From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-wm1-f74.google.com (mail-wm1-f74.google.com [209.85.128.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9CBA133D6D9 for ; Fri, 20 Feb 2026 10:35:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.74 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1771583717; cv=none; b=fEFuDFua2PdF/bSudxXgqd4H9xVFHv+4daFTpWgYUd/0Y4HdE22BV87P/xP8wazcGHv/BjoOEiOJwSrKHKgGOA2RjOiGWWEvSwB8p4h0CMMFjAhXmoYF4XvcZnynC5D1Oh8vNhex9aajMjbL+nVzQxNPkbIU1KYnX0vftXMSM/A= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1771583717; c=relaxed/simple; bh=+0veVdhvJiXHWfU3srloHvG6XN01ATLsuTVbT5o95C4=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=PqNkhy7uRd2ir92IX/IHQTcn4Xn3/iZMoh/ZDPYMtGtHATgQ8mE9C+JNHCcxco8H8hjOaGjbKEhGbg29tpNERHH5EQs0h309HYQHuEoznS31d3jMjnlWTPVtyNi4cX17g8RTrlKSav6qRyuFslvTVpG6UFsogXYEVAj7A9hizOU= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--aliceryhl.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=1IXVmEbR; arc=none smtp.client-ip=209.85.128.74 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--aliceryhl.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="1IXVmEbR" Received: by mail-wm1-f74.google.com with SMTP id 5b1f17b1804b1-48379489438so18303065e9.2 for ; Fri, 20 Feb 2026 02:35:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1771583714; x=1772188514; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=SuBBZbTgNeFNGP2KTDBOL9VXYwpq19RWtpTtqUl4jLA=; b=1IXVmEbR3x/gwrILo+4+FcRcD/u6auiA1qN6OHuF2E4HiKwOiUZV/WZYg7nR01wBRC uDc6mN3J7GSC90Cjq/Pl/PdqeVANNljGGVlRQ93GXbKdeP4BAL2CYdSf2odeAiSP926f 8VvMYgO17j0x4H1kkJt4pw3YR0mvMPf25DbJxkP+1Fy4uPdK2x7u+CnvTohxPUtIcJJ2 lRq08/yfv6iagcLUZRNAR/c3bd/e0bOGQuLoTAVq328hLV4823aO7H0mvGVAAqO9Bf4u pyqYEnbThNivwRIBXpA1eOALuzFWBp/BM6GVy1T4rlAt4NjsZDt3y7QY3qBN4fNLaBLR EdjQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1771583714; x=1772188514; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=SuBBZbTgNeFNGP2KTDBOL9VXYwpq19RWtpTtqUl4jLA=; b=Tn0+BRDUmHq7sEDvds9xJXRlsEQQANcOomPkWUe0LGmXoNn/wGJI9kufiD4Xgig9uL 5CsHq7ZmlI++AP85ra5FYKrP/3WS6rQ1LadqRn4jlIsWF27kmiT3oOD068QhTdZEWsCV qgfcmJaSdirQy+N5lVpMJU/6yMkylkkMKYnCZUk3T/A4EB1I2d/jspaYOqq1HkjI5xiT F4AXPxPN2PLdDdT2hHS3gGBXCnDrMrlQ5wHnQnNPyN+8N7SPs51B/HxW36Rm5cPOrGcE 9PvzpxkIOZKAMqKG+i5RKDSdWsoh18SVVtGMaejvGYddUAH1EoNd4U4XsPn7/RKZe4a4 Lnyw== X-Forwarded-Encrypted: i=1; AJvYcCXz6loBWSExiaI6o5aRjnynlMdefq0SUgJdp1CBrMRcO1ohnEEPeJy6b85DGLZb09MhMa6k9hApymqDJV1z@vger.kernel.org X-Gm-Message-State: AOJu0Yyx4bXtikUah46lTX7KFg8LZwnZBo8Udm7fzvXunRbcf+8Np8+S sHH1XFts2g9F1fWclR21J9UpEkPQsWZrIK3A+ZSGsV8z/GfUWvSP6O2xIV/43Pp0Jb8x9pJCLS8 Gb80zkFGrvOyCISrY5w== X-Received: from wmbdr17.prod.google.com ([2002:a05:600c:6091:b0:480:4a03:7b73]) (user=aliceryhl job=prod-delivery.src-stubby-dispatcher) by 2002:a05:600c:8b26:b0:465:a51d:d4 with SMTP id 5b1f17b1804b1-48398a47222mr123364405e9.6.1771583713704; Fri, 20 Feb 2026 02:35:13 -0800 (PST) Date: Fri, 20 Feb 2026 10:35:12 +0000 In-Reply-To: <20260220-unique-ref-v15-1-893ed86b06cc@kernel.org> Precedence: bulk X-Mailing-List: linux-fsdevel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20260220-unique-ref-v15-0-893ed86b06cc@kernel.org> <20260220-unique-ref-v15-1-893ed86b06cc@kernel.org> Message-ID: Subject: Re: [PATCH v15 1/9] rust: types: Add Ownable/Owned types From: Alice Ryhl To: Andreas Hindborg Cc: Miguel Ojeda , Gary Guo , "=?utf-8?B?QmrDtnJu?= Roy Baron" , Benno Lossin , Trevor Gross , Danilo Krummrich , Greg Kroah-Hartman , Dave Ertman , Ira Weiny , Leon Romanovsky , Paul Moore , Serge Hallyn , "Rafael J. Wysocki" , David Airlie , Simona Vetter , Alexander Viro , Christian Brauner , Jan Kara , Igor Korotin , Daniel Almeida , Lorenzo Stoakes , "Liam R. Howlett" , Viresh Kumar , Nishanth Menon , Stephen Boyd , Bjorn Helgaas , "Krzysztof =?utf-8?Q?Wilczy=C5=84ski?=" , Boqun Feng , linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org, linux-block@vger.kernel.org, linux-security-module@vger.kernel.org, dri-devel@lists.freedesktop.