On Mon, Feb 24, 2025 at 01:07:19PM +0100, Danilo Krummrich wrote: > CC: Gary > > On Mon, Feb 24, 2025 at 10:40:00AM +0900, Alexandre Courbot wrote: > > This inability to sleep while we are accessing registers seems very > > constraining to me, if not dangerous. It is pretty common to have > > functions intermingle hardware accesses with other operations that might > > sleep, and this constraint means that in such cases the caller would > > need to perform guard lifetime management manually: > > > > let bar_guard = bar.try_access()?; > > /* do something non-sleeping with bar_guard */ > > drop(bar_guard); > > > > /* do something that might sleep */ > > > > let bar_guard = bar.try_access()?; > > /* do something non-sleeping with bar_guard */ > > drop(bar_guard); > > > > ... > > > > Failure to drop the guard potentially introduces a race condition, which > > will receive no compile-time warning and potentialy not even a runtime > > one unless lockdep is enabled. This problem does not exist with the > > equivalent C code AFAICT Without klint [1] it is exactly the same as in C, where I have to remember to not call into something that might sleep from atomic context. > > which makes the Rust version actually more > > error-prone and dangerous, the opposite of what we are trying to achieve > > with Rust. Or am I missing something? > > Generally you are right, but you have to see it from a different perspective. > > What you describe is not an issue that comes from the design of the API, but is > a limitation of Rust in the kernel. People are aware of the issue and with klint > [1] there are solutions for that in the pipeline, see also [2] and [3]. > > [1] https://rust-for-linux.com/klint > [2] https://github.com/Rust-for-Linux/klint/blob/trunk/doc/atomic_context.md > [3] https://www.memorysafety.org/blog/gary-guo-klint-rust-tools/
