[PATCH] rust: devres: add 'static bound to Devres<T>

[PATCH] rust: devres: add 'static bound to Devres<T>

[Danilo Krummrich]

Devres::new() registers a callback with the C devres subsystem via
devres_node_add(). If the Devres is leaked (e.g. via
core::mem::forget(), which is safe), its Drop impl never runs, and the
devres release callback will revoke the inner Revocable on device
unbind, which drops T in place. If T contains non-'static references,
those may be dangling by that point.

Add a 'static bound to prevent storing types with borrowed data in
Devres.

Fixes: 76c01ded724b ("rust: add devres abstraction")
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
---
 rust/kernel/devres.rs | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rust/kernel/devres.rs b/rust/kernel/devres.rs
index 9e5f93aed20c..2e258d31a45c 100644
--- a/rust/kernel/devres.rs
+++ b/rust/kernel/devres.rs
@@ -122,7 +122,7 @@ struct Inner<T> {
 /// # Ok(())
 /// # }
 /// ```
-pub struct Devres<T: Send> {
+pub struct Devres<T: Send + 'static> {
     dev: ARef<Device>,
     inner: Arc<Inner<T>>,
 }
@@ -184,7 +184,7 @@ pub(super) unsafe fn devres_node_remove(
     }
 }
 
-impl<T: Send> Devres<T> {
+impl<T: Send + 'static> Devres<T> {
     /// Creates a new [`Devres`] instance of the given `data`.
     ///
     /// The `data` encapsulated within the returned `Devres` instance' `data` will be
@@ -349,7 +349,7 @@ unsafe impl<T: Send> Send for Devres<T> {}
 // SAFETY: `Devres` can be shared with any task, if `T: Sync`.
 unsafe impl<T: Send + Sync> Sync for Devres<T> {}
 
-impl<T: Send> Drop for Devres<T> {
+impl<T: Send + 'static> Drop for Devres<T> {
     fn drop(&mut self) {
         // SAFETY: When `drop` runs, it is guaranteed that nobody is accessing the revocable data
         // anymore, hence it is safe not to wait for the grace period to finish.

base-commit: 56785dcb2ef6d3cff82ac33f2e34db94377416a3
-- 
2.54.0

Re: [PATCH] rust: devres: add 'static bound to Devres<T>

[Danilo Krummrich]

On Tue May 26, 2026 at 2:04 AM CEST, Danilo Krummrich wrote:
> Devres::new() registers a callback with the C devres subsystem via
> devres_node_add(). If the Devres is leaked (e.g. via
> core::mem::forget(), which is safe), its Drop impl never runs, and the
> devres release callback will revoke the inner Revocable on device
> unbind, which drops T in place. If T contains non-'static references,
> those may be dangling by that point.
>
> Add a 'static bound to prevent storing types with borrowed data in
> Devres.
>
> Fixes: 76c01ded724b ("rust: add devres abstraction")
> Signed-off-by: Danilo Krummrich <dakr@kernel.org>

Cc: stable@vger.kernel.org

Re: [PATCH] rust: devres: add 'static bound to Devres<T>

[Eliot Courtney]

On Tue May 26, 2026 at 9:04 AM JST, Danilo Krummrich wrote:
> Devres::new() registers a callback with the C devres subsystem via
> devres_node_add(). If the Devres is leaked (e.g. via
> core::mem::forget(), which is safe), its Drop impl never runs, and the
> devres release callback will revoke the inner Revocable on device
> unbind, which drops T in place. If T contains non-'static references,
> those may be dangling by that point.
>
> Add a 'static bound to prevent storing types with borrowed data in
> Devres.
>
> Fixes: 76c01ded724b ("rust: add devres abstraction")
> Signed-off-by: Danilo Krummrich <dakr@kernel.org>
> ---

Reviewed-by: Eliot Courtney <ecourtney@nvidia.com>

Re: [PATCH] rust: devres: add 'static bound to Devres<T>

[Alexandre Courbot]

On Tue May 26, 2026 at 9:04 AM JST, Danilo Krummrich wrote:
> Devres::new() registers a callback with the C devres subsystem via
> devres_node_add(). If the Devres is leaked (e.g. via
> core::mem::forget(), which is safe), its Drop impl never runs, and the
> devres release callback will revoke the inner Revocable on device
> unbind, which drops T in place. If T contains non-'static references,
> those may be dangling by that point.
>
> Add a 'static bound to prevent storing types with borrowed data in
> Devres.
>
> Fixes: 76c01ded724b ("rust: add devres abstraction")
> Signed-off-by: Danilo Krummrich <dakr@kernel.org>

Reviewed-by: Alexandre Courbot <acourbot@nvidia.com>

Re: [PATCH] rust: devres: add 'static bound to Devres<T>

[Gary Guo]

On Tue May 26, 2026 at 1:04 AM BST, Danilo Krummrich wrote:
> Devres::new() registers a callback with the C devres subsystem via
> devres_node_add(). If the Devres is leaked (e.g. via
> core::mem::forget(), which is safe), its Drop impl never runs, and the
> devres release callback will revoke the inner Revocable on device
> unbind, which drops T in place. If T contains non-'static references,
> those may be dangling by that point.
>
> Add a 'static bound to prevent storing types with borrowed data in
> Devres.

