CC: Gary On Mon, Feb 24, 2025 at 10:40:00AM +0900, Alexandre Courbot wrote: > This inability to sleep while we are accessing registers seems very > constraining to me, if not dangerous. It is pretty common to have > functions intermingle hardware accesses with other operations that might > sleep, and this constraint means that in such cases the caller would > need to perform guard lifetime management manually: > > let bar_guard = bar.try_access()?; > /* do something non-sleeping with bar_guard */ > drop(bar_guard); > > /* do something that might sleep */ > > let bar_guard = bar.try_access()?; > /* do something non-sleeping with bar_guard */ > drop(bar_guard); > > ... > > Failure to drop the guard potentially introduces a race condition, which > will receive no compile-time warning and potentialy not even a runtime > one unless lockdep is enabled. This problem does not exist with the > equivalent C code AFAICT, which makes the Rust version actually more > error-prone and dangerous, the opposite of what we are trying to achieve > with Rust. Or am I missing something? Generally you are right, but you have to see it from a different perspective. What you describe is not an issue that comes from the design of the API, but is a limitation of Rust in the kernel. People are aware of the issue and with klint [1] there are solutions for that in the pipeline, see also [2] and [3]. [1] https://rust-for-linux.com/klint [2] https://github.com/Rust-for-Linux/klint/blob/trunk/doc/atomic_context.md [3] https://www.memorysafety.org/blog/gary-guo-klint-rust-tools/
