From: Alice Ryhl <aliceryhl@google.com>
To: Boqun Feng <boqun.feng@gmail.com>
Cc: "Daniel Almeida" <daniel.almeida@collabora.com>,
"Miguel Ojeda" <ojeda@kernel.org>, "Gary Guo" <gary@garyguo.net>,
"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
"Andreas Hindborg" <a.hindborg@kernel.org>,
"Trevor Gross" <tmgross@umich.edu>,
"Danilo Krummrich" <dakr@kernel.org>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Rafael J. Wysocki" <rafael@kernel.org>,
"Thomas Gleixner" <tglx@linutronix.de>,
"Bjorn Helgaas" <bhelgaas@google.com>,
"Krzysztof Wilczy´nski" <kwilczynski@kernel.org>,
"Benno Lossin" <lossin@kernel.org>,
"Dirk Behme" <dirk.behme@gmail.com>,
linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org,
linux-pci@vger.kernel.org
Subject: Re: [PATCH v2] rust: irq: add &Device<Bound> argument to irq callbacks
Date: Mon, 11 Aug 2025 16:37:44 +0200 [thread overview]
Message-ID: <CAH5fLgicWki8Z+ne9fMn4KbQYYz340FhpOONU5dCCMwfo0wnhg@mail.gmail.com> (raw)
In-Reply-To: <aJn-q-SebbQoyiyy@Mac.home>
On Mon, Aug 11, 2025 at 4:31 PM Boqun Feng <boqun.feng@gmail.com> wrote:
>
> On Mon, Aug 11, 2025 at 04:25:50PM +0200, Alice Ryhl wrote:
> > On Mon, Aug 11, 2025 at 4:24 PM Boqun Feng <boqun.feng@gmail.com> wrote:
> > >
> > > On Mon, Aug 11, 2025 at 04:05:31PM +0200, Alice Ryhl wrote:
> > > > On Mon, Aug 11, 2025 at 3:56 PM Boqun Feng <boqun.feng@gmail.com> wrote:
> > > > >
> > > > > On Mon, Aug 11, 2025 at 12:33:51PM +0000, Alice Ryhl wrote:
> > > > > [...]
> > > > > > @@ -207,8 +207,8 @@ pub fn new<'a>(
> > > > > > inner <- Devres::new(
> > > > > > request.dev,
> > > > > > try_pin_init!(RegistrationInner {
> > > > > > - // SAFETY: `this` is a valid pointer to the `Registration` instance
> > > > > > - cookie: unsafe { &raw mut (*this.as_ptr()).handler }.cast(),
> > > > > > + // INVARIANT: `this` is a valid pointer to the `Registration` instance
> > > > > > + cookie: this.as_ptr().cast::<c_void>(),
> > > > >
> > > > > At this moment the `Regstration` is not fully initialized...
> > > > >
> > > > > > irq: {
> > > > > > // SAFETY:
> > > > > > // - The callbacks are valid for use with request_irq.
> > > > > > @@ -221,7 +221,7 @@ pub fn new<'a>(
> > > > > > Some(handle_irq_callback::<T>),
> > > > > > flags.into_inner(),
> > > > > > name.as_char_ptr(),
> > > > > > - (&raw mut (*this.as_ptr()).handler).cast(),
> > > > > > + this.as_ptr().cast::<c_void>(),
> > > > > > )
> > > > >
> > > > > ... and interrupt can happen right after request_irq() ...
> > > > >
> > > > > > })?;
> > > > > > request.irq
> > > > > > @@ -258,9 +258,13 @@ pub fn synchronize(&self, dev: &Device<Bound>) -> Result {
> > > > > > ///
> > > > > > /// This function should be only used as the callback in `request_irq`.
> > > > > > unsafe extern "C" fn handle_irq_callback<T: Handler>(_irq: i32, ptr: *mut c_void) -> c_uint {
> > > > > > - // SAFETY: `ptr` is a pointer to T set in `Registration::new`
> > > > > > - let handler = unsafe { &*(ptr as *const T) };
> > > > > > - T::handle(handler) as c_uint
> > > > > > + // SAFETY: `ptr` is a pointer to `Registration<T>` set in `Registration::new`
> > > > > > + let registration = unsafe { &*(ptr as *const Registration<T>) };
> > > > >
> > > > > ... hence it's not correct to construct a reference to `Registration`
> > > > > here, but yes, both `handler` and the `device` part of `inner` has been
> > > > > properly initialized. So
> > > > >
> > > > > let registration = ptr.cast::<Registration<T>>();
> > > > >
> > > > > // SAFETY: The `data` part of `Devres` is `Opaque` and here we
> > > > > // only access `.device()`, which has been properly initialized
> > > > > // before `request_irq()`.
> > > > > let device = unsafe { (*registration).inner.device() };
> > > > >
> > > > > // SAFETY: The irq callback is removed before the device is
> > > > > // unbound, so the fact that the irq callback is running implies
> > > > > // that the device has not yet been unbound.
