From mboxrd@z Thu Jan  1 00:00:00 1970
From: Claude Code Review Bot <claude-review@example.com>
To: dri-devel-reviews@example.com
Subject: Claude review: rust: implement `ForeignOwnable` for `Owned`
Date: Mon, 23 Feb 2026 06:08:51 +1000
Message-ID: <review-patch8-20260220-unique-ref-v15-8-893ed86b06cc@kernel.org>
In-Reply-To: <20260220-unique-ref-v15-8-893ed86b06cc@kernel.org>
References: <20260220-unique-ref-v15-0-893ed86b06cc@kernel.org> <20260220-unique-ref-v15-8-893ed86b06cc@kernel.org>
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0

Patch Review

> +unsafe impl<T: Ownable + 'static> ForeignOwnable for Owned<T> {
> +    const FOREIGN_ALIGN: usize = core::mem::align_of::<Owned<T>>();

This looks incorrect. `Owned<T>` is `#[repr(transparent)]` over `NonNull<T>`, so `align_of::<Owned<T>>()` equals `align_of::<NonNull<T>>()`, which is pointer alignment (typically 8 on 64-bit). But `into_foreign` returns `self.ptr.as_ptr().cast()`, a pointer to `T`, whose alignment is `align_of::<T>()`. For a type `T` with alignment smaller than pointer alignment, `FOREIGN_ALIGN` would overstate the actual alignment of the returned pointer, violating the `ForeignOwnable` contract. This matters because the `XArray` checks `T::FOREIGN_ALIGN >= 4` at compile time -- an `Owned<T>` with small `T` alignment would pass this check but produce insufficiently aligned pointers.

The fix should be `core::mem::align_of::<T>()`, matching what `KBox` does:

```rust
const FOREIGN_ALIGN: usize = core::mem::align_of::<T>();
```

The SAFETY comment on the trait impl confirms this was the intent:

> // SAFETY: We derive the pointer to `T` from a valid `T`, so the returned
> // pointer satisfy alignment requirements of `T`.

The comment says "alignment requirements of T" -- so the constant should also reflect `T`, not `Owned<T>`.

> +    unsafe fn borrow_mut<'a>(ptr: *mut kernel::ffi::c_void) -> Self::BorrowedMut<'a> {
> +        let inner = unsafe { &mut *ptr.cast() };
> +        // SAFETY: We never move out of inner, and we do not hand out mutable
> +        // references when `T: !Unpin`.
> +        unsafe { Pin::new_unchecked(inner) }

The `Pin::new_unchecked` safety argument here is the same structural argument Alice flagged in patch 1 -- it would be more robust if pinning were a type invariant.

---
Generated by Claude Code Patch Reviewer