Devres<T> stores resources as T and returns &'a T from access(). For lifetime-parameterized types like Bar<'a, SIZE> that are transmuted to 'static for storage, this exposes the synthetic 'static lifetime to callers -- any method on the stored type that returns a reference with its lifetime parameter would yield a &'static reference, which is unsound.
Add DevresLt<F: ForLt>, a thin wrapper around Devres<F::Of<'static>> that applies ForLt's lifetime-shortening operations in all access methods to shorten the stored 'static lifetime to the caller's borrow lifetime. DevresLt::new() is unsafe because the caller must guarantee that the data remains valid for the device's full bound scope; the internal transmute from F::Of<'a> to F::Of<'static> would otherwise allow use-after-free.

Two access patterns are provided:

- CovariantForLt types get direct-reference accessors (access, try_access) that return shortened references via CovariantForLt::cast_ref.
- Plain ForLt types use closure-based accessors (access_with, try_access_with) whose universally quantified lifetime prevents callers from smuggling in concrete short-lived references.

Signed-off-by: Danilo Krummrich <[email protected]>

--- rust/kernel/devres.rs | 110 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 110 insertions(+) diff --git a/rust/kernel/devres.rs b/rust/kernel/devres.rs index 82cbd8b969fb..23db91377f5e 100644 --- a/rust/kernel/devres.rs +++ b/rust/kernel/devres.rs @@ -24,6 +24,8 @@ Arc, // }, types::{ + CovariantForLt, + ForLt, ForeignOwnable, Opaque, // }, 
@@ -365,6 +367,114 @@ fn drop(&mut self) { } } +/// Guard returned by [`DevresLt::try_access`]. +/// +/// Dereferences to `F::Of<'a>`, shortening the lifetime of the stored data to the guard's borrow +/// lifetime. +pub struct DevresGuard<'a, F: CovariantForLt>(RevocableGuard<'a, F::Of<'static>>); + +impl<'a, F: CovariantForLt> core::ops::Deref for DevresGuard<'a, F> { + type Target = F::Of<'a>; + + fn deref(&self) -> &Self::Target { + F::cast_ref(&*self.0) + } +} + +/// Device-managed resource with [`ForLt`](trait@ForLt)-aware access. +/// +/// `DevresLt` wraps [`Devres`] and shortens the stored `'static` lifetime to the caller's borrow +/// lifetime in all access methods. +/// +/// Types that implement [`trait@CovariantForLt`] get direct-reference accessors ([`Self::access`], +/// [`Self::try_access`]). Plain [`ForLt`](trait@ForLt) types use closure-based accessors +/// ([`Self::access_with`], [`Self::try_access_with`]). +pub struct DevresLt<F: ForLt>(Devres<F::Of<'static>>) +where + F::Of<'static>: Send; + +impl<F: ForLt> DevresLt<F> +where + F::Of<'static>: Send, +{ + /// Creates a new [`DevresLt`] instance of the given `data`. + /// + /// # Safety + /// + /// The data must remain valid for the device's full bound scope. [`DevresLt`] allows + /// access until the device is unbound, which may outlast `'a`. + pub unsafe fn new<'a, E>( + dev: &'a Device<Bound>, + data: impl PinInit<F::Of<'a>, E>, + ) -> Result<Self> + where + Error: From<E>, + { + // SAFETY: The caller guarantees the data is valid for the device's full bound scope. + // Lifetimes do not affect layout, so F::Of<'a> and F::Of<'static> have identical + // representation; casting the slot pointer is sound. + let data = unsafe { + pin_init::pin_init_from_closure::<F::Of<'static>, E>(move |slot| { + data.__pinned_init(slot.cast()) + }) + }; + + Ok(Self(Devres::new(dev, data)?)) + } + + /// Return a reference of the [`Device`] this [`DevresLt`] instance has been created with. 
+ pub fn device(&self) -> &Device { + self.0.device() + } + + /// Obtain `&F::Of<'_>`, bypassing the [`Revocable`], through a closure. + /// + /// This method works like [`DevresLt::access`](DevresLt::access) but accepts any + /// [`trait@ForLt`] type, not just [`trait@CovariantForLt`]. + pub fn access_with<R, G>(&self, dev: &Device<Bound>, f: G) -> Result<R> + where + G: for<'a> FnOnce(&'a F::Of<'a>) -> R, + { + self.0.access(dev).map(|data| { + // SAFETY: The closure's HRTB `for<'a>` prevents the caller from smuggling in + // references with a concrete short lifetime, making the round-trip from `'static` + // sound regardless of variance. + f(unsafe { F::cast_ref_unchecked(data) }) + }) + } + + /// [`DevresLt`] accessor for [`Revocable::try_access_with`]. + pub fn try_access_with<R, G>(&self, f: G) -> Option<R> + where + G: for<'a> FnOnce(&'a F::Of<'a>) -> R, + { + self.0.data().try_access_with(|data| { + // SAFETY: The closure's HRTB `for<'a>` prevents the caller from smuggling in + // references with a concrete short lifetime, making the round-trip from `'static` + // sound regardless of variance. + f(unsafe { F::cast_ref_unchecked(data) }) + }) + } +} + +impl<F: CovariantForLt> DevresLt<F> +where + F::Of<'static>: Send, +{ + /// Obtain `&'a F::Of<'a>`, bypassing the [`Revocable`]. + /// + /// This method works like [`Devres::access`], but shortens the returned reference's lifetime + /// from `'static` to `'a` via [`CovariantForLt::cast_ref`]. + pub fn access<'a>(&'a self, dev: &'a Device<Bound>) -> Result<&'a F::Of<'a>> { + self.0.access(dev).map(F::cast_ref) + } + + /// [`DevresLt`] accessor for [`Revocable::try_access`]. + pub fn try_access(&self) -> Option<DevresGuard<'_, F>> { + self.0.data().try_access().map(DevresGuard) + } +} + /// Consume `data` and [`Drop::drop`] `data` once `dev` is unbound. fn register_foreign<P>(dev: &Device<Bound>, data: P) -> Result where -- 2.54.0
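Review bot: the `@@ -24,6 +24,8 @@` hunk imports `CovariantForLt` and `ForLt` from `types`, but nothing in this patch defines them and the commit message does not say which patch in the series introduces them; a one-line pointer in the commit message (or a note below the `---` cut) would make the dependency explicit for anyone applying this patch on its own.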
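Review bot: in the `@@ -365,6 +367,114 @@` hunk, the `Deref` impl for `DevresGuard<'a, F>` borrows `self.0` only for the duration of the `deref` call yet returns `&F::Of<'a>` with the guard's own `'a`; the visible code does not show which lifetimes `CovariantForLt::cast_ref` relates, so a comment stating why the cast may name the guard's `'a` rather than the deref borrow would help (and, if `cast_ref` ties its output lifetime to the input borrow, the impl needs an explicit covariant coercion to `F::Of<'a>`). Minor: the SAFETY comments in `access_with` and `try_access_with` are word-for-word identical; cite the `cast_ref_unchecked` safety contract once and refer to it from the second site.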
