[PATCH] rust: move ARef and AlwaysRefCounted to sync::aref

[PATCH] rust: move ARef and AlwaysRefCounted to sync::aref

[Shankari Anand]

Move the definitions of `ARef` and `AlwaysRefCounted` from `types.rs`
to a new file `sync/aref.rs`.
Define the corresponding `aref` module under `rust/kernel/sync.rs`.
These types are better grouped in `sync` with other synchronization primitives.

To avoid breaking existing imports, they are re-exported from `types.rs`.
Drop unused imports `mem::ManuallyDrop`, `ptr::NonNull` from `types.rs`,
they are now only used in `sync/aref.rs`, where they are already imported.

Suggested-by: Benno Lossin <lossin@kernel.org>
Link: https://github.com/Rust-for-Linux/linux/issues/1173
Signed-off-by: Shankari Anand <shankari.ak0208@gmail.com>
---

The moving patch and updating patch are split as discussed in https://github.com/Rust-for-Linux/linux/issues/1173
A follow-up patch will update all the call sites to import `ARef` and `AlwaysRefCounted`
directly from `sync::aref` instead of `types`.

Fixes were also made to intra-doc links: unresolved references to `inc_ref` and `dec_ref`
were updated to use `AlwaysRefCounted::inc_ref` and `AlwaysRefCounted::dec_ref`.

---
 rust/kernel/sync.rs      |   1 +
 rust/kernel/sync/aref.rs | 170 +++++++++++++++++++++++++++++++++++++++
 rust/kernel/types.rs     | 156 ++---------------------------------
 3 files changed, 176 insertions(+), 151 deletions(-)
 create mode 100644 rust/kernel/sync/aref.rs

diff --git a/rust/kernel/sync.rs b/rust/kernel/sync.rs
index 36a719015583..3e9748c213a8 100644
--- a/rust/kernel/sync.rs
+++ b/rust/kernel/sync.rs
@@ -10,6 +10,7 @@
 use pin_init;
 
