I just read the upcoming Rust code for Linux Kernel from Github. Maybe I am stupid. What I see is just unsafe everywhere. All Rust functions are unsafe.

For example
https://github.com/Rust-for-Linux/linux/blob/rust/rust/alloc/rc.rs


The entire code are just unsafe hell.


#[cfg(not(no_global_oom_handling))]
unsafe fn allocate_for_layout(
value_layout: Layout,
allocate: impl FnOnce(Layout) -> Result<NonNull, AllocError>,
mem_to_rcbox: impl FnOnce(*mut u8) -> *mut RcBox,
) -> *mut RcBox {
// Calculate layout using the given value layout.
// Previously, layout was calculated on the expression
// `&*(ptr as *const RcBox)`, but this created a misaligned
// reference (see #54908).
let layout = Layout::new::<RcBox>().extend(value_layout).unwrap().0.pad_to_align();
unsafe {
Rc::try_allocate_for_layout(value_layout, allocate, mem_to_rcbox)
.unwrap_or_else(|_| handle_alloc_error(layout))
}
}

/// Allocates an `RcBox` with sufficient space for
/// a possibly-unsized inner value where the value has the layout provided,
/// returning an error if allocation fails.
///
/// The function `mem_to_rcbox` is called with the data pointer
/// and must return back a (potentially fat)-pointer for the `RcBox`.
#[inline]
unsafe fn try_allocate_for_layout(
value_layout: Layout,
allocate: impl FnOnce(Layout) -> Result<NonNull, AllocError>,
mem_to_rcbox: impl FnOnce(*mut u8) -> *mut RcBox,
) -> Result<*mut RcBox, AllocError> {
// Calculate layout using the given value layout.
// Previously, layout was calculated on the expression
// `&*(ptr as *const RcBox)`, but this created a misaligned
// reference (see #54908).
let layout = Layout::new::<RcBox>().extend(value_layout).unwrap().0.pad_to_align();

// Allocate for the layout.
let ptr = allocate(layout)?;

// Initialize the RcBox
let inner = mem_to_rcbox(ptr.as_non_null_ptr().as_ptr());
unsafe {
debug_assert_eq!(Layout::for_value(&*inner), layout);

ptr::write(&mut (*inner).strong, Cell::new(1));
ptr::write(&mut (*inner).weak, Cell::new(1));
}

Ok(inner)
}


Dual error reporting (C++ moment).

C++ is clearly a terrible choice for kernel development due to exception handling and all sorts of other issues. Here the rust code looks just as bad as using C++ for me.
I do not understand how could this code brings any safety.



Some Rust people like Alex Gaynor who actively push Rust into kernel look crazy for me. They said using C and C++ violates human rights.

https://www.memorysafety.org/docs/memory-safety/

These vulnerabilities and exploits, and many others, are made possible because C and C++ are not memory safe. Organizations which write large amounts of C and C++ inevitably produce large numbers of vulnerabilities that can be directly attributed to a lack of memory safety. These vulnerabilities are exploited, to the peril of hospitals, human rights dissidents, and health policy experts. Using C and C++ is bad for society, bad for your reputation, and it's bad for your customers.


Maybe Linus Torvalds also agrees using C and C++ violates human rights like those Rust people believe?