From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 77160C55184 for ; Fri, 20 Feb 2026 10:35:17 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id C181A10E010; Fri, 20 Feb 2026 10:35:16 +0000 (UTC) Authentication-Results: gabe.freedesktop.org; dkim=pass (2048-bit key; unprotected) header.d=google.com header.i=@google.com header.b="G97tDMMG"; dkim-atps=neutral Received: from mail-wm1-f74.google.com (mail-wm1-f74.google.com [209.85.128.74]) by gabe.freedesktop.org (Postfix) with ESMTPS id 777E710E010 for ; Fri, 20 Feb 2026 10:35:15 +0000 (UTC) Received: by mail-wm1-f74.google.com with SMTP id 5b1f17b1804b1-483786a09b1so17124965e9.3 for ; Fri, 20 Feb 2026 02:35:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1771583714; x=1772188514; darn=lists.freedesktop.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=SuBBZbTgNeFNGP2KTDBOL9VXYwpq19RWtpTtqUl4jLA=; b=G97tDMMGkZMeXDcHJiLPJMyt+NZ6s0FmMlcSTwabI+ArSXYK9gGXP83gCSr+41f9sJ CCce4hGLe+TKCNph+14qG3YzN6SS0GMilDXXddB+OqYwfH8n2NRW4eJU/NGb+8T1NSRO KFtii+qHqpVU/X2B1W+1VgtIgW2CJJTJM4fUy9xsOp/mTpQUVTZG5ryYNhuy9eux7Xhq MXTfmd5O5VJQc6hbLoa65q6O0rND01p5cUx59eX+FSDylYfFEdbdvu2wvgxdDMvyWvtz i8vRna1H+YHzTLfkc/m/ozLSw5whoLHDTL6d8UJO+5lH12SJTR9tlVj9BPkD6jYzRtHu o4OQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1771583714; x=1772188514; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=SuBBZbTgNeFNGP2KTDBOL9VXYwpq19RWtpTtqUl4jLA=; b=BNWBDtHrBV7fqQwLS2Qcr6jibA9VXORUhmF6655DhDDTyYcRng64jRlkWPT5fmWNP1 bL9K6iV8gy4oooeEu8HMylm/ZtgCoAmcz87TvdK69nBqitV8nZeKPX2TqcMuTK2snNqd VAWkvnN43BWWvF4cttiGBehSr0UgNam71H+KHjAYRiUK2NXxTiYsOlBjscQSvUHbHgqn KPa+mapHVHWPr+RVHnBIwy9lpHd5Eq+J7W/LcRKTP+SQKQnOEBX0bE9g0gLoH9wyrGaa gL83pY27DdkEIH8ikGp3byD+WJL4m+XVg2ugk/8M7qtNPo4AbavMY80N/msiHWy0mcOB OMrA== X-Forwarded-Encrypted: i=1; AJvYcCXXPPtezEA5HAui2QgmzOx20DDTqLTxeph4epqAMoX+074+Z24sE1m3qKqGvBopZuwEZTi8j+Ja42Q=@lists.freedesktop.org X-Gm-Message-State: AOJu0YxpUnMZTKghQKiKcl46dA/f9THnJTqEKv20H3uzaYbryWN/A749 mmvITcJKEQp7fQNgtLm48z35in9H3LKwe3ctoriaGBh/L3Nb825KpUmeq6WVW9Vxfsmbeov5WjF 1wJEHAdiAn0B+d8Mozg== X-Received: from wmbdr17.prod.google.com ([2002:a05:600c:6091:b0:480:4a03:7b73]) (user=aliceryhl job=prod-delivery.src-stubby-dispatcher) by 2002:a05:600c:8b26:b0:465:a51d:d4 with SMTP id 5b1f17b1804b1-48398a47222mr123364405e9.6.1771583713704; Fri, 20 Feb 2026 02:35:13 -0800 (PST) Date: Fri, 20 Feb 2026 10:35:12 +0000 In-Reply-To: <20260220-unique-ref-v15-1-893ed86b06cc@kernel.org> Mime-Version: 1.0 References: <20260220-unique-ref-v15-0-893ed86b06cc@kernel.org> <20260220-unique-ref-v15-1-893ed86b06cc@kernel.org> Message-ID: Subject: Re: [PATCH v15 1/9] rust: types: Add Ownable/Owned types From: Alice Ryhl To: Andreas Hindborg Cc: Miguel Ojeda , Gary Guo , "=?utf-8?B?QmrDtnJu?= Roy Baron" , Benno Lossin , Trevor Gross , Danilo Krummrich , Greg Kroah-Hartman , Dave Ertman , Ira Weiny , Leon Romanovsky , Paul Moore , Serge Hallyn , "Rafael J. Wysocki" , David Airlie , Simona Vetter , Alexander Viro , Christian Brauner , Jan Kara , Igor Korotin , Daniel Almeida , Lorenzo Stoakes , "Liam R. Howlett" , Viresh Kumar , Nishanth Menon , Stephen Boyd , Bjorn Helgaas , "Krzysztof =?utf-8?Q?Wilczy=C5=84ski?=" , Boqun Feng , linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org, linux-block@vger.kernel.org, linux-security-module@vger.kernel.org, dri-devel@lists.freedesktop.