From: Alice Ryhl <aliceryhl@google.com>
To: Hsiu Che Yu <yu.whisper.personal@gmail.com>
Cc: "Alexandre Courbot" <acourbot@nvidia.com>,
"Miguel Ojeda" <ojeda@kernel.org>,
"Yury Norov" <yury.norov@gmail.com>,
"Boqun Feng" <boqun.feng@gmail.com>,
"Gary Guo" <gary@garyguo.net>,
"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
"Benno Lossin" <lossin@kernel.org>,
"Andreas Hindborg" <a.hindborg@kernel.org>,
"Trevor Gross" <tmgross@umich.edu>,
"Danilo Krummrich" <dakr@kernel.org>,
rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] rust: num: bounded: add safety comment for Bounded::__new
Date: Mon, 1 Dec 2025 10:12:27 +0000 [thread overview]
Message-ID: <aS1qC_ol2XEpZ44b@google.com> (raw)
In-Reply-To: <20251201062516.45495-1-yu.whisper.personal@gmail.com>
On Mon, Dec 01, 2025 at 02:25:16PM +0800, Hsiu Che Yu wrote:
> The `__new` constructor only performs a bounds check and stores the
> value in the wrapper type. It does not perform any unsafe memory
> operations, so it does not need to be marked as `unsafe`.
>
> Reported-by: Miguel Ojeda <ojeda@kernel.org>
> Closes: https://github.com/Rust-for-Linux/linux/issues/1211
>
> Signed-off-by: Hsiu Che Yu <yu.whisper.personal@gmail.com>
> ---
> rust/kernel/num/bounded.rs | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/rust/kernel/num/bounded.rs b/rust/kernel/num/bounded.rs
> index f870080af8ac..cde1b8ba6880 100644
> --- a/rust/kernel/num/bounded.rs
> +++ b/rust/kernel/num/bounded.rs
> @@ -284,6 +284,9 @@ impl<T, const N: u32> Bounded<T, N>
> ///
> /// The caller remains responsible for checking, either statically or dynamically, that `value`
> /// can be represented as a `T` using at most `N` bits.
> + ///
> + /// **Note**: This function is not marked as `unsafe` because it performs no memory-unsafe
> + /// operations itself.
I disagree. For the same reasons as str::from_utf8_unchecked, this
should also be unsafe. It creates a value that violates invariants,
which may be used to trigger UB combined with other safe code.
Alice
next prev parent reply other threads:[~2025-12-01 10:12 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-01 6:25 [PATCH] rust: num: bounded: add safety comment for Bounded::__new Hsiu Che Yu
2025-12-01 10:12 ` Alice Ryhl [this message]
2025-12-01 13:26 ` Hsiu Che Yu
2025-12-01 12:44 ` Miguel Ojeda
2025-12-01 13:35 ` Hsiu Che Yu
2025-12-01 16:05 ` Miguel Ojeda
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aS1qC_ol2XEpZ44b@google.com \
--to=aliceryhl@google.com \
--cc=a.hindborg@kernel.org \
--cc=acourbot@nvidia.com \
--cc=bjorn3_gh@protonmail.com \
--cc=boqun.feng@gmail.com \
--cc=dakr@kernel.org \
--cc=gary@garyguo.net \
--cc=linux-kernel@vger.kernel.org \
--cc=lossin@kernel.org \
--cc=ojeda@kernel.org \
--cc=rust-for-linux@vger.kernel.org \
--cc=tmgross@umich.edu \
--cc=yu.whisper.personal@gmail.com \
--cc=yury.norov@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.