[PATCH] rust: transmute: use split_at_checked() and split_at_mut_checked()

[PATCH] rust: transmute: use split_at_checked() and split_at_mut_checked()

[Albab Hasan]

Replace manual bounds checking followed by split_at() and split_at_mut()
calls with the checked variants split_at_checked() and
split_at_mut_checked(), which return None instead of panicking on
out-of-bounds indices.

These methods were stabilized in Rust 1.80.0, which is the current
minimum supported Rust version for the kernel.

This simplifies from_bytes_prefix(), from_bytes_mut_prefix(), and
from_bytes_copy_prefix() by removing the explicit bounds checks and
panic-avoidance comments that are no longer needed.

Signed-off-by: Albab Hasan <albabhasan276@gmail.com>
---
 rust/kernel/transmute.rs | 33 ++++++---------------------------
 1 file changed, 6 insertions(+), 27 deletions(-)

diff --git a/rust/kernel/transmute.rs b/rust/kernel/transmute.rs
index 5711580c9f9b..643b19406a24 100644
--- a/rust/kernel/transmute.rs
+++ b/rust/kernel/transmute.rs
@@ -67,16 +67,9 @@ fn from_bytes_prefix(bytes: &[u8]) -> Option<(&Self, &[u8])>
     where
         Self: Sized,
     {
-        if bytes.len() < size_of::<Self>() {
-            None
-        } else {
-            // PANIC: We checked that `bytes.len() >= size_of::<Self>`, thus `split_at` cannot
-            // panic.
-            // TODO: replace with `split_at_checked` once the MSRV is >= 1.80.
-            let (prefix, remainder) = bytes.split_at(size_of::<Self>());
+        let (prefix, remainder) = bytes.split_at_checked(size_of::<Self>())?;
 
-            Self::from_bytes(prefix).map(|s| (s, remainder))
-        }
+        Self::from_bytes(prefix).map(|s| (s, remainder))
     }
 
     /// Converts a mutable slice of bytes to a reference to `Self`.
@@ -110,16 +103,9 @@ fn from_bytes_mut_prefix(bytes: &mut [u8]) -> Option<(&mut Self, &mut [u8])>
     where
         Self: AsBytes + Sized,
     {
-        if bytes.len() < size_of::<Self>() {
-            None
-        } else {
-            // PANIC: We checked that `bytes.len() >= size_of::<Self>`, thus `split_at_mut` cannot
-            // panic.
-            // TODO: replace with `split_at_mut_checked` once the MSRV is >= 1.80.
-            let (prefix, remainder) = bytes.split_at_mut(size_of::<Self>());
+        let (prefix, remainder) = bytes.split_at_mut_checked(size_of::<Self>())?;
 
-            Self::from_bytes_mut(prefix).map(|s| (s, remainder))
-        }
+        Self::from_bytes_mut(prefix).map(|s| (s, remainder))
     }
 
     /// Creates an owned instance of `Self` by copying `bytes`.
@@ -149,16 +135,9 @@ fn from_bytes_copy_prefix(bytes: &[u8]) -> Option<(Self, &[u8])>
     where
         Self: Sized,
     {
-        if bytes.len() < size_of::<Self>() {
-            None
-        } else {
-            // PANIC: We checked that `bytes.len() >= size_of::<Self>`, thus `split_at` cannot
-            // panic.
-            // TODO: replace with `split_at_checked` once the MSRV is >= 1.80.
-            let (prefix, remainder) = bytes.split_at(size_of::<Self>());
+        let (prefix, remainder) = bytes.split_at_checked(size_of::<Self>())?;
 
-            Self::from_bytes_copy(prefix).map(|s| (s, remainder))
-        }
+        Self::from_bytes_copy(prefix).map(|s| (s, remainder))
     }
 }
 
-- 
2.43.0

Re: [PATCH] rust: transmute: use split_at_checked() and split_at_mut_checked()

[Miguel Ojeda]

On Tue, Mar 10, 2026 at 10:57 AM Albab Hasan <albabhasan276@gmail.com> wrote:
>
> These methods were stabilized in Rust 1.80.0, which is the current
> minimum supported Rust version for the kernel.

No, it is not 1.80.0, but 1.78.0 -- please check
`Documentation/process/changes.rst`.

We can still use them, since they were added in 1.77 from a quick
look, though, but the feature would need to be enabled.

We will soon bump the minimum this cycle (but it will not be 1.80 but
1.85), so we could alternatively just put the patch on top instead of
enabling the feature.

Thanks!

