From: Danilo Krummrich <dakr@kernel.org>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: rafael@kernel.org, ojeda@kernel.org, alex.gaynor@gmail.com,
boqun.feng@gmail.com, gary@garyguo.net, bjorn3_gh@protonmail.com,
benno.lossin@proton.me, a.hindborg@kernel.org,
aliceryhl@google.com, tmgross@umich.edu,
david.m.ertman@intel.com, ira.weiny@intel.com, leon@kernel.org,
kwilczynski@kernel.org, bhelgaas@google.com,
rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-pci@vger.kernel.org
Subject: Re: [PATCH 2/8] rust: device: add drvdata accessors
Date: Tue, 1 Jul 2025 12:58:17 +0200 [thread overview]
Message-ID: <aGO_SS20fttVZM6D@pollux> (raw)
In-Reply-To: <2025070159-perkiness-bullion-da76@gregkh>
On Tue, Jul 01, 2025 at 11:27:54AM +0200, Greg KH wrote:
> On Sat, Jun 21, 2025 at 09:43:28PM +0200, Danilo Krummrich wrote:
> > +impl Device<Internal> {
> > + /// Store a pointer to the bound driver's private data.
> > + pub fn set_drvdata(&self, data: impl ForeignOwnable) {
> > + // SAFETY: By the type invariants, `self.as_raw()` is a valid pointer to a `struct device`.
> > + unsafe { bindings::dev_set_drvdata(self.as_raw(), data.into_foreign().cast()) }
> > + }
>
> Ah, but a driver's private data in the device is NOT a bus-specific
> thing, it's a driver-specific thing, so your previous patch about
> Internal being there for busses feels odd.
It's because we only want to allow the bus abstraction to call
Device::set_drvdata().
The reason is the lifecycle of the driver's private data:
It starts when the driver returns the private data object in probe(). In the bus
abstraction's probe() function, we're calling set_drvdata().
At this point the ownership of the object technically goes to the device. And it
is our responsibility to extract the object from dev->driver_data at some point
again through drvdata_obtain(). With calling drvdata_obtain() we take back
ownership of the object.
Obviously, we do this in the bus abstraction's remove() callback, where we then
let the object go out of scope, such that it's destructor gets called.
In contrast, drvdata_borrow() does what its name implies, it only borrows the
object from dev->driver_data, such that we can provide it for the driver to use.
In the bus abstraction's remove() callback, drvdata_obtain() must be able to
proof that the object we extract from dev->driver_data is the exact object that
we set when calling set_drvdata() from probe().
If we'd allow the driver to call set_drvdata() itself (which is unnecessary
anyways), drivers could:
1) Call set_drvdata() multiple times, where every previous call would leak the
object, since the pointer would be overwritten.
2) We'd loose any guarantee about the type we extract from dev->driver_data
in the bus abstraction's remove() callback wioth drvdata_obtain().
> > +
> > + /// Take ownership of the private data stored in this [`Device`].
> > + ///
> > + /// # Safety
> > + ///
> > + /// - Must only be called once after a preceding call to [`Device::set_drvdata`].
> > + /// - The type `T` must match the type of the `ForeignOwnable` previously stored by
> > + /// [`Device::set_drvdata`].
> > + pub unsafe fn drvdata_obtain<T: ForeignOwnable>(&self) -> T {
> > + // SAFETY: By the type invariants, `self.as_raw()` is a valid pointer to a `struct device`.
> > + let ptr = unsafe { bindings::dev_get_drvdata(self.as_raw()) };
> > +
> > + // SAFETY: By the safety requirements of this function, `ptr` comes from a previous call to
> > + // `into_foreign()`.
> > + unsafe { T::from_foreign(ptr.cast()) }
> > + }
> > +
> > + /// Borrow the driver's private data bound to this [`Device`].
> > + ///
> > + /// # Safety
> > + ///
> > + /// - Must only be called after a preceding call to [`Device::set_drvdata`] and before
> > + /// [`Device::drvdata_obtain`].
