[PATCH] rust: document safety requirements for fmt::Arguments dereference

[PATCH] rust: document safety requirements for fmt::Arguments dereference

[Riccardo]

Signed-off-by: Riccardo <riccioadami@gmail.com>
---
 rust/kernel/print.rs | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/rust/kernel/print.rs b/rust/kernel/print.rs
index 899bed9c08fd..5f54be97a6a0 100644
--- a/rust/kernel/print.rs
+++ b/rust/kernel/print.rs
@@ -25,10 +25,10 @@
     // SAFETY: The C contract guarantees that `buf` is valid if it's less than `end`.
     let mut w = unsafe { RawFormatter::from_ptrs(buf.cast(), end.cast()) };
     //SAFETY: `ptr` is provided by the kernel formatting path for the `%pA`
-// specifier during `vsnprintf` processing and always points to a valid
-// `fmt::Arguments` value created by the caller. The value lives at least
-// for the duration of this call and is only read here. It is not stored
-// or accessed after returning, so dereferencing it is safe.
+    // specifier during `vsnprintf` processing and always points to a valid
+    // `fmt::Arguments` value created by the caller. The value lives at least
+    // for the duration of this call and is only read here. It is not stored
+    // or accessed after returning, so dereferencing it is safe.
 
     let _ = w.write_fmt(unsafe { *ptr.cast::<fmt::Arguments<'_>>() });
     w.pos().cast()
-- 
2.52.0

Re: [PATCH] rust: document safety requirements for fmt::Arguments dereference

[Greg KH]

On Sat, Dec 20, 2025 at 09:43:32AM +0000, Riccardo wrote:
> Signed-off-by: Riccardo <riccioadami@gmail.com>
> ---
>  rust/kernel/print.rs | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/rust/kernel/print.rs b/rust/kernel/print.rs
> index 899bed9c08fd..5f54be97a6a0 100644
> --- a/rust/kernel/print.rs
> +++ b/rust/kernel/print.rs
> @@ -25,10 +25,10 @@
>      // SAFETY: The C contract guarantees that `buf` is valid if it's less than `end`.
>      let mut w = unsafe { RawFormatter::from_ptrs(buf.cast(), end.cast()) };
>      //SAFETY: `ptr` is provided by the kernel formatting path for the `%pA`
> -// specifier during `vsnprintf` processing and always points to a valid
> -// `fmt::Arguments` value created by the caller. The value lives at least
> -// for the duration of this call and is only read here. It is not stored
> -// or accessed after returning, so dereferencing it is safe.
> +    // specifier during `vsnprintf` processing and always points to a valid
> +    // `fmt::Arguments` value created by the caller. The value lives at least
> +    // for the duration of this call and is only read here. It is not stored
> +    // or accessed after returning, so dereferencing it is safe.
>  
>      let _ = w.write_fmt(unsafe { *ptr.cast::<fmt::Arguments<'_>>() });
>      w.pos().cast()
> -- 
> 2.52.0
> 
> 

Hi,

This is the friendly patch-bot of Greg Kroah-Hartman.  You have sent him
a patch that has triggered this response.  He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created.  Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.

You are receiving this message because of the following common error(s)
as indicated below:

- You did not specify a description of why the patch is needed, or
  possibly, any description at all, in the email body.  Please read the
  section entitled "The canonical patch format" in the kernel file,
  Documentation/process/submitting-patches.rst for what is needed in
  order to properly describe the change.

- It looks like you did not use your "real" name for the patch on either
  the Signed-off-by: line, or the From: line (both of which have to
  match).  Please read the kernel file,
  Documentation/process/submitting-patches.rst for how to do this
  correctly.

If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.

thanks,

greg k-h's patch email bot

[PATCH] rust: document safety requirements for fmt::Arguments dereference

[Riccardo]

From: Riccardo Adami <riccioadami@gmail.com>

This patch documents the safety requirements for dereferencing
`fmt::Arguments` in the kernel's `vsnprintf` formatting path. This
clarifies why it is safe to perform the unsafe dereference in
`rust_fmt_argument` and helps future maintainers understand the
invariants, reducing the risk of incorrect modifications.

