Re: [PATCH] rust: drm: fix unsound initialization in drm::Device::new

[Gary Guo]

On Wed Apr 29, 2026 at 9:03 AM BST, Alice Ryhl wrote:
>
>> @@ -133,6 +140,10 @@ pub fn new(dev: &device::Device, data: impl PinInit<T::Data, Error>) -> Result<A
>>          .cast();
>>          let raw_drm = NonNull::new(from_err_ptr(raw_drm)?).ok_or(ENOMEM)?;
>>  
>> +        // SAFETY: `raw_drm` is a valid pointer to `Self`, given that `__drm_dev_alloc` was
>> +        // successful.
>> +        let drm_dev = unsafe { Self::into_drm_device(raw_drm) };
>> +
>>          // SAFETY: `raw_drm` is a valid pointer to `Self`.
>>          let raw_data = unsafe { ptr::addr_of_mut!((*raw_drm.as_ptr()).data) };
>>  
>> @@ -140,15 +151,14 @@ pub fn new(dev: &device::Device, data: impl PinInit<T::Data, Error>) -> Result<A
>>          // - `raw_data` is a valid pointer to uninitialized memory.
>>          // - `raw_data` will not move until it is dropped.
>>          unsafe { data.__pinned_init(raw_data) }.inspect_err(|_| {
>> -            // SAFETY: `raw_drm` is a valid pointer to `Self`, given that `__drm_dev_alloc` was
>> -            // successful.
>> -            let drm_dev = unsafe { Self::into_drm_device(raw_drm) };
>> -
>>              // SAFETY: `__drm_dev_alloc()` was successful, hence `drm_dev` must be valid and the
>>              // refcount must be non-zero.
>>              unsafe { bindings::drm_dev_put(drm_dev) };
>>          })?;
>>  
>> +        // SAFETY: `drm_dev` is still private to this function.
>> +        unsafe { (*drm_dev).driver = &Self::VTABLE };
>
> It would be bad if this ended up being a reference to a local variable.
> Please use `&const { Self::VTABLE }` so that it doesn't compile if this
> occurs.

Self::VTABLE and `const {}` are both just constants and there's no difference
here.

If you want to guaranteed static promotion it should be

    const { &Self::VTABLE }

Best,
Gary