[V7,03/16] rust: cpu: Add from_cpu()

Message ID	854f7b8c9cbcc7f38fe5ed548290f41224478b40.1736766672.git.viresh.kumar@linaro.org (mailing list archive)
State	New
Headers	show Received: from mail-pl1-f178.google.com (mail-pl1-f178.google.com [209.85.214.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id AF161239799 for <linux-pm@vger.kernel.org>; Mon, 13 Jan 2025 11:23:44 +0000 (UTC) From: Viresh Kumar <viresh.kumar@linaro.org> To: "Rafael J. Wysocki" <rafael@kernel.org>, Miguel Ojeda <ojeda@kernel.org>, Alex Gaynor <alex.gaynor@gmail.com>, Boqun Feng <boqun.feng@gmail.com>, Gary Guo <gary@garyguo.net>, =?utf-8?q?Bj=C3=B6rn_Roy_Baron?= <bjorn3_gh@protonmail.com>, Benno Lossin <benno.lossin@proton.me>, Andreas Hindborg <a.hindborg@kernel.org>, Alice Ryhl <aliceryhl@google.com>, Trevor Gross <tmgross@umich.edu> Cc: Viresh Kumar <viresh.kumar@linaro.org>, linux-pm@vger.kernel.org, Vincent Guittot <vincent.guittot@linaro.org>, linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org Subject: [PATCH V7 03/16] rust: cpu: Add from_cpu() Date: Mon, 13 Jan 2025 16:52:58 +0530 Message-Id: <854f7b8c9cbcc7f38fe5ed548290f41224478b40.1736766672.git.viresh.kumar@linaro.org> In-Reply-To: <cover.1736766672.git.viresh.kumar@linaro.org> References: <cover.1736766672.git.viresh.kumar@linaro.org> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	Rust bindings for cpufreq and OPP core + sample driver \| expand [V7,00/16] Rust bindings for cpufreq and OPP core + sample driver [V7,01/16] cpufreq: Use enum for cpufreq flags that use BIT() [V7,02/16] PM / OPP: Add reference counting helpers for Rust implementation [V7,03/16] rust: cpu: Add from_cpu() [V7,04/16] rust: device: Add property_present() [V7,05/16] rust: Add cpumask helpers [V7,06/16] rust: Add bindings for cpumask [V7,07/16] rust: Add bare minimal bindings for clk framework [V7,08/16] rust: Add initial bindings for OPP framework [V7,09/16] rust: Extend OPP bindings for the OPP table [V7,10/16] rust: Extend OPP bindings for the configuration options [V7,11/16] rust: Add initial bindings for cpufreq framework [V7,12/16] rust: Extend cpufreq bindings for policy and driver ops [V7,13/16] rust: Extend cpufreq bindings for driver registration [V7,14/16] rust: Extend OPP bindings with CPU frequency table [V7,15/16] cpufreq: Add Rust based cpufreq-dt driver [V7,16/16] DO-NOT_MERGE: cpufreq: Rename cpufreq-dt platdev

Viresh Kumar Jan. 13, 2025, 11:22 a.m. UTC

This implements cpu::from_cpu(), which returns a reference to
Device for a CPU. The C struct is created at initialization time for
CPUs and is never freed and so ARef isn't returned from this function.

The new helper will be used by Rust based cpufreq drivers.

Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
---
 rust/bindings/bindings_helper.h |  1 +
 rust/kernel/cpu.rs              | 26 ++++++++++++++++++++++++++
 rust/kernel/lib.rs              |  1 +
 3 files changed, 28 insertions(+)
 create mode 100644 rust/kernel/cpu.rs

