From mboxrd@z Thu Jan 1 00:00:00 1970 From: Claude Code Review Bot To: dri-devel-reviews@example.com Subject: Claude review: rust: device: Higher-Ranked Lifetime Types for device drivers Date: Mon, 18 May 2026 16:24:32 +1000 Message-ID: In-Reply-To: <20260517000149.3226762-1-dakr@kernel.org> References: <20260517000149.3226762-1-dakr@kernel.org> X-Mailer: Claude Code Patch Reviewer Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Overall Series Review Subject: rust: device: Higher-Ranked Lifetime Types for device drivers Author: Danilo Krummrich Patches: 29 Reviewed: 2026-05-18T16:24:32.434878 --- This 27-patch series introduces **Higher-Ranked Lifetime Types (HRT)** to t= he Rust device driver abstractions in the Linux kernel. The core idea is el= egant: by parameterizing driver data with a binding-scope lifetime `'bound`= , the type system statically enforces that driver-owned resources cannot ou= tlive the device binding. This eliminates an entire class of use-after-unbi= nd bugs that previously required runtime checks (revocable `Devres` wrap= pers with `Arc` overhead). **Architecture:** The series introduces a `ForLt` trait (patch 16) that act= s as a poor-man's higher-kinded type =E2=80=94 necessary because Rust lacks= native HKT support. Bus driver traits (`pci::Driver`, `platform::Driver`, = etc.) gain a Generic Associated Type `type Data<'bound>: 'bound`, replacing= the old `type IdInfo`. The C driver core is modified (patch 4) to call `po= st_unbind_rust` *before* `devres_release_all()`, which is essential for sou= ndness =E2=80=94 Rust destructors must run while resources are still live. **Strengths:** - Dramatically simplifies driver code: the PCI sample driver (patch 21) dro= ps `PinnedDrop`, `Devres`, `ARef`, `Arc`, and `RevocableMutex` =E2=80=94 re= placed by plain references with lifetime tracking - Sound design with formal covariance proofs in the `ForLt!()` macro - Incremental migration path: drivers can still use `Devres` where neede= d via `into_devres()` - Well-structured patch ordering with clear logical progression **Concerns:** 1. **The `transmute` in `into_devres()`** (patches 17, 19, 20) erases the `= 'bound` lifetime to `'static`. The safety argument ("Devres guarantees revo= cation before unbind") is sound *given* the C-side reordering in patch 4, b= ut this creates a non-local safety invariant spanning Rust and C code. 2. **The unsafe self-referential init in nova-core** (patch 24) uses `unsaf= e { &*core::ptr::from_ref(bar) }` to create a self-referential borrow durin= g pin-init. The safety comment is minimal. 3. **`ForLt` covariance enforcement** relies on a proc-macro-generated proo= f function =E2=80=94 the soundness of the entire lifetime system rests on t= his macro being correct. 4. **The C-side change** (patch 4) reorders `devres_release_all` after `pos= t_unbind_rust` for *all* drivers, not just Rust ones. This needs careful re= view from the driver core maintainers to ensure no C drivers depend on the = current ordering. **Verdict:** This is a well-designed series that represents a significant i= mprovement to the Rust driver model's safety and ergonomics. The unsafe cod= e is concentrated in a few well-identified locations with clear safety argu= ments. The main risk is the C-side reordering in patch 4 and its interactio= n with existing drivers. --- --- Generated by Claude Code Patch Reviewer