From: "Danilo Krummrich" <dakr@kernel.org>
To: "Jason Gunthorpe" <jgg@nvidia.com>
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
	"Tzung-Bi Shih" <tzungbi@kernel.org>,
	"Benson Leung" <bleung@chromium.org>,
	"Rafael J . Wysocki" <rafael@kernel.org>,
	"Jonathan Corbet" <corbet@lwn.net>,
	"Shuah Khan" <shuah@kernel.org>, <linux-doc@vger.kernel.org>,
	<linux-kernel@vger.kernel.org>, <chrome-platform@lists.linux.dev>,
	<linux-kselftest@vger.kernel.org>,
	"Laurent Pinchart" <laurent.pinchart@ideasonboard.com>,
	"Bartosz Golaszewski" <brgl@bgdev.pl>,
	"Wolfram Sang" <wsa+renesas@sang-engineering.com>,
	"Simona Vetter" <simona.vetter@ffwll.ch>,
	"Dan Williams" <dan.j.williams@intel.com>
Subject: Re: [PATCH v5 5/7] revocable: Add fops replacement
Date: Thu, 23 Oct 2025 20:30:03 +0200
Message-ID: <DDPWYPG6IGBS.3K4HZRJN0UX0N@kernel.org>
In-Reply-To: <20251023164809.GN262900@nvidia.com>

On Thu Oct 23, 2025 at 6:48 PM CEST, Jason Gunthorpe wrote:
> On Thu, Oct 23, 2025 at 06:20:02PM +0200, Danilo Krummrich wrote:
>> On Thu Oct 23, 2025 at 5:57 PM CEST, Jason Gunthorpe wrote:
>> > IMHO the rust code does it principally because the sync unregister
>> > life cycle model does not fit naturally into rust.
>> 
>> That's not the case.
>> 
>> In fact, we try to give as much "sync" guarantees as possible. For instance,
>> when a driver registers an IRQ the irq::Registration API enforces that the IRQ
>> is unregistered before the registering device is unbound.
>> 
>> As a consequence, the IRQ callback can provide a &Device<Bound>, which acts as a
>> "cookie" that proves that for this scope (IRQ callback) the device is guaranteed
>> to be bound.
>> 
>> With this "cookie" we can then directly access device resources (such as I/O
>> memory) that are within a Devres (and hence a Revocable) container,
>> *without* any locking. I.e. we can safely bypass the Revocable and hence its
>> overhead.
>
> It is good news to hear it, but I think you are making the point I was
> trying to make.
>
> In rust if you have a Device<bound> and you skip the revocable
> locking, I'd argue that you don't need "revocable" at all, just
> enforcement of a Device<bound>.
>
> IOW the presence of revocable in rust, with all the locking, is
> because the sync life cycle model is not available.

That's not the reason, it *is* available.

Requiring a &Device<Bound> "cookie" to be able to access a device resource
directly is one part of it. The other one is to ensure that the device resource
is actually released once the device is unbound.

When a device is unbound the Revocable within a Devres container automatically
drops the device resource (i.e. calls the destructor, which, for instance,
unmaps and releases an MMIO memory region).

Subsequently, it also ensures that the device resources can't be accessed
anymore, even if a driver were to hold on to the corresponding object instance:

Obviously, it can't be accessed with a &Device<Bound> anymore, because it is
impossible that the caller is within a scope where a &Device<Bound> is present.

And an access with Revocable::try_access() will fail as well, because Revocable
knows internally that the destructor of the wrapped object was called already.

So, what we achieve is that as long as the driver uses safe code (i.e. no unsafe
{}), there is no way for a driver to mess this up and produce a bug that affects
the rest of the kernel.

At the same time, there is zero overhead in "sync" scopes, while non-"sync"
scopes, which we unfortunately need in some rare cases, are still supported in a
safe way.

> Sounds like the idea is that the sync model will be widely available
> and the revocable lock will rarely be used?

That is correct.
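A small userspace model of the lifecycle described above, added here as an illustration (it is not the kernel's Revocable/Devres code or API): `Revocable::try_access()` is the locked, fallible path that returns None once the payload's destructor has run, while `access()` takes a `&Device<Bound>` cookie that can only exist inside `DriverCore::with_bound()` and therefore reads the payload with no locking. The names `DriverCore`, `with_bound`, `access`, `revoke` and the `Mmio` stand-in are assumptions made for this example.

```rust
use std::cell::UnsafeCell;
use std::marker::PhantomData;
use std::sync::{Arc, Mutex};
/// Marker type: a `&Device<Bound>` exists only inside `DriverCore::with_bound`.
pub struct Bound;
pub struct Device<S>(PhantomData<S>);
/// Constructed stand-in for a device resource; `Drop` models unmapping MMIO.
pub struct Mmio { pub base: u64, pub unmapped: Arc<Mutex<bool>> }
impl Drop for Mmio { fn drop(&mut self) { *self.unmapped.lock().unwrap() = true; } }

/// Container that drops its payload on revoke() and then refuses try_access().
/// Sync is sound because every write to `slot` is serialised (see the SAFETY notes).
pub struct Revocable<T> { slot: UnsafeCell<Option<T>>, lock: Mutex<()> }
unsafe impl<T: Send> Sync for Revocable<T> {}

impl<T> Revocable<T> {
    pub fn new(v: T) -> Self { Self { slot: UnsafeCell::new(Some(v)), lock: Mutex::new(()) } }
    /// "Sync" path: no locking at all; the cookie proves the device is still bound.
    pub fn access<'a>(&'a self, _cookie: &'a Device<Bound>) -> &'a T {
        // SAFETY: revoke() runs only from unbind(), which DriverCore serialises
        // against every scope that holds a &Device<Bound>, so the slot is Some.
        unsafe { (*self.slot.get()).as_ref().expect("bound device => live resource") }
    }
    /// Fallible path for non-"sync" scopes: None once the destructor has run.
    pub fn try_access<R>(&self, f: impl FnOnce(&T) -> R) -> Option<R> {
        let _g = self.lock.lock().unwrap();
        // SAFETY: the lock excludes revoke(), so the slot cannot change under us.
        unsafe { (*self.slot.get()).as_ref() }.map(f)
    }
    fn revoke(&self) {
        let _g = self.lock.lock().unwrap();
        // SAFETY: same lock as try_access(); take() runs T's destructor right here.
        unsafe { (*self.slot.get()).take() };
    }
}

/// Minimal driver core: hands out the cookie only while bound, revokes on unbind.
pub struct DriverCore<T> { bound: Mutex<bool>, pub res: Revocable<T> }
impl<T> DriverCore<T> {
    pub fn new(v: T) -> Self { Self { bound: Mutex::new(true), res: Revocable::new(v) } }
    /// Runs `f` with a cookie, or returns None if the device is already unbound.
    pub fn with_bound<R>(&self, f: impl FnOnce(&Device<Bound>) -> R) -> Option<R> {
        let bound = self.bound.lock().unwrap(); // held for the whole cookie scope
        if !*bound { return None; }
        Some(f(&Device(PhantomData)))
    }
    pub fn unbind(&self) {
        let mut bound = self.bound.lock().unwrap();
        *bound = false;
        self.res.revoke(); // resource released now; later try_access() fails
    }
}
```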
