From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Danilo Krummrich <dakr@kernel.org>
Cc: "Matthew Maurer" <mmaurer@google.com>,
"Miguel Ojeda" <ojeda@kernel.org>,
"Alex Gaynor" <alex.gaynor@gmail.com>,
"Boqun Feng" <boqun.feng@gmail.com>,
"Gary Guo" <gary@garyguo.net>,
"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
"Benno Lossin" <benno.lossin@proton.me>,
"Andreas Hindborg" <a.hindborg@kernel.org>,
"Alice Ryhl" <aliceryhl@google.com>,
"Trevor Gross" <tmgross@umich.edu>,
"Rafael J. Wysocki" <rafael@kernel.org>,
"Sami Tolvanen" <samitolvanen@google.com>,
"Timur Tabi" <ttabi@nvidia.com>,
linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org
Subject: Re: [PATCH v3 1/4] rust: debugfs: Bind DebugFS directory creation
Date: Fri, 2 May 2025 09:00:07 +0200 [thread overview]
Message-ID: <2025050230-browsing-backstab-8de9@gregkh> (raw)
In-Reply-To: <aBRoNKjB063QhGZo@pollux>
On Fri, May 02, 2025 at 08:37:40AM +0200, Danilo Krummrich wrote:
> On Thu, May 01, 2025 at 10:47:41PM +0000, Matthew Maurer wrote:
> > +/// Owning handle to a DebugFS directory.
> > +///
> > +/// This directory will be cleaned up when it goes out of scope.
> > +///
> > +/// # Invariants
> > +///
> > +/// The wrapped pointer will always be `NULL`, an error, or an owned DebugFS `dentry`.
> > +#[repr(transparent)]
> > +pub struct Dir(#[cfg(CONFIG_DEBUG_FS)] *mut bindings::dentry);
>
> Should probably use Opaque instead of a raw pointer.
>
> > +// SAFETY: Dir is just a `dentry` under the hood, which the API promises can be transferred
>
> [`Dir`]
>
> > +// between threads.
> > +unsafe impl Send for Dir {}
> > +
> > +// SAFETY: All the native functions we re-export use interior locking, and the contents of the
> > +// struct are opaque to Rust.
> > +unsafe impl Sync for Dir {}
> > +
> > +impl Dir {
> > + /// Create a new directory in DebugFS at the root.
> > + ///
> > + /// # Examples
> > + ///
> > + /// ```
> > + /// # use kernel::c_str;
> > + /// # use kernel::debugfs::Dir;
> > + /// {
> > + /// let parent = Dir::new(c_str!("parent"));
> > + /// // The path "parent" exists in DebugFS here.
> > + /// }
> > + /// // It does not exist here.
>
> This ready like an explanation for scopes; I think we should drop those comments
> and the scope.
>
> > + /// ```
> > + pub fn new(name: &CStr) -> Self {
> > + Self::create(name, None)
> > + }
> > +
> > + /// Create a DebugFS subdirectory.
> > + ///
> > + /// This returns a [`SubDir`], which will not be automatically cleaned up when it leaves scope.
> > + /// To convert this to a handle governing the lifetime of the directory, use [`Dir::from`].
> > + ///
> > + /// # Examples
> > + ///
> > + /// ```
> > + /// # use kernel::c_str;
> > + /// # use kernel::debugfs::Dir;
> > + /// {
> > + /// let parent = Dir::new(c_str!("parent"));
> > + /// // The path "parent" exists in DebugFS here.
> > + /// {
> > + /// let child = parent.subdir(c_str!("child"));
> > + /// // The path "parent/child" exists in DebugFS here.
> > + /// }
> > + /// // The path "parent/child" still exists.
> > + /// {
> > + /// let child2 = Dir::from(parent.subdir(c_str!("child2")));
> > + /// // The path "parent/child2" exists in DebugFS here.
> > + /// }
> > + /// // The path "parent/child2" is gone.
> > + /// }
> > + /// // None of the paths exist here.
>
> I think the fact that you need all those comments here proves that it's not
> really intuitive. Please see me comment on SubDir below.
>
> > + /// ```
> > + pub fn subdir(&self, name: &CStr) -> SubDir {
> > + SubDir::new(Self::create(name, Some(self)))
> > + }
> > +
> > + /// Create a new directory in DebugFS. If `parent` is [`None`], it will be created at the root.
> > + #[cfg(CONFIG_DEBUG_FS)]
> > + fn create(name: &CStr, parent: Option<&Self>) -> Self {
> > + let parent_ptr = match parent {
> > + Some(parent) => parent.as_ptr(),
> > + None => core::ptr::null_mut(),
> > + };
> > + // SAFETY:
> > + // * `name` argument points to a NUL-terminated string that lives across the call, by
> > + // invariants of `&CStr`.
> > + // * If `parent` is `None`, `parent` accepts null pointers to mean create at root.
> > + // * If `parent` is `Some`, `parent` accepts live dentry debugfs pointers.
> > + // * `debugfs_create_dir` either returns an error code or a legal `dentry` pointer,
> > + // so we can call `Self::from_ptr`.
