Re: [PATCH v2 01/21] rust: transmute: add `cast_slice[_mut]` functions

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] The `# Safety` sections for `cast_slice` and `cast_slice_mut` are incomplete and unsound, omitting requirements for validity invariants, interior mutability, and mutable write-back.
- [Low] Missing `#[inline]` attribute on the `cast_slice` and `cast_slice_mut` abstraction functions.
--

commit 81ab9367137984ee8a82555d066400739962f02f
Author: Benno Lossin <lossin@kernel.org>

rust: transmute: add cast_slice[_mut] functions

Add functions to make casting slices only one unsafe block.

Message-ID: <20250814124424.516191-2-lossin@kernel.org>

> diff --git a/rust/kernel/transmute.rs b/rust/kernel/transmute.rs
> --- a/rust/kernel/transmute.rs
> +++ b/rust/kernel/transmute.rs
[ ... ]
> +/// # Safety
> +///
> +/// - `T` and `U` must have the same layout.
> +pub unsafe fn cast_slice<T, U>(slice: &[T]) -> &[U] {

[Severity: High]
Are the safety requirements here complete? It seems we also need to ensure
that any bit pattern valid for T is also valid for U, and that the cast
doesn't introduce interior mutability.

[Severity: Low]
This isn't a bug, but should this have an #[inline] attribute since it is a
small forwarding function in an abstraction crate?

> +    // CAST: by the safety requirements, `T` and `U` have the same layout.
> +    let ptr = slice.as_ptr().cast::<U>();
> +    // SAFETY: `ptr` and `len` come from the same slice reference.
> +    unsafe { slice::from_raw_parts(ptr, slice.len()) }
> +}
[ ... ]
> +/// # Safety
> +///
> +/// - `T` and `U` must have the same layout.
> +pub unsafe fn cast_slice_mut<T, U>(slice: &mut [T]) -> &mut [U] {

[Severity: High]
Are the safety preconditions here sufficient to prevent undefined behavior?
In addition to layout equivalence, any value of U written to the slice must
also be a valid T, and the cast shouldn't introduce interior mutability.

[Severity: Low]
This isn't a bug, but should this also be marked with #[inline] according to
the Rust subsystem coding guidelines for abstraction functions?

> +    // CAST: by the safety requirements, `T` and `U` have the same layout.
> +    let ptr = slice.as_mut_ptr().cast::<U>();
> +    // SAFETY: `ptr` and `len` come from the same slice reference.
> +    unsafe { slice::from_raw_parts_mut(ptr, slice.len()) }
> +}

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260623045406.2589547-1-alistair.francis@wdc.com?part=1