From: Asahi Lina
Date: Mon, 3 Feb 2025 23:17:20 +0900
Subject: Re: [PATCH 1/6] rust: types: Add Ownable/Owned types
To: Alice Ryhl
Cc: Miguel Ojeda, Alex Gaynor, Boqun Feng, Gary Guo, Björn Roy Baron, Benno Lossin, Andreas Hindborg, Trevor Gross, Jann Horn, Matthew Wilcox, Paolo Bonzini, Danilo Krummrich, Wedson Almeida Filho, Valentin Obst, Andrew Morton, linux-mm@kvack.org, airlied@redhat.com, Abdiel Janulgue, rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org, asahi@lists.linux.dev
References: <20250202-rust-page-v1-0-e3170d7fe55e@asahilina.net> <20250202-rust-page-v1-1-e3170d7fe55e@asahilina.net>

On 2/3/25 6:13 PM, Alice Ryhl wrote:
> On Sun, Feb 2, 2025 at 2:06 PM Asahi Lina wrote:
>>
>> By analogy to AlwaysRefCounted and ARef, an Ownable type is a (typically
>> C FFI) type that *may* be owned by Rust, but need not be. Unlike
>> AlwaysRefCounted, this mechanism expects the reference to be unique
>> within Rust, and does not allow cloning.
>>
>> Conceptually, this is similar to a KBox, except that it delegates
>> resource management to the T instead of using a generic allocator.
>>
>> Signed-off-by: Asahi Lina
>
> Overall LGTM.
>
>> +/// A subtrait of Ownable that asserts that an `Owned` Rust reference is not only unique >> +/// within Rust and keeps the `T` alive, but also guarantees that the C code follows the >> +/// usual mutable reference requirements. That is, the kernel will never mutate the >> +/// `T` (excluding internal mutability that follows the usual rules) while Rust owns it. >> +/// >> +/// When this type is implemented for an [`Ownable`] type, it allows `Owned` to be >> +/// dereferenced into a &mut T. >> +/// >> +/// # Safety >> +/// >> +/// Implementers must ensure that the kernel never mutates the underlying type while >> +/// Rust owns it. 
>> +pub unsafe trait OwnableMut: Ownable {}
>
> Giving out mutable references allows users to call core::mem::swap on
> the object. We must require that this is allowed.

Hmm, yeah. I don't use this yet, and I'm not sure if it makes much sense
with that caveat. I'll drop it for v2.

>
>> +impl Owned { >> + /// Creates a new instance of [`Owned`]. >> + /// >> + /// It takes over ownership of the underlying object. >> + /// >> + /// # Safety >> + /// >> + /// Callers must ensure that the underlying object is acquired and can be considered owned by >> + /// Rust. >> + pub(crate) unsafe fn from_raw(ptr: NonNull) -> Self { >> + // INVARIANT: The safety requirements guarantee that the new instance now owns the >> + // reference. >> + Self { >> + ptr, >> + _p: PhantomData, >> + } >> + } >> + >> + /// Consumes the `Owned`, returning a raw pointer. >> + /// >> + /// This function does not actually relinquish ownership of the object. >> + /// After calling this function, the caller is responsible for ownership previously managed >> + /// by the `Owned`. >> + #[allow(dead_code)] >> + pub(crate) fn into_raw(me: Self) -> NonNull {
>
> I would just make these methods public, like the ARef ones. Then you
> can drop the #[allow(dead_code)] annotation.

Does it make sense to ever have drivers doing this? I feel like these
methods should be limited to the kernel crate.

~~ Lina
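
Review bot: The `# Safety` section of `OwnableMut` only rules out the kernel mutating the object while Rust owns it, but the doc comment says the trait lets `Owned` be dereferenced into a `&mut T`, and safe code holding a `&mut T` can overwrite or swap the whole value (the `core::mem::swap` case raised in the reply). Suggest extending the contract so that implementers must also guarantee the underlying type stays valid when it is moved or replaced by value, or not handing out `&mut T` at all. Minor: the first doc line says "A subtrait of Ownable" without the intra-doc link used further down as [`Ownable`], and "&mut T" is missing backticks.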
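
Review bot: The `# Safety` text on `from_raw` ("acquired and can be considered owned by Rust") does not spell out what the caller has to guarantee. Since the commit message says the reference is expected to be unique within Rust, suggest stating that `ptr` must point to a valid object and that no other `Owned` for the same object exists. In the `into_raw` doc, "This function does not actually relinquish ownership of the object" reads as contradicting "Consumes the `Owned`"; saying that the object is not released and that the caller takes over responsibility for it would be clearer.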
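
The `core::mem::swap` concern raised in the review, as an added userspace sketch that is not part of the original thread or of the patch. `CObject` and `OwnedSketch` are constructed stand-ins (assumptions): `CObject` models a C object whose validity depends on the address recorded when it was initialised, and `OwnedSketch` models an owning handle that hands out `&mut T`.

```rust
use std::mem;

/// Constructed stand-in for an address-sensitive C object (for example one
/// that C code has linked into a list by address). Not a kernel type.
struct CObject {
    id: u32,
    /// Address the "C side" recorded when it initialised the object.
    registered_at: usize,
}

impl CObject {
    /// True while the object still lives at the address C recorded.
    fn invariant_holds(&self) -> bool {
        self as *const Self as usize == self.registered_at
    }
}

/// Hypothetical miniature of an owning handle that exposes `&mut T`.
struct OwnedSketch(Box<CObject>);

impl OwnedSketch {
    fn new(id: u32) -> Self {
        let mut obj = Box::new(CObject { id, registered_at: 0 });
        let addr = &*obj as *const CObject as usize; // what "C init" would record
        obj.registered_at = addr;
        OwnedSketch(obj)
    }
    fn get(&self) -> &CObject { &self.0 }
    fn get_mut(&mut self) -> &mut CObject { &mut self.0 }
}

/// Entirely safe code: swaps the two pointees by value and reports whether
/// each object's address invariant survived.
fn swap_pointees(a: &mut OwnedSketch, b: &mut OwnedSketch) -> (bool, bool) {
    mem::swap(a.get_mut(), b.get_mut());
    (a.get().invariant_holds(), b.get().invariant_holds())
}

fn main() {
    let (mut a, mut b) = (OwnedSketch::new(1), OwnedSketch::new(2));
    assert!(a.get().invariant_holds() && b.get().invariant_holds());
    let after = swap_pointees(&mut a, &mut b);
    println!("invariants after swap: {:?}; ids now {} / {}", after, a.get().id, b.get().id);
}
```

No `unsafe` appears in `swap_pointees`, which is why a trait that unlocks `&mut T` has to make "moving or replacing the value is fine" part of its safety contract.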