From: Jason Gunthorpe <jgg@nvidia.com>
To: Danilo Krummrich <dakr@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Johan Hovold <johan@kernel.org>,
"Rafael J . Wysocki" <rafael@kernel.org>,
Tzung-Bi Shih <tzungbi@kernel.org>,
Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>,
Linus Walleij <linusw@kernel.org>,
Jonathan Corbet <corbet@lwn.net>, Shuah Khan <shuah@kernel.org>,
Laurent Pinchart <laurent.pinchart@ideasonboard.com>,
Wolfram Sang <wsa+renesas@sang-engineering.com>,
Simona Vetter <simona.vetter@ffwll.ch>,
Dan Williams <dan.j.williams@intel.com>,
linux-doc@vger.kernel.org, linux-kselftest@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 0/3] Revert "revocable: Revocable resource management"
Date: Sun, 25 Jan 2026 20:07:30 -0400 [thread overview]
Message-ID: <20260126000730.GI1134360@nvidia.com> (raw)
In-Reply-To: <DFXV1QMQMTRK.2W8SWGVHS2K69@kernel.org>
On Sun, Jan 25, 2026 at 06:53:15PM +0100, Danilo Krummrich wrote:
>
> Let's take some DRM IOCTL for instance:
>
> struct MyDriver {
> bar: Devres<pci::Bar>,
> }
>
> fn ioctl_vm_create(
> drm: &drm::Device<MyDriver>,
> req: &mut uapi::drm_mydriver_vm_create,
> file: &drm::File<MyDriverFile>,
> ) -> Result<u32> {
> // Runs the closure in an (S)RCU read side critical section if the
> // resource is available, returns ENXIO otherwise.
> drm.bar.try_access_with(|bar| {
> // (S)RCU read side critical section starts here.
>
> bar.write32(...);
>
> // (S)RCU read side critical section ends here.
> }).ok_or(ENXIO)?;
>
> Ok(0)
> }
That's the whole issue with DRM right there - allowing driver code to
run after the driver has unregistered from the subsystem is
*dangerous* and creates all these bugs.
From a rust perspective I would argue you should be looking at every
one of those try_access_with() sites in drivers as a code smell that
says something is questionable in the driver or subsystem.
In many other subsystems a driver should *never* use
"try_access_with". Unfortunately the rust solution forces
synchronize_srcu()'s anyway (which Bartoz rightly pointed out as an
unacceptable performance issue). IMHO since rust has the Device<Bound>
stuff the revocable should have used rwsem, because the expectation
should be that the majority uses access, not try_access.
> I think those examples make it obvious why a revocable implementation on the C
> side can't provide the same value and ergonomics due to language limitations,
> yet I think it makes sense to start experimenting how subsystems can adopt this
> design-pattern in C.
The most important part of this pattern, IMHO, is documenting when you
are in a safe Device<Bound> scope or not.
What the C version of revocable does is just enforce it *everwhere*
without any thought as to if it is papering over a bigger problem.
In C protecting some limited "device resources" is not nearly good
enough for alot of drivers since the root issue here is often the
author doesn't understand the undocumented contexts when it is
"try_access_with" vs "access" and then makes a lot more errors than
just "device resources". :(
Frankly I don't think "iterating" is going to salvage this idea. The
real value from rust was not in creating a thin wrapper around
SRCU. It is in all the other stuff Danilo has explained.