---
 rust/kernel/print.rs | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/rust/kernel/print.rs b/rust/kernel/print.rs
index 899bed9c08fd..5f54be97a6a0 100644
--- a/rust/kernel/print.rs
+++ b/rust/kernel/print.rs
@@ -25,10 +25,10 @@
     // SAFETY: The C contract guarantees that `buf` is valid if it's less than `end`.
     let mut w = unsafe { RawFormatter::from_ptrs(buf.cast(), end.cast()) };
     //SAFETY: `ptr` is provided by the kernel formatting path for the `%pA`
-// specifier during `vsnprintf` processing and always points to a valid
-// `fmt::Arguments` value created by the caller. The value lives at least
-// for the duration of this call and is only read here. It is not stored
-// or accessed after returning, so dereferencing it is safe.
+    // specifier during `vsnprintf` processing and always points to a valid
+    // `fmt::Arguments` value created by the caller. The value lives at least
+    // for the duration of this call and is only read here. It is not stored
+    // or accessed after returning, so dereferencing it is safe.
 
     let _ = w.write_fmt(unsafe { *ptr.cast::<fmt::Arguments<'_>>() });
     w.pos().cast()
-- 
2.52.0

Re: [PATCH] rust: document safety requirements for fmt::Arguments dereference

[Greg KH]

On Sat, Dec 20, 2025 at 10:14:01AM +0000, Riccardo wrote:
> From: Riccardo Adami <riccioadami@gmail.com>
> 
> This patch documents the safety requirements for dereferencing
> `fmt::Arguments` in the kernel's `vsnprintf` formatting path. This
> clarifies why it is safe to perform the unsafe dereference in
> `rust_fmt_argument` and helps future maintainers understand the
> invariants, reducing the risk of incorrect modifications.
> 
> ---
>  rust/kernel/print.rs | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/rust/kernel/print.rs b/rust/kernel/print.rs
> index 899bed9c08fd..5f54be97a6a0 100644
> --- a/rust/kernel/print.rs
> +++ b/rust/kernel/print.rs
> @@ -25,10 +25,10 @@
>      // SAFETY: The C contract guarantees that `buf` is valid if it's less than `end`.
>      let mut w = unsafe { RawFormatter::from_ptrs(buf.cast(), end.cast()) };
>      //SAFETY: `ptr` is provided by the kernel formatting path for the `%pA`
> -// specifier during `vsnprintf` processing and always points to a valid
> -// `fmt::Arguments` value created by the caller. The value lives at least
> -// for the duration of this call and is only read here. It is not stored
> -// or accessed after returning, so dereferencing it is safe.
> +    // specifier during `vsnprintf` processing and always points to a valid
> +    // `fmt::Arguments` value created by the caller. The value lives at least
> +    // for the duration of this call and is only read here. It is not stored
> +    // or accessed after returning, so dereferencing it is safe.
>  
>      let _ = w.write_fmt(unsafe { *ptr.cast::<fmt::Arguments<'_>>() });
>      w.pos().cast()
> -- 
> 2.52.0
> 

Hi,

This is the friendly patch-bot of Greg Kroah-Hartman.  You have sent him
a patch that has triggered this response.  He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created.  Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.

You are receiving this message because of the following common error(s)
as indicated below:

- Your patch does not have a Signed-off-by: line.  Please read the
  kernel file, Documentation/process/submitting-patches.rst and resend
  it after adding that line.  Note, the line needs to be in the body of
  the email, before the patch, not at the bottom of the patch or in the
  email signature.

- This looks like a new version of a previously submitted patch, but you
  did not list below the --- line any changes from the previous version.
  Please read the section entitled "The canonical patch format" in the
  kernel file, Documentation/process/submitting-patches.rst for what
  needs to be done here to properly describe this.

