From nobody Mon Feb 9 05:59:35 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C059D2066CF for ; Tue, 13 May 2025 22:11:19 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.133.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1747174281; cv=none; b=ivZBiVbNsLGZK6/cC4XbM/+KkHKmWj5EVzLq1HJF76fRWmZ0rrQ7HHEoO5IVN/+IcHdUrD3/vbcvKUiTM6ikts0xbQjV3RILDdtPmCKzmeJdrrG7KzjyjyD/J8gICWwGBV+LU1fPdghgD1gnYKzu9xHQLrBxMh9bsIMkEFoAPXM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1747174281; c=relaxed/simple; bh=7d0VgSPJROTSMaQPGs5A4pTzXg/ZW8CCULSCOL8oGRs=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=h8SZtnbUEBTwG2qlWYvKqSSpu71238U5v0YEzCcgsV5W+kPKY906R9rhUKzYu/DGAAe8/dtpkvUIL1/3G2uIOKVWd3FTfadiRp5l0ATULLFTzrDYP3zPsSLG1ehHAgYPJwdAFXnUV9TkGi6RhlvFHg3QWj+8plGv6gExUDNiz7k= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=GFEDFjgE; arc=none smtp.client-ip=170.10.133.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="GFEDFjgE" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1747174278; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Tt1JSePFPFuckdQ49k5xhTN6H2hYpcBzjeDUG0vewRk=; b=GFEDFjgEU2lT4RrYJWRRj5FqIKrKAjgYzhqSo/k/+fatfFl/CSZxJw02DOsNdJ1YvrKBG8 s4//LVeBZOwxO4ROl9s8ziL2LaXdo3e7M1q4HBUpegXcCHLL3Ti7fd3Pa2Xvno1hNX1BZH nIwFSfjjJG3wJOABiKVHXFFc0SJpRok= Received: from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-218-p7kry4B1MlGfHFKlsC4WMg-1; Tue, 13 May 2025 18:11:15 -0400 X-MC-Unique: p7kry4B1MlGfHFKlsC4WMg-1 X-Mimecast-MFC-AGG-ID: p7kry4B1MlGfHFKlsC4WMg_1747174269 Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 82A9E1800374; Tue, 13 May 2025 22:11:08 +0000 (UTC) Received: from chopper.lyude.net (unknown [10.22.64.99]) by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 8100C1944A82; Tue, 13 May 2025 22:11:03 +0000 (UTC) From: Lyude Paul To: dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org Cc: Daniel Almeida , Maarten Lankhorst , Maxime Ripard , Thomas Zimmermann , David Airlie , Simona Vetter , Miguel Ojeda , Alex Gaynor , Boqun Feng , Gary Guo , =?UTF-8?q?Bj=C3=B6rn=20Roy=20Baron?= , Benno Lossin , Andreas Hindborg , Alice Ryhl , Trevor Gross , Danilo Krummrich , Asahi Lina , Alyssa Rosenzweig Subject: [PATCH v2 2/4] rust: drm: gem: Refactor IntoGEMObject::from_gem_obj() to as_ref() Date: Tue, 13 May 2025 18:09:55 -0400 Message-ID: <20250513221046.903358-3-lyude@redhat.com> In-Reply-To: <20250513221046.903358-1-lyude@redhat.com> References: <20250513221046.903358-1-lyude@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17 Content-Type: text/plain; charset="utf-8" There's a few issues with this function, mainly: * This function -probably- should have been unsafe from the start. Pointers are not always necessarily valid, but you want a function that does field-projection for a pointer that can travel outside of the original struct to be unsafe, at least if I understand properly. * *mut Self is not terribly useful in this context, the majority of uses of from_gem_obj() grab a *mut Self and then immediately convert it into a &'a Self. It also goes against the ffi conventions we've set in the rest of the kernel thus far. * from_gem_obj() also doesn't follow the naming conventions in the rest of the DRM bindings at the moment, as_ref() would be a better name. So, let's: * Make from_gem_obj() unsafe * Convert it to return &'a Self * Rename it to as_ref() * Update all call locations Signed-off-by: Lyude Paul Reviewed-by: Daniel Almeida --- V2: * Apply Danilo's comments in lookup_handle() * Add safety comment from Daniel Signed-off-by: Lyude Paul --- rust/kernel/drm/gem/mod.rs | 69 ++++++++++++++++++++++++-------------- 1 file changed, 43 insertions(+), 26 deletions(-) diff --git a/rust/kernel/drm/gem/mod.rs b/rust/kernel/drm/gem/mod.rs index df8f9fdae5c22..1ea1f15d8313c 100644 --- a/rust/kernel/drm/gem/mod.rs +++ b/rust/kernel/drm/gem/mod.rs @@ -45,8 +45,14 @@ pub trait IntoGEMObject: Sized + super::private::Sealed { #[allow(clippy::wrong_self_convention)] fn into_gem_obj(&self) -> &Opaque; =20 - /// Converts a pointer to a `struct drm_gem_object` into a pointer to = `Self`. - fn from_gem_obj(obj: *mut bindings::drm_gem_object) -> *mut Self; + /// Converts a pointer to a `struct drm_gem_object` into a reference t= o `Self`. + /// + /// # Safety + /// + /// - `self_ptr` must be a valid pointer to `Self`. + /// - The caller promises that holding the immutable reference returne= d by this function does + /// not violate rust's data aliasing rules and remains valid through= out the lifetime of `'a`. + unsafe fn as_ref<'a>(self_ptr: *mut bindings::drm_gem_object) -> &'a S= elf; } =20 /// Trait which must be implemented by drivers using base GEM objects. @@ -63,14 +69,13 @@ extern "C" fn open_callback, U: = BaseObject>( let file =3D unsafe { drm::File::<<::Driver as drm::Driver>::File>::= as_ref(raw_file) }; - let obj =3D - <<::Driver as drm::Driver>::Object as IntoGEMO= bject>::from_gem_obj( - raw_obj, - ); - - // SAFETY: `from_gem_obj()` returns a valid pointer as long as the typ= e is correct and the - // `raw_obj` we got is valid. - match T::open(unsafe { &*obj }, file) { + // SAFETY: `open_callback` is specified in the AllocOps structure for = `Object`, ensuring that + // `raw_obj` is indeed contained within a `Object`. + let obj =3D unsafe { + <<::Driver as drm::Driver>::Object as IntoGEMO= bject>::as_ref(raw_obj) + }; + + match T::open(obj, file) { Err(e) =3D> e.to_errno(), Ok(()) =3D> 0, } @@ -84,14 +89,13 @@ extern "C" fn close_callback, U:= BaseObject>( let file =3D unsafe { drm::File::<<::Driver as drm::Driver>::File>::= as_ref(raw_file) }; - let obj =3D - <<::Driver as drm::Driver>::Object as IntoGEMO= bject>::from_gem_obj( - raw_obj, - ); - - // SAFETY: `from_gem_obj()` returns a valid pointer as long as the typ= e is correct and the - // `raw_obj` we got is valid. - T::close(unsafe { &*obj }, file); + // SAFETY: `close_callback` is specified in the AllocOps structure for= `Object`, ensuring + // that `raw_obj` is indeed contained within a `Object`. + let obj =3D unsafe { + <<::Driver as drm::Driver>::Object as IntoGEMO= bject>::as_ref(raw_obj) + }; + + T::close(obj, file); } =20 impl IntoGEMObject for Object { @@ -101,9 +105,10 @@ fn into_gem_obj(&self) -> &Opaque { &self.obj } =20 - fn from_gem_obj(obj: *mut bindings::drm_gem_object) -> *mut Self { - // SAFETY: All of our objects are Object. - unsafe { crate::container_of!(obj, Object, obj).cast_mut() } + unsafe fn as_ref<'a>(self_ptr: *mut bindings::drm_gem_object) -> &'a S= elf { + // SAFETY: `obj` is guaranteed to be in an `Object` via the saf= ety contract of this + // function + unsafe { &*crate::container_of!(self_ptr, Object, obj) } } } =20 @@ -144,11 +149,23 @@ fn lookup_handle( ) -> Result> { // SAFETY: The arguments are all valid per the type invariants. let ptr =3D unsafe { bindings::drm_gem_object_lookup(file.as_raw()= .cast(), handle) }; - let ptr =3D ::from_gem_obj(ptr); - let ptr =3D NonNull::new(ptr).ok_or(ENOENT)?; - - // SAFETY: We take ownership of the reference of `drm_gem_object_l= ookup()`. - Ok(unsafe { ARef::from_raw(ptr) }) + if ptr.is_null() { + return Err(ENOENT); + } + + // SAFETY: + // - A `drm::Driver` can only have a single `File` implementation. + // - `file` uses the same `drm::Driver` as `Self`. + // - Therefore, we're guaranteed that `ptr` must be a gem object e= mbedded within `Self`. + // - And we check if the pointer is null befoe calling as_ref(), e= nsuring that `ptr` is a + // valid pointer to an initialized `Self`. + let obj =3D unsafe { Self::as_ref(ptr) }; + + // SAFETY: + // - We take ownership of the reference of `drm_gem_object_lookup(= )`. + // - Our `NonNull` comes from an immutable reference, thus ensurin= g it is a valid pointer to + // `Self`. + Ok(unsafe { ARef::from_raw(obj.into()) }) } =20 /// Creates an mmap offset to map the object from userspace. --=20 2.49.0