Jason
next prev parent reply other threads:[~2026-01-26 0:07 UTC|newest]
Thread overview: 70+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-24 17:05 [PATCH 0/3] Revert "revocable: Revocable resource management" Johan Hovold
2026-01-24 17:05 ` [PATCH 1/3] Revert "selftests: revocable: Add kselftest cases" Johan Hovold
2026-01-24 17:05 ` [PATCH 2/3] Revert "revocable: Add Kunit test cases" Johan Hovold
2026-01-24 17:05 ` [PATCH 3/3] Revert "revocable: Revocable resource management" Johan Hovold
2026-01-24 17:37 ` Johan Hovold
2026-01-24 17:46 ` Danilo Krummrich
2026-01-26 13:20 ` Johan Hovold
2026-01-27 15:57 ` Tzung-Bi Shih
2026-01-24 18:42 ` [PATCH 0/3] " Laurent Pinchart
2026-01-24 19:08 ` Danilo Krummrich
2026-01-25 12:47 ` Greg Kroah-Hartman
2026-01-25 13:22 ` Laurent Pinchart
2026-01-25 14:07 ` Danilo Krummrich
2026-01-29 1:09 ` Laurent Pinchart
2026-01-25 13:24 ` Laurent Pinchart
2026-01-25 17:53 ` Danilo Krummrich
2026-01-26 0:07 ` Jason Gunthorpe [this message]
2026-01-26 16:08 ` Danilo Krummrich
2026-01-26 17:07 ` Jason Gunthorpe
2026-01-26 22:36 ` Danilo Krummrich
2026-01-28 23:40 ` Laurent Pinchart
2026-01-26 13:50 ` Johan Hovold
2026-01-27 21:18 ` Bartosz Golaszewski
2026-01-27 23:52 ` Jason Gunthorpe
2026-01-28 9:40 ` Bartosz Golaszewski
2026-01-28 10:01 ` Wolfram Sang
2026-01-28 15:05 ` Jason Gunthorpe
2026-01-28 15:20 ` Bartosz Golaszewski
2026-01-28 16:01 ` Jason Gunthorpe
2026-01-30 11:27 ` Bartosz Golaszewski
2026-01-28 16:58 ` Wolfram Sang
2026-01-29 1:08 ` Laurent Pinchart
2026-01-29 1:23 ` Jason Gunthorpe
2026-01-29 3:42 ` dan.j.williams
2026-01-29 9:56 ` Danilo Krummrich
2026-01-29 10:43 ` Laurent Pinchart
2026-01-30 0:36 ` dan.j.williams
2026-01-29 10:38 ` Laurent Pinchart
2026-01-29 13:34 ` Jason Gunthorpe
2026-01-29 14:52 ` Laurent Pinchart
2026-01-29 22:29 ` Danilo Krummrich
2026-01-30 9:10 ` Laurent Pinchart
2026-02-03 9:10 ` Maxime Ripard
2026-02-03 13:59 ` Laurent Pinchart
2026-01-28 15:48 ` Johan Hovold
2026-01-29 9:11 ` Bartosz Golaszewski
2026-01-29 10:56 ` Laurent Pinchart
2026-01-29 13:50 ` Bartosz Golaszewski
2026-01-29 14:28 ` Jason Gunthorpe
2026-01-29 14:45 ` Laurent Pinchart
2026-01-29 14:49 ` Laurent Pinchart
2026-01-29 22:00 ` Danilo Krummrich
2026-01-30 11:19 ` Bartosz Golaszewski
2026-01-29 13:27 ` Linus Walleij
2026-02-03 12:15 ` Johan Hovold
2026-02-03 12:26 ` Greg Kroah-Hartman
2026-02-03 12:30 ` [PATCH] driver core: disable revocable code from build Greg Kroah-Hartman
2026-02-03 13:20 ` Danilo Krummrich
2026-02-04 2:14 ` Tzung-Bi Shih
2026-02-04 5:28 ` [PATCH] selftests: Disable " Tzung-Bi Shih
2026-02-04 8:21 ` Greg Kroah-Hartman
2026-02-03 13:57 ` [PATCH 0/3] Revert "revocable: Revocable resource management" Laurent Pinchart
2026-02-03 15:44 ` Greg Kroah-Hartman
2026-02-04 14:36 ` Johan Hovold
2026-01-27 15:57 ` Tzung-Bi Shih
2026-01-28 14:23 ` Johan Hovold
2026-01-28 23:28 ` Laurent Pinchart
2026-01-29 15:01 ` Tzung-Bi Shih
2026-01-30 9:12 ` Laurent Pinchart
2026-01-30 17:41 ` Danilo Krummrich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260126000730.GI1134360@nvidia.com \
--to=jgg@nvidia.com \
--cc=bartosz.golaszewski@oss.qualcomm.com \
--cc=corbet@lwn.net \
--cc=dakr@kernel.org \
--cc=dan.j.williams@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=johan@kernel.org \
--cc=laurent.pinchart@ideasonboard.com \
--cc=linusw@kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=rafael@kernel.org \
--cc=shuah@kernel.org \
--cc=simona.vetter@ffwll.ch \
--cc=tzungbi@kernel.org \
--cc=wsa+renesas@sang-engineering.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox