On Thu, Feb 12, 2026 at 8:59 AM Maxime Ripard <[email protected]> wrote:
> It works *today*.

The code we have today is both safe and unsound. That is a bug, and it *must* be fixed.

> And the "oh but driver is using the API" is kind of ironic in the
> context of the Rust bindings which have globally been in that situation
> for years. You can't argue it both ways.

I don't really know what is meant by this. This API is for real Rust drivers that have already started landing upstream. Sometimes we merge APIs *before* their user lands, but not without a user. We generally are quite consistent that Rust APIs must have a real Rust driver that uses it. It's the usual no-dead-code rule in the kernel.

> Either way, I'm not sure what the point of that submission was if you
> will just dismiss diverging opinions, including attempts to compromise.

It is true that we are unwilling to compromise on the requirement that APIs must be sound. It really does not matter how convenient the API is when it's this easy to get it wrong and decrement the refcount when you did not increment it. I'm sorry, but that's the way it is.

In your latest email, the suggestion came up to make the API unsafe. That's more acceptable, but see my other email from half an hour ago.

Alice
