Received: by 2002:a05:6358:11c7:b0:104:8066:f915 with SMTP id i7csp2339201rwl; Thu, 6 Apr 2023 08:55:20 -0700 (PDT) X-Google-Smtp-Source: AKy350aE0O125Ey/FrSVQnStNlvoJof3V7iJgzDN3xSD/16k/OzsYF2ohxSift5Ew72vGQQJevEu X-Received: by 2002:a17:90b:4d81:b0:23b:4376:f8cb with SMTP id oj1-20020a17090b4d8100b0023b4376f8cbmr11849670pjb.26.1680796519982; Thu, 06 Apr 2023 08:55:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1680796519; cv=none; d=google.com; s=arc-20160816; b=QgBprbQ1QWcJh6TEZt5x7PaBaIDyBMLPa6ff+5y+Sp/ZAcOgB61697S56bxH1PkiPc KyZO8c7nt0fv6PxyslONOUNaMlUYKuGc/9iBRZurAvCPhcythsjkMVMZnd2JtbU5B9/W aNV+V3/Fqaubuu83AXIwgPuPpw6rAPEYsxruoF1cn7zzWTf1L5V9JJI/YucB8wQtXmdP i5w6bbkFXs4hMGKqD0R5D4mhyUYn1J4SU84Ytu8SzeZ+SVHB+44m0FQSYuw5iwNqBxa6 hIbpYWd3oaZdtLf6SDbTj/+aQmMN48RJ4sivbElNY2mI7TgYUQTvLySMzKEJ5/DkVOlK vyBA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:to:content-language:subject:user-agent:mime-version:date :message-id:dkim-signature; bh=GF5ZbrLbFRO9J+1/lw5Ti48h+AfWaIdVeyIEbC6184E=; b=FeaiOKuwqZAbNEd4etiOlDzV7LqOjNCduUBydGEQpPZngeKfddNEcxSD/Y8tcDWDMi UYLnM9WJwGjwi3UushIQ2iV7GDkP2kjU6KiCd6e5x2TMq5dROk1/u4kBh3m6RdOTxix+ InTV3s3q9v0MLEcFKZEbaXQNeKABCyFVJ4F0Q3QqpZ00TLwsTerfenN0ZfSpUi0QyjRk 6BcOzlzDmDrO+NF2wigoff3bvb7EiQpJRJTDr5i9RIeQbdJwj0GZljsMvdi+DHUoiHMS SjLkOWd3m3w5zmXUd/GAb6xsSNMcWtiFLn4SPr82LgdTWZ4Bh5THuo46JB+ZDeCcN1jC sLYA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@asahilina.net header.s=default header.b=VGPkywpE; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=asahilina.net Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id p19-20020a17090a931300b0023d1bcea88bsi4200680pjo.66.2023.04.06.08.55.07; Thu, 06 Apr 2023 08:55:19 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@asahilina.net header.s=default header.b=VGPkywpE; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=asahilina.net Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239295AbjDFPyE (ORCPT + 99 others); Thu, 6 Apr 2023 11:54:04 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58506 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229803AbjDFPyC (ORCPT ); Thu, 6 Apr 2023 11:54:02 -0400 Received: from mail.marcansoft.com (marcansoft.com [212.63.210.85]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9CAB593E5; Thu, 6 Apr 2023 08:53:58 -0700 (PDT) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: lina@asahilina.net) by mail.marcansoft.com (Postfix) with ESMTPSA id D921642529; Thu, 6 Apr 2023 15:53:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=asahilina.net; s=default; t=1680796436; bh=u/0wcm36nXuVm02z3BKP1S61gAbmdYMqyw/tOYXHGbg=; h=Date:Subject:To:References:From:In-Reply-To; b=VGPkywpELPrOy5WERRqLKqfXnUFWiyXfd71Z81jN0DPy6tH/JsyHIpymO1c6+ZhN/ wj8XGnA9i2tWyHN4ayd5wTh/CXmSDk5aV7gZhmRplM7utDTkCSqyNgBKtTHjx9sM61 2fgTxpiCrbOZkGYSaVxAEkR5tnShBmV8aGJAfxMOvDehTuw/aZxuFvwadAlkOLdFuO CYXoafc6kkIgWFDJYkK6y9siZPGDTvGI8ETsKJ1WRWpUxVjMV5BIU9eYc0+cpBB7f/ yeKt0vRxQLpC9keXqLG3eeHamhEymrjHecYNq8oYnkT8qLYgMyl1NFaEQcZwwi9kDC xH8CLjK1n9dWA== Message-ID: <2a419eff-3566-0aa3-7185-951edde22abb@asahilina.net> Date: Fri, 7 Apr 2023 00:53:47 +0900 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.9.0 Subject: Re: [PATCH RFC 07/18] rust: drm: mm: Add DRM MM Range Allocator abstraction Content-Language: en-US To: Maarten Lankhorst , Maxime Ripard , Thomas Zimmermann , David Airlie , Miguel Ojeda , Alex Gaynor , Wedson Almeida Filho , Boqun Feng , Gary Guo , =?UTF-8?Q?Bj=c3=b6rn_Roy_Baron?= , Sumit Semwal , =?UTF-8?Q?Christian_K=c3=b6nig?