From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EDD21EBE; Fri, 7 Mar 2025 13:37:45 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1741354666; cv=none; b=Oafmxi3t7VRuT3NgHKSofCvYXJnD2KY12MykhAoXlDiajlq5EcjxV3xhKgC2/mfiWTSReCEpHrvyvroqCq8Fj++BC8zBb6Jba0ihYQi1EiBgRs6vvJavJqba1oA/4qYT2BvlrJWGtT2US8T253u2y+G7ylRTQTKbFX64SNsrIgw= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1741354666; c=relaxed/simple; bh=6twqrik2u9WyiixhLU/idbbx3nP34hgJ5afeu7rAbPg=; h=From:To:Cc:Subject:In-Reply-To:References:Date:Message-ID: MIME-Version:Content-Type; b=ijyD/weYRlq2IRt9nDbjPVFMdSBbg3xsusE53eHR9ZoAjntQdj4zwhh91GGIouG6N5vJ7/Fwai2AE9V3GTxRYLj1ieEkHsEDm/tEnCRYXlKzJzbg2aTP8dWYDx+2aPydbrqwNMK4K3lwT1McZ1Qus0tVcdsqgpmSLFMQDKQX2WM= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=lO/+hGsB; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="lO/+hGsB" Received: by smtp.kernel.org (Postfix) with ESMTPSA id E6638C4CED1; Fri, 7 Mar 2025 13:37:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1741354665; bh=6twqrik2u9WyiixhLU/idbbx3nP34hgJ5afeu7rAbPg=; h=From:To:Cc:Subject:In-Reply-To:References:Date:From; b=lO/+hGsBhVb5kx3ttrOjf9T0ePOXmTkU0/+R/Ff4wl8GPQoRZP+rYLVBRvhd6EwiX IEGY4Feqq8I6ftL/57O27h6wCXilz6kb4aNF3bc6ovFHf2DBrqLU3U0Dn3JJd113Bv 55Y7Ub7qgEi00jdsZAGLjsmufNJwODeIctZ1j8/G1dPfxLg8DGsJmvhTsYrTVqYgxt 8uIP9Q3JoPaIgRmA937ifVu72eaeYosRrPZocaOLXJd0sNgdPRrZRrSTgzvi4Xt+vT akG/fsl5al0Cz9XG07s5TAyzU5n/lZf+okt/ESeILjYOVF/ZwJsZBqBoV1O5aMaFzR xXRioKlSYjgWg== From: Andreas Hindborg To: "Benno Lossin" Cc: "Miguel Ojeda" , "Anna-Maria Behnsen" , "Frederic Weisbecker" , "Thomas Gleixner" , "Danilo Krummrich" , "Alex Gaynor" , "Boqun Feng" , "Gary Guo" , =?utf-8?Q?Bj?= =?utf-8?Q?=C3=B6rn?= Roy Baron , "Alice Ryhl" , "Trevor Gross" , "Lyude Paul" , "Guangbo Cui" <2407018371@qq.com>, "Dirk Behme" , "Daniel Almeida" , "Tamir Duberstein" , "Markus Elfring" , , Subject: Re: [PATCH v10 07/13] rust: hrtimer: implement `UnsafeHrTimerPointer` for `Pin<&T>` In-Reply-To: (Benno Lossin's message of "Fri, 07 Mar 2025 13:12:01 +0000") References: <20250307-hrtimer-v3-v6-12-rc2-v10-0-0cf7e9491da4@kernel.org> <20250307-hrtimer-v3-v6-12-rc2-v10-7-0cf7e9491da4@kernel.org> <6-QyjoxR_6TYuJVEXwdFAZrhFz52ZDU_4-r64epTLFpOAMc3jM_REWS-v_7TzdcgYmq1j74UmTnhYW5HdT98bQ==@protonmail.internalid> User-Agent: mu4e 1.12.7; emacs 29.4 Date: Fri, 07 Mar 2025 14:37:35 +0100 Message-ID: <87msdx3qsg.fsf@kernel.org> Precedence: bulk X-Mailing-List: rust-for-linux@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain "Benno Lossin" writes: > On Fri Mar 7, 2025 at 11:11 AM CET, Andreas Hindborg wrote: >> Allow pinned references to structs that contain a `HrTimer` node to be >> scheduled with the `hrtimer` subsystem. >> >> Acked-by: Frederic Weisbecker >> Reviewed-by: Lyude Paul >> Signed-off-by: Andreas Hindborg >> --- >> rust/kernel/time/hrtimer.rs | 2 + >> rust/kernel/time/hrtimer/pin.rs | 99 +++++++++++++++++++++++++++++++++++++++++ >> 2 files changed, 101 insertions(+) >> >> diff --git a/rust/kernel/time/hrtimer.rs b/rust/kernel/time/hrtimer.rs >> index d90a25785f87..2ca56397eade 100644 >> --- a/rust/kernel/time/hrtimer.rs >> +++ b/rust/kernel/time/hrtimer.rs >> @@ -439,3 +439,5 @@ unsafe fn timer_container_of(ptr: *mut $crate::time::hrtimer::HrTimer<$timer_typ >> >> mod arc; >> pub use arc::ArcHrTimerHandle; >> +mod pin; >> +pub use pin::PinHrTimerHandle; >> diff --git a/rust/kernel/time/hrtimer/pin.rs b/rust/kernel/time/hrtimer/pin.rs >> new file mode 100644 >> index 000000000000..6c9f2190f8e1 >> --- /dev/null >> +++ b/rust/kernel/time/hrtimer/pin.rs >> @@ -0,0 +1,99 @@ >> +// SPDX-License-Identifier: GPL-2.0 >> + >> +use super::HasHrTimer; >> +use super::HrTimer; >> +use super::HrTimerCallback; >> +use super::HrTimerHandle; >> +use super::RawHrTimerCallback; >> +use super::UnsafeHrTimerPointer; >> +use crate::time::Ktime; >> +use core::pin::Pin; >> + >> +/// A handle for a `Pin<&HasHrTimer>`. When the handle exists, the timer might be >> +/// running. >> +pub struct PinHrTimerHandle<'a, T> >> +where >> + T: HasHrTimer, >> +{ >> + pub(crate) inner: Pin<&'a T>, >> +} >> + >> +// SAFETY: We cancel the timer when the handle is dropped. The implementation of >> +// the `cancel` method will block if the timer handler is running. >> +unsafe impl<'a, T> HrTimerHandle for PinHrTimerHandle<'a, T> >> +where >> + T: HasHrTimer, >> +{ >> + fn cancel(&mut self) -> bool { >> + let self_ptr: *const T = self.inner.get_ref(); >> + >> + // SAFETY: As we got `self_ptr` from a reference above, it must point to >> + // a valid `T`. >> + let timer_ptr = unsafe { >::raw_get_timer(self_ptr) }; >> + >> + // SAFETY: As `timer_ptr` is derived from a reference, it must point to >> + // a valid and initialized `HrTimer`. >> + unsafe { HrTimer::::raw_cancel(timer_ptr) } >> + } >> +} >> + >> +impl<'a, T> Drop for PinHrTimerHandle<'a, T> >> +where >> + T: HasHrTimer, >> +{ >> + fn drop(&mut self) { >> + self.cancel(); >> + } >> +} >> + >> +// SAFETY: We capture the lifetime of `Self` when we create a `PinHrTimerHandle`, >> +// so `Self` will outlive the handle. >> +unsafe impl<'a, T> UnsafeHrTimerPointer for Pin<&'a T> >> +where >> + T: Send + Sync, >> + T: HasHrTimer, >> + T: HrTimerCallback = Self>, >> + Pin<&'a T>: RawHrTimerCallback = Self>, >> +{ >> + type TimerHandle = PinHrTimerHandle<'a, T>; >> + >> + unsafe fn start(self, expires: Ktime) -> Self::TimerHandle { >> + // Cast to pointer >> + let self_ptr: *const T = ::deref(&self); > > Why use deref? `get_ref` seems much cleaner. Sure. > >> + >> + // SAFETY: >> + // - As we derive `self_ptr` from a reference above, it must point to a >> + // valid `T`. >> + // - We keep `self` alive by wrapping it in a handle below. >> + unsafe { T::start(self_ptr, expires) }; >> + >> + PinHrTimerHandle { inner: self } >> + } >> +} >> + >> +impl<'a, T> RawHrTimerCallback for Pin<&'a T> >> +where >> + T: HasHrTimer, >> + T: HrTimerCallback = Self>, >> +{ >> + type CallbackTarget<'b> = Self; >> + >> + unsafe extern "C" fn run(ptr: *mut bindings::hrtimer) -> bindings::hrtimer_restart { >> + // `HrTimer` is `repr(C)` >> + let timer_ptr = ptr as *mut HrTimer; >> + >> + // SAFETY: By the safety requirement of this function, `timer_ptr` >> + // points to a `HrTimer` contained in an `T`. >> + let receiver_ptr = unsafe { T::timer_container_of(timer_ptr) }; >> + >> + // SAFETY: By the safety requirement of this function, `timer_ptr` >> + // points to a `HrTimer` contained in an `T`. > > This justification seems wrong it talks about `HrTimer`, but here we > have a `*const T`... Also see [1] (I am mainly interested in your > justification for the lifetime). > > [1]: https://doc.rust-lang.org/std/ptr/index.html#pointer-to-reference-conversion How is this: // SAFETY: // - By the safety requirement of this function, `timer_ptr` // points to a `HrTimer` contained in an `T`. // - The `PinHrTimerHandle` associated with this timer is guaranteed to // be alive until this method returns. As the handle borrows from // `T`, `T` is also guaranteed to be alive for the duration of this // function. Best regards, Andreas Hindborg