The bound should be added on `Devres::new` instead.

Best,
Gary

>
> Fixes: 76c01ded724b ("rust: add devres abstraction")
> Signed-off-by: Danilo Krummrich <dakr@kernel.org>
> ---
>  rust/kernel/devres.rs | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/rust/kernel/devres.rs b/rust/kernel/devres.rs
> index 9e5f93aed20c..2e258d31a45c 100644
> --- a/rust/kernel/devres.rs
> +++ b/rust/kernel/devres.rs
> @@ -122,7 +122,7 @@ struct Inner<T> {
>  /// # Ok(())
>  /// # }
>  /// ```
> -pub struct Devres<T: Send> {
> +pub struct Devres<T: Send + 'static> {
>      dev: ARef<Device>,
>      inner: Arc<Inner<T>>,
>  }
> @@ -184,7 +184,7 @@ pub(super) unsafe fn devres_node_remove(
>      }
>  }
>  
> -impl<T: Send> Devres<T> {
> +impl<T: Send + 'static> Devres<T> {
>      /// Creates a new [`Devres`] instance of the given `data`.
>      ///
>      /// The `data` encapsulated within the returned `Devres` instance' `data` will be
> @@ -349,7 +349,7 @@ unsafe impl<T: Send> Send for Devres<T> {}
>  // SAFETY: `Devres` can be shared with any task, if `T: Sync`.
>  unsafe impl<T: Send + Sync> Sync for Devres<T> {}
>  
> -impl<T: Send> Drop for Devres<T> {
> +impl<T: Send + 'static> Drop for Devres<T> {
>      fn drop(&mut self) {
>          // SAFETY: When `drop` runs, it is guaranteed that nobody is accessing the revocable data
>          // anymore, hence it is safe not to wait for the grace period to finish.
>
> base-commit: 56785dcb2ef6d3cff82ac33f2e34db94377416a3

Re: [PATCH] rust: devres: add 'static bound to Devres<T>

[Danilo Krummrich]

On Wed May 27, 2026 at 4:44 PM CEST, Gary Guo wrote:
> On Tue May 26, 2026 at 1:04 AM BST, Danilo Krummrich wrote:
>> Add a 'static bound to prevent storing types with borrowed data in
>> Devres.
>
> The bound should be added on `Devres::new` instead.

I did consider this as it is generally recommended to minimize bounds on
structs.

However, a Devres<T> with non-'static T is semantically nonsensical, not just
unconstructible, and I think type level bound represents that better.

Re: [PATCH] rust: devres: add 'static bound to Devres<T>

[Gary Guo]

On Wed May 27, 2026 at 7:04 PM BST, Danilo Krummrich wrote:
> On Wed May 27, 2026 at 4:44 PM CEST, Gary Guo wrote:
>> On Tue May 26, 2026 at 1:04 AM BST, Danilo Krummrich wrote:
>>> Add a 'static bound to prevent storing types with borrowed data in
>>> Devres.
>>
>> The bound should be added on `Devres::new` instead.
>
> I did consider this as it is generally recommended to minimize bounds on
> structs.
>
> However, a Devres<T> with non-'static T is semantically nonsensical, not just
> unconstructible, and I think type level bound represents that better.

Technically `Devres` can contain references to the registration, which is known
to outlive the bound device.

Best,
Gary

Re: [PATCH] rust: devres: add 'static bound to Devres<T>

[Danilo Krummrich]

On Wed May 27, 2026 at 8:07 PM CEST, Gary Guo wrote:
> On Wed May 27, 2026 at 7:04 PM BST, Danilo Krummrich wrote:
>> On Wed May 27, 2026 at 4:44 PM CEST, Gary Guo wrote:
>>> On Tue May 26, 2026 at 1:04 AM BST, Danilo Krummrich wrote:
>>>> Add a 'static bound to prevent storing types with borrowed data in
>>>> Devres.
>>>
>>> The bound should be added on `Devres::new` instead.
>>
>> I did consider this as it is generally recommended to minimize bounds on
>> structs.
>>
>> However, a Devres<T> with non-'static T is semantically nonsensical, not just
>> unconstructible, and I think type level bound represents that better.
>
> Technically `Devres` can contain references to the registration, which is known
> to outlive the bound device.