= , Luben Tuikov , Jarkko Sakkinen , Dave Hansen , Alyssa Rosenzweig , Karol Herbst , Ella Stanforth , Faith Ekstrand , Mary , linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, rust-for-linux@vger.kernel.org, linux-media@vger.kernel.org, linaro-mm-sig@lists.linaro.org, linux-sgx@vger.kernel.org, asahi@lists.linux.dev References: <20230307-rust-drm-v1-0-917ff5bc80a8@asahilina.net> <20230307-rust-drm-v1-7-917ff5bc80a8@asahilina.net> From: Asahi Lina In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-2.4 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 06/04/2023 23.15, Daniel Vetter wrote: > On Tue, Mar 07, 2023 at 11:25:32PM +0900, Asahi Lina wrote: >> drm_mm provides a simple range allocator, useful for managing virtual >> address ranges. Add a Rust abstraction to expose this module to Rust >> drivers. >> >> Signed-off-by: Asahi Lina > > In the cover letter you mentioned the design open about embedded the lock > into the rust wrappers. > > I think for a first step that's perfectly fine. > > Longer term we might want to ramp up some "proof of locking" > infrastructure in Rust, where callers can supply a lock guard and ideally > rust validates at compile time that it's for the right type, and at > runtime (like lockdep) that it's consistent and the callers don't mix up > locks (like using different locks for the same drm_mm allocator). That proof-of-lock tuff works in Rust too as far as I know. But the general thread safety story in Rust is much simpler, you just use methods that take &mut self when locking is the caller's responsibility. That effectively implies that there can only be one reference that can call those methods at any given time, thanks to the borrow checker. Shared references only give you &self, a locked Mutex upgrades that to &mut self, and that's how you get proof of locking at compile time, through and through, not just for the type but for the specific object. > There's a lot of libraries in the kernel that have this "caller ensures > locking" pattern. drm/sched also has these requirements. Yup, that all usually maps nicely to &mut self in Rust... except for the issue below. > There's two other things I'd like to bring up on this patch though, just > because it's a good example. But they're both really general points that > apply for all the rust wrappers. > > Documentation: > > In drm we try to document all the interfaces that drivers use with formal > docs. Yes there's some areas that are not great for historical reasons, > but for new stuff and new wrappers we're really trying: > > - This helps in telling internal (even across .c files or in rust across > modules within a crate) from stuff drivers access. Sure you have static > in C or pub in rust, but that doesn't tell you whether it's public all > the way to drivers. > > - ideally docs have a short intro section that explains the main concepts > and links to the main data structures and functions. Just to give > readers a good starting point to explore. > > - Linking all the things, so that readers can connect the different parts. > This is really important in C where e.g. get/put() or any such function > pairs all needed to be linked together. With rust I'm hoping that > rustdoc liberally sprinkles links already and we don't have to do this > as much. > > - Short explainers for parameters. For rust this also means type > parameters, for those even simplified examples of how drivers are > supposed to use them would help a lot in reading docs & understanding > concepts. > > - Ideally links from the rust to the sphinx side to linke relevant > chapters together. Often the bigger explanations are in .rst files with > DOT graphs (kms has a bunch I've added) or similar, and it doesn't make > that much sense to duplicate all that on the rust