When writing up some rust code that used faux devices for unit testing, I noticed that we never actually added the Bound device context to faux::Registration's AsRefdevice::Device implementation. This being said: the Registration object itself is proof that a driver is bound to the device - so this should be safe.
Signed-off-by: Lyude Paul lyude@redhat.com
--- V18: - Add notes from Danilo to safety comment.
rust/kernel/faux.rs | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/rust/kernel/faux.rs b/rust/kernel/faux.rs index 43b4974f48cd2..20ab638885354 100644 --- a/rust/kernel/faux.rs +++ b/rust/kernel/faux.rs @@ -25,7 +25,8 @@ /// /// # Invariants /// -/// `self.0` always holds a valid pointer to an initialized and registered [`struct faux_device`]. +/// - `self.0` always holds a valid pointer to an initialized and registered [`struct faux_device`]. +/// - This object is proof that the object described by this `Registration` is bound to a device. /// /// [`struct faux_device`]: srctree/include/linux/device/faux.h pub struct Registration(NonNullbindings::faux_device); @@ -59,10 +60,15 @@ fn as_raw(&self) -> *mut bindings::faux_device { } }
-impl AsRefdevice::Device for Registration { - fn as_ref(&self) -> &device::Device { - // SAFETY: The underlying `device` in `faux_device` is guaranteed by the C API to be - // a valid initialized `device`. +impl AsRef<device::Devicedevice::Bound> for Registration { + fn as_ref(&self) -> &device::Devicedevice::Bound { + // SAFETY: + // - The underlying `device` in `faux_device` is guaranteed by the C API to be a valid + // initialized `device`. + // - faux_match() always returns 1, and probe runs synchronously (PROBE_FORCE_SYNCHRONOUS). + // - suppress_bind_attrs = true on faux_driver prevents userspace-triggered unbind via sysfs + // - mem::forget(Registration) is not a problem; if the Registration is leaked, the faux + // device stays bound forever. unsafe { device::Device::from_raw(addr_of_mut!((*self.as_raw()).dev)) } } }