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-pm@vger.kernel.org, linux-pci@vger.kernel.org, Asahi Lina , Oliver Mangold Content-Type: text/plain; charset="utf-8" On Fri, Feb 20, 2026 at 10:51:10AM +0100, Andreas Hindborg wrote: > From: Asahi Lina > > By analogy to `AlwaysRefCounted` and `ARef`, an `Ownable` type is a > (typically C FFI) type that *may* be owned by Rust, but need not be. Unlike > `AlwaysRefCounted`, this mechanism expects the reference to be unique > within Rust, and does not allow cloning. > > Conceptually, this is similar to a `KBox`, except that it delegates > resource management to the `T` instead of using a generic allocator. > > [ om: > - Split code into separate file and `pub use` it from types.rs. > - Make from_raw() and into_raw() public. > - Remove OwnableMut, and make DerefMut dependent on Unpin instead. > - Usage example/doctest for Ownable/Owned. > - Fixes to documentation and commit message. > ] > > Link: https://lore.kernel.org/all/20250202-rust-page-v1-1-e3170d7fe55e@asahilina.net/ > Signed-off-by: Asahi Lina > Co-developed-by: Oliver Mangold > Signed-off-by: Oliver Mangold > Reviewed-by: Boqun Feng > Reviewed-by: Daniel Almeida > [ Andreas: Updated documentation, examples, and formatting ] > Reviewed-by: Gary Guo > Co-developed-by: Andreas Hindborg > Signed-off-by: Andreas Hindborg > +/// let result = NonNull::new(KBox::into_raw(result)) > +/// .expect("Raw pointer to newly allocation KBox is null, this should never happen."); KBox should probably have an into_raw_nonnull(). > +/// let foo = Foo::new().expect("Failed to allocate a Foo. This shouldn't happen"); > +/// assert!(*FOO_ALLOC_COUNT.lock() == 1); Use ? here. > +/// } > +/// // `foo` is out of scope now, so we expect no live allocations. > +/// assert!(*FOO_ALLOC_COUNT.lock() == 0); > +/// ``` > +pub unsafe trait Ownable { > + /// Releases the object. > + /// > + /// # Safety > + /// > + /// Callers must ensure that: > + /// - `this` points to a valid `Self`. > + /// - `*this` is no longer used after this call. > + unsafe fn release(this: NonNull); Honestly, not using it after this call may be too strong. I can imagine wanting a value where I have both an ARef<_> and Owned<_> reference to something similar to the existing Arc<_>/ListArc<_> pattern, and in that case the value may in fact be accessed after this call if you still have an ARef<_>. If you modify Owned<_> invariants and Owned::from_raw() safety requirements along the lines of what I say below, then this could just say that the caller must have permission to call this function. The concrete implementer can specify what that means more directly, but here all it means is that a prior call to Owned::from_raw() promised to give you permission to call it. > +/// A mutable reference to an owned `T`. > +/// > +/// The [`Ownable`] is automatically freed or released when an instance of [`Owned`] is > +/// dropped. > +/// > +/// # Invariants > +/// > +/// - The [`Owned`] has exclusive access to the instance of `T`. > +/// - The instance of `T` will stay alive at least as long as the [`Owned`] is alive. > +pub struct Owned { > + ptr: NonNull, > +} I think some more direct and less fuzzy invariants would be: - This `Owned` holds permissions to call `T::release()` on the value once. - Until `T::release()` is called, this `Owned` may perform mutable access on the `T`. - The `T` value is pinned. > + /// Get a pinned mutable reference to the data owned by this `Owned`. > + pub fn as_pin_mut(&mut self) -> Pin<&mut T> { > + // SAFETY: The type invariants guarantee that the object is valid, and that we can safely > + // return a mutable reference to it. > + let unpinned = unsafe { self.ptr.as_mut() }; > + > + // SAFETY: We never hand out unpinned mutable references to the data in > + // `Self`, unless the contained type is `Unpin`. > + unsafe { Pin::new_unchecked(unpinned) } I'd prefer if "pinned" was a type invariant, rather than make an argument about what kind of APIs exist. > +impl DerefMut for Owned { > + fn deref_mut(&mut self) -> &mut Self::Target { > + // SAFETY: The type invariants guarantee that the object is valid, and that we can safely > + // return a mutable reference to it. > + unsafe { self.ptr.as_mut() } Surely this safety comment should say something about pinning. Alice