Cheers,
Miguel

Re: [PATCH] rust: transmute: use split_at_checked() and split_at_mut_checked()

[Albab Hasan]

On Wed, 11 Mar 2026 at 01:53, Miguel Ojeda
<miguel.ojeda.sandonis@gmail.com> wrote:
>
> On Tue, Mar 10, 2026 at 12:59 PM Albab Hasan <albabhasan276@gmail.com> wrote:
> >
> > Thanks for the correction. I'll wait for the MSRV bump to 1.85 and rebase the patch on top of that.
> >
> > Also I should note that a similar patch was made by Joy G Majumdar but that received no replies and was not merged (possibly abandoned). I forgot to add this in my initial mail. I hope that wont be a problem.
> >
> > Link to the previous patch: https://lore.kernel.org/linux-kernel/CABJmqzutbhyc5yiE_+=M=+gPCo=rYWZ2Tc2FhjMvC9QzZPuEag@mail.gmail.com/
>
> You're welcome!
>
> Sounds good -- I would suggest replying with "Reply to All", since it
> seems this reply was sent in private, rather than to the mailing list,
> i.e. I don't think others can see your reply. (You should avoid HTML
> replies, since they get dropped by the mailing lists, by the way).
>
> And thanks for the pointer to the other patch -- I didn't have it in
> my spreadsheet. It seems it was sent to some mailing lists that don't
> seem to exist (except for the LKML one). It wasn't sent to the
> individual maintainers either.
>
> I would suggest mentioning the other patch in public, and taking
> perhaps the chance to Cc the maintainers (using
> `scripts/get_maintainers.pl` or e.g.
> https://rust-for-linux.com/contributing#submitting-patches), plus
> Cc'ing Joy so that he is aware of this one, and perhaps you may want
> to consider crediting him (depending on what you think is fair, there
> are several ways -- please see
> `Documentation/process/submitting-patches.rst`).
>
> I hope that helps!
>
> Cheers,
> Miguel

Thanks Miguel.

I'll wait for the MSRV bump and send the V2 then.

I would also like to note that a similar patch was submitted by Joy G
Majumdar on 2026-01-05 but received no replies and was not merged:

https://lore.kernel.org/linux-kernel/CABJmqzutbhyc5yiE_+=M=+gPCo=rYWZ2Tc2FhjMvC9QzZPuEag@mail.gmail.com/

I'll Cc Joy and all relevant maintainers on v2, and credit him.

Thanks,
Albab

Re: [PATCH] rust: transmute: use split_at_checked() and split_at_mut_checked()

[Alexandre Courbot]

On Tue Mar 10, 2026 at 6:57 PM JST, Albab Hasan wrote:
> Replace manual bounds checking followed by split_at() and split_at_mut()
> calls with the checked variants split_at_checked() and
> split_at_mut_checked(), which return None instead of panicking on
> out-of-bounds indices.
>
> These methods were stabilized in Rust 1.80.0, which is the current
> minimum supported Rust version for the kernel.
>
> This simplifies from_bytes_prefix(), from_bytes_mut_prefix(), and
> from_bytes_copy_prefix() by removing the explicit bounds checks and
> panic-avoidance comments that are no longer needed.
>
> Signed-off-by: Albab Hasan <albabhasan276@gmail.com>
> ---
>  rust/kernel/transmute.rs | 33 ++++++---------------------------
>  1 file changed, 6 insertions(+), 27 deletions(-)
>
> diff --git a/rust/kernel/transmute.rs b/rust/kernel/transmute.rs
> index 5711580c9f9b..643b19406a24 100644
> --- a/rust/kernel/transmute.rs
> +++ b/rust/kernel/transmute.rs
> @@ -67,16 +67,9 @@ fn from_bytes_prefix(bytes: &[u8]) -> Option<(&Self, &[u8])>
>      where
>          Self: Sized,
>      {
> -        if bytes.len() < size_of::<Self>() {
> -            None
> -        } else {
> -            // PANIC: We checked that `bytes.len() >= size_of::<Self>`, thus `split_at` cannot
> -            // panic.
> -            // TODO: replace with `split_at_checked` once the MSRV is >= 1.80.
> -            let (prefix, remainder) = bytes.split_at(size_of::<Self>());
> +        let (prefix, remainder) = bytes.split_at_checked(size_of::<Self>())?;
>  
> -            Self::from_bytes(prefix).map(|s| (s, remainder))
> -        }
> +        Self::from_bytes(prefix).map(|s| (s, remainder))

Or as a single expression:

    bytes
        .split_at_checked(size_of::<Self>())
        .and_then(|(prefix, remainder)| Some((Self::from_bytes(prefix)?, remainder)))