Re: [PATCH v10 10/13] rust: hrtimer: implement `HrTimerPointer` for `Pin<Box<T>>`

[Andreas Hindborg <a.hindborg@kernel.org>]

"Benno Lossin" <benno.lossin@proton.me> writes:

> On Fri Mar 7, 2025 at 11:11 AM CET, Andreas Hindborg wrote:
>> Allow `Pin<Box<T>>` to be the target of a timer callback.
>>
>> Acked-by: Frederic Weisbecker <frederic@kernel.org>
>> Reviewed-by: Lyude Paul <lyude@redhat.com>
>> Signed-off-by: Andreas Hindborg <a.hindborg@kernel.org>
>> ---
>>  rust/kernel/time/hrtimer.rs      |   3 ++
>>  rust/kernel/time/hrtimer/tbox.rs | 109 +++++++++++++++++++++++++++++++++++++++
>>  2 files changed, 112 insertions(+)
>>
>> diff --git a/rust/kernel/time/hrtimer.rs b/rust/kernel/time/hrtimer.rs
>> index d2791fd624b7..991d37b0524a 100644
>> --- a/rust/kernel/time/hrtimer.rs
>> +++ b/rust/kernel/time/hrtimer.rs
>> @@ -443,3 +443,6 @@ unsafe fn timer_container_of(ptr: *mut $crate::time::hrtimer::HrTimer<$timer_typ
>>  pub use pin::PinHrTimerHandle;
>>  mod pin_mut;
>>  pub use pin_mut::PinMutHrTimerHandle;
>> +// `box` is a reserved keyword, so prefix with `t` for timer
>> +mod tbox;
>> +pub use tbox::BoxHrTimerHandle;
>> diff --git a/rust/kernel/time/hrtimer/tbox.rs b/rust/kernel/time/hrtimer/tbox.rs
>> new file mode 100644
>> index 000000000000..a3b2ed849050
>> --- /dev/null
>> +++ b/rust/kernel/time/hrtimer/tbox.rs
>> @@ -0,0 +1,109 @@
>> +// SPDX-License-Identifier: GPL-2.0
>> +
>> +use super::HasHrTimer;
>> +use super::HrTimer;
>> +use super::HrTimerCallback;
>> +use super::HrTimerHandle;
>> +use super::HrTimerPointer;
>> +use super::RawHrTimerCallback;
>> +use crate::prelude::*;
>> +use crate::time::Ktime;
>> +use core::mem::ManuallyDrop;
>> +use core::ptr::NonNull;
>> +
>> +/// A handle for a [`Box<HasHrTimer<T>>`] returned by a call to
>> +/// [`HrTimerPointer::start`].
>> +pub struct BoxHrTimerHandle<T, A>
>
> Should this type implement `Send` and `Sync` depending on `T`?

Yes. In practice `T` will always be `Send` and `Sync` because of bounds
on other traits.

I don't think we have to require `T: Sync`, because the handle does not ever
create shared references to the underlying `T`?

>
>> +where
>> +    T: HasHrTimer<T>,
>> +    A: crate::alloc::Allocator,
>> +{
>> +    pub(crate) inner: NonNull<T>,
>> +    _p: core::marker::PhantomData<A>,
>> +}
>> +
>> +// SAFETY: We implement drop below, and we cancel the timer in the drop
>> +// implementation.
>> +unsafe impl<T, A> HrTimerHandle for BoxHrTimerHandle<T, A>
>> +where
>> +    T: HasHrTimer<T>,
>> +    A: crate::alloc::Allocator,
>> +{
>> +    fn cancel(&mut self) -> bool {
>> +        // SAFETY: As we obtained `self.inner` from a valid reference when we
>> +        // created `self`, it must point to a valid `T`.
>> +        let timer_ptr = unsafe { <T as HasHrTimer<T>>::raw_get_timer(self.inner.as_ptr()) };
>> +
>> +        // SAFETY: As `timer_ptr` points into `T` and `T` is valid, `timer_ptr`
>> +        // must point to a valid `HrTimer` instance.
>> +        unsafe { HrTimer::<T>::raw_cancel(timer_ptr) }
>> +    }
>> +}
>> +
>> +impl<T, A> Drop for BoxHrTimerHandle<T, A>
>> +where
>> +    T: HasHrTimer<T>,
>> +    A: crate::alloc::Allocator,
>> +{
>> +    fn drop(&mut self) {
>> +        self.cancel();
>> +        // SAFETY: `self.inner` came from a `Box::into_raw` call
>
> Please add this as an invariant to `Self`.