 mod arc;
+pub mod aref;
 mod condvar;
 pub mod lock;
 mod locked_by;
diff --git a/rust/kernel/sync/aref.rs b/rust/kernel/sync/aref.rs
new file mode 100644
index 000000000000..3b526b63f94f
--- /dev/null
+++ b/rust/kernel/sync/aref.rs
@@ -0,0 +1,170 @@
+// SPDX-License-Identifier: GPL-2.0
+
+//! Atomic reference-counted pointer abstraction.
+//!
+//! This module provides [`ARef<T>`], an owned reference to a value that implements
+//! [`AlwaysRefCounted`] — an unsafe trait for types that manage their own reference count.
+//!
+//! It is based on the Linux kernel's manual reference counting model and is typically used
+//! with C types that implement reference counting (e.g., via `refcount_t` or `kref`).
+//!
+//! For Rust-managed objects, prefer using [`Arc`](crate::sync::Arc) instead.
+
+use core::{
+    marker::PhantomData,
+    mem::ManuallyDrop,
+    ops::Deref,
+    ptr::NonNull,
+};
+
+/// Trait for types that are _always_ reference-counted.
+///
+/// This trait allows types to define custom reference increment and decrement logic.
+/// It enables safe conversion from a shared reference `&T` to an owned [`ARef<T>`].
+///
+/// This is usually implemented by wrappers around C types with manual refcounting.
+///
+/// For purely Rust-managed memory, consider using [`Arc`](crate::sync::Arc) instead.
+///
+/// # Safety
+///
+/// Implementers must ensure that:
+///
+/// - Calling [`AlwaysRefCounted::inc_ref`] keeps the object alive in memory until a matching [`AlwaysRefCounted::dec_ref`] is called.
+/// - The object is always managed by a reference count; it must never be stack-allocated or
+///   otherwise untracked.
+/// - When the count reaches zero in [`AlwaysRefCounted::dec_ref`], the object is properly freed and no further
+///   access occurs.
+///
+/// Failure to follow these rules may lead to use-after-free or memory corruption.
+
+pub unsafe trait AlwaysRefCounted {
+    /// Increments the reference count on the object.
+    fn inc_ref(&self);
+
+    /// Decrements the reference count on the object.
+    ///
+    /// Frees the object when the count reaches zero.
+    ///
+    /// # Safety
+    ///
+    /// Callers must ensure that there was a previous matching increment to the reference count,
+    /// and that the object is no longer used after its reference count is decremented (as it may
+    /// result in the object being freed), unless the caller owns another increment on the refcount
+    /// (e.g., it calls [`AlwaysRefCounted::inc_ref`] twice, then calls
+    /// [`AlwaysRefCounted::dec_ref`] once).
+    unsafe fn dec_ref(obj: NonNull<Self>);
+}
+
+/// An owned reference to an always-reference-counted object.
+///
+/// The object's reference count is automatically decremented when an instance of [`ARef`] is
+/// dropped. It is also automatically incremented when a new instance is created via
+/// [`ARef::clone`].
+///
+/// # Invariants
+///
+/// The pointer stored in `ptr` is non-null and valid for the lifetime of the [`ARef`] instance. In
+/// particular, the [`ARef`] instance owns an increment on the underlying object's reference count.
+pub struct ARef<T: AlwaysRefCounted> {
+    ptr: NonNull<T>,
+    _p: PhantomData<T>,
+}
+
+// SAFETY: It is safe to send `ARef<T>` to another thread when the underlying `T` is `Sync` because
+// it effectively means sharing `&T` (which is safe because `T` is `Sync`); additionally, it needs
+// `T` to be `Send` because any thread that has an `ARef<T>` may ultimately access `T` using a
+// mutable reference, for example, when the reference count reaches zero and `T` is dropped.
+unsafe impl<T: AlwaysRefCounted + Sync + Send> Send for ARef<T> {}
+
