With the Opaque<T>, the expectations are that Rust should not
make any assumptions on the layout or invariants of the wrapped
C types. That runs rather counter to ioctl arguments, which must
adhere to certain data-layout constraits. By using Opaque<T>,
ioctl handlers are forced to use unsafe code where non is acually
needed. This adds needless complexity and maintenance overhead,
brining no safety benefits.
Drop the use of Opaque for ioctl arguments as that is not the best
fit here.
Signed-off-by: Beata Michalska <beata.michal...@arm.com>
---
rust/kernel/drm/ioctl.rs | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/rust/kernel/drm/ioctl.rs b/rust/kernel/drm/ioctl.rs
index 445639404fb7..3425a835f9cd 100644
--- a/rust/kernel/drm/ioctl.rs
+++ b/rust/kernel/drm/ioctl.rs
@@ -83,7 +83,7 @@ pub mod internal {
///
/// ```ignore
/// fn foo(device: &kernel::drm::Device<Self>,
-/// data: &Opaque<uapi::argument_type>,
+/// data: &mut uapi::argument_type,
/// file: &kernel::drm::File<Self::File>,
/// ) -> Result<u32>
/// ```
@@ -138,9 +138,12 @@ pub mod internal {
// SAFETY: The ioctl argument has size
`_IOC_SIZE(cmd)`, which we
// asserted above matches the size of this type,
and all bit patterns of
// UAPI structs must be valid.
- let data = unsafe {
- &*(raw_data as *const
$crate::types::Opaque<$crate::uapi::$struct>)
- };
+ // The `ioctl` argument is exclusively owned by
the handler
+ // and guaranteed by the C implementation
(`drm_ioctl()`) to remain
+ // valid for the entire lifetime of the reference
taken here.
+ // There is no concurrent access or aliasing; no
other references
+ // to this object exist during this call.
+ let data = unsafe { &mut *(raw_data as *mut
$crate::uapi::$struct) };
// SAFETY: This is just the DRM file structure
let file = unsafe {
$crate::drm::File::as_ref(raw_file) };
--
2.25.1
