From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C16F33B8127; Fri, 26 Jun 2026 18:37:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782499033; cv=none; b=jWwJlMgewk5kbnl8/pGUOb2aE1blQLIGx0lCpAvl/5BaBbY2RqNBjlYGADypk03q7LgYlbiq1p5pdjKdHBmuuYL9eepXTF5iguPXt7CWH0Tl2q9/F21OcPRamfJgRE6s7Kfxy6qAuzF9x48ld6UAfyWNPdjBxWEtkFOQC/Mhbok= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782499033; c=relaxed/simple; bh=9sj/cRMpLt+TlJNhxcoV/gazrjzc/lNtCfkjjafqrUg=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=sEuxmLYITNK22XKZ/mDC9gOrc9LcR+/vmFmyQ2FCRIYl96giaCo9/hjQQ/YsfocjG2BjawQTAZhriIzXq5FdI4A2Z/uan2ITQHJvDvrMaFn4wp1xmm9kfeyptFZ7TyoimulPg/oVDvUz608B8Qy5ytAg5Ntv92qVtXfvcY2tm8M= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=kyKfO1Q+; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="kyKfO1Q+" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 380691F00A3D; Fri, 26 Jun 2026 18:37:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1782499027; bh=vZGB6qCrIRYgQIhUbEYjio6sdJ2mRmJy/xD6B/oeiaA=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=kyKfO1Q+cbSv8VF0wxi+etrSA+L1wjWySaWAIb2gxgxeJsaGfkq/jvW3T1PXU08Pt gJSwxxIh/mdfXuDwGUMCcKmWyhBzWJ+pfA9wUn2WFklNYslO01YaSYjNeFG+zzqRGQ YftdKaAg25F0q3rzRbk3bHqFHQhtd67EjcTkjjosgXP9yowFjFR4GmezxV4fglyna1 Gh5PGFipjgc7F6BvqGLymvIyGGD4dQCbH/XyFwpVGlWbPWqwUyNXfXHrt5h1lds15o 2kGgc3W1QdqpzwewObnWCFpjy0NvfwaD45mhJh48XWc/86wdcHmsus0YkmxHhwT0MY ghYNmyGvbiDtA== From: Danilo Krummrich To: gregkh@linuxfoundation.org, rafael@kernel.org, dakr@kernel.org, ojeda@kernel.org, boqun@kernel.org, gary@garyguo.net, bjorn3_gh@protonmail.com, lossin@kernel.org, a.hindborg@kernel.org, aliceryhl@google.com, tmgross@umich.edu, acourbot@nvidia.com, ecourtney@nvidia.com, m.wilczynski@samsung.com, david.m.ertman@intel.com, ira.weiny@intel.com, leon@kernel.org, daniel.almeida@collabora.com, bhelgaas@google.com, kwilczynski@kernel.org Cc: driver-core@lists.linux.dev, linux-kernel@vger.kernel.org, nova-gpu@lists.linux.dev, dri-devel@lists.freedesktop.org, linux-pwm@vger.kernel.org, rust-for-linux@vger.kernel.org Subject: [PATCH v4 5/7] rust: devres: add DevresLt for ForLt-aware device resource access Date: Fri, 26 Jun 2026 20:36:12 +0200 Message-ID: <20260626183630.2585057-6-dakr@kernel.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260626183630.2585057-1-dakr@kernel.org> References: <20260626183630.2585057-1-dakr@kernel.org> Precedence: bulk X-Mailing-List: nova-gpu@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Devres stores resources as T and returns &'a T from access(). For lifetime-parameterized types like Bar<'a, SIZE> that are transmuted to 'static for storage, this exposes the synthetic 'static lifetime to callers -- any method on the stored type that returns a reference with its lifetime parameter would yield a &'static reference, which is unsound. Add DevresLt, a thin wrapper around Devres> that shortens the stored 'static lifetime to the caller's borrow lifetime in all access methods. DevresLt::new() is unsafe because the caller must guarantee that the data remains valid for the device's full bound scope; the internal transmute from F::Of<'a> to F::Of<'static> would otherwise allow use-after-free. Two access patterns are provided: - CovariantForLt types get direct-reference accessors (access, try_access) that return shortened references via CovariantForLt::cast_ref. - Plain ForLt types use closure-based accessors (access_with, try_access_with) whose universally quantified lifetime prevents callers from smuggling in concrete short-lived references. Reviewed-by: Alexandre Courbot Signed-off-by: Danilo Krummrich --- rust/kernel/devres.rs | 106 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 106 insertions(+) diff --git a/rust/kernel/devres.rs b/rust/kernel/devres.rs index 11ce500e9b76..b7c075a39ba4 100644 --- a/rust/kernel/devres.rs +++ b/rust/kernel/devres.rs @@ -24,6 +24,8 @@ Arc, // }, types::{ + CovariantForLt, + ForLt, ForeignOwnable, Opaque, // }, @@ -365,6 +367,110 @@ fn drop(&mut self) { } } +/// Guard returned by [`DevresLt::try_access`]. +/// +/// Dereferences to `F::Of<'a>`, shortening the lifetime of the stored data to the guard's borrow +/// lifetime. +pub struct DevresGuard<'a, F: CovariantForLt>(RevocableGuard<'a, F::Of<'static>>); + +impl<'a, F: CovariantForLt> core::ops::Deref for DevresGuard<'a, F> { + type Target = F::Of<'a>; + + #[inline] + fn deref(&self) -> &Self::Target { + F::cast_ref(&*self.0) + } +} + +/// Device-managed resource with [`ForLt`](trait@ForLt)-aware access. +/// +/// `DevresLt` wraps [`Devres`] and shortens the stored `'static` lifetime to the caller's borrow +/// lifetime in all access methods. +/// +/// Types that implement [`trait@CovariantForLt`] get direct-reference accessors ([`Self::access`], +/// [`Self::try_access`]). Plain [`ForLt`](trait@ForLt) types use closure-based accessors +/// ([`Self::access_with`], [`Self::try_access_with`]). +pub struct DevresLt(Devres>) +where + for<'a> F::Of<'a>: Send; + +impl DevresLt +where + for<'a> F::Of<'a>: Send, +{ + /// Creates a new [`DevresLt`] instance of the given `data`. + /// + /// # Safety + /// + /// The data must remain valid for the device's full bound scope. [`DevresLt`] allows + /// access until the device is unbound, which may outlast `'a`. + pub unsafe fn new<'a, E>( + dev: &'a Device, + data: impl PinInit, E>, + ) -> Result + where + Error: From, + { + // SAFETY: The caller guarantees the data is valid for the device's full bound scope. + // Lifetimes do not affect layout, so F::Of<'a> and F::Of<'static> have identical + // representation; casting the slot pointer is sound. + let data = unsafe { + pin_init::pin_init_from_closure::, E>(move |slot| { + data.__pinned_init(slot.cast()) + }) + }; + + Ok(Self(Devres::new(dev, data)?)) + } + + /// Return a reference of the [`Device`] this [`DevresLt`] instance has been created with. + #[inline] + pub fn device(&self) -> &Device { + self.0.device() + } + + /// Obtain `&F::Of<'_>`, bypassing the [`Revocable`], through a closure. + /// + /// This method works like [`DevresLt::access`](DevresLt::access) but accepts any + /// [`trait@ForLt`] type, not just [`trait@CovariantForLt`]. + #[inline] + pub fn access_with(&self, dev: &Device, f: G) -> Result + where + G: for<'a> FnOnce(&F::Of<'a>) -> R, + { + self.0.access(dev).map(f) + } + + /// [`DevresLt`] accessor for [`Revocable::try_access_with`]. + #[inline] + pub fn try_access_with(&self, f: G) -> Option + where + G: for<'a> FnOnce(&F::Of<'a>) -> R, + { + self.0.data().try_access_with(f) + } +} + +impl DevresLt +where + for<'a> F::Of<'a>: Send, +{ + /// Obtain `&'a F::Of<'a>`, bypassing the [`Revocable`]. + /// + /// This method works like [`Devres::access`], but shortens the returned reference's lifetime + /// from `'static` to `'a` via [`CovariantForLt::cast_ref`]. + #[inline] + pub fn access<'a>(&'a self, dev: &'a Device) -> Result<&'a F::Of<'a>> { + self.0.access(dev).map(F::cast_ref) + } + + /// [`DevresLt`] accessor for [`Revocable::try_access`]. + #[inline] + pub fn try_access(&self) -> Option> { + self.0.data().try_access().map(DevresGuard) + } +} + /// Consume `data` and [`Drop::drop`] `data` once `dev` is unbound. fn register_foreign

(dev: &Device, data: P) -> Result where -- 2.54.0