@@ -79,13 +79,29 @@ pub enum SeekFrom {
7979Current ( i64 ) ,
8080}
8181
82+ /// Called by the VFS when an inode should be opened.
83+ ///
84+ /// Calls `T::open` on the returned value of `A::convert`.
85+ ///
86+ /// # Safety
87+ ///
88+ /// The returned value of `A::convert` must be a valid non-null pointer and
89+ /// `T:open` must return a valid non-null pointer on an `Ok` result.
8290unsafe extern "C" fn open_callback < A : FileOpenAdapter , T : FileOpener < A :: Arg > > (
8391 inode : * mut bindings:: inode ,
8492 file : * mut bindings:: file ,
8593) -> c_types:: c_int {
8694 from_kernel_result ! {
95+ // SAFETY: `A::convert` must return a valid non-null pointer that
96+ // should point to data in the inode or file that lives longer
97+ // than the following use of `T::open`.
8798 let arg = unsafe { A :: convert( inode, file) } ;
99+ // SAFETY: `arg` was previously returned by `A::convert` and must
100+ // be a valid non-null pointer.
88101 let ptr = T :: open( unsafe { & * arg } ) ?. into_pointer( ) ;
102+ // SAFETY: `ptr` was previously returned by `T::open`. The returned
103+ // value should be a boxed value and should live the length of the
104+ // given file.
89105 unsafe { ( * file) . private_data = ptr as * mut c_types:: c_void } ;
90106 Ok ( 0 )
91107 }
@@ -556,7 +572,8 @@ pub trait FileOpenAdapter {
556572/// # Safety
557573///
558574/// This function must be called only when [`struct file_operations::open`] is being called for
559- /// a file that was registered by the implementer.
575+ /// a file that was registered by the implementer. The returned pointer must be valid and
576+ /// not-null.
560577unsafe fn convert ( _inode : * mut bindings:: inode , _file : * mut bindings:: file )
561578 -> * const Self :: Arg ;
562579}
0 commit comments