Re: [PATCH 1/2] rust: list: fix SAFETY comment in List::remove

Next message: Mark Brown: "linux-next: manual merge of the bpf-next tree with the powerpc tree"
Previous message: Jiri Pirko: "Re: [PATCH net-next v5 00/10] Decouple receive and transmit enablement in team driver"
In reply to: Alice Ryhl: "Re: [PATCH 1/2] rust: list: fix SAFETY comment in List::remove"
Next in thread: Christian Benton: "[PATCH 2/2] rust: list: fix SAFETY comments in impl_list_item_mod"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Gary Guo

Date: Tue Apr 07 2026 - 07:58:50 EST

On Tue Apr 7, 2026 at 9:15 AM BST, Alice Ryhl wrote:
> On Fri, Apr 03, 2026 at 10:08:15PM +0000, Christian Benton wrote:
>> The SAFETY comment for the call to ListLinks::fields in List::remove
>> was left as TODO. Fill it in: the call is safe because T::view_links
>> returns a reference to the ListLinks field of item, and references are
>> always valid and non-dangling.
>>
>> Signed-off-by: Christian Benton <t1bur0n.kernel.org@xxxxxxxxxxxxx>
>
> Thanks. I agree that `item` being a reference is the only thing needed
> for this to be sound, as reference implies that the pointer is not
> dangling.

(cc Philipp)

FWIW, I want to change `item` from a reference to a raw pointer. In Philipp's
WIP DRM job scheduler implementation, there is a case where the list is
conceptually a list of `UniqueArc`s; each job only needs to handle that is
sufficient to locate the item in the list and remove it.

I suggested to him that keeping a pointer and do a list iter with ptr
comparison is sufficient to achieve that without needing to do additional
reference counting. Of course I don't want to iterate the list when I could just
call `remove` function on the list itself; for that use case I want to change
the `remove` function to only require a pointer (with additional safety
requirement that it is valid).

It's orthogonal to this change as I'll probably be more careful about pointer
provenance too when making that change, so just a heads up.

Best,
Gary