> > + unsafe { Self::from_ptr(bindings::debugfs_create_dir(name.as_char_ptr(), parent_ptr)) }
>
> Please split up in two calls, such that we don't have two unsafe function calls
> in a single unsafe block.
>
> > + }
> > +
> > + #[cfg(not(CONFIG_DEBUG_FS))]
> > + fn create(_name: &CStr, _parent: Option<&Self>) -> Self {
> > + Self()
> > + }
> > +
> > + /// Constructs a new DebugFS [`Dir`] from the underlying pointer.
> > + ///
> > + /// # Safety
> > + ///
> > + /// The pointer must either be an error code, `NULL`, or represent a transfer of ownership of a
> > + /// live DebugFS directory.
> > + #[cfg(CONFIG_DEBUG_FS)]
> > + unsafe fn from_ptr(ptr: *mut bindings::dentry) -> Self {
> > + Self(ptr)
> > + }
> > +
> > + /// Returns the pointer representation of the DebugFS directory.
> > + ///
> > + /// Due to the type invariant, the value returned from this function will always be an error
> > + /// code, NUL, or a live DebugFS directory.
>
> Maybe put this in a '# Guarantees' section.
>
> > + // If this function is ever needed with `not(CONFIG_DEBUG_FS)`, hardcode it to return `ENODEV`.
>
> I think you mean ERR_PTR(ENODEV).
>
> > + #[cfg(CONFIG_DEBUG_FS)]
> > + fn as_ptr(&self) -> *mut bindings::dentry {
> > + self.0
> > + }
> > +}
> > +
> > +impl Drop for Dir {
> > + fn drop(&mut self) {
> > + // SAFETY: `debugfs_remove` can take `NULL`, error values, and legal DebugFS dentries.
> > + // `as_ptr` guarantees that the pointer is of this form.
> > + #[cfg(CONFIG_DEBUG_FS)]
> > + unsafe {
> > + bindings::debugfs_remove(self.as_ptr())
> > + }
> > + }
> > +}
> > +
> > +/// Handle to a DebugFS directory that will stay alive after leaving scope.
> > +#[repr(transparent)]
> > +pub struct SubDir(ManuallyDrop<Dir>);
>
> I think it's not very intuitive if the default is that a SubDir still exists
> after it has been dropped. I think your first approach being explicit about this
> with keep() consuming the SubDir was much better; please keep this approach.
Wait, let's step back. Why do we care about the difference between a
"subdir" and a "dir"? They both are the same thing, and how do you
describe a subdir of a subdir? :)
Why the "split" here, that just adds additional mental energy to both
someone using the api, as well as someone having to review someone using
it. A directory is a directory, no matter where in debugfs it lives, so
let's just keep it as simple as possible please.
thanks,
greg k-h
next prev parent reply other threads:[~2025-05-02 7:00 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-01 22:47 [PATCH v3 0/4] rust: DebugFS Bindings Matthew Maurer
2025-05-01 22:47 ` [PATCH v3 1/4] rust: debugfs: Bind DebugFS directory creation Matthew Maurer
2025-05-02 6:37 ` Danilo Krummrich
2025-05-02 7:00 ` Greg Kroah-Hartman [this message]
2025-05-02 7:05 ` Danilo Krummrich
2025-05-02 7:11 ` Greg Kroah-Hartman
2025-05-02 7:33 ` Danilo Krummrich
2025-05-02 7:39 ` Danilo Krummrich
2025-05-02 11:55 ` Greg Kroah-Hartman
2025-05-02 16:13 ` Matthew Maurer
2025-05-02 15:48 ` Matthew Maurer
2025-05-03 11:58 ` Danilo Krummrich
2025-05-02 8:12 ` Benno Lossin
2025-05-02 11:36 ` Greg Kroah-Hartman
2025-05-01 22:47 ` [PATCH v3 2/4] rust: debugfs: Bind file creation for long-lived Display Matthew Maurer
2025-05-02 6:52 ` Danilo Krummrich
2025-05-02 18:07 ` Matthew Maurer
2025-05-03 12:14 ` Danilo Krummrich
2025-05-01 22:47 ` [PATCH v3 3/4] rust: debugfs: Support format hooks Matthew Maurer
2025-05-01 22:47 ` [PATCH v3 4/4] rust: samples: Add debugfs sample Matthew Maurer
2025-05-02 7:01 ` Danilo Krummrich
2025-05-02 7:13 ` Greg Kroah-Hartman
2025-05-02 7:44 ` Danilo Krummrich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2025050230-browsing-backstab-8de9@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=a.hindborg@kernel.org \
--cc=alex.gaynor@gmail.com \
--cc=aliceryhl@google.com \
--cc=benno.lossin@proton.me \
--cc=bjorn3_gh@protonmail.com \
--cc=boqun.feng@gmail.com \
--cc=dakr@kernel.org \
--cc=gary@garyguo.net \
--cc=linux-kernel@vger.kernel.org \
--cc=mmaurer@google.com \
--cc=ojeda@kernel.org \
--cc=rafael@kernel.org \
--cc=rust-for-linux@vger.kernel.org \
--cc=samitolvanen@google.com \
--cc=tmgross@umich.edu \
--cc=ttabi@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.