On Mon Jun 23, 2025 at 7:31 PM CEST, Boqun Feng wrote: > On Mon, Jun 23, 2025 at 05:26:14PM +0200, Benno Lossin wrote: >> On Mon Jun 23, 2025 at 5:10 PM CEST, Alice Ryhl wrote: >> > On Mon, Jun 9, 2025 at 12:47 PM Danilo Krummrich <dakr@xxxxxxxxxx> wrote: >> >> On Sun, Jun 08, 2025 at 07:51:08PM -0300, Daniel Almeida wrote: >> >> > + dev: &'a Device<Bound>, >> >> > + irq: u32, >> >> > + flags: Flags, >> >> > + name: &'static CStr, >> >> > + handler: T, >> >> > + ) -> impl PinInit<Self, Error> + 'a { >> >> > + let closure = move |slot: *mut Self| { >> >> > + // SAFETY: The slot passed to pin initializer is valid for writing. >> >> > + unsafe { >> >> > + slot.write(Self { >> >> > + inner: Devres::new( >> >> > + dev, >> >> > + RegistrationInner { >> >> > + irq, >> >> > + cookie: slot.cast(), >> >> > + }, >> >> > + GFP_KERNEL, >> >> > + )?, >> >> > + handler, >> >> > + _pin: PhantomPinned, >> >> > + }) >> >> > + }; >> >> > + >> >> > + // SAFETY: >> >> > + // - The callbacks are valid for use with request_irq. >> >> > + // - If this succeeds, the slot is guaranteed to be valid until the >> >> > + // destructor of Self runs, which will deregister the callbacks >> >> > + // before the memory location becomes invalid. >> >> > + let res = to_result(unsafe { >> >> > + bindings::request_irq( >> >> > + irq, >> >> > + Some(handle_irq_callback::<T>), >> >> > + flags.into_inner() as usize, >> >> > + name.as_char_ptr(), >> >> > + slot.cast(), >> >> > + ) >> >> > + }); >> >> > + >> >> > + if res.is_err() { >> >> > + // SAFETY: We are returning an error, so we can destroy the slot. >> >> > + unsafe { core::ptr::drop_in_place(&raw mut (*slot).handler) }; >> >> > + } >> >> > + >> >> > + res >> >> > + }; >> >> > + >> >> > + // SAFETY: >> >> > + // - if this returns Ok, then every field of `slot` is fully >> >> > + // initialized. >> >> > + // - if this returns an error, then the slot does not need to remain >> >> > + // valid. 
>> >> > + unsafe { pin_init_from_closure(closure) }
>> >>
>> >> Can't we use try_pin_init!() instead, move request_irq() into the initializer of
>> >> RegistrationInner and initialize inner last?
>> >
>> > We need a pointer to the entire struct when calling
>> > bindings::request_irq. I'm not sure this allows you to easily get one?
>> > I don't think using container_of! here is worth it.
>>
>> There is the `&this in` syntax (`this` is of type `NonNull<Self>`):
>>
>>     try_pin_init!(&this in Self {
>>         inner: Devres::new(
>>             dev,
>>             RegistrationInner {
>>                 irq,
>>                 cookie: this.as_ptr().cast(),
>>             },
>>             GFP_KERNEL,
>>         )?,
>>         handler,
>>         _pin: {
>>             to_result(unsafe {
>>                 bindings::request_irq(
>>                     irq,
>>                     Some(handle_irq_callback::<T>),
>>                     flags.into_inner() as usize,
>>                     name.as_char_ptr(),
>>                     slot.as_ptr().cast(),
>
> this is "this" instead of "slot", right?
>
>>                 )
>>             })?;
>>             PhantomPinned
>>         },
>>     })
>>
>> Last time around, I also asked this question and you replied with that
>> we need to abort the initializer when `request_irq` returns false and
>> avoid running `Self::drop` (thus we can't do it using `pin_chain`).
>>
>> I asked what we could do instead and you mentioned the `_: {}`
>> initializers and those would indeed solve it, but we can abuse the
>> `_pin` field for that :)
>>
>
> Hmm.. but if request_irq() fails, aren't we going to call `drop` on
> `inner`, which drops the `Devres` which will eventually call
> `RegistrationInner::drop()`? And that's a `free_irq()` without
> `request_irq()` succeeded.

That is indeed correct :(

But hold on, we aren't allowed to forget the `Devres`, it's a pinned
type and thus the pin guarantee is that it must be dropped before the
underlying memory is freed. So the current version is unsound.

---
Cheers,
Benno
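
Review bot: In the `if res.is_err()` branch of the closure, only `(*slot).handler` is dropped, so the `Devres` already written into `inner` is left behind without its destructor running, and the SAFETY comment there ("we can destroy the slot") does not account for it. Dropping `inner` at that point would instead run the `RegistrationInner` cleanup for an IRQ that was never successfully requested, so neither choice is right with this ordering. Consider calling `request_irq()` before the `Devres`/`RegistrationInner` exists (for example inside the initializer of `RegistrationInner`, with `inner` initialized last), so that the error path has nothing registered to undo and nothing pinned to forget.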
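
The ordering problem discussed in this thread, as an added userspace example (not code from the patch or from the kernel). `MockIrq`, `Guard`, `guard_then_request`, `request_then_guard` and `trace` are hypothetical names; `Guard` stands in for `RegistrationInner`, and the mock only records calls.

```rust
use std::cell::RefCell;

// Constructed model: logs calls instead of touching real interrupts.
#[derive(Default)]
struct MockIrq { log: RefCell<Vec<&'static str>> }

impl MockIrq {
    fn request(&self, fail: bool) -> Result<(), ()> {
        self.log.borrow_mut().push(if fail { "request_irq:err" } else { "request_irq:ok" });
        if fail { Err(()) } else { Ok(()) }
    }
    fn free(&self) { self.log.borrow_mut().push("free_irq"); }
}

// Stand-in for RegistrationInner: its destructor always frees the IRQ.
struct Guard<'a>(&'a MockIrq);
impl Drop for Guard<'_> {
    fn drop(&mut self) { self.0.free(); }
}

// Guard constructed first, request issued afterwards (the field order in
// the quoted try_pin_init! sketch).
fn guard_then_request(irq: &MockIrq, fail: bool) -> Result<Guard<'_>, ()> {
    let guard = Guard(irq);
    irq.request(fail)?; // on Err the guard drops here: free without a registration
    Ok(guard)
}

// Request first; the guard only exists once the request has succeeded.
fn request_then_guard(irq: &MockIrq, fail: bool) -> Result<Guard<'_>, ()> {
    irq.request(fail)?;
    Ok(Guard(irq))
}

// Runs one constructor, drops its result, and returns the recorded calls.
fn trace(f: for<'a> fn(&'a MockIrq, bool) -> Result<Guard<'a>, ()>, fail: bool) -> Vec<&'static str> {
    let irq = MockIrq::default();
    drop(f(&irq, fail));
    let calls = irq.log.borrow().clone();
    calls
}

fn main() {
    println!("guard first, request fails: {:?}", trace(guard_then_request, true));
    println!("request first, request fails: {:?}", trace(request_then_guard, true));
}
```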