> > + /// - The type `T` must match the type of the `ForeignOwnable` previously stored by
> > + /// [`Device::set_drvdata`].
> > + pub unsafe fn drvdata_borrow<T: ForeignOwnable>(&self) -> T::Borrowed<'_> {
> > + // SAFETY: By the type invariants, `self.as_raw()` is a valid pointer to a `struct device`.
> > + let ptr = unsafe { bindings::dev_get_drvdata(self.as_raw()) };
> > +
> > + // SAFETY: By the safety requirements of this function, `ptr` comes from a previous call to
> > + // `into_foreign()`.
> > + unsafe { T::borrow(ptr.cast()) }
> > + }
> > +}
>
> Why can't this be part of Core?
Device::drvdata_borrow() itself can indeed be part of Core. It has to remain
unsafe though, because the type T has to match the type that the driver returned
from probe().
Instead, we should provide a reference of the driver's private data in every bus
callback, such that drivers don't need unsafe code.
In order to not tempt drivers to use the unsafe method drvdata_borrow()
directly, I went for hiding it behind the BusInternal device context.
next prev parent reply other threads:[~2025-07-01 10:58 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-21 19:43 [PATCH 0/8] Device: generic accessors for drvdata + Driver::unbind() Danilo Krummrich
2025-06-21 19:43 ` [PATCH 1/8] rust: device: introduce device::Internal Danilo Krummrich
2025-07-01 9:26 ` Greg KH
2025-07-01 10:41 ` Danilo Krummrich
2025-07-01 12:32 ` Danilo Krummrich
2025-07-03 15:06 ` Greg KH
2025-06-21 19:43 ` [PATCH 2/8] rust: device: add drvdata accessors Danilo Krummrich
2025-07-01 9:27 ` Greg KH
2025-07-01 10:58 ` Danilo Krummrich [this message]
2025-07-01 13:12 ` Danilo Krummrich
2025-07-05 11:15 ` Benno Lossin
2025-07-05 15:06 ` Danilo Krummrich
2025-07-05 21:38 ` Benno Lossin
2025-07-07 7:46 ` Alexandre Courbot
2025-07-07 9:40 ` Danilo Krummrich
2025-06-21 19:43 ` [PATCH 3/8] rust: platform: use generic device " Danilo Krummrich
2025-06-21 19:43 ` [PATCH 4/8] rust: pci: " Danilo Krummrich
2025-07-01 9:30 ` Greg KH
2025-06-21 19:43 ` [PATCH 5/8] rust: auxiliary: " Danilo Krummrich
2025-06-21 19:43 ` [PATCH 6/8] rust: platform: implement Driver::unbind() Danilo Krummrich
2025-06-21 19:43 ` [PATCH 7/8] rust: pci: " Danilo Krummrich
2025-06-21 19:43 ` [PATCH 8/8] samples: rust: pci: reset pci-testdev in unbind() Danilo Krummrich
2025-07-01 9:25 ` [PATCH 0/8] Device: generic accessors for drvdata + Driver::unbind() Greg KH
2025-07-01 10:40 ` Danilo Krummrich
2025-07-07 7:18 ` Alexandre Courbot
2025-07-07 9:26 ` Danilo Krummrich
2025-07-08 22:25 ` Danilo Krummrich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aGO_SS20fttVZM6D@pollux \
--to=dakr@kernel.org \
--cc=a.hindborg@kernel.org \
--cc=alex.gaynor@gmail.com \
--cc=aliceryhl@google.com \
--cc=benno.lossin@proton.me \
--cc=bhelgaas@google.com \
--cc=bjorn3_gh@protonmail.com \
--cc=boqun.feng@gmail.com \
--cc=david.m.ertman@intel.com \
--cc=gary@garyguo.net \
--cc=gregkh@linuxfoundation.org \
--cc=ira.weiny@intel.com \
--cc=kwilczynski@kernel.org \
--cc=leon@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=ojeda@kernel.org \
--cc=rafael@kernel.org \
--cc=rust-for-linux@vger.kernel.org \
--cc=tmgross@umich.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).