for <linux-kernel@vger.kernel.org>; Wed, 11 Feb 2026 18:29:24 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.214.195
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1770834565; cv=none;
 b=Z+aTtFa5Uocx1N8hG0M9Zrzs2EwRpnHk8JtyZ372PZ8UzfM4aLM8HfS+yrCj80soz4Qo6avhd1t3s2QEI2UQ7HKChgL/MzQF+ATPnJO3VJ5YoOzlPEDIMNRacVJrPAK0AtP7PWwTEplDXDei3I8S/JM5OWQGAw1TRFyihJh/cZo=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1770834565; c=relaxed/simple;
	bh=WQpVW/oDOphVv/4uJd2OzbDiuRxqVxfbHqvvB7C+vho=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=ktaxLq5bgdZoL9TXYH1D7FFIcwQHq9C80CKYpv39QcHrUPO6km7T1x4XbMKs69NuxJKzXJyEC3anzdQiOgoirukCG8LriAhnwOs06eOic1cigZ6tSLntg7wTvDaRU22joeM/dZHhGtWNN6HtQ1DydGyGNcg3TL280qtWHFKrVa8=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=Ta/bbJ3A; arc=none smtp.client-ip=209.85.214.195
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="Ta/bbJ3A"
Received: by mail-pl1-f195.google.com with SMTP id
 d9443c01a7336-2a9296b3926so13677205ad.1
        for <linux-kernel@vger.kernel.org>;
 Wed, 11 Feb 2026 10:29:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1770834563; x=1771439363;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=NaABifRNKqssgfdqYHudelLxNmXQ+VSLCReMOwAkY2s=;
        b=Ta/bbJ3AMQ/AvKv52JWp+EYLkzoVAQkGKzDcLCgMbq4E7BO31j7DKPjw8EQWDRgJ5Y
         eZdBgfIk8YkUK8nuP4ArbmH725wrWT75Ic0/RZ2XT7TgsdA+TDVfZm9G/gALPztkXeJE
         ZkWi+abhTrtJD8iHUv9CY66fi8gPiQ0ZRMtOOJX4eJT7pxKSTfKQHPnzBOHoLkRB0zet
         1egB14QSkabpjqW+EmnZcPxL8TDQ5FxYuz06LvxGyNdhINdTtqeQE1GyASBbycMme1wm
         acKFsyXluyOTDUF+V7ocAY0BJeoqY0XYvAXu6yOgkX45R6YDx53otU+6dP8U6v6vEKnm
         v41Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1770834563; x=1771439363;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=NaABifRNKqssgfdqYHudelLxNmXQ+VSLCReMOwAkY2s=;
        b=gngjzqrsn9uy/H+KUIcO8aztwLPS6VV52tyI2d0Wkhp9njH+CUPVcIwNqOjpwCHoV6
         toxlFoc67R0jXCip2KTkZ0wevi/SxEzFlWAtYcJeCroyPyFiWXZbXEunvTIUBXRdEO/g
         fgKHsGEM0vsc3wKZ+pcNbrIewf+L2lZup8WmunGGTMfbd9xi//hUYLeu8i+MFZx3be8W
         WtMcYH1OL2WjQxmeNuBwmXcUf8vAMhNxOwTVUD6MSS/zXKl9EkBjehS+6Ijnb7bKJ9de
         NUA8F6o1ekobPKj5Q5oXMAZRgAfieexG+v8ykHuJ9v21pJwSGJipfNEcPMyATqYHB0lO
         w85g==
X-Forwarded-Encrypted: i=1;
 AJvYcCXRoFbhxQY2n6/G22ktjWBTrAkvgH1mQmYabcT0dYlhlWAvAYa8/KyFjIJ3xlESztlSYNGMsjCYZLgruio=@vger.kernel.org
X-Gm-Message-State: AOJu0YwEZFZrgrq4gh5pUbA9A1q3OPTvIWHJqE4gWC68Oxe42h8Wvnbk
	LNY4/LeIk7mcwe+1khdb3M1v8VGvtRGIrMIND8JcwL2sp7byeg4Pwuyy
X-Gm-Gg: AZuq6aJiFTGJmmYOEjLJmCBMQgimtin86fQu5Vux0Rfijs/UQl5kBX45+l+EJZY+jaK
