lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20260128202130.196419-1-shivendra02467@gmail.com>
Date: Thu, 29 Jan 2026 01:51:30 +0530
From: Shivendra Sharma <shivendra02467@...il.com>
To: ojeda@...nel.org,
	boqun.feng@...il.com,
	gary@...yguo.net,
	bjorn3_gh@...tonmail.com,
	lossin@...nel.org,
	a.hindborg@...nel.org,
	aliceryhl@...gle.com,
	tmgross@...ch.edu,
	dakr@...nel.org
Cc: rust-for-linux@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	shivendra02467@...il.com
Subject: [PATCH] rust: kernel: document safety for rust_fmt_argument

Currently, `rust_fmt_argument` uses a TODO for its safety rationale and
suppresses the `missing_safety_doc` clippy warning.

Following feedback from a previous attempt [1], replace the
suppression with a formal "# Safety" section and update the internal
"// SAFETY" comments to reference these requirements. Additionally,
add a comment to the C header file pointing to the Rust documentation
for safety preconditions.

[1] https://lore.kernel.org/rust-for-linux/CANiq72=b=Z+6dk4XWK6QWcKDJx7SYXL0obAFFfWp8xpE1CFkkw@mail.gmail.com/

Signed-off-by: Shivendra Sharma <shivendra02467@...il.com>
---
 include/linux/sprintf.h |  7 ++++++-
 rust/kernel/print.rs    | 14 +++++++++++---
 2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/include/linux/sprintf.h b/include/linux/sprintf.h
index f06f7b785091..f915829cbba5 100644
--- a/include/linux/sprintf.h
+++ b/include/linux/sprintf.h
@@ -25,7 +25,12 @@ __scanf(2, 0) int vsscanf(const char *, const char *, va_list);
 extern bool no_hash_pointers;
 void hash_pointers_finalize(bool slub_debug);
 
-/* Used for Rust formatting ('%pA') */
+/**
+ * Used for Rust formatting ('%pA').
+ *
+ * Safety preconditions are documented in the Rust implementation
+ * (rust/kernel/print.rs).
+ */
 char *rust_fmt_argument(char *buf, char *end, const void *ptr);
 
 #endif	/* _LINUX_KERNEL_SPRINTF_H */
diff --git a/rust/kernel/print.rs b/rust/kernel/print.rs
index 2d743d78d220..30da8b974398 100644
--- a/rust/kernel/print.rs
+++ b/rust/kernel/print.rs
@@ -14,7 +14,12 @@
 };
 
 // Called from `vsprintf` with format specifier `%pA`.
-#[expect(clippy::missing_safety_doc)]
+///
+/// # Safety
+///
+/// - `buf` must be valid for writes until `end`.
+/// - `ptr` must point to a valid `fmt::Arguments` instance.
+/// - The `fmt::Arguments` must remain valid for the duration of the call.
 #[export]
 unsafe extern "C" fn rust_fmt_argument(
     buf: *mut c_char,
@@ -22,9 +27,12 @@
     ptr: *const c_void,
 ) -> *mut c_char {
     use fmt::Write;
-    // SAFETY: The C contract guarantees that `buf` is valid if it's less than `end`.
+    // SAFETY: The safety requirements of this function (see above)
+    // guarantee that `buf` and `end` define a valid range.
     let mut w = unsafe { RawFormatter::from_ptrs(buf.cast(), end.cast()) };
-    // SAFETY: TODO.
+
+    // SAFETY: The safety requirements of this function guarantee that `ptr`
+    // points to a valid `fmt::Arguments`.
     let _ = w.write_fmt(unsafe { *ptr.cast::<fmt::Arguments<'_>>() });
     w.pos().cast()
 }
-- 
2.52.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