| /linux-6.15/rust/kernel/ |
| D | miscdevice.rs | 34 // SAFETY: All zeros is valid for this C type. in into_raw()
56 // SAFETY: It is allowed to call `misc_deregister` on a different thread from where you called
59 // SAFETY: All `&self` methods on this type are written to ensure that it is safe to call them in
68 // SAFETY: The initializer can write to the provided `slot`. in register()
71 // SAFETY: We just wrote the misc device options to the slot. The miscdevice will in register()
89 // SAFETY: This can only be called after a successful register(), which always in device()
101 // SAFETY: We know that the device is registered by the type invariants. in drop()
167 /// # Safety
172 // SAFETY: The pointers are valid and for a file being opened. in open()
178 // SAFETY: The open call of a file can access the private data. in open()
[all …]
|
| D | pci.rs | 30 // SAFETY: A call to `unregister` for a given instance of `RegType` is guaranteed to be valid if
40 // SAFETY: It's safe to set the fields of `struct pci_driver` on initialization. in register()
48 // SAFETY: `pdrv` is guaranteed to be a valid `RegType`. in register()
55 // SAFETY: `pdrv` is guaranteed to be a valid `RegType`. in unregister()
65 // SAFETY: The PCI bus only ever calls the probe callback with a valid pointer to a in probe_callback()
71 // SAFETY: `DeviceId` is a `#[repr(transparent)` wrapper of `struct pci_device_id` and in probe_callback()
79 // SAFETY: By the type invariant `pdev.as_raw` returns a valid pointer to a in probe_callback()
90 // SAFETY: The PCI bus only ever calls the remove callback with a valid pointer to a in remove_callback()
94 // SAFETY: `remove_callback` is only ever called after a successful call to in remove_callback()
162 // SAFETY:
[all …]
|
| D | transmute.rs | 12 /// # Safety
19 // SAFETY: Safety comments written in the macro invocation.
25 // SAFETY: All bit patterns are acceptable values of the types below.
29 // SAFETY: If all bit patterns are acceptable for individual values in an array, then all bit
44 /// this is a correctness requirement, but not a safety requirement.
46 /// # Safety
54 // SAFETY: Safety comments written in the macro invocation.
60 // SAFETY: Instances of the following types have no uninitialized portions.
67 // SAFETY: If individual values in an array have no uninitialized portions, then the array
|
| D | task.rs | 36 // SAFETY: Deref + addr-of below create a temporary `TaskRef` that cannot outlive the
46 // SAFETY: Deref + addr-of below create a temporary `PidNamespaceRef` that cannot outlive
99 // SAFETY: By design, the only way to access a `Task` is via the `current` function or via an
105 // SAFETY: It's OK to access `Task` through shared references from other threads because we're
125 // SAFETY: Getting the current pointer is always safe. in current_raw()
134 /// # Safety
153 // SAFETY: If the current thread is still running, the current task is valid. Given in current()
168 /// # Safety
239 // SAFETY: The current task's pid namespace is valid as long as the current task is running. in current_pid_ns()
242 // SAFETY: If the current thread is still running, the current task and its associated in current_pid_ns()
[all …]
|
| D | cred.rs | 34 // SAFETY:
39 // SAFETY: It's OK to access `Credential` through shared references from other threads because
46 /// # Safety
52 // SAFETY: The safety requirements guarantee the validity of the dereference, while the in from_ptr()
61 // SAFETY: The invariants of this type ensures that the pointer is valid. in get_secid()
69 // SAFETY: By the type invariant, we know that `self.0` is valid. Furthermore, the `euid` in euid()
76 // SAFETY: The type invariants guarantee that `Credential` is always ref-counted.
80 // SAFETY: The existence of a shared reference means that the refcount is nonzero. in inc_ref()
86 // SAFETY: The safety requirements guarantee that the refcount is nonzero. The cast is okay in dec_ref()
|
| D | workqueue.rs | 158 // SAFETY: Accesses to workqueues used by [`Queue`] are thread-safe.
