WIP: guard type split

Author: nbdd0121

rust/kernel/sync/lock.rs

@@ -13,37 +13,13 @@ use macros::pin_data;
 pub mod mutex;
 pub mod spinlock;
 
-/// The "backend" of a lock.
-///
-/// It is the actual implementation of the lock, without the need to repeat patterns used in all
-/// locks.
-///
-/// # Safety
-///
-/// - Implementers must ensure that only one thread/CPU may access the protected data once the lock
-/// is owned, that is, between calls to `lock` and `unlock`.
-/// - Implementers must also ensure that `relock` uses the same locking method as the original
-/// lock operation. For example, it should disable interrupts if [`IrqSaveBackend::lock_irqsave`]
-/// is used.
-pub unsafe trait Backend {
+pub unsafe trait EffectiveBackend {
     /// The state required by the lock.
     type State;
 
     /// The state required to be kept between lock and unlock.
     type GuardState;
 
-    /// Initialises the lock.
-    ///
-    /// # Safety
-    ///
-    /// `ptr` must be valid for write for the duration of the call, while `name` and `key` must
-    /// remain valid for read indefinitely.
-    unsafe fn init(
-        ptr: *mut Self::State,
-        name: *const core::ffi::c_char,
-        key: *mut bindings::lock_class_key,
-    );
-
     /// Acquires the lock, making the caller its owner.
     ///
     /// # Safety
@@ -71,6 +47,32 @@ pub unsafe trait Backend {
     }
 }
 
+/// The "backend" of a lock.
+///
+/// It is the actual implementation of the lock, without the need to repeat patterns used in all
+/// locks.
+///
+/// # Safety
+///
+/// - Implementers must ensure that only one thread/CPU may access the protected data once the lock
+/// is owned, that is, between calls to `lock` and `unlock`.
+/// - Implementers must also ensure that `relock` uses the same locking method as the original
+/// lock operation. For example, it should disable interrupts if [`IrqSaveBackend::lock_irqsave`]
+/// is used.
+pub unsafe trait Backend: EffectiveBackend {
+    /// Initialises the lock.
+    ///
+    /// # Safety
+    ///
+    /// `ptr` must be valid for write for the duration of the call, while `name` and `key` must
+    /// remain valid for read indefinitely.
+    unsafe fn init(
+        ptr: *mut Self::State,
+        name: *const core::ffi::c_char,
+        key: *mut bindings::lock_class_key,
+    );
+}
+
 /// The "backend" of a lock that supports the irq-save variant.
 ///
 /// # Safety
@@ -82,16 +84,7 @@ pub unsafe trait Backend {
 /// must disable interrupts on lock, and restore interrupt state on unlock. Implementers may use
 /// [`Backend::GuardState`] to store state needed to keep track of the interrupt state.
 pub unsafe trait IrqSaveBackend: Backend {
-    /// Acquires the lock, making the caller its owner.
-    ///
-    /// Before acquiring the lock, it disables interrupts, and returns the previous interrupt state
-    /// as its guard state so that the guard can restore it when it is dropped.
-    ///
-    /// # Safety
-    ///
-    /// Callers must ensure that [`Backend::init`] has been previously called.
-    #[must_use]
-    unsafe fn lock_irqsave(ptr: *mut Self::State) -> Self::GuardState;
+    type IrqSaveBackend: EffectiveBackend<State = Self::State>;
 }
 
 /// A mutual exclusion primitive.
@@ -154,10 +147,10 @@ impl<T: ?Sized, B: IrqSaveBackend> Lock<T, B> {
     /// Before acquiring the lock, it disables interrupts. When the guard is dropped, the interrupt
     /// state (either enabled or disabled) is restored to its state before
     /// [`lock_irqsave`](Self::lock_irqsave) was called.
-    pub fn lock_irqsave(&self) -> Guard<'_, T, B> {
+    pub fn lock_irqsave(&self) -> Guard<'_, T, B, B::IrqSaveBackend> {
         // SAFETY: The constructor of the type calls `init`, so the existence of the object proves
         // that `init` was called.
-        let state = unsafe { B::lock_irqsave(self.state.get()) };
+        let state = unsafe { B::IrqSaveBackend::lock(self.state.get()) };
         // SAFETY: The lock was just acquired.
         unsafe { Guard::new(self, state) }
     }
@@ -169,29 +162,29 @@ impl<T: ?Sized, B: IrqSaveBackend> Lock<T, B> {
 /// when a guard goes out of scope. It also provides a safe and convenient way to access the data
 /// protected by the lock.
 #[must_use = "the lock unlocks immediately when the guard is unused"]
-pub struct Guard<'a, T: ?Sized, B: Backend> {
+pub struct Guard<'a, T: ?Sized, B: Backend, E: EffectiveBackend<State = B::State> = B> {
     pub(crate) lock: &'a Lock<T, B>,
-    pub(crate) state: B::GuardState,
+    pub(crate) state: E::GuardState,
     _not_send: PhantomData<*mut ()>,
 }
 
 // SAFETY: `Guard` is sync when the data protected by the lock is also sync.
-unsafe impl<T: Sync + ?Sized, B: Backend> Sync for Guard<'_, T, B> {}
+unsafe impl<T: Sync + ?Sized, B: Backend, E: EffectiveBackend<State = B::State>> Sync for Guard<'_, T, B, E> {}
 
