On Mon, May 12, 2025 at 01:41:13PM +0200, Miguel Ojeda wrote:
> On Fri, Apr 11, 2025 at 1:56 AM Danilo Krummrich <d...@kernel.org> wrote:
> >
> > +    fn from_gem_obj(obj: *mut bindings::drm_gem_object) -> *mut Self {
> > +        // SAFETY: All of our objects are Object<T>.
> > +        unsafe { crate::container_of!(obj, Object<T>, obj).cast_mut() }
> > +    }
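
Review bot: `from_gem_obj` is declared as a safe `fn`, yet it takes an arbitrary `*mut bindings::drm_gem_object` and passes it straight to `container_of!`. Nothing in the signature stops a caller from handing in a pointer that is not the `obj` field of an `Object<T>`. Suggest making it `unsafe fn` with a `# Safety` section requiring that `obj` be embedded in a live `Object<T>`, and rewording the `// SAFETY:` comment to cite that requirement instead of asserting "All of our objects are Object<T>", which the function itself cannot check.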
> 
> Doing something unrelated, I got a Clippy warning about this public
> function not being unsafe, and while the lint talks about potentially
> dereferencing a pointer, it is still the case that `container_of` uses
> `byte_sub` which is why the macro requires both the in and out pointer
> to be in bounds of the same allocation.
> 
> So since someone may pass any pointer here, this should be unsafe, right?
> 
> Even if that is not correct, the `// SAFETY` comment should
> nevertheless explain why that holds, no?
> 
> I hope that helps.

Lyude's series [1] should address this and the other one you pointed out.

- Danilo

[1] https://lore.kernel.org/rust-for-linux/20250501183717.2058109-1-ly...@redhat.com/
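
The safety contract discussed in this thread, as an added example that is not code from the patch or the kernel tree: a stand-alone `container_of`-style conversion written as an `unsafe fn` with a `# Safety` section. `GemObject`, the fields of `Object<T>` and `round_trip` are hypothetical stand-ins, and `byte_sub` with `offset_of!` substitutes here for the kernel's `container_of!` macro.

```rust
use core::mem::offset_of;
use core::ptr::addr_of_mut;

/// Stand-in for `bindings::drm_gem_object` (constructed for this example).
#[repr(C)]
pub struct GemObject {
    pub size: usize,
}

/// Stand-in for the driver wrapper that embeds the base object.
#[repr(C)]
pub struct Object<T> {
    pub refcount: u32,
    pub obj: GemObject,
    pub inner: T,
}

impl<T> Object<T> {
    /// Recovers the wrapper pointer from a pointer to its embedded `obj` field.
    ///
    /// # Safety
    ///
    /// `obj` must point to the `obj` field of a live `Object<T>`, so that both
    /// `obj` and the returned pointer lie within that single allocation.
    pub unsafe fn from_gem_obj(obj: *mut GemObject) -> *mut Self {
        // SAFETY: By the function's safety requirements, stepping back by the
        // field offset stays inside the `Object<T>` allocation.
        unsafe { obj.byte_sub(offset_of!(Object<T>, obj)).cast::<Self>() }
    }
}

/// Round-trips a wrapper through its embedded field and reads `inner` back.
pub fn round_trip(value: u64) -> (bool, u64) {
    let base = GemObject { size: 4096 };
    let mut boxed = Box::new(Object { refcount: 1, obj: base, inner: value });
    let whole: *mut Object<u64> = &mut *boxed;
    // SAFETY: `whole` points to a live `Object<u64>`.
    let field = unsafe { addr_of_mut!((*whole).obj) };
    // SAFETY: `field` is the `obj` field of the live `Object<u64>` at `whole`.
    let back = unsafe { Object::<u64>::from_gem_obj(field) };
    // SAFETY: `back` equals `whole`, which is valid while `boxed` is alive.
    (back == whole, unsafe { (*back).inner })
}

fn main() {
    assert_eq!(round_trip(7), (true, 7));
}
```

The caller in `round_trip` can justify each `unsafe` block because it built the pointer itself; a safe signature would give callers no such obligation to discharge.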
