On Thu, Sep 11, 2025 at 06:57:40PM -0400, Lyude Paul wrote:
> In order to implement the gem export callback, we need a type to represent
> struct dma_buf. So - this commit introduces a set of stub bindings for
> dma_buf. These bindings provide a ref-counted DmaBuf object, but don't
> currently implement any functionality for using the DmaBuf.
> 
> Signed-off-by: Lyude Paul <ly...@redhat.com>
> Reviewed-by: Daniel Almeida <daniel.alme...@collabora.com>
> 
> ---
> V3:
> * Rename as_ref() to from_raw()
> V4:
> * Add missing period to rustdoc at top of file
> 
>  rust/kernel/dma_buf.rs | 40 ++++++++++++++++++++++++++++++++++++++++
>  rust/kernel/lib.rs     |  1 +
>  2 files changed, 41 insertions(+)
>  create mode 100644 rust/kernel/dma_buf.rs
> 
> diff --git a/rust/kernel/dma_buf.rs b/rust/kernel/dma_buf.rs
> new file mode 100644
> index 0000000000000..50be3e4dd4098
> --- /dev/null
> +++ b/rust/kernel/dma_buf.rs
> @@ -0,0 +1,40 @@
> +// SPDX-License-Identifier: GPL-2.0
> +
> +//! DMA buffer API.
> +//!
> +//! C header: [`include/linux/dma-buf.h`](srctree/include/linux/dma-buf.h)
> +
> +use bindings;
> +use kernel::types::*;
> +
> +/// A DMA buffer object.
> +///
> +/// # Invariants
> +///
> +/// The data layout of this type is equivalent to that of `struct dma_buf`.

I can already deduce that from the fact that it's a repr(transparent)
wrapper around Opaque<bindings::dma_buf>. Invariants should provide
*additional* guarantees that can't be deduced just from the declaration.

I would reword this to say that it contains a valid dma_buf rather than
speaking about the layout.

> +#[repr(transparent)]
> +pub struct DmaBuf(Opaque<bindings::dma_buf>);
> +
> +// SAFETY: `struct dma_buf` is thread-safe
> +unsafe impl Send for DmaBuf {}
> +// SAFETY: `struct dma_buf` is thread-safe
> +unsafe impl Sync for DmaBuf {}
> +
> +#[expect(unused)]

By making these methods pub, you don't need this #[expect].

> +impl DmaBuf {
> +    /// Convert from a `*mut bindings::dma_buf` to a [`DmaBuf`].
> +    ///
> +    /// # Safety
> +    ///
> +    /// The caller guarantees that `self_ptr` points to a valid initialized 
> `struct dma_buf` for the
> +    /// duration of the lifetime of `'a`, and promises to not violate rust's 
> data aliasing rules
> +    /// using the reference provided by this function.
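
Review bot: the two `// SAFETY: struct dma_buf is thread-safe` comments on the `unsafe impl Send` and `unsafe impl Sync` lines assert the property without saying why it holds. Please state what the claim relies on, and justify the two impls separately, since moving a `DmaBuf` to another thread and sharing `&DmaBuf` between threads are different guarantees. A smaller style point at the top of the file: `use kernel::types::*;` is a glob import, while the visible code only uses `Opaque` from it; importing the names actually used would make the dependency explicit.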

I would just drop the sentence about the aliasing rules. If the caller
performs an unsafe operation on this DmaBuf, then the safety comment on
*that* unsafe operation should justify this - it's not needed here.

And if they violate the aliasing rules with a safe operation, then
probably that safe operation should be redesigned to prevent that,
rather than having a blanket statement here.

Alice