Greg KH Jan. 14, 2025, 6:44 p.m. UTC | #1

On Mon, Jan 13, 2025 at 04:52:58PM +0530, Viresh Kumar wrote:
> This implements cpu::from_cpu(), which returns a reference to
> Device for a CPU. The C struct is created at initialization time for
> CPUs and is never freed and so ARef isn't returned from this function.
> 
> The new helper will be used by Rust based cpufreq drivers.
> 
> Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
> ---
>  rust/bindings/bindings_helper.h |  1 +
>  rust/kernel/cpu.rs              | 26 ++++++++++++++++++++++++++
>  rust/kernel/lib.rs              |  1 +
>  3 files changed, 28 insertions(+)
>  create mode 100644 rust/kernel/cpu.rs
> 
> diff --git a/rust/bindings/bindings_helper.h b/rust/bindings/bindings_helper.h
> index e9fdceb568b8..d63e7f6d10ea 100644
> --- a/rust/bindings/bindings_helper.h
> +++ b/rust/bindings/bindings_helper.h
> @@ -10,6 +10,7 @@
>  #include <linux/blk-mq.h>
>  #include <linux/blk_types.h>
>  #include <linux/blkdev.h>
> +#include <linux/cpu.h>
>  #include <linux/cred.h>
>  #include <linux/errname.h>
>  #include <linux/ethtool.h>
> diff --git a/rust/kernel/cpu.rs b/rust/kernel/cpu.rs
> new file mode 100644
> index 000000000000..422e874627d2
> --- /dev/null
> +++ b/rust/kernel/cpu.rs
> @@ -0,0 +1,26 @@
> +// SPDX-License-Identifier: GPL-2.0
> +
> +//! Generic CPU definitions.
> +//!
> +//! C header: [`include/linux/cpu.h`](srctree/include/linux/cpu.h)
> +
> +use crate::{
> +    bindings,
> +    device::Device,
> +    error::Result,
> +    prelude::ENODEV,
> +};
> +
> +/// Creates a new instance of CPU's device.
> +pub fn from_cpu(cpu: u32) -> Result<&'static Device> {
> +    // SAFETY: The pointer returned by `get_cpu_device()`, if not `NULL`, is a valid pointer to
> +    // a `struct device` and is never freed by the C code.

I thought it was pointed out that it could be freed when a cpu was
hot-unplugged?  Or is that a different device in the cpu code?  We seem
to have 2 of them and it's not obvious which is which :(

thanks,

greg k-h

Viresh Kumar Jan. 15, 2025, 7:20 a.m. UTC | #2

On 14-01-25, 19:44, Greg KH wrote:
> > +pub fn from_cpu(cpu: u32) -> Result<&'static Device> {
> > +    // SAFETY: The pointer returned by `get_cpu_device()`, if not `NULL`, is a valid pointer to
> > +    // a `struct device` and is never freed by the C code.
> 
> I thought it was pointed out that it could be freed when a cpu was
> hot-unplugged?  Or is that a different device in the cpu code?  We seem
> to have 2 of them and it's not obvious which is which :(

I did reply [1] to that earlier. The CPU can get unregistered but the
memory for the device is never freed (it is part of struct cpu). Some
calls on the CPU device may fail later on (if called for an unregisted
dev), but should never crash the kernel.

Greg KH Jan. 15, 2025, 7:54 a.m. UTC | #3

On Wed, Jan 15, 2025 at 12:50:50PM +0530, Viresh Kumar wrote:
> On 14-01-25, 19:44, Greg KH wrote:
> > > +pub fn from_cpu(cpu: u32) -> Result<&'static Device> {
> > > +    // SAFETY: The pointer returned by `get_cpu_device()`, if not `NULL`, is a valid pointer to
> > > +    // a `struct device` and is never freed by the C code.
> > 
> > I thought it was pointed out that it could be freed when a cpu was
> > hot-unplugged?  Or is that a different device in the cpu code?  We seem
> > to have 2 of them and it's not obvious which is which :(
> 
> I did reply [1] to that earlier. The CPU can get unregistered but the
> memory for the device is never freed (it is part of struct cpu). Some
> calls on the CPU device may fail later on (if called for an unregisted
> dev), but should never crash the kernel.

Ah, but that's not really something that SAFETY should override, right?

Yes, you know your implementation of this will stop using the pointer in
the hotplug callback before it goes away but that's not documented here.
And having the device "fail" afterward isn't really ok either as you are
relying on the driver core to always check for this and I'm not so sure
that it always does on all codepaths.