160 // SAFETY: Accesses to workqueues used by [`Queue`] are thread-safe.
166 /// # Safety
171 // SAFETY: The `Queue` type is `#[repr(transparent)]`, so the pointer cast is valid. The in from_raw()
187 // SAFETY: We only return `false` if the `work_struct` is already in a workqueue. The other in enqueue()
239 // SAFETY: The `func` field is not structurally pinned. in project()
267 /// # Safety
287 /// # Safety
311 /// # Safety
321 /// # Safety
[all …]
|
| D | pid_namespace.rs | 35 /// # Safety
40 // SAFETY: The safety requirements guarantee the validity of the dereference, while the in from_ptr()
46 // SAFETY: Instances of `PidNamespace` are always reference-counted.
50 // SAFETY: The existence of a shared reference means that the refcount is nonzero. in inc_ref()
56 // SAFETY: The safety requirements guarantee that the refcount is non-zero. in dec_ref()
61 // SAFETY:
66 // SAFETY: It's OK to access `PidNamespace` through shared references from other threads because
|
| D | platform.rs | 26 // SAFETY: A call to `unregister` for a given instance of `RegType` is guaranteed to be valid if
41 // SAFETY: It's safe to set the fields of `struct platform_driver` on initialization. in register()
49 // SAFETY: `pdrv` is guaranteed to be a valid `RegType`. in register()
54 // SAFETY: `pdrv` is guaranteed to be a valid `RegType`. in unregister()
61 // SAFETY: The platform bus only ever calls the probe callback with a valid pointer to a in probe_callback()
71 // SAFETY: By the type invariant `pdev.as_raw` returns a valid pointer to a in probe_callback()
82 // SAFETY: `pdev` is a valid pointer to a `struct platform_device`. in remove_callback()
85 // SAFETY: `remove_callback` is only ever called after a successful call to in remove_callback()
202 // SAFETY: `ptr` was derived from `&self`. in deref()
213 // SAFETY: Instances of `Device` are always reference-counted.
[all …]
|
| D | rbtree.rs | 176 // SAFETY: An [`RBTree`] allows the same kinds of access to its values that a struct allows to its
180 // SAFETY: An [`RBTree`] allows the same kinds of access to its values that a struct allows to its
202 // SAFETY: by the invariants, all pointers are valid. in iter()
217 // SAFETY: by the invariants, all pointers are valid. in iter_mut()
242 // SAFETY: `self.root` is always a valid root node in cursor_front()
257 // SAFETY: `self.root` is always a valid root node in cursor_back()
327 // SAFETY: `raw_self` is a valid pointer to the `RBTree` (created from `self` above). in raw_entry()
331 // SAFETY: All links fields we create are in a `Node<K, V>`. in raw_entry()
334 // SAFETY: `node` is a non-null node so it is valid by the type invariants. in raw_entry()
336 // SAFETY: `curr` is a non-null node so it is valid by the type invariants. in raw_entry()
[all …]
|
| D | list.rs | 46 // SAFETY: This is a container of `ListArc<T, ID>`, and access to the container allows the same
54 // SAFETY: This is a container of `ListArc<T, ID>`, and access to the container allows the same
65 /// # Safety
82 /// # Safety
96 /// # Safety
112 /// # Safety
129 /// # Safety
155 // SAFETY: The only way to access/modify the pointers inside of `ListLinks<ID>` is via holding the
159 // SAFETY: The type is opaque so immutable references to a ListLinks are useless. Therefore, it's
176 /// # Safety
[all …]
|
| /linux-6.15/rust/kernel/alloc/ |
| D | kbox.rs | 103 // SAFETY: All zeros is equivalent to `None` (option layout optimization guarantee:
107 // SAFETY: `Box` is `Send` if `T` is `Send` because the `Box` owns a `T`.