	b9XI9E+GgL/lM749itwpIGaxCCKMDhNoFAHo9+CNLDpbo6W1xtJeOfVGEIc7pQJTFjpQBlyOs0D
	Vn+AKFfH5IogmG5z1o4DTstUy7MSjKLwB83KegwMMoEnJ+fkoRm135Q4GilBVWvD5t2LXdcRz6a
	QJpCS+0PSpa75khgjJUMNpC/SZgXRuiwq2KSjphtFWoN81i/ZnHxHJri6d1N/+NttaNyAiOpPgA
	C3uDjMdp5zQOwBt1mWQLo2vwNsangtfGZVz7clOq7LpOoy0WKvN41ujABb0srn6CmSclttr6WsF
	ojlGwPVqi4Y5zF4wVS96YqUKqeN+AzDSeGcIC3Y3p2wX6tEhuoKceE66dPDIU2hUkF80V50rS0d
	9plYu+krAWx60VniAEEP1X
X-Received: by 2002:a17:902:eb83:b0:2a0:34ee:3725 with SMTP id
 d9443c01a7336-2ab3988c991mr267705ad.14.1770834563304;
        Wed, 11 Feb 2026 10:29:23 -0800 (PST)
Received: from nixos ([117.250.76.240])
        by smtp.gmail.com with ESMTPSA id
 d9443c01a7336-2ab2986f532sm28762425ad.25.2026.02.11.10.29.17
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 11 Feb 2026 10:29:22 -0800 (PST)
From: Shivendra Sharma <shivendra02467@gmail.com>
To: Muchamad Coirul Anwar <muchamadcoirulanwar@gmail.com>,
	Miguel Ojeda <ojeda@kernel.org>
Cc: Alice Ryhl <aliceryhl@google.com>,
	Boqun Feng <boqun@kernel.org>,
	Gary Guo <gary@garyguo.net>,
	=?UTF-8?q?Bj=C3=B6rn=20Roy=20Baron?= <bjorn3_gh@protonmail.com>,
	Benno Lossin <lossin@kernel.org>,
	Andreas Hindborg <a.hindborg@kernel.org>,
	Trevor Gross <tmgross@umich.edu>,
	Danilo Krummrich <dakr@kernel.org>,
	Tamir Duberstein <tamird@kernel.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	rust-for-linux@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	Shivendra Sharma <shivendra02467@gmail.com>
Subject: [PATCH v2] rust: print: add safety documentation for %pA handling
Date: Wed, 11 Feb 2026 23:57:55 +0530
Message-ID: <20260211182755.82220-1-shivendra02467@gmail.com>
X-Mailer: git-send-email 2.51.2
In-Reply-To: 
 <CAO26r3Rh7WEYrH9ksD3ary=2OUSmYj372iCAGx=VsGnXAN4ySQ@mail.gmail.com>
References: 
 <CAO26r3Rh7WEYrH9ksD3ary=2OUSmYj372iCAGx=VsGnXAN4ySQ@mail.gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Add missing safety documentation to `rust_fmt_argument` and `call_printk`.
These comments clarify the safety requirements for dereferencing
pointers and calling the C `_printk` function, specifically
addressing the contract between `lib/vsprintf.c` and Rust regarding
the `%pA` format specifier.

The safety guarantee is made generic to cover all users of `%pA`,
including `seq_file.rs`.

Suggested-by: Alice Ryhl <aliceryhl@google.com>
Co-developed-by: Muchamad Coirul Anwar <muchamadcoirulanwar@gmail.com>
Signed-off-by: Muchamad Coirul Anwar <muchamadcoirulanwar@gmail.com>
Signed-off-by: Shivendra Sharma <shivendra02467@gmail.com>
---
v2:
  - Combined work with Muchamad Coirul Anwar.