side I guess. But it > needs to be discoverable. > > This might be more a discussion topic for the rust people than you > directly. Still needed for the merge-ready patches eventually. I don't know much about the doc gen stuff on the Rust side so yeah, this is something I need to look into to make it pretty and complete... > Refcounting vs borrowing: > > This is honestly much more the eyebrow raising one than the locking. Very > often on the C side these datastructures all work with borrow semantics, > and you need to explicitly upgrade to a full reference (kref_get or > kref_get_unless_zero, depending whether it's a strong or weak reference) > if you need the object outside of the mutex/lock guard section. > > Again I think for now it's ok, but the sales pitch of rust is that it > enables borrow lifetime checking with no runtime cost. Plus viz the vm > cleanup example, if you have too many strong backreferences the cleanup > flow gets complicated. And it would suck if rust drivers have to add > complexity like the openrefcount for the vm example simply because we > can't model the borrow semantics well enough to be safe. > > So not something that's really bad here, but if we need to resort to full > refcounting already for simple datastructures then I'm getting a bit > worried about how well rust will cope with the really nasty borrowed > reference tricks we're playing in other areas. > > Again more a topic for the rust folks I think than specifically here about > drm_mm wrapping. Just to get things going I think this is fine. Yeeeeah... this is a *specific* problem. Drop. The Allocator itself is perfectly safe to implement without any locking, refcounting, or anything. You just make the methods take &mut self (as they already do), the caller can use it with a single reference or wrap it in an Arc> and share it, or whatever. The problem is the Node. When you Drop that, it has to go back to the Allocator. But now you're a different object, so no thread safety guarantees. And you need to keep the Allocator alive. So now to make a safe abstraction, you need refcounting and a mutex. Lifetimes just don't work here, sadly. Not for a useful abstraction. I'd love to hear from the other Rust folks whether they have any better ideas... One thing that *can* be done is making the Drop illegal (Rust can't do this "natively" but Linux already has hacks for that, we can make it fail to link if the Drop is ever called). Then you'd have to actively return the Node to the Allocator with a free function. Since Drop is forbidden, and Node is pinned, you'd always have to either return Node objects to the Allocator or leak them. You could drop the Allocator before its nodes, but as far as I know drm_mm can safely handle that (though it will complain), and then due to the previous guarantees the *only* thing you could do with orphan nodes is leak their memory, which is safe. It would work... but it breaks the whole Rust automagic Drop stuff. Thinking about this a bit, I think I want the current mutex/arc semantics for something like a memory allocator (which is one of my primary use cases for drm_mm), since I definitely don't want to be manually returning objects to their allocator all over the place, nor have overarching lifetime requirements that the allocator outlive its objects for safety (that sounds like a can of worms I don't want to open, I'd much rather use a refcount even if I "think" I can prove the lifetime bounds ad-hoc). But for something like a drm_mm that is tracking VA ranges within a VM with all Nodes held internally, maybe I could manage it all internally and have all node destruction be