That's technically true, but how would you express "outlives the device" as a
lifetime bound on Devres?

Additionally, if the borrowed data outlives the device bound, you don't need
device-managed revocation for it in the first place.

Re: [PATCH] rust: devres: add 'static bound to Devres<T>

[Gary Guo]

On Wed May 27, 2026 at 7:13 PM BST, Danilo Krummrich wrote:
> On Wed May 27, 2026 at 8:07 PM CEST, Gary Guo wrote:
>> On Wed May 27, 2026 at 7:04 PM BST, Danilo Krummrich wrote:
>>> On Wed May 27, 2026 at 4:44 PM CEST, Gary Guo wrote:
>>>> On Tue May 26, 2026 at 1:04 AM BST, Danilo Krummrich wrote:
>>>>> Add a 'static bound to prevent storing types with borrowed data in
>>>>> Devres.
>>>>
>>>> The bound should be added on `Devres::new` instead.
>>>
>>> I did consider this as it is generally recommended to minimize bounds on
>>> structs.
>>>
>>> However, a Devres<T> with non-'static T is semantically nonsensical, not just
>>> unconstructible, and I think type level bound represents that better.
>>
>> Technically `Devres` can contain references to the registration, which is known
>> to outlive the bound device.
>
> That's technically true, but how would you express "outlives the device" as a
> lifetime bound on Devres?

Just having the lifetime would mean it outlives the device (lifetimes that
cannot be guaranteed to outlive the device cannot be used in devres).

In a world with registration data, I would imagine all lifetime parameters on
registration data are also valid for `Devres`.

>
> Additionally, if the borrowed data outlives the device bound, you don't need
> device-managed revocation for it in the first place.

Resources that depend on both registration data and device resource perhaps?

Best,
Gary

Re: [PATCH] rust: devres: add 'static bound to Devres<T>

[Danilo Krummrich]

On Wed May 27, 2026 at 9:25 PM CEST, Gary Guo wrote:
> On Wed May 27, 2026 at 7:13 PM BST, Danilo Krummrich wrote:
>> On Wed May 27, 2026 at 8:07 PM CEST, Gary Guo wrote:
>>> On Wed May 27, 2026 at 7:04 PM BST, Danilo Krummrich wrote:
>>>> On Wed May 27, 2026 at 4:44 PM CEST, Gary Guo wrote:
>>>>> On Tue May 26, 2026 at 1:04 AM BST, Danilo Krummrich wrote:
>>>>>> Add a 'static bound to prevent storing types with borrowed data in
>>>>>> Devres.
>>>>>
>>>>> The bound should be added on `Devres::new` instead.
>>>>
>>>> I did consider this as it is generally recommended to minimize bounds on
>>>> structs.
>>>>
>>>> However, a Devres<T> with non-'static T is semantically nonsensical, not just
>>>> unconstructible, and I think type level bound represents that better.
>>>
>>> Technically `Devres` can contain references to the registration, which is known
>>> to outlive the bound device.
>>
>> That's technically true, but how would you express "outlives the device" as a
>> lifetime bound on Devres?
>
> Just having the lifetime would mean it outlives the device (lifetimes that
> cannot be guaranteed to outlive the device cannot be used in devres).
>
> In a world with registration data, I would imagine all lifetime parameters on
> registration data are also valid for `Devres`.

[...]

> Resources that depend on both registration data and device resource perhaps?

You'd still need a separate constructor for this, and I'm still not convinced
that this makes a lot of sense.

That said if you feel strongly about it, I don't mind moving the 'static bound
to new() too much.

Re: [PATCH] rust: devres: add 'static bound to Devres<T>

[Danilo Krummrich]

On Wed May 27, 2026 at 9:49 PM CEST, Danilo Krummrich wrote:
> That said if you feel strongly about it, I don't mind moving the 'static bound
> to new() too much.

Keeping the bound on the struct for now, given that we agree to move it if it
creeps to more places off-list.

Re: [PATCH] rust: devres: add 'static bound to Devres<T>

[Danilo Krummrich]

On Tue, 26 May 2026 02:04:41 +0200, Danilo Krummrich wrote:
> [PATCH] rust: devres: add 'static bound to Devres<T>

Applied, thanks!

  Branch: driver-core-testing
  Tree:   git://git.kernel.org/pub/scm/linux/kernel/git/driver-core/driver-core.git

[1/1] rust: devres: add 'static bound to Devres<T>
      commit: 016267b521b1

The patch will appear in the next linux-next integration (typically within 24
hours on weekdays).

The patch is in the driver-core-testing branch and will be promoted to
driver-core-next after validation.