  - Refined safety comments to be generic per Alice Ryhl's feedback.
  - Added formal "# Safety" section to rust_fmt_argument per Miguel Ojeda's
    previous suggestion.
  - Added documentation to include/linux/sprintf.h.
  - Links to previous versions:
    v1 (Shivendra): https://lore.kernel.org/rust-for-linux/20260128202130.1=
96419-1-shivendra02467@gmail.com/
    v1 (Muchamad): https://lore.kernel.org/rust-for-linux/20260205042132.40=
772-1-muchamadcoirulanwar@gmail.com/

 include/linux/sprintf.h |  7 ++++++-
 rust/kernel/print.rs    | 19 +++++++++++++++----
 2 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/include/linux/sprintf.h b/include/linux/sprintf.h
index f06f7b785091..f915829cbba5 100644
--- a/include/linux/sprintf.h
+++ b/include/linux/sprintf.h
@@ -25,7 +25,12 @@ __scanf(2, 0) int vsscanf(const char *, const char *, va=
_list);
 extern bool no_hash_pointers;
 void hash_pointers_finalize(bool slub_debug);
=20
-/* Used for Rust formatting ('%pA') */
+/**
+ * Used for Rust formatting ('%pA').
+ *
+ * Safety preconditions are documented in the Rust implementation
+ * (rust/kernel/print.rs).
+ */
 char *rust_fmt_argument(char *buf, char *end, const void *ptr);
=20
 #endif	/* _LINUX_KERNEL_SPRINTF_H */
diff --git a/rust/kernel/print.rs b/rust/kernel/print.rs
index 6fd84389a858..15d4039a7646 100644
--- a/rust/kernel/print.rs
+++ b/rust/kernel/print.rs
@@ -19,7 +19,12 @@
 };
=20
 // Called from `vsprintf` with format specifier `%pA`.
-#[expect(clippy::missing_safety_doc)]
+///
+/// # Safety
+///
+/// - `buf` must be valid for writes until `end`.
+/// - `ptr` must point to a valid `fmt::Arguments` instance.
+/// - The `fmt::Arguments` must remain valid for the duration of the call.
 #[export]
 unsafe extern "C" fn rust_fmt_argument(
     buf: *mut c_char,
@@ -27,9 +32,13 @@
     ptr: *const c_void,
 ) -> *mut c_char {
     use fmt::Write;
-    // SAFETY: The C contract guarantees that `buf` is valid if it's less =
than `end`.
+    // SAFETY: The safety requirements of this function (see above)
+    // guarantee that `buf` and `end` define a valid range.
     let mut w =3D unsafe { RawFormatter::from_ptrs(buf.cast(), end.cast())=
 };
-    // SAFETY: TODO.
+    // SAFETY: The C implementation of `vsprintf` (in `lib/vsprintf.c`) sp=
ecifically
+    // calls this function ONLY when processing the `%pA` format specifier.
+    // On the Rust side, we always pair `%pA` with a valid pointer to
+    // `fmt::Arguments`, satisfying the requirements of this function (see=
 above).
     let _ =3D w.write_fmt(unsafe { *ptr.cast::<fmt::Arguments<'_>>() });
     w.pos().cast()
 }
@@ -109,7 +118,9 @@ pub unsafe fn call_printk(
 ) {
     // `_printk` does not seem to fail in any path.
     #[cfg(CONFIG_PRINTK)]
-    // SAFETY: TODO.
+    // SAFETY: The format string is constructed to use `%pA`, which corres=
ponds to the
+    // pointer to `fmt::Arguments` passed as the third argument.
+    // Since `args` is a valid reference, casting it to a pointer is safe.
     unsafe {
         bindings::_printk(
             format_string.as_ptr(),
--=20
2.51.2