lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <aYRSpYCIaRmsNvip@google.com>
Date: Thu, 5 Feb 2026 08:19:49 +0000
From: Alice Ryhl <aliceryhl@...gle.com>
To: Muchamad Coirul Anwar <muchamadcoirulanwar@...il.com>
Cc: ojeda@...nel.org, boqun@...nel.org, gary@...yguo.net, 
	bjorn3_gh@...tonmail.com, lossin@...nel.org, a.hindborg@...nel.org, 
	tmgross@...ch.edu, dakr@...nel.org, tamird@...nel.org, 
	gregkh@...uxfoundation.org, fujita.tomonori@...il.com, 
	andrewjballance@...il.com, rust-for-linux@...r.kernel.org, 
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] rust: print: add safety comments for %pA formatting

On Thu, Feb 05, 2026 at 11:21:32AM +0700, Muchamad Coirul Anwar wrote:
> The safety comments in `rust_fmt_argument` and `call_printk` were
> previously marked as TODO.
> 
> This patch adds the missing safety documentation explaining why
> dereferencing the pointers and calling the C `_printk` function
> is safe in these contexts. It clarifies the contract between
> `lib/vsprintf.c` and the Rust implementation regarding the `%pA`
> format specifier.
> 
> Signed-off-by: Muchamad Coirul Anwar <muchamadcoirulanwar@...il.com>
> ---
>  rust/kernel/print.rs | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)
> 
> diff --git a/rust/kernel/print.rs b/rust/kernel/print.rs
> index 6fd84389a858..3e6ff8f42d95 100644
> --- a/rust/kernel/print.rs
> +++ b/rust/kernel/print.rs
> @@ -29,7 +29,11 @@
>      use fmt::Write;
>      // SAFETY: The C contract guarantees that `buf` is valid if it's less than `end`.
>      let mut w = unsafe { RawFormatter::from_ptrs(buf.cast(), end.cast()) };
> -    // SAFETY: TODO.
> +    // SAFETY: The C implementation of `vsprintf` (in `lib/vsprintf.c`) specifically
> +    // calls this function ONLY when processing the `%pA` format specifier.
> +    // On the Rust side (`call_printk`), we guarantee that `%pA` is always paired
> +    // with a valid pointer to `fmt::Arguments`.
> +    // Therefore, dereferencing `ptr` here is safe.

There are multiple places that %pA is passed. For example, there is also
seq_file.rs and probably more.

Perhaps remove the reference to call_printk here?

// SAFETY: The C implementation of `vsprintf` (in `lib/vsprintf.c`) specifically
// calls this function ONLY when processing the `%pA` format specifier.
// On the Rust side, we always pair `%pA` with a valid pointer to
// `fmt::Arguments`.

>      let _ = w.write_fmt(unsafe { *ptr.cast::<fmt::Arguments<'_>>() });
>      w.pos().cast()
>  }
> @@ -109,7 +113,9 @@ pub unsafe fn call_printk(
>  ) {
>      // `_printk` does not seem to fail in any path.
>      #[cfg(CONFIG_PRINTK)]
> -    // SAFETY: TODO.
> +    // SAFETY: The format string is constructed to use `%pA`, which corresponds to the
> +    // pointer to `fmt::Arguments` passed as the third argument.
> +    // Since `args` is a valid reference, casting it to a pointer is safe.
>      unsafe {
>          bindings::_printk(
>              format_string.as_ptr(),
> -- 
> 2.50.0
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