From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
To: Danilo Krummrich <dakr@kernel.org>
Cc: dan.j.williams@intel.com, Jason Gunthorpe <jgg@nvidia.com>,
Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>,
Johan Hovold <johan@kernel.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
"Rafael J . Wysocki" <rafael@kernel.org>,
Tzung-Bi Shih <tzungbi@kernel.org>,
Linus Walleij <linusw@kernel.org>,
Jonathan Corbet <corbet@lwn.net>, Shuah Khan <shuah@kernel.org>,
Wolfram Sang <wsa+renesas@sang-engineering.com>,
Simona Vetter <simona.vetter@ffwll.ch>,
linux-doc@vger.kernel.org, linux-kselftest@vger.kernel.org,
linux-kernel@vger.kernel.org,
Bartosz Golaszewski <brgl@kernel.org>
Subject: Re: [PATCH 0/3] Revert "revocable: Revocable resource management"
Date: Thu, 29 Jan 2026 12:43:57 +0200 [thread overview]
Message-ID: <20260129104357.GB3317328@killaraus> (raw)
In-Reply-To: <DG0ZES9SRSKD.11UBH7B75WNSX@kernel.org>
On Thu, Jan 29, 2026 at 10:56:22AM +0100, Danilo Krummrich wrote:
> On Thu Jan 29, 2026 at 4:42 AM CET, dan.j.williams wrote:
> > Jason Gunthorpe wrote:
> >> On Thu, Jan 29, 2026 at 03:08:22AM +0200, Laurent Pinchart wrote:
> >> > > The latter already have robust schemes to help the driver shutdown and
> >> > > end the concurrent operations. ie cancel_work_sync(),
> >> > > del_timer_sync(), free_irq(), and *notifier_unregister().
> >> >
> >> > One a side note, devm_request_irq() is another of the devm_* helpers
> >> > that cause race conditions, as interrupt handlers can run right after
> >> > .remove() returns, which drivers will most likely not handle correctly.
> >>
> >> Yes! You *cannot* intermix devm and non-devm approaches without
> >> creating very subtle bugs exactly like this. If your subsystem does
> >> not provide a "devm register" helper its drivers shouldn't use devm.
> >
> > I wonder if we should have a proactive debug mode that checks for
> > idiomatic devres usage and flags:
> >
> > - registering devres actions while the driver is detached
>
> In Rust we already enforce this through the type system, i.e. we even fail to
> compile the code when this is violated. (I.e. for all scopes that guarantee that
> a device is bound (and will remain throughout) we give out a &Device<Bound>,
> which serves as a cookie.)
>
> In C I don't really see how that would be possible without additional locking,
> as the only thing we could check is dev->driver, which obviously is racy.
>
> > - registering devres actions for a device with a driver that has a
> > .remove() method
>
> This is perfectly valid, drivers might still be performing teardown operations
> on the device (if it did not get hot unplugged).
>
> > - passing a devres allocation to a kobject API
>
> Well, this is an ownership violation. Technically, devres owns this allocation
> and devres releases the allocation when the device is unbound. Which makes this
> allocation only ever valid to access from a scope that is guaranteed that the
> device is (and remains) bound.
>
> > - invoking devres release actions from a kobject release API
>
> This is similar to "registering devres actions while the driver is detached" and
> falls into the boarder problem class of "messing with devres objects outside of
> a Device<Bound> scope".
>
> Again, I think in C we can't properly protect against this. While we could also
> give out a "Device<Bound>" token for scopes where we can guarantee that the
> device is actually bound to a driver in C, we can't control the lifetime of the
> token as we can in Rust, which makes it pointless.
>
> So, the best thing we can probably do is document that "This must only be called
> from a scope that guarantees that the device remains bound throughout." for all
> the devres accessors.
>
> There may be one thing that comes to my mind that we could do though. While we
> can't catch those at compile time, we might be able to catch those on runtime.
C will not allow catching as many things as compile time as rust, that's
for sure, but I don't think it's the main issue here. The core of the
problem, in my opinion, is that we have seen a proliferation of devres
and similar helpers that were quickly adopted by drivers as it made
their life easier, *but* without any documentation of the caveats and
correct usage patterns. We have APIs that don't tell how to use them
correctly, so we can hardly blame driver developers for not doing it
right. In many cases we haven't even thought about what the right (and
wrong) usage patterns are, and in some cases the APIs have been
developed with so little awareness of these issues that there's no
correct usage pattern. Fixing this is the first step, then we can see
how to use the features provided by the programming language to minimize
the risk of incorrect usage.
> For instance, we could "abuse" lockdep and register a fake lock for a
> Device<Bound> scope and put a lockdep assert into all the devres accessors.