OK.

>
>> +        drop(unsafe { Box::<T, A>::from_raw(self.inner.as_ptr()) })
>> +    }
>> +}
>> +
>> +impl<T, A> HrTimerPointer for Pin<Box<T, A>>
>> +where
>> +    T: 'static,
>> +    T: Send + Sync,
>> +    T: HasHrTimer<T>,
>> +    T: for<'a> HrTimerCallback<Pointer<'a> = Pin<Box<T, A>>>,
>> +    Pin<Box<T, A>>: for<'a> RawHrTimerCallback<CallbackTarget<'a> = Pin<&'a T>>,
>
> I don't think this is necessary.

Should I remove it? I feel like it communicates intent.

>
>> +    A: crate::alloc::Allocator,
>> +{
>> +    type TimerHandle = BoxHrTimerHandle<T, A>;
>> +
>> +    fn start(self, expires: Ktime) -> Self::TimerHandle {
>> +        // SAFETY:
>> +        //  - We will not move out of this box during timer callback (we pass an
>> +        //    immutable reference to the callback).
>> +        //  - `Box::into_raw` is guaranteed to return a valid pointer.
>> +        let inner =
>> +            unsafe { NonNull::new_unchecked(Box::into_raw(Pin::into_inner_unchecked(self))) };
>> +
>> +        // SAFETY:
>> +        //  - We keep `self` alive by wrapping it in a handle below.
>> +        //  - Since we generate the pointer passed to `start` from a valid
>> +        //    reference, it is a valid pointer.
>> +        unsafe { T::start(inner.as_ptr(), expires) };
>> +
>> +        BoxHrTimerHandle {
>> +            inner,
>> +            _p: core::marker::PhantomData,
>> +        }
>> +    }
>> +}
>> +
>> +impl<T, A> RawHrTimerCallback for Pin<Box<T, A>>
>> +where
>> +    T: 'static,
>> +    T: HasHrTimer<T>,
>> +    T: for<'a> HrTimerCallback<Pointer<'a> = Pin<Box<T, A>>>,
>> +    A: crate::alloc::Allocator,
>> +{
>> +    type CallbackTarget<'a> = Pin<&'a T>;
>
> Why isn't this `Pin<&'a mut T>`?

I don't think it matters much? There can be no other mutable references
while the callback is running, so why not a shared ref?

>
>> +
>> +    unsafe extern "C" fn run(ptr: *mut bindings::hrtimer) -> bindings::hrtimer_restart {
>> +        // `HrTimer` is `repr(C)`
>> +        let timer_ptr = ptr.cast::<super::HrTimer<T>>();
>> +
>> +        // SAFETY: By C API contract `ptr` is the pointer we passed when
>> +        // queuing the timer, so it is a `HrTimer<T>` embedded in a `T`.
>> +        let data_ptr = unsafe { T::timer_container_of(timer_ptr) };
>> +
>> +        // SAFETY: We called `Box::into_raw` when we queued the timer.
>> +        let tbox = ManuallyDrop::new(Box::into_pin(unsafe { Box::<T, A>::from_raw(data_ptr) }));
>
> Since you turn this into a reference below and never run the drop, why
> not turn the pointer directly into a reference?

You mean replace with `unsafe {&*data_ptr};`? I guess that could work,
but it hinges on `Box` being transparent which is more subtle than going
through the API.



Best regards,
Andreas Hindborg