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-pm@vger.kernel.org, linux-pci@vger.kernel.org, Asahi Lina , Oliver Mangold Content-Type: text/plain; charset="utf-8" X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" On Fri, Feb 20, 2026 at 10:51:10AM +0100, Andreas Hindborg wrote: > From: Asahi Lina > > By analogy to `AlwaysRefCounted` and `ARef`, an `Ownable` type is a > (typically C FFI) type that *may* be owned by Rust, but need not be. Unlike > `AlwaysRefCounted`, this mechanism expects the reference to be unique > within Rust, and does not allow cloning. > > Conceptually, this is similar to a `KBox`, except that it delegates > resource management to the `T` instead of using a generic allocator. > > [ om: > - Split code into separate file and `pub use` it from types.rs. > - Make from_raw() and into_raw() public. > - Remove OwnableMut, and make DerefMut dependent on Unpin instead. > - Usage example/doctest for Ownable/Owned. > - Fixes to documentation and commit message. > ] > > Link: https://lore.kernel.org/all/20250202-rust-page-v1-1-e3170d7fe55e@asahilina.net/ > Signed-off-by: Asahi Lina > Co-developed-by: Oliver Mangold > Signed-off-by: Oliver Mangold > Reviewed-by: Boqun Feng > Reviewed-by: Daniel Almeida > [ Andreas: Updated documentation, examples, and formatting ] > Reviewed-by: Gary Guo > Co-developed-by: Andreas Hindborg > Signed-off-by: Andreas Hindborg > +/// let result = NonNull::new(KBox::into_raw(result)) > +/// .expect("Raw pointer to newly allocation KBox is null, this should never happen."); KBox should probably have an into_raw_nonnull(). > +/// let foo = Foo::new().expect("Failed to allocate a Foo. This shouldn't happen"); > +/// assert!(*FOO_ALLOC_COUNT.lock() == 1); Use ? here. > +/// } > +/// // `foo` is out of scope now, so we expect no live allocations. > +/// assert!(*FOO_ALLOC_COUNT.lock() == 0); > +/// ``` > +pub unsafe trait Ownable { > + /// Releases the object. > + /// > + /// # Safety > + /// > + /// Callers must ensure that: > + /// - `this` points to a valid `Self`. > + /// - `*this` is no longer used after this call. > + unsafe fn release(this: NonNull); Honestly, not using it after this call may be too strong. I can imagine wanting a value where I have both an ARef<_> and Owned<_> reference to something similar to the existing Arc<_>/ListArc<_> pattern, and in that case the value may in fact be accessed after this call if you still have an ARef<_>. If you modify Owned<_> invariants and Owned::from_raw() safety requirements along the lines of what I say below, then this could just say that the caller must have permission to call this function. The concrete implementer can specify what that means more directly, but here all it means is that a prior call to Owned::from_raw() promised to give you permission to call it. > +/// A mutable reference to an owned `T`. > +/// > +/// The [`Ownable`] is automatically freed or released when an instance of [`Owned`] is > +/// dropped. > +/// > +/// # Invariants > +/// > +/// - The [`Owned`] has exclusive access to the instance of `T`. > +/// - The instance of `T` will stay alive at least as long as the [`Owned`] is alive. > +pub struct Owned { > + ptr: NonNull, > +} I think some more direct and less fuzzy invariants would be: - This `Owned` holds permissions to call `T::release()` on the value once. - Until `T::release()` is called, this `Owned` may perform mutable access on the `T`. - The `T` value is pinned. > + /// Get a pinned mutable reference to the data owned by this `Owned`. > + pub fn as_pin_mut(&mut self) -> Pin<&mut T> { > + // SAFETY: The type invariants guarantee that the object is valid, and that we can safely > + // return a mutable reference to it. > + let unpinned = unsafe { self.ptr.as_mut() }; > + > + // SAFETY: We never hand out unpinned mutable references to the data in > + // `Self`, unless the contained type is `Unpin`. > + unsafe { Pin::new_unchecked(unpinned) } I'd prefer if "pinned" was a type invariant, rather than make an argument about what kind of APIs exist. > +impl DerefMut for Owned { > + fn deref_mut(&mut self) -> &mut Self::Target { > + // SAFETY: The type invariants guarantee that the object is valid, and that we can safely > + // return a mutable reference to it. > + unsafe { self.ptr.as_mut() } Surely this safety comment should say something about pinning. Alice