Claude review: rust: device: Higher-Ranked Lifetime Types for device drivers

[Claude Code Review Bot <claude-review@example.com>]

Overall Series Review

Subject: rust: device: Higher-Ranked Lifetime Types for device drivers
Author: Danilo Krummrich <dakr@kernel.org>
Patches: 29
Reviewed: 2026-05-18T16:24:32.434878

---

This 27-patch series introduces **Higher-Ranked Lifetime Types (HRT)** to the Rust device driver abstractions in the Linux kernel. The core idea is elegant: by parameterizing driver data with a binding-scope lifetime `'bound`, the type system statically enforces that driver-owned resources cannot outlive the device binding. This eliminates an entire class of use-after-unbind bugs that previously required runtime checks (revocable `Devres<T>` wrappers with `Arc` overhead).

**Architecture:** The series introduces a `ForLt` trait (patch 16) that acts as a poor-man's higher-kinded type — necessary because Rust lacks native HKT support. Bus driver traits (`pci::Driver`, `platform::Driver`, etc.) gain a Generic Associated Type `type Data<'bound>: 'bound`, replacing the old `type IdInfo`. The C driver core is modified (patch 4) to call `post_unbind_rust` *before* `devres_release_all()`, which is essential for soundness — Rust destructors must run while resources are still live.

**Strengths:**
- Dramatically simplifies driver code: the PCI sample driver (patch 21) drops `PinnedDrop`, `Devres`, `ARef`, `Arc`, and `RevocableMutex` — replaced by plain references with lifetime tracking
- Sound design with formal covariance proofs in the `ForLt!()` macro
- Incremental migration path: drivers can still use `Devres<T>` where needed via `into_devres()`
- Well-structured patch ordering with clear logical progression

**Concerns:**
1. **The `transmute` in `into_devres()`** (patches 17, 19, 20) erases the `'bound` lifetime to `'static`. The safety argument ("Devres guarantees revocation before unbind") is sound *given* the C-side reordering in patch 4, but this creates a non-local safety invariant spanning Rust and C code.
2. **The unsafe self-referential init in nova-core** (patch 24) uses `unsafe { &*core::ptr::from_ref(bar) }` to create a self-referential borrow during pin-init. The safety comment is minimal.
3. **`ForLt` covariance enforcement** relies on a proc-macro-generated proof function — the soundness of the entire lifetime system rests on this macro being correct.
4. **The C-side change** (patch 4) reorders `devres_release_all` after `post_unbind_rust` for *all* drivers, not just Rust ones. This needs careful review from the driver core maintainers to ensure no C drivers depend on the current ordering.

**Verdict:** This is a well-designed series that represents a significant improvement to the Rust driver model's safety and ergonomics. The unsafe code is concentrated in a few well-identified locations with clear safety arguments. The main risk is the C-side reordering in patch 4 and its interaction with existing drivers.

---

---
Generated by Claude Code Patch Reviewer