Re: [PATCH 2/4] rust: sync: change `<Arc<T> as ForeignOwnable>::PointedTo` to `T`

[Fiona Behrens <me@kloenk.dev>]

Andreas Hindborg <a.hindborg@kernel.org> writes:

> Using `ArcInner` as `PoinedTo` in the `ForeignOwnable` implementation for
> `Arc` is a bit unfortunate. Using `T` as `PointedTo` does not remove any
> functionality, but allows `ArcInner` to be private. Further, it allows
> downstream users to write code that is generic over `Box` and `Arc`, when
> downstream users need access to `T` after calling `into_foreign`.
>
> Signed-off-by: Andreas Hindborg <a.hindborg@kernel.org>

Bit unfortunate that we first in the patch before made it public and now
private again, but it makes sense to split patches.
Think I also found this weird when I wrote my LED patch, so this makes
a lot of sense as this is what I would expect.

Reviewed-by: Fiona Behrens <me@kloenk.dev>

>
> ---
>
> This patch is a dependency for Rust `configfs` abstractions. It allows both
> `Box` and `Arc` to be used as pointer types in the `configfs` hierarchy.
> ---
>  rust/kernel/sync/arc.rs | 21 ++++++++++++++++-----
>  1 file changed, 16 insertions(+), 5 deletions(-)
>
> diff --git a/rust/kernel/sync/arc.rs b/rust/kernel/sync/arc.rs
> index dfe4abf82c25cf18398628d9cd5345a292419351..503e318b4c4effa2f1499b6fee0944079fde99aa 100644
> --- a/rust/kernel/sync/arc.rs
> +++ b/rust/kernel/sync/arc.rs
> @@ -143,7 +143,7 @@ pub struct Arc<T: ?Sized> {
>  #[doc(hidden)]
>  #[pin_data]
>  #[repr(C)]
> -pub struct ArcInner<T: ?Sized> {
> +struct ArcInner<T: ?Sized> {
>      refcount: Opaque<bindings::refcount_t>,
>      data: T,
>  }
> @@ -345,18 +345,25 @@ pub fn into_unique_or_drop(self) -> Option<Pin<UniqueArc<T>>> {
>  
>  // SAFETY: The `into_foreign` function returns a pointer that is well-aligned.
>  unsafe impl<T: 'static> ForeignOwnable for Arc<T> {
> -    type PointedTo = ArcInner<T>;
> +    type PointedTo = T;
>      type Borrowed<'a> = ArcBorrow<'a, T>;
>      type BorrowedMut<'a> = Self::Borrowed<'a>;
>  
>      fn into_foreign(self) -> *mut Self::PointedTo {
> -        ManuallyDrop::new(self).ptr.as_ptr()
> +        let x = ManuallyDrop::new(self).ptr.as_ptr();
> +        // SAFETY: `x` is a valid pointer to `Self` so the projection below is
> +        // in bounds of the allocation.
> +        unsafe { core::ptr::addr_of_mut!((*x).data) }
>      }
>  
>      unsafe fn from_foreign(ptr: *mut Self::PointedTo) -> Self {
> +        // SAFETY: We did the reverse offset calculation in `into_foreign`, so
> +        // the offset calculation below is in bounds of the allocation.
> +        let inner_ptr = unsafe { kernel::container_of!(ptr, ArcInner<T>, data).cast_mut() };
> +
>          // SAFETY: The safety requirements of this function ensure that `ptr` comes from a previous
>          // call to `Self::into_foreign`.
> -        let inner = unsafe { NonNull::new_unchecked(ptr) };
> +        let inner = unsafe { NonNull::new_unchecked(inner_ptr) };
>  
>          // SAFETY: By the safety requirement of this function, we know that `ptr` came from
>          // a previous call to `Arc::into_foreign`, which guarantees that `ptr` is valid and
> @@ -365,9 +372,13 @@ unsafe fn from_foreign(ptr: *mut Self::PointedTo) -> Self {
>      }
>  
>      unsafe fn borrow<'a>(ptr: *mut Self::PointedTo) -> ArcBorrow<'a, T> {
> +        // SAFETY: We did the reverse offset calculation in `into_foreign`, so
> +        // the offset calculation below is in bounds of the allocation.
> +        let inner_ptr = unsafe { kernel::container_of!(ptr, ArcInner<T>, data).cast_mut() };
> +
>          // SAFETY: The safety requirements of this function ensure that `ptr` comes from a previous
>          // call to `Self::into_foreign`.
> -        let inner = unsafe { NonNull::new_unchecked(ptr) };
> +        let inner = unsafe { NonNull::new_unchecked(inner_ptr) };
>  
>          // SAFETY: The safety requirements of `from_foreign` ensure that the object remains alive
>          // for the lifetime of the returned value.