On Wed Jun 10, 2026 at 5:21 PM BST, Lyude Paul wrote:
> When writing up some rust code that used faux devices for unit testing, I
> noticed that we never actually added the Bound device context to
> faux::Registration's AsRef<device::Device> implementation. This being said:
> the Registration object itself is proof that a driver is bound to the
> device - so this should be safe.
>
> Signed-off-by: Lyude Paul <[email protected]>
> Reviewed-by: Alexandre Courbot <[email protected]>
>
> ---
> V18:
> - Add notes from Danilo to safety comment.
>
>  rust/kernel/faux.rs | 16 +++++++++++-----
>  1 file changed, 11 insertions(+), 5 deletions(-)
>
> diff --git a/rust/kernel/faux.rs b/rust/kernel/faux.rs
> index 43b4974f48cd2..20ab638885354 100644
> --- a/rust/kernel/faux.rs
> +++ b/rust/kernel/faux.rs
> @@ -25,7 +25,8 @@
>  ///
>  /// # Invariants
>  ///
> -/// `self.0` always holds a valid pointer to an initialized and registered 
> [`struct faux_device`].
> +/// - `self.0` always holds a valid pointer to an initialized and registered 
> [`struct faux_device`].
> +/// - This object is proof that the object described by this `Registration` 
> is bound to a device.

Sashiko mentioned that this added invariant is not justified in `// INVARIANT:`
comments. However, I think instead of adding additional justification there, the
safety comment below is sufficient and this doesn't need to be an additional
invariant.

Just dropping this hunk should be okay I think.

>  ///
>  /// [`struct faux_device`]: srctree/include/linux/device/faux.h
>  pub struct Registration(NonNull<bindings::faux_device>);
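
Review bot: The second invariant bullet says "the object described by this `Registration` is bound to a device", which inverts the relationship the commit message describes ("a driver is bound to the device"). If the bullet stays, word it in those terms, for example that the faux device behind `self.0` has a driver bound for as long as the `Registration` exists. A type invariant also has to be established wherever a `Registration` is constructed, and nothing in this patch touches the constructor, so either add that justification there or drop the bullet and rely on the `// SAFETY:` comment in `as_ref()`.
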
> @@ -59,10 +60,15 @@ fn as_raw(&self) -> *mut bindings::faux_device {
>      }
>  }
>  
> -impl AsRef<device::Device> for Registration {
> -    fn as_ref(&self) -> &device::Device {
> -        // SAFETY: The underlying `device` in `faux_device` is guaranteed by 
> the C API to be
> -        // a valid initialized `device`.
> +impl AsRef<device::Device<device::Bound>> for Registration {
> +    fn as_ref(&self) -> &device::Device<device::Bound> {
> +        // SAFETY:
> +        // - The underlying `device` in `faux_device` is guaranteed by the C 
> API to be a valid
> +        //   initialized `device`.
> +        // - faux_match() always returns 1, and probe runs synchronously 
> (PROBE_FORCE_SYNCHRONOUS).

Please quote all code with backticks.

Best,
Gary

> +        // - suppress_bind_attrs = true on faux_driver prevents 
> userspace-triggered unbind via sysfs
> +        // - mem::forget(Registration) is not a problem; if the Registration 
> is leaked, the faux
> +        //   device stays bound forever.
>          unsafe { 
> device::Device::from_raw(addr_of_mut!((*self.as_raw()).dev)) }
>      }
>  }
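
Review bot: The new `// SAFETY:` bullets in `as_ref()` argue that match always succeeds and that probe runs synchronously, but they never say what happens when probe returns an error. Returning `&device::Device<device::Bound>` is only sound if a `Registration` cannot exist for a device whose probe failed, so the comment should state that explicitly and name where it is enforced. The argument also rests entirely on C-side properties (`faux_match()` returning 1, `PROBE_FORCE_SYNCHRONOUS`, `suppress_bind_attrs = true` on `faux_driver`) that are not visible from this file. Since a change to any of them would silently invalidate the `Bound` claim, it is worth pointing at the C source next to the existing `srctree/include/linux/device/faux.h` link. Minor: the `suppress_bind_attrs` bullet is missing its trailing period, unlike the others.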