handled via an explicit call into the Allocator. Maybe the mm abstraction should offer both options? The extra locking can be implemented in terms of the base unlocked version I think (perhaps with some Deref abuse for ergonomics)... I definitely want to hear more opinions about this from other Rust folks, since there are probably other options I haven't considered... Aside: This, and all the other DRM abstractions, were written before the pin_init stuff from y86 that is in review right now was ready. That may open up more interesting/ergonomic/efficient APIs for some cases, especially where Pin and embedding C types into user objects in some way are involved. So maybe there's room for improvement here. Just a sidenote. > > Cheers, Daniel > > >> --- >> rust/kernel/drm/mm.rs | 309 +++++++++++++++++++++++++++++++++++++++++++++++++ >> rust/kernel/drm/mod.rs | 1 + >> 2 files changed, 310 insertions(+) >> >> diff --git a/rust/kernel/drm/mm.rs b/rust/kernel/drm/mm.rs >> new file mode 100644 >> index 000000000000..83e27a7dcc7e >> --- /dev/null >> +++ b/rust/kernel/drm/mm.rs >> @@ -0,0 +1,309 @@ >> +// SPDX-License-Identifier: GPL-2.0 OR MIT >> + >> +//! DRM MM range allocator >> +//! >> +//! C header: [`include/linux/drm/drm_mm.h`](../../../../include/linux/drm/drm_mm.h) >> + >> +use crate::{ >> + bindings, >> + error::{to_result, Result}, >> + str::CStr, >> + sync::{Arc, LockClassKey, LockIniter, Mutex, UniqueArc}, >> + types::Opaque, >> +}; >> + >> +use alloc::boxed::Box; >> + >> +use core::{ >> + marker::{PhantomData, PhantomPinned}, >> + ops::Deref, >> + pin::Pin, >> +}; >> + >> +/// Type alias representing a DRM MM node. >> +pub type Node = Pin>>; >> + >> +/// Trait which must be implemented by the inner allocator state type provided by the user. >> +pub trait AllocInner { >> + /// Notification that a node was dropped from the allocator. >> + fn drop_object(&mut self, _start: u64, _size: u64, _color: usize, _object: &mut T) {} >> +} >> + >> +impl AllocInner for () {} >> + >> +/// Wrapper type for a `struct drm_mm` plus user AllocInner object. >> +/// >> +/// # Invariants >> +/// The `drm_mm` struct is valid and initialized. >> +struct MmInner, T>(Opaque, A, PhantomData); >> + >> +/// Represents a single allocated node in the MM allocator >> +pub struct NodeData, T> { >> + node: bindings::drm_mm_node, >> + mm: Arc>>, >> + valid: bool, >> + /// A drm_mm_node needs to be pinned because nodes reference each other in a linked list. >> + _pin: PhantomPinned, >> + inner: T, >> +} >> + >> +// SAFETY: Allocator ops take the mutex, and there are no mutable actions on the node. >> +unsafe impl, T: Send> Send for NodeData {} >> +unsafe impl, T: Sync> Sync for NodeData {} >> + >> +/// Available MM node insertion modes >> +#[repr(u32)] >> +pub enum InsertMode { >> + /// Search for the smallest hole (within the search range) that fits the desired node. >> + /// >> + /// Allocates the node from the bottom of the found hole. >> + Best = bindings::drm_mm_insert_mode_DRM_MM_INSERT_BEST, >> + >> + /// Search for the lowest hole (address closest to 0, within the search range) that fits the >> + /// desired node. >> + /// >> + /// Allocates the node from the bottom of the found hole. >> + Low = bindings::drm_mm_insert_mode_DRM_MM_INSERT_LOW, >> + >> + /// Search for the highest hole (address closest to U64_MAX, within the search range) that fits >> + /// the desired node. >> + /// >> + /// Allocates the node from the top of the found hole. The specified alignment for the node is >> + /// applied to the base of the node (`Node.start()`). >> + High = bindings::drm_mm_insert_mode_DRM_MM_INSERT_HIGH, >> + >> + /// Search