Re: [PATCH 3/4] rust: pci: fix unrestricted &mut pci::Device

From: Benno Lossin
Date: Thu Mar 13 2025 - 10:34:10 EST


On Thu Mar 13, 2025 at 3:25 PM CET, Danilo Krummrich wrote:
> On Thu, Mar 13, 2025 at 10:44:38AM +0000, Benno Lossin wrote:
>> On Thu Mar 13, 2025 at 3:13 AM CET, Danilo Krummrich wrote:
>> > As by now, pci::Device is implemented as:
>> >
>> > #[derive(Clone)]
>> > pub struct Device(ARef<device::Device>);
>> >
>> > This may be convenient, but has the implication that drivers can call
>> > device methods that require a mutable reference concurrently at any
>> > point of time.
>>
>> Which methods take mutable references? The `set_master` method you
>> mentioned also took a shared reference before this patch.
>
> Yeah, that's basically a bug that I never fixed (until now), since making it
> take a mutable reference would not have changed anything in terms of
> accessibility.

Gotcha.

>> > impl AsRef<device::Device> for Device {
>> > fn as_ref(&self) -> &device::Device {
>> > - &self.0
>> > + // SAFETY: By the type invariant of `Self`, `self.as_raw()` is a pointer to a valid
>> > + // `struct pci_dev`.
>> > + let dev = unsafe { addr_of_mut!((*self.as_raw()).dev) };
>> > +
>> > + // SAFETY: `dev` points to a valid `struct device`.
>> > + unsafe { device::Device::as_ref(dev) }
>>
>> Why not use `&**self` instead (ie go through the `Deref` impl)?
>
> `&**self` gives us a `Device` (i.e. `pci::Device`), not a `device::Device`.

Ah, yeah then you'll have to use `unsafe`.

---
Cheers,
Benno