From: Andreas Hindborg
To: "Benno Lossin"
Cc: "Miguel Ojeda", "Anna-Maria Behnsen", "Frederic Weisbecker", "Thomas Gleixner", "Danilo Krummrich", "Alex Gaynor", "Boqun Feng", "Gary Guo", Björn Roy Baron, "Alice Ryhl", "Trevor Gross", "Lyude Paul", "Guangbo Cui" <2407018371@qq.com>, "Dirk Behme", "Daniel Almeida", "Tamir Duberstein", "Markus Elfring"
Subject: Re: [PATCH v10 01/13] rust: hrtimer: introduce hrtimer support
In-Reply-To: (Benno Lossin's message of "Fri, 07 Mar 2025 12:43:18 +0000")
References: <20250307-hrtimer-v3-v6-12-rc2-v10-0-0cf7e9491da4@kernel.org> <20250307-hrtimer-v3-v6-12-rc2-v10-1-0cf7e9491da4@kernel.org>
Date: Fri, 07 Mar 2025 14:10:21 +0100
Message-ID: <87y0xh3s1u.fsf@kernel.org>
X-Mailing-List: rust-for-linux@vger.kernel.org

"Benno Lossin" writes:

> On Fri Mar 7, 2025 at 11:11 AM CET, Andreas Hindborg wrote:
>> Add support for intrusive use of the hrtimer system. For now,
>> only add support for embedding one timer per Rust struct.
>>
>> The hrtimer Rust API is based on the intrusive style pattern introduced by
>> the Rust workqueue API.
>>
>> Acked-by: Frederic Weisbecker
>> Signed-off-by: Andreas Hindborg
>
> Some smaller changes below, with those fixed:
>
> Reviewed-by: Benno Lossin

Thanks!

>
>> --- >> rust/kernel/time.rs | 2 + >> rust/kernel/time/hrtimer.rs | 359 ++++++++++++++++++++++++++++++++++++++++++++ >> 2 files changed, 361 insertions(+) >> >> diff --git a/rust/kernel/time.rs b/rust/kernel/time.rs >> index 379c0f5772e5..fab1dadfa589 100644 >> --- a/rust/kernel/time.rs >> +++ b/rust/kernel/time.rs 
>> @@ -8,6 +8,8 @@ >> //! C header: [`include/linux/jiffies.h`](srctree/include/linux/jiffies.h). >> //! C header: [`include/linux/ktime.h`](srctree/include/linux/ktime.h). >> >> +pub mod hrtimer; >> + >> /// The number of nanoseconds per millisecond. >> pub const NSEC_PER_MSEC: i64 = bindings::NSEC_PER_MSEC as i64; >> >> diff --git a/rust/kernel/time/hrtimer.rs b/rust/kernel/time/hrtimer.rs >> new file mode 100644 >> index 000000000000..7d7d490f8b6f >> --- /dev/null >> +++ b/rust/kernel/time/hrtimer.rs 
>> @@ -0,0 +1,359 @@ >> +// SPDX-License-Identifier: GPL-2.0 >> + >> +//! Intrusive high resolution timers. >> +//! >> +//! Allows running timer callbacks without doing allocations at the time of >> +//! starting the timer. For now, only one timer per type is allowed. >> +//! >> +//! # Vocabulary >> +//! >> +//! States: >> +//! >> +//! - Stopped: initialized but not started, or cancelled, or not restarted. >> +//! - Started: initialized and started or restarted. >> +//! - Running: executing the callback. >> +//! >> +//! Operations: >> +//! >> +//! * Start >> +//! * Cancel >> +//! * Restart >> +//! >> +//! Events: >> +//! >> +//! * Expire >> +//! >> +//! ## State Diagram >> +//! >> +//! ```text >> +//! Return NoRestart >> +//! +---------------------------------------------------------------------+ >> +//! | | >> +//! | | >> +//! | | >> +//! | Return Restart | >> +//! | +------------------------+ | >> +//! | | | | >> +//! | | | | >> +//! v v | | >> +//! +-----------------+ Start +------------------+ +--------+-----+--+ >> +//! | +---------------->| | | | >> +//! Init | | | | Expire | | >> +//! --------->| Stopped | | Started +---------->| Running | >> +//! | | Cancel | | | | >> +//! | |<----------------+ | | | >> +//! +-----------------+ +---------------+--+ +-----------------+ >> +//! ^ | >> +//! | | >> +//! +---------+ >> +//! Restart >> +//! ``` >> +//! >> +//! >> +//! A timer is initialized in the **stopped** state. A stopped timer can be >> +//! **started** by the `start` operation, with an **expiry** time. After the >> +//! `start` operation, the timer is in the **started** state. When the timer >> +//! **expires**, the timer enters the **running** state and the handler is >> +//! executed. After the handler has returned, the timer may enter the >> +//! **started* or **stopped** state, depending on the return value of the >> +//! handler. A timer in the **started** or **running** state may be **canceled** >> +//! by the `cancel` operation. 
A timer that is cancelled enters the **stopped** >> +//! state. > > This looks very nice, thanks! > >> +//! >> +//! A `cancel` or `restart` operation on a timer in the **running** state takes >> +//! effect after the handler has returned and the timer has transitioned >> +//! out of the **running** state. >> +//! >> +//! A `restart` operation on a timer in the **stopped** state is equivalent to a >> +//! `start` operation. >> + >> +use crate::{init::PinInit, prelude::*, time::Ktime, types::Opaque}; >> +use core::marker::PhantomData; >> + >> +/// A timer backed by a C `struct hrtimer`. >> +/// >> +/// # Invariants >> +/// >> +/// * `self.timer` is initialized by `bindings::hrtimer_setup`. >> +#[pin_data] >> +#[repr(C)] >> +pub struct HrTimer { >> + #[pin] >> + timer: Opaque, >> + _t: PhantomData, >> +} >> + >> +// SAFETY: Ownership of an `HrTimer` can be moved to other threads and >> +// used/dropped from there. >> +unsafe impl Send for HrTimer {} >> + >> +// SAFETY: Timer operations are locked on the C side, so it is safe to operate >> +// on a timer from multiple threads. >> +unsafe impl Sync for HrTimer {} >> + >> +impl HrTimer { >> + /// Return an initializer for a new timer instance. >> + pub fn new() -> impl PinInit >> + where >> + T: HrTimerCallback, >> + { >> + pin_init!(Self { >> + // INVARIANT: We initialize `timer` with `hrtimer_setup` below. >> + timer <- Opaque::ffi_init(move |place: *mut bindings::hrtimer| { >> + // SAFETY: By design of `pin_init!`, `place` is a pointer to a >> + // live allocation. hrtimer_setup will initialize `place` and >> + // does not require `place` to be initialized prior to the call. >> + unsafe { >> + bindings::hrtimer_setup( >> + place, >> + Some(T::Pointer::run), >> + bindings::CLOCK_MONOTONIC as i32, >> + bindings::hrtimer_mode_HRTIMER_MODE_REL, >> + ); >> + } >> + }), >> + _t: PhantomData, >> + }) >> + } >> + >> + /// Get a pointer to the contained `bindings::hrtimer`. 
>> + /// >> + /// This function is useful to get access to the value without creating >> + /// intermediate references. >> + /// >> + /// # Safety >> + /// >> + /// `this` must point to a live allocation of at least the size of `Self`. >> + unsafe fn raw_get(this: *const Self) -> *mut bindings::hrtimer { >> + // SAFETY: The field projection to `timer` does not go out of bounds, >> + // because the caller of this function promises that `this` points to an >> + // allocation of at least the size of `Self`. >> + unsafe { Opaque::raw_get(core::ptr::addr_of!((*this).timer)) } >> + } >> + >> + /// Cancel an initialized and potentially running timer. >> + /// >> + /// If the timer handler is running, this function will block until the >> + /// handler returns. >> + /// >> + /// Note that the timer might be started by a concurrent start operation. If >> + /// so, the timer might not be in the **stopped** state when this function >> + /// returns. >> + /// >> + /// Users of the `HrTimer` API would not usually call this method directly. >> + /// Instead they would use the safe [`HrTimerHandle::cancel`] on the handle >> + /// returned when the timer was started. >> + /// >> + /// This function is useful to get access to the value without creating >> + /// intermediate references. >> + /// >> + /// # Safety >> + /// >> + /// `this` must point to a valid `Self`. >> + #[allow(dead_code)] >> + pub(crate) unsafe fn raw_cancel(this: *const Self) -> bool { >> + // SAFETY: `this` points to an allocation of at least `HrTimer` size. >> + let c_timer_ptr = unsafe { HrTimer::raw_get(this) }; >> + >> + // If the handler is running, this will wait for the handler to return >> + // before returning. >> + // SAFETY: `c_timer_ptr` is initialized and valid. Synchronization is >> + // handled on the C side. >> + unsafe { bindings::hrtimer_cancel(c_timer_ptr) != 0 } >> + } >> +} >> + >> +/// Implemented by pointer types that point to structs that contain a [`HrTimer`]. 
>> +/// >> +/// `Self` must be [`Sync`] because it is passed to timer callbacks in another >> +/// thread of execution (hard or soft interrupt context). >> +/// >> +/// Starting a timer returns a [`HrTimerHandle`] that can be used to manipulate >> +/// the timer. Note that it is OK to call the start function repeatedly, and >> +/// that more than one [`HrTimerHandle`] associated with a [`HrTimerPointer`] may >> +/// exist. A timer can be manipulated through any of the handles, and a handle >> +/// may represent a cancelled timer. >> +pub trait HrTimerPointer: Sync + Sized { >> + /// A handle representing a started or restarted timer. >> + /// >> + /// If the timer is running or if the timer callback is executing when the >> + /// handle is dropped, the drop method of [`HrTimerHandle`] should not return >> + /// until the timer is stopped and the callback has completed. >> + /// >> + /// Note: When implementing this trait, consider that it is not unsafe to >> + /// leak the handle. >> + type TimerHandle: HrTimerHandle; >> + >> + /// Start the timer with expiry after `expires` time units. If the timer was >> + /// already running, it is restarted with the new expiry time. >> + fn start(self, expires: Ktime) -> Self::TimerHandle; >> +} >> + >> +/// Implemented by [`HrTimerPointer`] implementers to give the C timer callback a >> +/// function to call. >> +// This is split from `HrTimerPointer` to make it easier to specify trait bounds. >> +pub trait RawHrTimerCallback { >> + /// This type is passed to [`HrTimerCallback::run`]. It may be a borrow of >> + /// [`Self::CallbackTarget`], or it may be `Self::CallbackTarget` if the > > This part of the docs no longer makes sense. You probably mean to say > `Self` instead, right? Yes: /// This passed passed to [`HrTimerCallback::run`]. It may be [`Self`], or a /// pointer type derived from [`Self`]. 
> >> + /// implementation can guarantee correct access (exclusive or shared >> + /// depending on the type) to the target during timer handler execution. >> + type CallbackTarget<'a>; >> + >> + /// Callback to be called from C when timer fires. >> + /// >> + /// # Safety >> + /// >> + /// Only to be called by C code in the `hrtimer` subsystem. `this` must point >> + /// to the `bindings::hrtimer` structure that was used to start the timer. >> + unsafe extern "C" fn run(this: *mut bindings::hrtimer) -> bindings::hrtimer_restart; >> +} >> + >> +/// Implemented by structs that can be the target of a timer callback. >> +pub trait HrTimerCallback { >> + /// The type whose [`RawHrTimerCallback::run`] method will be invoked when >> + /// the timer expires. >> + type Pointer<'a>: RawHrTimerCallback; >> + >> + /// Called by the timer logic when the timer fires. >> + fn run(this: as RawHrTimerCallback>::CallbackTarget<'_>) >> + where >> + Self: Sized; >> +} >> + >> +/// A handle representing a potentially running timer. >> +/// >> +/// More than one handle representing the same timer might exist. >> +/// >> +/// # Safety >> +/// >> +/// When dropped, the timer represented by this handle must be cancelled, if it >> +/// is running. If the timer handler is running when the handle is dropped, the >> +/// drop method must wait for the handler to return before returning. >> +/// >> +/// Note: One way to satisfy the safety requirement is to call `Self::cancel` in >> +/// the drop implementation for `Self.` >> +pub unsafe trait HrTimerHandle { >> + /// Cancel the timer. If the timer is in the running state, block till the >> + /// handler has returned. >> + /// >> + /// Note that the timer might be started by a concurrent start operation. If >> + /// so, the timer might not be in the **stopped** state when this function >> + /// returns. >> + /// >> + fn cancel(&mut self) -> bool; >> +} >> + >> +/// Implemented by structs that contain timer nodes. 
>> +/// >> +/// Clients of the timer API would usually safely implement this trait by using >> +/// the [`crate::impl_has_hr_timer`] macro. >> +/// >> +/// # Safety >> +/// >> +/// Implementers of this trait must ensure that the implementer has a [`HrTimer`] >> +/// field at the offset specified by `OFFSET` and that all trait methods are >> +/// implemented according to their documentation. >> +/// >> +/// [`impl_has_timer`]: crate::impl_has_timer > > This link is unused. Thanks. > >> +pub unsafe trait HasHrTimer { >> + /// Return a pointer to the [`HrTimer`] within `Self`. >> + /// >> + /// This function is useful to get access to the value without creating >> + /// intermediate references. >> + /// >> + /// # Safety >> + /// >> + /// `this` must point to a valid struct of type `Self`. > > I don't think that this is the correct requirement. The pointer `this` > must be valid (i.e. dereferenceable), but the value that we're pointing > at doesn't have to be valid, right? You are right: /// `this` must be a valid pointer. > > Same below. Right. I shall not update the safety requirement at the call sites, because "`this` must point to a valid `Self`" is a stronger requirement, so those are all fine. > >> + unsafe fn raw_get_timer(this: *const Self) -> *const HrTimer; >> + >> + /// Return a pointer to the struct that is containing the [`HrTimer`] pointed >> + /// to by `ptr`. >> + /// >> + /// This function is useful to get access to the value without creating >> + /// intermediate references. >> + /// >> + /// # Safety >> + /// >> + /// `ptr` must point to a [`HrTimer`] field in a struct of type `Self`. >> + unsafe fn timer_container_of(ptr: *mut HrTimer) -> *mut Self >> + where >> + Self: Sized; >> + >> + /// Get pointer to the contained `bindings::hrtimer` struct. >> + /// >> + /// This function is useful to get access to the value without creating >> + /// intermediate references. >> + /// >> + /// # Safety >> + /// >> + /// `this` must point to a valid `Self`. 
>> + unsafe fn c_timer_ptr(this: *const Self) -> *const bindings::hrtimer { >> + // SAFETY: `this` is a valid pointer to a `Self`. >> + let timer_ptr = unsafe { Self::raw_get_timer(this) }; >> + >> + // SAFETY: timer_ptr points to an allocation of at least `HrTimer` size. >> + unsafe { HrTimer::raw_get(timer_ptr) } >> + } >> + >> + /// Start the timer contained in the `Self` pointed to by `self_ptr`. If >> + /// it is already running it is removed and inserted. >> + /// >> + /// # Safety >> + /// >> + /// - `this` must point to a valid `Self`. > > Here the requirement is correct, since you need that for > `hrtimer_start_range_ns`. Yes. > >> + /// - Caller must ensure that `self` lives until the timer fires or is > > There is no `self`, do you mean the value living behind `this`? Yes, will change: /// - Caller must ensure that the pointee of `this` lives until the timer /// fires or is canceled. > >> + /// canceled. >> + unsafe fn start(this: *const Self, expires: Ktime) { >> + // SAFETY: By function safety requirement, `this`is a valid `Self`. >> + unsafe { >> + bindings::hrtimer_start_range_ns( >> + Self::c_timer_ptr(this).cast_mut(), >> + expires.to_ns(), >> + 0, >> + bindings::hrtimer_mode_HRTIMER_MODE_REL, >> + ); >> + } >> + } >> +} >> + >> +/// Use to implement the [`HasHrTimer`] trait. >> +/// >> +/// See [`module`] documentation for an example. >> +/// >> +/// [`module`]: crate::time::hrtimer >> +#[macro_export] >> +macro_rules! impl_has_hr_timer { >> + ( >> + impl$({$($generics:tt)*})? >> + HasHrTimer<$timer_type:ty> >> + for $self:ty >> + { self.$field:ident } >> + $($rest:tt)* >> + ) => { >> + // SAFETY: This implementation of `raw_get_timer` only compiles if the >> + // field has the right type. >> + unsafe impl$(<$($generics)*>)? 
$crate::time::hrtimer::HasHrTimer<$timer_type> for $self { >> + >> + #[inline] >> + unsafe fn raw_get_timer(this: *const Self) -> >> + *const $crate::time::hrtimer::HrTimer<$timer_type> >> + { >> + // SAFETY: The caller promises that the pointer is not dangling. >> + unsafe { >> + ::core::ptr::addr_of!((*this).$field) >> + } >> + } >> + >> + #[inline] >> + unsafe fn timer_container_of(ptr: *mut $crate::time::hrtimer::HrTimer<$timer_type>) -> >> + *mut Self > > This formatting looks a bit weird, (macro formatting is annoying, I > know). How would you change it? Best regards, Andreas Hindborg
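
Review bot: In the module-level docs of rust/kernel/time/hrtimer.rs, the paragraph under the state diagram has unbalanced bold markup in "the timer may enter the **started* or **stopped** state" (one closing asterisk is missing), and the same paragraph spells the operation both "canceled" and "cancelled". Close the markup as `**started**` and pick one spelling for the whole file, since the trait docs further down use both as well.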
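
Review bot: The doc comment on `HrTimer::raw_cancel` carries the sentence "This function is useful to get access to the value without creating intermediate references", which describes `raw_get` directly above it and says nothing about cancelling; it looks copied and should be dropped. In the same function the `# Safety` section requires that `this` "must point to a valid `Self`", while the SAFETY comment at the `raw_get` call argues from "an allocation of at least `HrTimer` size"; phrase the comment in terms of the requirement the caller was actually given. The `#[allow(dead_code)]` would also be easier to review with a short comment naming what is expected to call this function.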
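
Review bot: The trait docs use "running" in a sense that conflicts with the `# Vocabulary` section, where Running means "executing the callback" and a timer that has been armed is Started. `HrTimerPointer::start` says "If the timer was already running, it is restarted with the new expiry time", the `TimerHandle` docs say "If the timer is running or if the timer callback is executing", and the `HrTimerHandle` safety section says the timer "must be cancelled, if it is running". Where the armed-but-not-yet-expired case is meant, say "started", so the drop and cancel requirements read unambiguously against the state diagram. Also in `HrTimerHandle`, the closing period in "the drop implementation for `Self.`" sits inside the backticks.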
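
Review bot: The `# Safety` section of `HasHrTimer` requires a field "at the offset specified by `OFFSET`", but the trait as posted has no `OFFSET` item; its members are `raw_get_timer`, `timer_container_of`, `c_timer_ptr` and `start`. State the requirement in terms of those methods, otherwise an implementer cannot tell what they are promising. In `HasHrTimer::start` the summary line refers to "the `Self` pointed to by `self_ptr`" while the parameter is named `this`, and the SAFETY comment in its body reads "`this`is a valid `Self`" with a missing space.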
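
Review bot: `HrTimer::new` passes `bindings::hrtimer_mode_HRTIMER_MODE_REL` to `hrtimer_setup` and `HasHrTimer::start` passes the same constant to `hrtimer_start_range_ns`, so the mode is hard-coded in two places that have to stay in agreement. Consider a single private constant used by both call sites, or a comment at each pointing at the other. Relatedly, `HrTimerPointer::start` documents `expires` as "expiry after `expires` time units"; since the value is a `Ktime` converted with `to_ns()` and the timer is set up as relative on `CLOCK_MONOTONIC`, the docs should say that `expires` is a relative duration in nanosecond resolution rather than leaving the unit open.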