From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E757272603; Sat, 30 May 2026 15:16:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780154180; cv=none; b=b3A74s9x7+HISWwK4zIxGxdhEIg4hDmce7pJGl6XPmucYWbDKFh/YZeLkzLuJGI4U/SrkQCIuAXs9CR6qUUzBh2LMDfRy2TWi2tTOlapzQ7slN3OztlP9jPCgwAGOz9AsmoUAcc0mMx/QJ6DMbwd3TufTOfzI7go9jebCCekNHk= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780154180; c=relaxed/simple; bh=f0GdUq+MhlYLfV4RgBdNdh/WhTPQgXHeUjOAGryZXyo=; h=Mime-Version:Content-Type:Date:Message-Id:Subject:Cc:To:From: References:In-Reply-To; b=kDIfXubGhwyFZZA09QqmO+cYLk02zCYO0TuVjGMNj9VPJnkdxxwSYyhvWhKHO0Vf0KMSS+sWpn2zZb3HVUcXwtLCnB2a0n3mP7MI8hfKRIFeZXZTAhSh9Dsyw7n6vw/t8hv2y1rnFC/CIur9VtmzLrxre22sC5D+075egXz+IJk= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=ivG9I9Wb; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="ivG9I9Wb" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 111F01F00893; Sat, 30 May 2026 15:16:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780154178; bh=B3IwrE3HK9xQ/GsYTmA9pt7vQYdzp5OkBKwI6mjM0Ks=; h=Date:Subject:Cc:To:From:References:In-Reply-To; b=ivG9I9Wb1Fhio7A/1AlExKrVKTjWm24EHtORlfbrP5Dc4c4bL4JMnbjqDTqUA/GFw 2hr7JqaFVsRU72p3y/y0tKVuwPBZ1YqwRmNSTlIn/26d96dkH+Sy9RJ+UCy/TQRG9P FS/IoYmNxEQQnhqdfMEDa4BW6n5TRSFdF/H1ZXEdoBqvT/ZQ3PzfF4VnO2xdJercPK 
sX1uqzRFCchLdr9KtyGJY5K3Dppkt48lqnyW+qgP4Rh0Y1laLZMrIkSkM2Du8o+XGS mj3MkD12yXLxdzx/mmh7lN93ATCHzyYUyKnkzOqiOKnwCuMuEfsUjYPJRG5tWljvVg Twtc4kpXUkYDA== Precedence: bulk X-Mailing-List: rust-for-linux@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=UTF-8 Date: Sat, 30 May 2026 17:16:10 +0200 Message-Id: Subject: Re: [PATCH 3/4] rust: Add dma_fence abstractions Cc: "Miguel Ojeda" , "Boqun Feng" , "Gary Guo" , =?utf-8?q?Bj=C3=B6rn_Roy_Baron?= , "Benno Lossin" , "Andreas Hindborg" , "Alice Ryhl" , "Trevor Gross" , "Sumit Semwal" , =?utf-8?q?Christian_K=C3=B6nig?= , "Paul E. McKenney" , "Frederic Weisbecker" , "Neeraj Upadhyay" , "Joel Fernandes" , "Josh Triplett" , "Uladzislau Rezki" , "Steven Rostedt" , "Mathieu Desnoyers" , "Lai Jiangshan" , "Zqiang" , "Daniel Almeida" , "Greg Kroah-Hartman" , "Igor Korotin" , "Lorenzo Stoakes" , "Alexandre Courbot" , "FUJITA Tomonori" , "Krishna Ketan Rai" , "Shankari Anand" , , "Boris Brezillon" , , , , , , To: "Philipp Stanner" From: "Danilo Krummrich" References: <20260530143541.229628-2-phasta@kernel.org> <20260530143541.229628-5-phasta@kernel.org> In-Reply-To: <20260530143541.229628-5-phasta@kernel.org> (Not a full review, but a few drive-by comments.) On Sat May 30, 2026 at 4:35 PM CEST, Philipp Stanner wrote: > +#[allow(unused_unsafe)] What is this needed for? > +impl FenceCtx { > +impl PinnedDrop for FenceCtx { > + fn drop(self: Pin<&mut Self>) { > + // SAFETY: `rcu_barrier()` is always safe to be called. > + unsafe { bindings::rcu_barrier() }; We should probably add a safe function for this. > +impl FenceCbRegistration { > + /// Register a callback on a fence. > + /// > + /// On success the callback is pinned in place and will fire when th= e fence > + /// signals. On `AlreadySignaled` the callback is returned to the ca= ller so > + /// that owned resources can be reclaimed. 
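Review bot: The SAFETY comment on the `rcu_barrier()` call in `PinnedDrop for FenceCtx` says the call is always safe, but `rcu_barrier()` waits for outstanding RCU callbacks and can sleep, so this drop is only correct in a context that is allowed to block. The quoted lines do not show where the last owner of a `FenceCtx` can release it, so the requirement may already hold. If it does, the comment should say so, for example `// CONTEXT: may sleep; a FenceCtx must not be dropped in atomic context or inside an RCU read-side critical section.` A short why-comment naming which pending callbacks the barrier waits for would also help. The impl block continues outside the quoted fragment.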
> + pub fn new<'a>(fence: &'a Fence, callback: T) -> impl PinInit> + 'a > + where > + T: 'a, > + { > + // Uses `pin_init_from_closure` instead of `try_pin_init!` so th= at on > + // `-ENOENT` (already signaled) the callback can be read back fr= om the > + // partially-initialized slot and returned through the error. Seems a bit odd that this needs pin_init_from_closure(). You can still use try_pin_init!() with &this in Self an a _: initializer at the end in the wo= rst case. But the fence and callback fields should be fine to initialize "norma= lly"? > + // > + // SAFETY: `pin_init_from_closure` requires: > + // - On `Ok(())`: the slot is fully initialized and valid for `D= rop`. > + // - On `Err(_)`: the slot is clean, i.e.: no partially-initiali= zed fields > + // remain, and the slot can be deallocated without dropping. > + // > + // We uphold this as follows: > + // - On success: all three fields are initialized. Ok(()) is ret= urned. > + // - On ENOENT (already signaled): `callback` and `fence` are re= ad back > + // from the slot via `ptr::read`, leaving the slot clean. `cb`= was > + // initialized by `dma_fence_add_callback` (it calls > + // `INIT_LIST_HEAD(&cb->node)` even on error), but `cb` is > + // `Opaque` which has no `Drop`, so not dropping= it is > + // fine. The callback is returned through `AlreadySignaled(T)`= . > + // - On other errors: same cleanup as ENOENT, error returned as > + // `Other(e)`. > + unsafe { > + pin_init_from_closure(move |slot: *mut Self| { > + let slot_callback =3D &raw mut (*slot).callback; > + let slot_fence =3D &raw mut (*slot).fence; > + let slot_cb =3D &raw mut (*slot).cb; > + > + // Write callback and fence first =E2=80=94 must be visi= ble before > + // dma_fence_add_callback makes the registration live. 
> + core::ptr::write(slot_callback, callback); > + core::ptr::write(slot_fence, ARef::from(fence)); > + > + let ret =3D to_result(bindings::dma_fence_add_callback( > + fence.inner.get(), > + Opaque::cast_into(slot_cb), > + Some(Self::dma_fence_callback), > + )); > + > + match ret { > + Ok(()) =3D> Ok(()), > + Err(e) =3D> { > + // Read back what we wrote to leave the slot cle= an. > + let cb_back =3D core::ptr::read(slot_callback); > + let _fence_back =3D core::ptr::read(slot_fence); What's the purpose of _fence_back? > + > + if e.to_errno() =3D=3D ENOENT.to_errno() { > + Err(CallbackError::AlreadySignaled(cb_back)) > + } else { > + Err(CallbackError::Other(e)) > + } > + } > + } > + }) > + } > + } > + /// Signal the fence. This will invoke all registered callbacks. > + pub fn signal(self, res: Result) { > + let fence =3D self.as_raw(); > + let mut fence_flags: usize =3D 0; > + let flag_ptr =3D &raw mut fence_flags; > + > + // SAFETY: Once a `DriverFence` is initialized, the inner `fence= ` is > + // valid and initialized. It is valid until the refcount drops > + // to 0, which can earliest happen once the `DriverFence` has be= en dropped. > + unsafe { > + bindings::dma_fence_lock_irqsave(fence, flag_ptr); > + if !bindings::dma_fence_is_signaled_locked(fence) { > + if let Err(err) =3D res { > + bindings::dma_fence_set_error(fence, err.to_errno())= ; > + } > + bindings::dma_fence_signal_locked(fence); > + } > + bindings::dma_fence_unlock_irqrestore(fence, flag_ptr); > + } Please use a single unsafe block per unsafe function call, here and in a fe= w other places. > + } > +} > + > +// SAFETY: Fences are literally designed to be shared between threads. > +unsafe impl Send for DriverFence {= } > + > +impl Deref for DriverFence { > + type Target =3D F; > + > + fn deref(&self) -> &Self::Target { > + // SAFETY: Thanks to refcounting, `data` is always valid as long= as `self` is. 
> + let data =3D unsafe { &*self.data.as_ptr() }; > + > + &data.data > + } > +} > + > +/// A borrowed [`DriverFence`]. All you can do with it is access your us= er data > +/// and obtain a [`Fence`]. > +pub struct DriverFenceBorrow { This misses the lifetime bound, which is the purpose of this struct. > + /// The actual content of the fence. Lives in a raw pointer so that = its > + /// memory can be managed independently. Valid until both the [`Driv= erFence`] > + /// and all associated [`Fence`]s have disappeared. > + data: NonNull>, Why not use ManuallyDrop? This way you would only need a Deref= impl to &'a DriverFence. This way you basically reimplement the DriverFence type just without the destructor.
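Review bot: The SAFETY comment on `unsafe impl Send for DriverFence` justifies the impl by what fences are designed for rather than by what the type owns, and "shared between threads" is an argument for `Sync`, not `Send`. The generic parameters are missing from this rendering, so the bound on the user data is not visible. Because `Deref` hands out a reference to that data and the owner can be moved to another thread, the impl is presumably only sound if the user data type is itself `Send`. Suggest rewording it along the lines of `// SAFETY: the underlying dma_fence may be used from any thread, and the bound on F requires the user data to be Send.` and confirming that the bound is actually present.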