+// SAFETY: It is safe to send `&ARef<T>` to another thread when the underlying `T` is `Sync`
+// because it effectively means sharing `&T` (which is safe because `T` is `Sync`); additionally,
+// it needs `T` to be `Send` because any thread that has a `&ARef<T>` may clone it and get an
+// `ARef<T>` on that thread, so the thread may ultimately access `T` using a mutable reference, for
+// example, when the reference count reaches zero and `T` is dropped.
+unsafe impl<T: AlwaysRefCounted + Sync + Send> Sync for ARef<T> {}
+
+impl<T: AlwaysRefCounted> ARef<T> {
+    /// Creates a new instance of [`ARef`].
+    ///
+    /// It takes over an increment of the reference count on the underlying object.
+    ///
+    /// # Safety
+    ///
+    /// Callers must ensure that the reference count was incremented at least once, and that they
+    /// are properly relinquishing one increment. That is, if there is only one increment, callers
+    /// must not use the underlying object anymore -- it is only safe to do so via the newly
+    /// created [`ARef`].
+    pub unsafe fn from_raw(ptr: NonNull<T>) -> Self {
+        // INVARIANT: The safety requirements guarantee that the new instance now owns the
+        // increment on the refcount.
+        Self {
+            ptr,
+            _p: PhantomData,
+        }
+    }
+
+    /// Consumes the `ARef`, returning a raw pointer.
+    ///
+    /// This function does not change the refcount. After calling this function, the caller is
+    /// responsible for the refcount previously managed by the `ARef`.
+    ///
+    /// # Examples
+    ///
+    /// ```
+    /// use core::ptr::NonNull;
+    /// use kernel::types::{ARef, AlwaysRefCounted};
+    ///
+    /// struct Empty {}
+    ///
+    /// # // SAFETY: TODO.
+    /// unsafe impl AlwaysRefCounted for Empty {
+    ///     fn inc_ref(&self) {}
+    ///     unsafe fn dec_ref(_obj: NonNull<Self>) {}
+    /// }
+    ///
+    /// let mut data = Empty {};
+    /// let ptr = NonNull::<Empty>::new(&mut data).unwrap();
+    /// # // SAFETY: TODO.
+    /// let data_ref: ARef<Empty> = unsafe { ARef::from_raw(ptr) };
+    /// let raw_ptr: NonNull<Empty> = ARef::into_raw(data_ref);
+    ///
+    /// assert_eq!(ptr, raw_ptr);
+    /// ```
+    pub fn into_raw(me: Self) -> NonNull<T> {
+        ManuallyDrop::new(me).ptr
+    }
+}
+
+impl<T: AlwaysRefCounted> Clone for ARef<T> {
+    fn clone(&self) -> Self {
+        self.inc_ref();
+        // SAFETY: We just incremented the refcount above.
+        unsafe { Self::from_raw(self.ptr) }
+    }
+}
+
+impl<T: AlwaysRefCounted> Deref for ARef<T> {
+    type Target = T;
+
+    fn deref(&self) -> &Self::Target {
+        // SAFETY: The type invariants guarantee that the object is valid.
+        unsafe { self.ptr.as_ref() }
+    }
+}
+
+impl<T: AlwaysRefCounted> From<&T> for ARef<T> {
+    fn from(b: &T) -> Self {
+        b.inc_ref();
+        // SAFETY: We just incremented the refcount above.
+        unsafe { Self::from_raw(NonNull::from(b)) }
+    }
+}
+
+impl<T: AlwaysRefCounted> Drop for ARef<T> {
+    fn drop(&mut self) {
+        // SAFETY: The type invariants guarantee that the `ARef` owns the reference we're about to
+        // decrement.
+        unsafe { T::dec_ref(self.ptr) };
+    }
+}
diff --git a/rust/kernel/types.rs b/rust/kernel/types.rs
index 22985b6f6982..ae2350d87a27 100644
--- a/rust/kernel/types.rs
+++ b/rust/kernel/types.rs
@@ -5,12 +5,15 @@
 use core::{
     cell::UnsafeCell,
     marker::{PhantomData, PhantomPinned},
-    mem::{ManuallyDrop, MaybeUninit},
+    mem::{MaybeUninit},
     ops::{Deref, DerefMut},
-    ptr::NonNull,
 };
 use pin_init::{PinInit, Zeroable};
 
