Skip to content

Commit b03917e

Browse files
Konstantin Andrikopouloshtejun
Konstantin Andrikopoulos
authored and
htejun
committed
rust: add safety comment in workqueue traits
Add missing safety comments for the implementation of the unsafe traits WorkItemPointer and RawWorkItem for Arc<T> in workqueue.rs Link: #351. Co-developed-by: Vangelis Mamalakis <mamalakis@google.com> Signed-off-by: Vangelis Mamalakis <mamalakis@google.com> Suggested-by: Miguel Ojeda <ojeda@kernel.org> Reviewed-by: Alice Ryhl <aliceryhl@google.com> Signed-off-by: Konstantin Andrikopoulos <kernel@mandragore.io> Signed-off-by: Tejun Heo <tj@kernel.org>
1 parent 40384c8 commit b03917e

File tree

1 file changed

+16
-2
lines changed

1 file changed

+16
-2
lines changed

rust/kernel/workqueue.rs

Lines changed: 16 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -519,7 +519,15 @@ impl_has_work! {
519519
impl{T} HasWork<Self> for ClosureWork<T> { self.work }
520520
}
521521

522-
// SAFETY: TODO.
522+
// SAFETY: The `__enqueue` implementation in RawWorkItem uses a `work_struct` initialized with the
523+
// `run` method of this trait as the function pointer because:
524+
// - `__enqueue` gets the `work_struct` from the `Work` field, using `T::raw_get_work`.
525+
// - The only safe way to create a `Work` object is through `Work::new`.
526+
// - `Work::new` makes sure that `T::Pointer::run` is passed to `init_work_with_key`.
527+
// - Finally `Work` and `RawWorkItem` guarantee that the correct `Work` field
528+
// will be used because of the ID const generic bound. This makes sure that `T::raw_get_work`
529+
// uses the correct offset for the `Work` field, and `Work::new` picks the correct
530+
// implementation of `WorkItemPointer` for `Arc<T>`.
523531
unsafe impl<T, const ID: u64> WorkItemPointer<ID> for Arc<T>
524532
where
525533
T: WorkItem<ID, Pointer = Self>,
@@ -537,7 +545,13 @@ where
537545
}
538546
}
539547

540-
// SAFETY: TODO.
548+
// SAFETY: The `work_struct` raw pointer is guaranteed to be valid for the duration of the call to
549+
// the closure because we get it from an `Arc`, which means that the ref count will be at least 1,
550+
// and we don't drop the `Arc` ourselves. If `queue_work_on` returns true, it is further guaranteed
551+
// to be valid until a call to the function pointer in `work_struct` because we leak the memory it
552+
// points to, and only reclaim it if the closure returns false, or in `WorkItemPointer::run`, which
553+
// is what the function pointer in the `work_struct` must be pointing to, according to the safety
554+
// requirements of `WorkItemPointer`.
541555
unsafe impl<T, const ID: u64> RawWorkItem<ID> for Arc<T>
542556
where
543557
T: WorkItem<ID, Pointer = Self>,

0 commit comments

Comments
 (0)