> > > > > let device = unsafe { device.as_bound() };
> > > > >
> > > > > // SAFETY: `.handler` has been properly initialized before
> > > > > // `request_irq()`.
> > > > > T::handle(unsafe { &(*registration).handler }, device) as c_uint
> > > > >
> > > > > Thoughts? Similar for the threaded one.
> > > >
> > > > This code is no different. It creates a reference to `inner` before
> > > > the `irq` field is written. Of course, it's also no different in that
> > > > since data of a `Devres` is in `Opaque`, this is not actually UB.
> > > >
> > >
> > > Well, I think we need at least mentioning that it's safe because we
> > > don't access .inner.inner here, but..
> > >
> > > > What I can offer you is to use the closure form of pin-init to call
> > > > request_irq after initialization has fully completed.
> > > >
> > >
> > > .. now you mention this, I think we can just move the `request_irq()`
> > > to the initializer of `_pin`:
> > >
> > > ------>8
> > > diff --git a/rust/kernel/irq/request.rs b/rust/kernel/irq/request.rs
> > > index ae5d967fb9d6..3343964fc1ab 100644
> > > --- a/rust/kernel/irq/request.rs
> > > +++ b/rust/kernel/irq/request.rs
> > > @@ -209,26 +209,26 @@ pub fn new<'a>(
> > > try_pin_init!(RegistrationInner {
> > > // INVARIANT: `this` is a valid pointer to the `Registration` instance
> > > cookie: this.as_ptr().cast::<c_void>(),
> > > - irq: {
> > > - // SAFETY:
> > > - // - The callbacks are valid for use with request_irq.
> > > - // - If this succeeds, the slot is guaranteed to be valid until the
> > > - // destructor of Self runs, which will deregister the callbacks
> > > - // before the memory location becomes invalid.
> > > - to_result(unsafe {
> > > - bindings::request_irq(
> > > - request.irq,
> > > - Some(handle_irq_callback::<T>),
> > > - flags.into_inner(),
> > > - name.as_char_ptr(),
> > > - this.as_ptr().cast::<c_void>(),
> > > - )
> > > - })?;
> > > - request.irq
> > > - }
> > > + irq: request.irq
> > > })
> > > ),
> > > - _pin: PhantomPinned,
> > > + _pin: {
> > > + // SAFETY:
> > > + // - The callbacks are valid for use with request_irq.
> > > + // - If this succeeds, the slot is guaranteed to be valid until the
> > > + // destructor of Self runs, which will deregister the callbacks
> > > + // before the memory location becomes invalid.
> > > + to_result(unsafe {
> > > + bindings::request_irq(
> > > + request.irq,
> > > + Some(handle_irq_callback::<T>),
> > > + flags.into_inner(),
> > > + name.as_char_ptr(),
> > > + this.as_ptr().cast::<c_void>(),
> > > + )
> > > + })?;
> > > + PhantomPinned
> > > + },
> > > })
> > > }
> > >
> > >
> > > Thoughts?
> >
> > That calls free_irq if request_irq fails, which is illegal.
> >
>
> Ah, right. I was missing that. Then back to the "we have to mention that
> we are not accessing the data of Devres" suggestion, which I think is
> more appropriate for this case.
I will add:
// - When `request_irq` is called, everything that `handle_irq_callback`
// will touch has already been initialized, so it's safe for the callback
// to be called immediately.
Will you offer your Reviewed-by ?
Alice
next prev parent reply other threads:[~2025-08-11 14:37 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-11 12:33 [PATCH v2] rust: irq: add &Device<Bound> argument to irq callbacks Alice Ryhl
2025-08-11 12:38 ` Daniel Almeida
2025-08-11 13:56 ` Boqun Feng
2025-08-11 14:05 ` Alice Ryhl
2025-08-11 14:24 ` Boqun Feng
2025-08-11 14:25 ` Alice Ryhl
2025-08-11 14:31 ` Boqun Feng
2025-08-11 14:37 ` Alice Ryhl [this message]
2025-08-11 14:57 ` Boqun Feng
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAH5fLgicWki8Z+ne9fMn4KbQYYz340FhpOONU5dCCMwfo0wnhg@mail.gmail.com \
--to=aliceryhl@google.com \
--cc=a.hindborg@kernel.org \
--cc=bhelgaas@google.com \
--cc=bjorn3_gh@protonmail.com \
--cc=boqun.feng@gmail.com \
--cc=dakr@kernel.org \
--cc=daniel.almeida@collabora.com \
--cc=dirk.behme@gmail.com \
--cc=gary@garyguo.net \
--cc=gregkh@linuxfoundation.org \
--cc=kwilczynski@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=lossin@kernel.org \
--cc=ojeda@kernel.org \
--cc=rafael@kernel.org \
--cc=rust-for-linux@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=tmgross@umich.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).