On Wed Jun 10, 2026 at 5:21 PM BST, Lyude Paul wrote:
When writing up some rust code that used faux devices for unit testing, I noticed that we never actually added the Bound device context to faux::Registration's AsRefdevice::Device implementation. This being said: the Registration object itself is proof that a driver is bound to the device - so this should be safe.
Signed-off-by: Lyude Paul lyude@redhat.com Reviewed-by: Alexandre Courbot acourbot@nvidia.com
V18:
- Add notes from Danilo to safety comment.
rust/kernel/faux.rs | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/rust/kernel/faux.rs b/rust/kernel/faux.rs index 43b4974f48cd2..20ab638885354 100644 --- a/rust/kernel/faux.rs +++ b/rust/kernel/faux.rs @@ -25,7 +25,8 @@ /// /// # Invariants /// -/// `self.0` always holds a valid pointer to an initialized and registered [`struct faux_device`]. +/// - `self.0` always holds a valid pointer to an initialized and registered [`struct faux_device`]. +/// - This object is proof that the object described by this `Registration` is bound to a device.
Sashiko mentioned that this added invariant is not justified in `// INVARIANT:` comments. However, I think instead of adding additional justifcation there, the safety comment below is sufficient and this doesn't need to be additional invariant.
Just dropping this hunk should be okay I think.
/// /// [`struct faux_device`]: srctree/include/linux/device/faux.h pub struct Registration(NonNullbindings::faux_device); @@ -59,10 +60,15 @@ fn as_raw(&self) -> *mut bindings::faux_device { } } -impl AsRefdevice::Device for Registration {
- fn as_ref(&self) -> &device::Device {
// SAFETY: The underlying `device` in `faux_device` is guaranteed by the C API to be// a valid initialized `device`.+impl AsRef<device::Devicedevice::Bound> for Registration {
- fn as_ref(&self) -> &device::Devicedevice::Bound {
// SAFETY:// - The underlying `device` in `faux_device` is guaranteed by the C API to be a valid// initialized `device`.// - faux_match() always returns 1, and probe runs synchronously (PROBE_FORCE_SYNCHRONOUS).
Please quote all code with backticks.
Best, Gary
// - suppress_bind_attrs = true on faux_driver prevents userspace-triggered unbind via sysfs// - mem::forget(Registration) is not a problem; if the Registration is leaked, the faux// device stays bound forever. unsafe { device::Device::from_raw(addr_of_mut!((*self.as_raw()).dev)) }}