But, I'm ok with this for now, as you are just copying the bad C model
at the moment, but it really feels like a huge foot-gun waiting to go
off.  Any way to put some more documentation here as in "use this at
your own risk!"?

thanks,

greg k-h

Viresh Kumar Jan. 15, 2025, 7:58 a.m. UTC | #4

On 15-01-25, 08:54, Greg KH wrote:
> Ah, but that's not really something that SAFETY should override, right?
> 
> Yes, you know your implementation of this will stop using the pointer in
> the hotplug callback before it goes away but that's not documented here.
> And having the device "fail" afterward isn't really ok either as you are
> relying on the driver core to always check for this and I'm not so sure
> that it always does on all codepaths.
> 
> But, I'm ok with this for now, as you are just copying the bad C model
> at the moment, but it really feels like a huge foot-gun waiting to go
> off.  Any way to put some more documentation here as in "use this at
> your own risk!"?

What about marking it unsafe ? That would require callers to document
why it is safe to call this. And yes add more documentation here too.

Greg KH Jan. 15, 2025, 8:09 a.m. UTC | #5

On Wed, Jan 15, 2025 at 01:28:59PM +0530, Viresh Kumar wrote:
> On 15-01-25, 08:54, Greg KH wrote:
> > Ah, but that's not really something that SAFETY should override, right?
> > 
> > Yes, you know your implementation of this will stop using the pointer in
> > the hotplug callback before it goes away but that's not documented here.
> > And having the device "fail" afterward isn't really ok either as you are
> > relying on the driver core to always check for this and I'm not so sure
> > that it always does on all codepaths.
> > 
> > But, I'm ok with this for now, as you are just copying the bad C model
> > at the moment, but it really feels like a huge foot-gun waiting to go
> > off.  Any way to put some more documentation here as in "use this at
> > your own risk!"?
> 
> What about marking it unsafe ? That would require callers to document
> why it is safe to call this. And yes add more documentation here too.

Sure, that's fine with me.

Alice Ryhl Jan. 15, 2025, 8:10 a.m. UTC | #6

On Wed, Jan 15, 2025 at 8:54 AM Greg KH <gregkh@linuxfoundation.org> wrote:
>
> On Wed, Jan 15, 2025 at 12:50:50PM +0530, Viresh Kumar wrote:
> > On 14-01-25, 19:44, Greg KH wrote:
> > > > +pub fn from_cpu(cpu: u32) -> Result<&'static Device> {
> > > > +    // SAFETY: The pointer returned by `get_cpu_device()`, if not `NULL`, is a valid pointer to
> > > > +    // a `struct device` and is never freed by the C code.
> > >
> > > I thought it was pointed out that it could be freed when a cpu was
> > > hot-unplugged?  Or is that a different device in the cpu code?  We seem
> > > to have 2 of them and it's not obvious which is which :(
> >
> > I did reply [1] to that earlier. The CPU can get unregistered but the
> > memory for the device is never freed (it is part of struct cpu). Some
> > calls on the CPU device may fail later on (if called for an unregisted
> > dev), but should never crash the kernel.
>
> Ah, but that's not really something that SAFETY should override, right?
>
> Yes, you know your implementation of this will stop using the pointer in
> the hotplug callback before it goes away but that's not documented here.
> And having the device "fail" afterward isn't really ok either as you are
> relying on the driver core to always check for this and I'm not so sure
> that it always does on all codepaths.
>
> But, I'm ok with this for now, as you are just copying the bad C model
> at the moment, but it really feels like a huge foot-gun waiting to go
> off.  Any way to put some more documentation here as in "use this at
> your own risk!"?

On the C side, how do you normally prevent uses of the device after it
became invalid?

Alice

Viresh Kumar Jan. 15, 2025, 8:33 a.m. UTC | #7

On 15-01-25, 09:10, Alice Ryhl wrote:
> On the C side, how do you normally prevent uses of the device after it
> became invalid?

IIUC, the per-cpu variable (cpu_sys_devices) that stores the pointers
to CPU devices is cleared and later calls to get_cpu_device() returns
NULL.

The hot-unplug notifiers are fired for existing users (which have
registered for the notifier, like cpufreq), wherein they can remove
per-cpu sysfs files for example.

But otherwise there is no way in the C code to disallow users of the
CPU device pointer, if it is already fetched before the CPU is
removed. The device pointer's memory doesn't get free here though and
it works.

[V7,03/16] rust: cpu: Add from_cpu()

Commit Message

Comments

Patch