for the most recently evicted hole (within the search range) that fits the desired >> + /// node. This is appropriate for use immediately after performing an eviction scan and removing >> + /// the selected nodes to form a hole. >> + /// >> + /// Allocates the node from the bottom of the found hole. >> + Evict = bindings::drm_mm_insert_mode_DRM_MM_INSERT_EVICT, >> +} >> + >> +/// A clonable, interlocked reference to the allocator state. >> +/// >> +/// This is useful to perform actions on the user-supplied `AllocInner` type given just a Node, >> +/// without immediately taking the lock. >> +#[derive(Clone)] >> +pub struct InnerRef, T>(Arc>>); >> + >> +impl, T> InnerRef { >> + /// Operate on the user `AllocInner` implementation, taking the lock. >> + pub fn with(&self, cb: impl FnOnce(&mut A) -> RetVal) -> RetVal { >> + let mut l = self.0.lock(); >> + cb(&mut l.1) >> + } >> +} >> + >> +impl, T> NodeData { >> + /// Returns the color of the node (an opaque value) >> + pub fn color(&self) -> usize { >> + self.node.color as usize >> + } >> + >> + /// Returns the start address of the node >> + pub fn start(&self) -> u64 { >> + self.node.start >> + } >> + >> + /// Returns the size of the node in bytes >> + pub fn size(&self) -> u64 { >> + self.node.size >> + } >> + >> + /// Operate on the user `AllocInner` implementation associated with this node's allocator. >> + pub fn with_inner(&self, cb: impl FnOnce(&mut A) -> RetVal) -> RetVal { >> + let mut l = self.mm.lock(); >> + cb(&mut l.1) >> + } >> + >> + /// Return a clonable, detached reference to the allocator inner data. >> + pub fn alloc_ref(&self) -> InnerRef { >> + InnerRef(self.mm.clone()) >> + } >> + >> + /// Return a mutable reference to the inner data. >> + pub fn inner_mut(self: Pin<&mut Self>) -> &mut T { >> + // SAFETY: This is okay because inner is not structural >> + unsafe { &mut self.get_unchecked_mut().inner } >> + } >> +} >> + >> +impl, T> Deref for NodeData { >> + type Target = T; >> + >> + fn deref(&self) -> &Self::Target { >> + &self.inner >> + } >> +} >> + >> +impl, T> Drop for NodeData { >> + fn drop(&mut self) { >> + if self.valid { >> + let mut guard = self.mm.lock(); >> + >> + // Inform the user allocator that a node is being dropped. >> + guard >> + .1 >> + .drop_object(self.start(), self.size(), self.color(), &mut self.inner); >> + // SAFETY: The MM lock is still taken, so we can safely remove the node. >> + unsafe { bindings::drm_mm_remove_node(&mut self.node) }; >> + } >> + } >> +} >> + >> +/// An instance of a DRM MM range allocator. >> +pub struct Allocator, T> { >> + mm: Arc>>, >> + _p: PhantomData, >> +} >> + >> +impl, T> Allocator { >> + /// Create a new range allocator for the given start and size range of addresses. >> + /// >> + /// The user may optionally provide an inner object representing allocator state, which will >> + /// be protected by the same lock. If not required, `()` can be used. >> + pub fn new( >> + start: u64, >> + size: u64, >> + inner: A, >> + name: &'static CStr, >> + lock_key: &'static LockClassKey, >> + ) -> Result> { >> + // SAFETY: We call `Mutex::init_lock` below. >> + let mut mm: Pin>>> = UniqueArc::try_new(unsafe { >> + Mutex::new(MmInner(Opaque::uninit(), inner, PhantomData)) >> + })? >> + .into(); >> + >> + mm.as_mut().init_lock(name, lock_key); >> + >> + unsafe { >> + // SAFETY: The Opaque instance provides a valid pointer, and it is initialized after >> + // this call. >> + bindings::drm_mm_init(mm.lock().0.get(), start, size); >> + } >> + >> + Ok(Allocator { >> + mm: mm.into(), >> + _p: PhantomData, >> + }) >> + } >> + >> + /// Insert a new node into the allocator