+pub use crate::sync::aref::{ARef, AlwaysRefCounted};
+
 /// Used to transfer ownership to and from foreign (non-Rust) languages.
 ///
 /// Ownership is transferred from Rust to a foreign language by calling [`Self::into_foreign`] and
@@ -415,155 +418,6 @@ pub const fn raw_get(this: *const Self) -> *mut T {
     }
 }
 
-/// Types that are _always_ reference counted.
-///
-/// It allows such types to define their own custom ref increment and decrement functions.
-/// Additionally, it allows users to convert from a shared reference `&T` to an owned reference
-/// [`ARef<T>`].
-///
-/// This is usually implemented by wrappers to existing structures on the C side of the code. For
-/// Rust code, the recommendation is to use [`Arc`](crate::sync::Arc) to create reference-counted
-/// instances of a type.
-///
-/// # Safety
-///
-/// Implementers must ensure that increments to the reference count keep the object alive in memory
-/// at least until matching decrements are performed.
-///
-/// Implementers must also ensure that all instances are reference-counted. (Otherwise they
-/// won't be able to honour the requirement that [`AlwaysRefCounted::inc_ref`] keep the object
-/// alive.)
-pub unsafe trait AlwaysRefCounted {
-    /// Increments the reference count on the object.
-    fn inc_ref(&self);
-
-    /// Decrements the reference count on the object.
-    ///
-    /// Frees the object when the count reaches zero.
-    ///
-    /// # Safety
-    ///
-    /// Callers must ensure that there was a previous matching increment to the reference count,
-    /// and that the object is no longer used after its reference count is decremented (as it may
-    /// result in the object being freed), unless the caller owns another increment on the refcount
-    /// (e.g., it calls [`AlwaysRefCounted::inc_ref`] twice, then calls
-    /// [`AlwaysRefCounted::dec_ref`] once).
-    unsafe fn dec_ref(obj: NonNull<Self>);
-}
-
-/// An owned reference to an always-reference-counted object.
-///
-/// The object's reference count is automatically decremented when an instance of [`ARef`] is
-/// dropped. It is also automatically incremented when a new instance is created via
-/// [`ARef::clone`].
-///
-/// # Invariants
-///
-/// The pointer stored in `ptr` is non-null and valid for the lifetime of the [`ARef`] instance. In
-/// particular, the [`ARef`] instance owns an increment on the underlying object's reference count.
-pub struct ARef<T: AlwaysRefCounted> {
-    ptr: NonNull<T>,
-    _p: PhantomData<T>,
-}
-
-// SAFETY: It is safe to send `ARef<T>` to another thread when the underlying `T` is `Sync` because
-// it effectively means sharing `&T` (which is safe because `T` is `Sync`); additionally, it needs
-// `T` to be `Send` because any thread that has an `ARef<T>` may ultimately access `T` using a
-// mutable reference, for example, when the reference count reaches zero and `T` is dropped.
-unsafe impl<T: AlwaysRefCounted + Sync + Send> Send for ARef<T> {}
-
-// SAFETY: It is safe to send `&ARef<T>` to another thread when the underlying `T` is `Sync`
-// because it effectively means sharing `&T` (which is safe because `T` is `Sync`); additionally,
-// it needs `T` to be `Send` because any thread that has a `&ARef<T>` may clone it and get an
-// `ARef<T>` on that thread, so the thread may ultimately access `T` using a mutable reference, for
-// example, when the reference count reaches zero and `T` is dropped.
-unsafe impl<T: AlwaysRefCounted + Sync + Send> Sync for ARef<T> {}
-
-impl<T: AlwaysRefCounted> ARef<T> {
-    /// Creates a new instance of [`ARef`].
-    ///
-    /// It takes over an increment of the reference count on the underlying object.
-    ///
-    /// # Safety
-    ///
-    /// Callers must ensure that the reference count was incremented at least once, and that they
-    /// are properly relinquishing one increment. That is, if there is only one increment, callers
-    /// must not use the underlying object anymore -- it is only safe to do so via the newly
-    /// created [`ARef`].
-    pub unsafe fn from_raw(ptr: NonNull<T>) -> Self {
-        // INVARIANT: The safety requirements guarantee that the new instance now owns the
-        // increment on the refcount.
-        Self {
-            ptr,
-            _p: PhantomData,
-        }
-    }
-
-    /// Consumes the `ARef`, returning a raw pointer.
-    ///
-    /// This function does not change the refcount. After calling this function, the caller is
-    /// responsible for the refcount previously managed by the `ARef`.
-    ///
-    /// # Examples
-    ///
-    /// ```
-    /// use core::ptr::NonNull;
-    /// use kernel::types::{ARef, AlwaysRefCounted};
-    ///
-    /// struct Empty {}
-    ///
-    /// # // SAFETY: TODO.
-    /// unsafe impl AlwaysRefCounted for Empty {
-    ///     fn inc_ref(&self) {}
-    ///     unsafe fn dec_ref(_obj: NonNull<Self>) {}
-    /// }
-    ///
-    /// let mut data = Empty {};
-    /// let ptr = NonNull::<Empty>::new(&mut data).unwrap();
-    /// # // SAFETY: TODO.
-    /// let data_ref: ARef<Empty> = unsafe { ARef::from_raw(ptr) };
-    /// let raw_ptr: NonNull<Empty> = ARef::into_raw(data_ref);
-    ///
-    /// assert_eq!(ptr, raw_ptr);
-    /// ```
-    pub fn into_raw(me: Self) -> NonNull<T> {
-        ManuallyDrop::new(me).ptr
-    }
-}
-
-impl<T: AlwaysRefCounted> Clone for ARef<T> {
-    fn clone(&self) -> Self {
-        self.inc_ref();
-        // SAFETY: We just incremented the refcount above.
-        unsafe { Self::from_raw(self.ptr) }
-    }
-}
-
-impl<T: AlwaysRefCounted> Deref for ARef<T> {
-    type Target = T;
-
-    fn deref(&self) -> &Self::Target {
-        // SAFETY: The type invariants guarantee that the object is valid.
-        unsafe { self.ptr.as_ref() }
-    }
-}
-
-impl<T: AlwaysRefCounted> From<&T> for ARef<T> {
-    fn from(b: &T) -> Self {
-        b.inc_ref();
-        // SAFETY: We just incremented the refcount above.
-        unsafe { Self::from_raw(NonNull::from(b)) }
-    }
-}
-
-impl<T: AlwaysRefCounted> Drop for ARef<T> {
-    fn drop(&mut self) {
-        // SAFETY: The type invariants guarantee that the `ARef` owns the reference we're about to
-        // decrement.
-        unsafe { T::dec_ref(self.ptr) };
-    }
-}
-
 /// A sum type that always holds either a value of type `L` or `R`.
 ///
 /// # Examples
-- 
2.34.1

Re: [PATCH] rust: move ARef and AlwaysRefCounted to sync::aref

[Benno Lossin]

On Mon Jun 23, 2025 at 9:25 PM CEST, Shankari Anand wrote:
> Move the definitions of `ARef` and `AlwaysRefCounted` from `types.rs`
> to a new file `sync/aref.rs`.
> Define the corresponding `aref` module under `rust/kernel/sync.rs`.
> These types are better grouped in `sync` with other synchronization primitives.
>
> To avoid breaking existing imports, they are re-exported from `types.rs`.
> Drop unused imports `mem::ManuallyDrop`, `ptr::NonNull` from `types.rs`,
> they are now only used in `sync/aref.rs`, where they are already imported.
>
> Suggested-by: Benno Lossin <lossin@kernel.org>
> Link: https://github.com/Rust-for-Linux/linux/issues/1173
> Signed-off-by: Shankari Anand <shankari.ak0208@gmail.com>
> ---
>
> The moving patch and updating patch are split as discussed in https://github.com/Rust-for-Linux/linux/issues/1173
> A follow-up patch will update all the call sites to import `ARef` and `AlwaysRefCounted`
> directly from `sync::aref` instead of `types`.