115 // SAFETY: `Box` is `Sync` if `T` is `Sync` because the `Box` owns a `T`.
130 /// # Safety
139 // INVARIANT: Validity of `raw` is guaranteed by the safety preconditions of this function. in from_raw()
140 // SAFETY: By the safety preconditions of this function, `raw` is not a NULL pointer. in from_raw()
155 /// // SAFETY: `ptr` comes from a previous call to `KBox::into_raw`.
171 // SAFETY: `Box::into_raw` always returns a properly aligned and dereferenceable pointer in leak()
186 /// # Safety
192 // SAFETY: `raw` comes from a previous call to `Box::into_raw`. By the safety requirements in assume_init()
[all …]
|
| /linux-6.15/Documentation/translations/zh_CN/rust/ |
| D | coding-guidelines.rst | 53 此外,就像文档一样,注释在句子的开头要大写,并以句号结束(即使是单句)。这包括 ``// SAFETY:``,
80 一种特殊的注释是 ``// SAFETY:`` 注释。这些注释必须出现在每个 ``unsafe`` 块之前,它们
85 // SAFETY: `p` is valid by the safety requirements.
88 ``// SAFETY:`` 注释不能与代码文档中的 ``# Safety`` 部分相混淆。 ``# Safety`` 部
90 ``// SAFETY:`` 注释显示了为什么一个(函数)调用者或(特性)实现者实际上尊重了
91 ``# Safety`` 部分或语言参考中的前提条件。
111 /// # Safety
127 // SAFETY: The safety contract must be upheld by the caller.
137 - 不安全的函数必须在 ``# Safety`` 部分记录其安全前提条件。
150 - 任何 ``unsafe`` 的代码块都必须在前面加上一个 ``// SAFETY:`` 的注释,描述里面
|
| /linux-6.15/rust/kernel/list/ |
| D | impl_list_item_mod.rs | 15 /// # Safety
26 /// # Safety
35 // SAFETY: The caller promises that the pointer is valid. The implementer promises that the in raw_get_list_links()
49 // SAFETY: The implementation of `raw_get_list_links` only compiles if the field has the
61 // SAFETY: The caller promises that the pointer is not dangling. We know that this
73 /// # Safety
91 // SAFETY: The implementation of `raw_get_list_links` only compiles if the field has the
104 // SAFETY: The caller promises that the pointer is not dangling.
127 // SAFETY: See GUARANTEES comment on each method.
135 // SAFETY: The caller guarantees that `me` points at a valid value of type `Self`.
[all …]
|
| /linux-6.15/rust/kernel/sync/ |
| D | lock.rs | 27 /// # Safety
49 /// # Safety
61 /// # Safety
69 /// # Safety
76 /// # Safety
83 /// # Safety
88 // SAFETY: The safety requirements ensure that the lock is initialised. in relock()
94 /// # Safety
121 // SAFETY: `Lock` can be transferred across thread boundaries iff the data it protects can.