>
> However, fixing up all the violations that come up when introducing this sounds
> like a huge pain. :)
--
Regards,
Laurent Pinchart
next prev parent reply other threads:[~2026-01-29 10:44 UTC|newest]
Thread overview: 70+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-24 17:05 [PATCH 0/3] Revert "revocable: Revocable resource management" Johan Hovold
2026-01-24 17:05 ` [PATCH 1/3] Revert "selftests: revocable: Add kselftest cases" Johan Hovold
2026-01-24 17:05 ` [PATCH 2/3] Revert "revocable: Add Kunit test cases" Johan Hovold
2026-01-24 17:05 ` [PATCH 3/3] Revert "revocable: Revocable resource management" Johan Hovold
2026-01-24 17:37 ` Johan Hovold
2026-01-24 17:46 ` Danilo Krummrich
2026-01-26 13:20 ` Johan Hovold
2026-01-27 15:57 ` Tzung-Bi Shih
2026-01-24 18:42 ` [PATCH 0/3] " Laurent Pinchart
2026-01-24 19:08 ` Danilo Krummrich
2026-01-25 12:47 ` Greg Kroah-Hartman
2026-01-25 13:22 ` Laurent Pinchart
2026-01-25 14:07 ` Danilo Krummrich
2026-01-29 1:09 ` Laurent Pinchart
2026-01-25 13:24 ` Laurent Pinchart
2026-01-25 17:53 ` Danilo Krummrich
2026-01-26 0:07 ` Jason Gunthorpe
2026-01-26 16:08 ` Danilo Krummrich
2026-01-26 17:07 ` Jason Gunthorpe
2026-01-26 22:36 ` Danilo Krummrich
2026-01-28 23:40 ` Laurent Pinchart
2026-01-26 13:50 ` Johan Hovold
2026-01-27 21:18 ` Bartosz Golaszewski
2026-01-27 23:52 ` Jason Gunthorpe
2026-01-28 9:40 ` Bartosz Golaszewski
2026-01-28 10:01 ` Wolfram Sang
2026-01-28 15:05 ` Jason Gunthorpe
2026-01-28 15:20 ` Bartosz Golaszewski
2026-01-28 16:01 ` Jason Gunthorpe
2026-01-30 11:27 ` Bartosz Golaszewski
2026-01-28 16:58 ` Wolfram Sang
2026-01-29 1:08 ` Laurent Pinchart
2026-01-29 1:23 ` Jason Gunthorpe
2026-01-29 3:42 ` dan.j.williams
2026-01-29 9:56 ` Danilo Krummrich
2026-01-29 10:43 ` Laurent Pinchart [this message]
2026-01-30 0:36 ` dan.j.williams
2026-01-29 10:38 ` Laurent Pinchart
2026-01-29 13:34 ` Jason Gunthorpe
2026-01-29 14:52 ` Laurent Pinchart
2026-01-29 22:29 ` Danilo Krummrich
2026-01-30 9:10 ` Laurent Pinchart
2026-02-03 9:10 ` Maxime Ripard
2026-02-03 13:59 ` Laurent Pinchart
2026-01-28 15:48 ` Johan Hovold
2026-01-29 9:11 ` Bartosz Golaszewski
2026-01-29 10:56 ` Laurent Pinchart
2026-01-29 13:50 ` Bartosz Golaszewski
2026-01-29 14:28 ` Jason Gunthorpe
2026-01-29 14:45 ` Laurent Pinchart
2026-01-29 14:49 ` Laurent Pinchart
2026-01-29 22:00 ` Danilo Krummrich
2026-01-30 11:19 ` Bartosz Golaszewski
2026-01-29 13:27 ` Linus Walleij
2026-02-03 12:15 ` Johan Hovold
2026-02-03 12:26 ` Greg Kroah-Hartman
2026-02-03 12:30 ` [PATCH] driver core: disable revocable code from build Greg Kroah-Hartman
2026-02-03 13:20 ` Danilo Krummrich
2026-02-04 2:14 ` Tzung-Bi Shih
2026-02-04 5:28 ` [PATCH] selftests: Disable " Tzung-Bi Shih
2026-02-04 8:21 ` Greg Kroah-Hartman
2026-02-03 13:57 ` [PATCH 0/3] Revert "revocable: Revocable resource management" Laurent Pinchart
2026-02-03 15:44 ` Greg Kroah-Hartman
2026-02-04 14:36 ` Johan Hovold
2026-01-27 15:57 ` Tzung-Bi Shih
2026-01-28 14:23 ` Johan Hovold
2026-01-28 23:28 ` Laurent Pinchart
2026-01-29 15:01 ` Tzung-Bi Shih
2026-01-30 9:12 ` Laurent Pinchart
2026-01-30 17:41 ` Danilo Krummrich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260129104357.GB3317328@killaraus \
--to=laurent.pinchart@ideasonboard.com \
--cc=bartosz.golaszewski@oss.qualcomm.com \
--cc=brgl@kernel.org \
--cc=corbet@lwn.net \
--cc=dakr@kernel.org \
--cc=dan.j.williams@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=jgg@nvidia.com \
--cc=johan@kernel.org \
--cc=linusw@kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=rafael@kernel.org \
--cc=shuah@kernel.org \
--cc=simona.vetter@ffwll.ch \
--cc=tzungbi@kernel.org \
--cc=wsa+renesas@sang-engineering.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox