[PATCH] rust: print: add SAFETY comments to unsafe blocks

Albab Hasan posted 1 patch 1 week, 6 days ago
Posted by Albab Hasan 1 week, 6 days ago
Replace the placeholder // SAFETY: TODO. comments with proper safety
descriptions for the two unsafe blocks in rust_fmt_argument and
call_printk.

For rust_fmt_argument the ptr parameter is provided by the %pA
format specifier handler in vsprintf, which guarantees it points to a
valid, properly aligned fmt::Arguments<'_> value. Since
fmt::Arguments implements Copy, the dereference is a bitwise
copy with no side effects.

For call_printk the safety depends on the function's documented
preconditions: the format string is one of the fixed compile-time
constants from format_strings and the module name is null-terminated.
The arguments match the format specifiers (%s for module name, %pA
for the fmt::Arguments pointer).

Signed-off-by: Albab Hasan <albabhasan276@gmail.com>
---
 rust/kernel/print.rs | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/rust/kernel/print.rs b/rust/kernel/print.rs
index 6fd84389a858..8e1029b0a0b4 100644
--- a/rust/kernel/print.rs
+++ b/rust/kernel/print.rs
@@ -29,7 +29,9 @@
     use fmt::Write;
     // SAFETY: The C contract guarantees that `buf` is valid if it's less than `end`.
     let mut w = unsafe { RawFormatter::from_ptrs(buf.cast(), end.cast()) };
-    // SAFETY: TODO.
+    // SAFETY: `ptr` is provided by the `%pA` format specifier in `vsprintf` which guarantees
+    // that it points to a valid, properly aligned `fmt::Arguments<'_>` value for the lifetime
+    // of this function call.
     let _ = w.write_fmt(unsafe { *ptr.cast::<fmt::Arguments<'_>>() });
     w.pos().cast()
 }
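Review bot: the new SAFETY comment above the `*ptr.cast::<fmt::Arguments<'_>>()` dereference ties the guarantee to `vsprintf` specifically, whereas the contract belongs to the `%pA` specifier itself, whichever printk-family path formats through it (the later reply in this thread asks for exactly that generic wording); the commit message also relies on `fmt::Arguments` being `Copy` to argue that the dereference is a side-effect-free bitwise copy, and that reasoning did not make it into the comment. Suggest something like `// SAFETY: By the %pA contract, ptr points to a valid, properly aligned fmt::Arguments<'_> for the duration of this call; fmt::Arguments is Copy, so the dereference is a bitwise copy.`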
@@ -109,7 +111,10 @@ pub unsafe fn call_printk(
 ) {
     // `_printk` does not seem to fail in any path.
     #[cfg(CONFIG_PRINTK)]
-    // SAFETY: TODO.
+    // SAFETY: `format_string` is one of the fixed `format_strings::*` constants, which are
+    // valid null-terminated C format strings. `module_name` is guaranteed by the caller to be
+    // null-terminated. `&args` points to a valid `fmt::Arguments` on the stack, passed as
+    // `%pA` which `_printk` will forward to `rust_fmt_argument` for rendering.
     unsafe {
         bindings::_printk(
             format_string.as_ptr(),
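Review bot: the comment asserts that `module_name` is "guaranteed by the caller to be null-terminated" and that `&args` is passed as `%pA`, but the hunk stops at `format_string.as_ptr()`, so the argument list that has to line up with the `%s` and `%pA` specifiers is not visible for review. Since `call_printk` is a `pub unsafe fn`, the comment should refer to the function's documented preconditions (as the commit message does) rather than restate the caller's obligations as if they were established here, e.g. `// SAFETY: format_string is one of the format_strings::* constants; module_name is null-terminated per this function's safety requirements; the arguments match its %s and %pA specifiers.`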
-- 
2.43.0
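An added, stand-alone model of the `%pA` round trip the commit message describes (illustrative code, not the kernel's `rust/kernel/print.rs`): a reduced `RawFormatter`, a `rust_fmt_argument` that dereferences the pointer under the documented contract, and a hypothetical `format_via_pa` standing in for the `%pA` leg of `call_printk`, with a deliberately small buffer so the truncation path is exercised. It assumes the stack-allocated `fmt::Arguments` is valid for the whole call, which is exactly what the patch's SAFETY comments rely on.

```rust
use core::ffi::c_void;
use core::fmt::{self, Write};
/// Stand-in for the kernel's `RawFormatter`: writes into `[buf, end)` and keeps
/// counting past `end`, so the caller can learn how many bytes were needed.
struct RawFormatter { pos: usize, end: usize }

impl RawFormatter {
    /// # Safety
    /// `buf..end` must be a valid, writable byte range (or `buf == end`).
    unsafe fn from_ptrs(buf: *mut u8, end: *mut u8) -> Self {
        Self { pos: buf as usize, end: end as usize }
    }
    fn pos(&self) -> *mut u8 { self.pos as *mut u8 }
}

impl Write for RawFormatter {
    fn write_str(&mut self, s: &str) -> fmt::Result {
        for &b in s.as_bytes() {
            if self.pos < self.end {
                // SAFETY: `pos` lies inside the range vouched for in `from_ptrs`.
                unsafe { *(self.pos as *mut u8) = b };
            }
            self.pos += 1; // counted even when dropped, like the kernel's RawFormatter
        }
        Ok(())
    }
}

/// Model of `rust_fmt_argument`, the function the `%pA` handler calls.
/// # Safety
/// `ptr` must point to a live `fmt::Arguments<'_>` for the whole call and
/// `buf..end` must satisfy the contract of `RawFormatter::from_ptrs`.
unsafe fn rust_fmt_argument(buf: *mut u8, end: *mut u8, ptr: *const c_void) -> *mut u8 {
    // SAFETY: `buf..end` is valid per this function's `# Safety` contract.
    let mut w = unsafe { RawFormatter::from_ptrs(buf, end) };
    // SAFETY: `ptr` points to a live `fmt::Arguments<'_>` per the contract above;
    // `fmt::Arguments` is `Copy`, so `*ptr` is a bitwise copy with no side effects.
    let _ = w.write_fmt(unsafe { *ptr.cast::<fmt::Arguments<'_>>() });
    w.pos()
}
/// Hypothetical safe model of the `%pA` leg of `call_printk`: `args` lives on this
/// frame, so `&args` stays valid for the whole call. Returns (text, bytes needed).
fn format_via_pa(args: fmt::Arguments<'_>) -> (String, usize) {
    let mut buf = [0u8; 16]; // constructed: small on purpose to show truncation
    let range = buf.as_mut_ptr_range();
    // SAFETY: `range` is a writable 16-byte stack buffer and `&args` outlives the call.
    let pos = unsafe { rust_fmt_argument(range.start, range.end, (&args as *const fmt::Arguments<'_>).cast()) };
    let needed = pos as usize - range.start as usize;
    let written = needed.min(buf.len());
    (String::from_utf8_lossy(&buf[..written]).into_owned(), needed)
}
```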
Re: [PATCH] rust: print: add SAFETY comments to unsafe blocks
Posted by Miguel Ojeda 1 week, 5 days ago
On Sat, Mar 21, 2026 at 3:34 PM Albab Hasan <albabhasan276@gmail.com> wrote:
>
> Replace the placeholder // SAFETY: TODO. comments with proper safety
> descriptions for the two unsafe blocks in rust_fmt_argument and
> call_printk.
>
> For rust_fmt_argument the ptr parameter is provided by the %pA
> format specifier handler in vsprintf, which guarantees it points to a
> valid, properly aligned fmt::Arguments<'_> value. Since
> fmt::Arguments implements Copy, the dereference is a bitwise
> copy with no side effects.
>
> For call_printk the safety depends on the function's documented
> preconditions: the format string is one of the fixed compile-time
> constants from format_strings and the module name is null-terminated.
> The arguments match the format specifiers (%s for module name, %pA
> for the fmt::Arguments pointer).
>
> Signed-off-by: Albab Hasan <albabhasan276@gmail.com>

Did you see the following ones?

  https://lore.kernel.org/rust-for-linux/20260212125427.122362-1-alizainuimx@gmail.com/
  https://lore.kernel.org/rust-for-linux/20260211182755.82220-1-shivendra02467@gmail.com/

What is the relation with them? (Cc'ing their authors)

Thanks!

Link: https://github.com/Rust-for-Linux/linux/issues/351

Cheers,
Miguel
Re: [PATCH] rust: print: add SAFETY comments to unsafe blocks
Posted by Albab Hasan 1 week, 5 days ago
Thanks for pointing these out Miguel. I wasn't aware of the prior
patches. Sorry for the duplicate. Happy to drop mine in favor of
whichever version you prefer.

Thanks,
Albab

On Sun, 22 Mar 2026 at 05:14, Miguel Ojeda
<miguel.ojeda.sandonis@gmail.com> wrote:
>
> On Sat, Mar 21, 2026 at 3:34 PM Albab Hasan <albabhasan276@gmail.com> wrote:
> >
> > Replace the placeholder // SAFETY: TODO. comments with proper safety
> > descriptions for the two unsafe blocks in rust_fmt_argument and
> > call_printk.
> >
> > For rust_fmt_argument the ptr parameter is provided by the %pA
> > format specifier handler in vsprintf, which guarantees it points to a
> > valid, properly aligned fmt::Arguments<'_> value. Since
> > fmt::Arguments implements Copy, the dereference is a bitwise
> > copy with no side effects.
> >
> > For call_printk the safety depends on the function's documented
> > preconditions: the format string is one of the fixed compile-time
> > constants from format_strings and the module name is null-terminated.
> > The arguments match the format specifiers (%s for module name, %pA
> > for the fmt::Arguments pointer).
> >
> > Signed-off-by: Albab Hasan <albabhasan276@gmail.com>
>
> Did you see the following ones?
>
>   https://lore.kernel.org/rust-for-linux/20260212125427.122362-1-alizainuimx@gmail.com/
>   https://lore.kernel.org/rust-for-linux/20260211182755.82220-1-shivendra02467@gmail.com/
>
> What is the relation with them? (Cc'ing their authors)
>
> Thanks!
>
> Link: https://github.com/Rust-for-Linux/linux/issues/351
>
> Cheers,
> Miguel
Re: [PATCH] rust: print: add SAFETY comments to unsafe blocks
Posted by Shivendra Sharma 1 week, 5 days ago
On Sun, Mar 22, 2026 at 8:40 AM Albab Hasan <albabhasan276@gmail.com> wrote:
>
> Thanks for pointing these out Miguel. I wasn't aware of the prior
> patches. Sorry for the duplicate. Happy to drop mine in favor of
> whichever version you prefer.
>
> Thanks,
> Albab
>
> On Sun, 22 Mar 2026 at 05:14, Miguel Ojeda
> <miguel.ojeda.sandonis@gmail.com> wrote:
> >
> > On Sat, Mar 21, 2026 at 3:34 PM Albab Hasan <albabhasan276@gmail.com> wrote:
> > >
> > > Replace the placeholder // SAFETY: TODO. comments with proper safety
> > > descriptions for the two unsafe blocks in rust_fmt_argument and
> > > call_printk.
> > >
> > > For rust_fmt_argument the ptr parameter is provided by the %pA
> > > format specifier handler in vsprintf, which guarantees it points to a
> > > valid, properly aligned fmt::Arguments<'_> value. Since
> > > fmt::Arguments implements Copy, the dereference is a bitwise
> > > copy with no side effects.
> > >
> > > For call_printk the safety depends on the function's documented
> > > preconditions: the format string is one of the fixed compile-time
> > > constants from format_strings and the module name is null-terminated.
> > > The arguments match the format specifiers (%s for module name, %pA
> > > for the fmt::Arguments pointer).
> > >
> > > Signed-off-by: Albab Hasan <albabhasan276@gmail.com>
> >
> > Did you see the following ones?
> >
> >   https://lore.kernel.org/rust-for-linux/20260212125427.122362-1-alizainuimx@gmail.com/
> >   https://lore.kernel.org/rust-for-linux/20260211182755.82220-1-shivendra02467@gmail.com/
> >
> > What is the relation with them? (Cc'ing their authors)
> >
> > Thanks!
> >
> > Link: https://github.com/Rust-for-Linux/linux/issues/351
> >
> > Cheers,
> > Miguel

Hi Albab,

Thank you for the kind response! It is incredibly easy to miss older
threads on the mailing list. I really appreciate you taking the time
to look into this and write up these safety requirements.

Hi Miguel,

Regarding the relation: the v2 patch I linked earlier targets the
exact same two TODOs in print.rs.

The v2 implements the generic wording Alice Ryhl suggested to ensure
the %pA guarantee covers all users. I also believe that v2 cleanly
resolves all the lints related to Issue #351 in print.rs.

That said, Albab did provide some great extra detail regarding the
call_printk invariants. If you prefer their more detailed wording for
that specific block over the v2 version, just let me know and I am
fully open to incorporating it!

Best regards,

Shivendra