124 // SAFETY: `Lock` serialises the interior mutability it provides, so it is `Sync` as long as the
[all …]
|
| D | arc.rs | 153 /// # Safety
159 // SAFETY: The caller guarantees that the pointer is valid. in container_of()
161 // SAFETY: We're computing the layout of a real struct that existed when compiling this in container_of()
172 // SAFETY: The pointer is in-bounds of an allocation both before and after offsetting the in container_of()
177 // SAFETY: The pointer can't be null since you can't have an `ArcInner<T>` value at the null in container_of()
192 // SAFETY: It is safe to send `Arc<T>` to another thread when the underlying `T` is `Sync` because
198 // SAFETY: It is safe to send `&Arc<T>` to another thread when the underlying `T` is `Sync`
230 // SAFETY: There are no safety requirements for this FFI call. in new()
238 // SAFETY: We just created `inner` with a reference count of 1, which is owned by the new in new()
247 /// # Safety
[all …]
|
| /linux-6.15/rust/kernel/time/hrtimer/ |
| D | pin_mut.rs | 19 // SAFETY: We cancel the timer when the handle is dropped. The implementation of
28 // SAFETY: As we got `self_ptr` from a reference above, it must point to in cancel()
32 // SAFETY: As `timer_ptr` is derived from a reference, it must point to in cancel()
47 // SAFETY: We capture the lifetime of `Self` when we create a
58 // SAFETY: in start()
64 // SAFETY: in start()
88 // SAFETY: By the safety requirement of this function, `timer_ptr` in run()
92 // SAFETY: in run()
93 // - By the safety requirement of this function, `timer_ptr` in run()
95 // - As per the safety requirements of the trait `HrTimerHandle`, the in run()
[all …]
|
| D | pin.rs | 21 // SAFETY: We cancel the timer when the handle is dropped. The implementation of
30 // SAFETY: As we got `self_ptr` from a reference above, it must point to in cancel()
34 // SAFETY: As `timer_ptr` is derived from a reference, it must point to in cancel()
49 // SAFETY: We capture the lifetime of `Self` when we create a `PinHrTimerHandle`,
63 // SAFETY: in start()
84 // SAFETY: By the safety requirement of this function, `timer_ptr` in run()
88 // SAFETY: in run()
89 // - By the safety requirement of this function, `timer_ptr` in run()
91 // - As per the safety requirements of the trait `HrTimerHandle`, the in run()
98 // SAFETY: `receiver_ref` only exists as pinned, so it is safe to pin it in run()
|
| D | tbox.rs | 28 // SAFETY: We implement drop below, and we cancel the timer in the drop
36 // SAFETY: As we obtained `self.inner` from a valid reference when we in cancel()
40 // SAFETY: As `timer_ptr` points into `T` and `T` is valid, `timer_ptr` in cancel()
53 // SAFETY: By type invariant, `self.inner` came from a `Box::into_raw` in drop()
70 // SAFETY: in start()
77 // SAFETY: in start()
104 // SAFETY: By C API contract `ptr` is the pointer we passed when in run()
108 // SAFETY: in run()
109 // - As per the safety requirements of the trait `HrTimerHandle`, the in run()
|
| /linux-6.15/rust/kernel/block/mq/ |
| D | operations.rs | 59 /// # Safety
76 // SAFETY: `bd.rq` is valid as required by the safety requirement for in queue_rq_callback()
83 // SAFETY: in queue_rq_callback()
85 // - By the safety requirements of this function, `request` is a valid in queue_rq_callback()
91 // SAFETY: We have exclusive access and we just set the refcount above. in queue_rq_callback()
96 // SAFETY: `bd` is valid as required by the safety requirement for in queue_rq_callback()
111 /// # Safety
121 /// # Safety
129 /// # Safety
142 /// # Safety
[all …]
|
| D | request.rs | 61 /// # Safety
69 // INVARIANT: By the safety requirements of this function, invariants are upheld. in aref_from_raw()
70 // SAFETY: By the safety requirement of this function, we own a in aref_from_raw()
81 /// # Safety
86 // SAFETY: By type invariant, `self.0` is a valid `struct request` and in start_unchecked()
124 // SAFETY: By type invariant, `this.0` was a valid `struct request`. The in end_ok()
136 /// # Safety
142 // SAFETY: By safety requirements for this function, `this` is a in wrapper_ptr()
146 // SAFETY: By C API contract, wrapper_ptr points to a valid allocation in wrapper_ptr()
154 // SAFETY: By type invariant, `self.0` is a valid allocation. Further, in wrapper_ref()
[all …]
|
| /linux-6.15/rust/pin-init/src/ |
| D | __internal.rs | 21 /// It is unsafe to create this type, since the closure needs to fulfill the same safety
25 // SAFETY: While constructing the `InitClosure`, the user promised that it upholds the
37 // SAFETY: While constructing the `InitClosure`, the user promised that it upholds the
52 /// # Safety
64 /// # Safety
82 /// # Safety
94 /// # Safety
119 // SAFETY: TODO.