of a given size. >> + /// >> + /// `node` is the user `T` type data to store into the node. >> + pub fn insert_node(&mut self, node: T, size: u64) -> Result> { >> + self.insert_node_generic(node, size, 0, 0, InsertMode::Best) >> + } >> + >> + /// Insert a new node into the allocator of a given size, with configurable alignment, >> + /// color, and insertion mode. >> + /// >> + /// `node` is the user `T` type data to store into the node. >> + pub fn insert_node_generic( >> + &mut self, >> + node: T, >> + size: u64, >> + alignment: u64, >> + color: usize, >> + mode: InsertMode, >> + ) -> Result> { >> + self.insert_node_in_range(node, size, alignment, color, 0, u64::MAX, mode) >> + } >> + >> + /// Insert a new node into the allocator of a given size, with configurable alignment, >> + /// color, insertion mode, and sub-range to allocate from. >> + /// >> + /// `node` is the user `T` type data to store into the node. >> + #[allow(clippy::too_many_arguments)] >> + pub fn insert_node_in_range( >> + &mut self, >> + node: T, >> + size: u64, >> + alignment: u64, >> + color: usize, >> + start: u64, >> + end: u64, >> + mode: InsertMode, >> + ) -> Result> { >> + let mut mm_node = Box::try_new(NodeData { >> + // SAFETY: This C struct should be zero-initialized. >> + node: unsafe { core::mem::zeroed() }, >> + valid: false, >> + inner: node, >> + mm: self.mm.clone(), >> + _pin: PhantomPinned, >> + })?; >> + >> + let guard = self.mm.lock(); >> + // SAFETY: We hold the lock and all pointers are valid. >> + to_result(unsafe { >> + bindings::drm_mm_insert_node_in_range( >> + guard.0.get(), >> + &mut mm_node.node, >> + size, >> + alignment, >> + color as core::ffi::c_ulong, >> + start, >> + end, >> + mode as u32, >> + ) >> + })?; >> + >> + mm_node.valid = true; >> + >> + Ok(Pin::from(mm_node)) >> + } >> + >> + /// Insert a node into the allocator at a fixed start address. >> + /// >> + /// `node` is the user `T` type data to store into the node. >> + pub fn reserve_node( >> + &mut self, >> + node: T, >> + start: u64, >> + size: u64, >> + color: usize, >> + ) -> Result> { >> + let mut mm_node = Box::try_new(NodeData { >> + // SAFETY: This C struct should be zero-initialized. >> + node: unsafe { core::mem::zeroed() }, >> + valid: false, >> + inner: node, >> + mm: self.mm.clone(), >> + _pin: PhantomPinned, >> + })?; >> + >> + mm_node.node.start = start; >> + mm_node.node.size = size; >> + mm_node.node.color = color as core::ffi::c_ulong; >> + >> + let guard = self.mm.lock(); >> + // SAFETY: We hold the lock and all pointers are valid. >> + to_result(unsafe { bindings::drm_mm_reserve_node(guard.0.get(), &mut mm_node.node) })?; >> + >> + mm_node.valid = true; >> + >> + Ok(Pin::from(mm_node)) >> + } >> + >> + /// Operate on the inner user type `A`, taking the allocator lock >> + pub fn with_inner(&self, cb: impl FnOnce(&mut A) -> RetVal) -> RetVal { >> + let mut guard = self.mm.lock(); >> + cb(&mut guard.1) >> + } >> +} >> + >> +impl, T> Drop for MmInner { >> + fn drop(&mut self) { >> + // SAFETY: If the MmInner is dropped then all nodes are gone (since they hold references), >> + // so it is safe to tear down the allocator. >> + unsafe { >> + bindings::drm_mm_takedown(self.0.get()); >> + } >> + } >> +} >> + >> +// MmInner is safely Send if the AllocInner user type is Send. >> +unsafe impl, T> Send for MmInner {} >> diff --git a/rust/kernel/drm/mod.rs b/rust/kernel/drm/mod.rs >> index c44760a1332f..73fab2dee3af 100644 >> --- a/rust/kernel/drm/mod.rs >> +++ b/rust/kernel/drm/mod.rs >> @@ -7,3 +7,4 @@ pub mod drv; >> pub mod file; >> pub mod gem; >> pub mod ioctl; >> +pub mod mm; >> >> -- >> 2.35.1 >> > ~~ Lina