Ah, I meant that you can just send the two patches in a single series.
No need to wait for anything (it's easier to review the two distinct
changes, that's why I thought it's a good idea to split them).

> Fixes were also made to intra-doc links: unresolved references to `inc_ref` and `dec_ref`
> were updated to use `AlwaysRefCounted::inc_ref` and `AlwaysRefCounted::dec_ref`.
>
> ---
>  rust/kernel/sync.rs      |   1 +
>  rust/kernel/sync/aref.rs | 170 +++++++++++++++++++++++++++++++++++++++
>  rust/kernel/types.rs     | 156 ++---------------------------------
>  3 files changed, 176 insertions(+), 151 deletions(-)
>  create mode 100644 rust/kernel/sync/aref.rs

This doesn't apply to `rust-next` or `v6.16-rc3`, what base did you use?
When creating `.patch` files for sending, please use `--base` to make
git add your base at the bottom.

---
Cheers,
Benno

Re: [PATCH] rust: move ARef and AlwaysRefCounted to sync::aref

[Shankari Anand]

> Ah, I meant that you can just send the two patches in a single series.
> No need to wait for anything (it's easier to review the two distinct
> changes, that's why I thought it's a good idea to split them).

Apologies for the misunderstanding on my part regarding the split. I
now understand that both patches should be sent as a single series for
ease of review. Thanks for the clarification!

> This doesn't apply to `rust-next` or `v6.16-rc3`, what base did you use?
> When creating `.patch` files for sending, please use `--base` to make
> git add your base at the bottom.

Regarding the patch not applying cleanly: I had tested it on rust-next
at the time, but it’s possible that a new commit has landed upstream
since then which is causing the conflict. I’ll rebase both patches on
the latest rust-next, re-test, and resend them together as a patch
series with --base included as well.

Thanks again for your feedback!


On Tue, Jun 24, 2025 at 4:56 AM Benno Lossin <lossin@kernel.org> wrote:
>
> On Mon Jun 23, 2025 at 9:25 PM CEST, Shankari Anand wrote:
> > Move the definitions of `ARef` and `AlwaysRefCounted` from `types.rs`
> > to a new file `sync/aref.rs`.
> > Define the corresponding `aref` module under `rust/kernel/sync.rs`.
> > These types are better grouped in `sync` with other synchronization primitives.
> >
> > To avoid breaking existing imports, they are re-exported from `types.rs`.
> > Drop unused imports `mem::ManuallyDrop`, `ptr::NonNull` from `types.rs`,
> > they are now only used in `sync/aref.rs`, where they are already imported.
> >
> > Suggested-by: Benno Lossin <lossin@kernel.org>
> > Link: https://github.com/Rust-for-Linux/linux/issues/1173
> > Signed-off-by: Shankari Anand <shankari.ak0208@gmail.com>
> > ---
> >
> > The moving patch and updating patch are split as discussed in https://github.com/Rust-for-Linux/linux/issues/1173
> > A follow-up patch will update all the call sites to import `ARef` and `AlwaysRefCounted`
> > directly from `sync::aref` instead of `types`.
>
> Ah, I meant that you can just send the two patches in a single series.
> No need to wait for anything (it's easier to review the two distinct
> changes, that's why I thought it's a good idea to split them).
>
> > Fixes were also made to intra-doc links: unresolved references to `inc_ref` and `dec_ref`
> > were updated to use `AlwaysRefCounted::inc_ref` and `AlwaysRefCounted::dec_ref`.
> >
> > ---
> >  rust/kernel/sync.rs      |   1 +
> >  rust/kernel/sync/aref.rs | 170 +++++++++++++++++++++++++++++++++++++++
> >  rust/kernel/types.rs     | 156 ++---------------------------------
> >  3 files changed, 176 insertions(+), 151 deletions(-)
> >  create mode 100644 rust/kernel/sync/aref.rs
>
> This doesn't apply to `rust-next` or `v6.16-rc3`, what base did you use?
> When creating `.patch` files for sending, please use `--base` to make
> git add your base at the bottom.
>
> ---
> Cheers,
> Benno