124 // SAFETY: TODO.
149 // SAFETY: As we are being dropped, we only call this once. And since `self.is_init` is in drop()
[all …]
|
| D | alloc.rs | 20 // SAFETY: All zeros is equivalent to `None` (option layout optimization guarantee:
39 // SAFETY: We delegate to `init` and only change the error type. in pin_init()
56 // SAFETY: We delegate to `init` and only change the error type. in init()
106 // SAFETY: the Arc has just been created and has no external references in try_pin_init()
110 // SAFETY: When init errors/panics, slot will get deallocated but not dropped, in try_pin_init()
113 // SAFETY: All fields have been initialized and this is the only `Arc` to that data. in try_pin_init()
124 // SAFETY: the Arc has just been created and has no external references in try_init()
128 // SAFETY: When init errors/panics, slot will get deallocated but not dropped, in try_init()
131 // SAFETY: All fields have been initialized. in try_init()
141 // SAFETY: When init errors/panics, slot will get deallocated but not dropped, in write_init()
[all …]
|
| /linux-6.15/rust/kernel/time/ |
| D | hrtimer.rs | 89 // SAFETY: Ownership of an `HrTimer` can be moved to other threads and
93 // SAFETY: Timer operations are locked on the C side, so it is safe to operate
106 // SAFETY: By design of `pin_init!`, `place` is a pointer to a in new()
128 /// # Safety
132 // SAFETY: The field projection to `timer` does not go out of bounds, in raw_get()
154 /// # Safety
158 // SAFETY: `this` points to an allocation of at least `HrTimer` size. in raw_cancel()
163 // SAFETY: `c_timer_ptr` is initialized and valid. Synchronization is in raw_cancel()
201 /// # Safety
209 /// # Safety
[all …]
|
| /linux-6.15/rust/kernel/net/ |
| D | phy.rs | 79 /// # Safety
89 // SAFETY: by the function requirements the pointer is valid and we have unique access for in from_raw()
97 // SAFETY: The struct invariant ensures that we may access in phy_id()
105 // SAFETY: The struct invariant ensures that we may access in state()
130 // SAFETY: The struct invariant ensures that we may access in is_link_up()
142 // SAFETY: The struct invariant ensures that we may access in is_autoneg_enabled()
155 // SAFETY: The struct invariant ensures that we may access in is_autoneg_completed()
164 // SAFETY: The struct invariant ensures that we may access in set_speed()
177 // SAFETY: The struct invariant ensures that we may access in set_duplex()
196 // SAFETY: `phydev` is pointing to a valid object by the type invariant of `Self`. in read_paged()
[all …]
|
| /linux-6.15/rust/kernel/fs/ |
| D | file.rs | 183 // SAFETY: This file is known to not have any active `fdget_pos` calls that did not take the
187 // SAFETY: This file is known to not have any active `fdget_pos` calls that did not take the
191 // SAFETY: The type invariants guarantee that `File` is always ref-counted. This implementation
196 // SAFETY: The existence of a shared reference means that the refcount is nonzero. in inc_ref()
202 // SAFETY: To call this method, the caller passes us ownership of a normal refcount, so we in dec_ref()
226 // SAFETY: The type invariants guarantee that `LocalFile` is always ref-counted. This implementation
231 // SAFETY: The existence of a shared reference means that the refcount is nonzero. in inc_ref()
237 // SAFETY: To call this method, the caller passes us ownership of a normal refcount, so we in dec_ref()
254 // SAFETY: FFI call, there are no requirements on `fd`. in fget()
257 // SAFETY: `bindings::fget` created a refcount, and we pass ownership of it to the `ARef`. in fget()
[all …]
|