If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.

thanks,

greg k-h's patch email bot

[PATCH] rust: document safety requirements for fmt::Arguments dereference

[Riccardo]

From: Riccardo Adami <riccioadami@gmail.com>

This patch documents the safety requirements for dereferencing
`fmt::Arguments` in the kernel's `vsnprintf` formatting path. This
clarifies why it is safe to perform the unsafe dereference in
`rust_fmt_argument` and helps future maintainers understand the
invariants, reducing the risk of incorrect modifications.
Signed-off-by: Riccardo <riccioadami@gmail.com>
---
 rust/kernel/print.rs | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/rust/kernel/print.rs b/rust/kernel/print.rs
index 899bed9c08fd..5f54be97a6a0 100644
--- a/rust/kernel/print.rs
+++ b/rust/kernel/print.rs
@@ -25,10 +25,10 @@
     // SAFETY: The C contract guarantees that `buf` is valid if it's less than `end`.
     let mut w = unsafe { RawFormatter::from_ptrs(buf.cast(), end.cast()) };
     //SAFETY: `ptr` is provided by the kernel formatting path for the `%pA`
-// specifier during `vsnprintf` processing and always points to a valid
-// `fmt::Arguments` value created by the caller. The value lives at least
-// for the duration of this call and is only read here. It is not stored
-// or accessed after returning, so dereferencing it is safe.
+    // specifier during `vsnprintf` processing and always points to a valid
+    // `fmt::Arguments` value created by the caller. The value lives at least
+    // for the duration of this call and is only read here. It is not stored
+    // or accessed after returning, so dereferencing it is safe.
 
     let _ = w.write_fmt(unsafe { *ptr.cast::<fmt::Arguments<'_>>() });
     w.pos().cast()
-- 
2.52.0

Re: [PATCH] rust: document safety requirements for fmt::Arguments dereference

[Dirk Behme]

Hi Riccardo,

On 20.12.25 14:00, Riccardo wrote:
> From: Riccardo Adami <riccioadami@gmail.com>

If you configure your mail tool to use `Riccardo Adami
<riccioadami@gmail.com>` automatically in the `From: ...` (instead
of`Riccardo <riccioadami@gmail.com>` which is there at the moment)
there is no need to add this `From: ...` manually here.

> This patch documents the safety requirements for dereferencing
> `fmt::Arguments` in the kernel's `vsnprintf` formatting path. This
> clarifies why it is safe to perform the unsafe dereference in
> `rust_fmt_argument` and helps future maintainers understand the
> invariants, reducing the risk of incorrect modifications.

Empty line between the description and the Signed-off-by please.

> Signed-off-by: Riccardo <riccioadami@gmail.com>

Please use your "full" name here. Like you have done in the manually
added `From: ...` above: Riccardo Adami <riccioadami@gmail.com>

> ---

If you send newer versions of your patch please use some versioning
v2, v3 etc. This has to go into the subject e.g. `[PATCH v2] ...` and
needs a change log here below the `---` e.g.

v2: Add Signed-off-by ....

Maybe you like to have a look to existing patches like

https://lore.kernel.org/rust-for-linux/20251218-inline-lock-unlock-v2-1-fbadac8bd61b@google.com/

>  rust/kernel/print.rs | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/rust/kernel/print.rs b/rust/kernel/print.rs
> index 899bed9c08fd..5f54be97a6a0 100644
> --- a/rust/kernel/print.rs
> +++ b/rust/kernel/print.rs
> @@ -25,10 +25,10 @@
>      // SAFETY: The C contract guarantees that `buf` is valid if it's less than `end`.
>      let mut w = unsafe { RawFormatter::from_ptrs(buf.cast(), end.cast()) };
>      //SAFETY: `ptr` is provided by the kernel formatting path for the `%pA`
> -// specifier during `vsnprintf` processing and always points to a valid
> -// `fmt::Arguments` value created by the caller. The value lives at least
> -// for the duration of this call and is only read here. It is not stored
> -// or accessed after returning, so dereferencing it is safe.
> +    // specifier during `vsnprintf` processing and always points to a valid
> +    // `fmt::Arguments` value created by the caller. The value lives at least
> +    // for the duration of this call and is only read here. It is not stored
> +    // or accessed after returning, so dereferencing it is safe.

I have some difficulties matching the description in the commit
message above with this change. For me it looks like you just fix the
indentation but haven't changed anything on the SAFETY comment itself?

Looking at the original file

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/rust/kernel/print.rs?h=v6.19-rc1#n27

I wonder if in the end you want to update the `// SAFETY: TODO.`
there? What would match the commit description? But that isn't done
here. So if this is the case you might want to check if you sent an
intermediate version of you work?

Thanks for working on this!

Dirk