-impl<T: ?Sized, B: Backend> Guard<'_, T, B> {
+impl<T: ?Sized, B: Backend, E: EffectiveBackend<State = B::State>> Guard<'_, T, B, E> {
     pub(crate) fn do_unlocked(&mut self, cb: impl FnOnce()) {
         // SAFETY: The caller owns the lock, so it is safe to unlock it.
-        unsafe { B::unlock(self.lock.state.get(), &self.state) };
+        unsafe { E::unlock(self.lock.state.get(), &self.state) };
 
         // SAFETY: The lock was just unlocked above and is being relocked now.
         let _relock =
-            ScopeGuard::new(|| unsafe { B::relock(self.lock.state.get(), &mut self.state) });
+            ScopeGuard::new(|| unsafe { E::relock(self.lock.state.get(), &mut self.state) });
 
         cb();
     }
 }
 
-impl<T: ?Sized, B: Backend> core::ops::Deref for Guard<'_, T, B> {
+impl<T: ?Sized, B: Backend, E: EffectiveBackend<State = B::State>> core::ops::Deref for Guard<'_, T, B, E> {
     type Target = T;
 
     fn deref(&self) -> &Self::Target {
@@ -200,27 +193,27 @@ impl<T: ?Sized, B: Backend> core::ops::Deref for Guard<'_, T, B> {
     }
 }
 
-impl<T: ?Sized, B: Backend> core::ops::DerefMut for Guard<'_, T, B> {
+impl<T: ?Sized, B: Backend, E: EffectiveBackend<State = B::State>> core::ops::DerefMut for Guard<'_, T, B, E> {
     fn deref_mut(&mut self) -> &mut Self::Target {
         // SAFETY: The caller owns the lock, so it is safe to deref the protected data.
         unsafe { &mut *self.lock.data.get() }
     }
 }
 
-impl<T: ?Sized, B: Backend> Drop for Guard<'_, T, B> {
+impl<T: ?Sized, B: Backend, E: EffectiveBackend<State = B::State>> Drop for Guard<'_, T, B, E> {
     fn drop(&mut self) {
         // SAFETY: The caller owns the lock, so it is safe to unlock it.
-        unsafe { B::unlock(self.lock.state.get(), &self.state) };
+        unsafe { E::unlock(self.lock.state.get(), &self.state) };
     }
 }
 
-impl<'a, T: ?Sized, B: Backend> Guard<'a, T, B> {
+impl<'a, T: ?Sized, B: Backend, E: EffectiveBackend<State = B::State>> Guard<'a, T, B, E> {
     /// Constructs a new immutable lock guard.
     ///
     /// # Safety
     ///
     /// The caller must ensure that it owns the lock.
-    pub(crate) unsafe fn new(lock: &'a Lock<T, B>, state: B::GuardState) -> Self {
+    pub(crate) unsafe fn new(lock: &'a Lock<T, B>, state: E::GuardState) -> Self {
         Self {
             lock,
             state,

rust/kernel/sync/lock/mutex.rs

@@ -90,20 +90,10 @@ pub type Mutex<T> = super::Lock<T, MutexBackend>;
 pub struct MutexBackend;
 
 // SAFETY: The underlying kernel `struct mutex` object ensures mutual exclusion.
-unsafe impl super::Backend for MutexBackend {
+unsafe impl super::EffectiveBackend for MutexBackend {
     type State = bindings::mutex;
     type GuardState = ();
 
-    unsafe fn init(
-        ptr: *mut Self::State,
-        name: *const core::ffi::c_char,
-        key: *mut bindings::lock_class_key,
-    ) {
-        // SAFETY: The safety requirements ensure that `ptr` is valid for writes, and `name` and
-        // `key` are valid for read indefinitely.
-        unsafe { bindings::__mutex_init(ptr, name, key) }
-    }
-
     unsafe fn lock(ptr: *mut Self::State) -> Self::GuardState {
         // SAFETY: The safety requirements of this function ensure that `ptr` points to valid
         // memory, and that it has been initialised before.
@@ -116,3 +106,16 @@ unsafe impl super::Backend for MutexBackend {
         unsafe { bindings::mutex_unlock(ptr) };
     }
 }
+
+// SAFETY: The underlying kernel `struct mutex` object ensures mutual exclusion.
+unsafe impl super::Backend for MutexBackend {
+    unsafe fn init(
+        ptr: *mut Self::State,
+        name: *const core::ffi::c_char,
+        key: *mut bindings::lock_class_key,
+    ) {
+        // SAFETY: The safety requirements ensure that `ptr` is valid for writes, and `name` and
+        // `key` are valid for read indefinitely.
+        unsafe { bindings::__mutex_init(ptr, name, key) }
+    }
+}

rust/kernel/sync/lock/spinlock.rs

@@ -96,12 +96,31 @@ pub type SpinLock<T> = super::Lock<T, SpinLockBackend>;
 /// A kernel `spinlock_t` lock backend.
 pub struct SpinLockBackend;
 
+pub struct SpinLockIrqSaveBackend;
+
 // SAFETY: The underlying kernel `spinlock_t` object ensures mutual exclusion. `relock` uses the
 // same scheme as `unlock` to figure out which locking method was used originally.
-unsafe impl super::Backend for SpinLockBackend {
+unsafe impl super::EffectiveBackend for SpinLockBackend {
     type State = bindings::spinlock_t;
-    type GuardState = Option<core::ffi::c_ulong>;
+    type GuardState = ();
 
+    unsafe fn lock(ptr: *mut Self::State) -> Self::GuardState {
+        // SAFETY: The safety requirements of this function ensure that `ptr` points to valid
+        // memory, and that it has been initialised before.
+        unsafe { bindings::spin_lock(ptr) };
+        ()
+    }
+
+    unsafe fn unlock(ptr: *mut Self::State, _: &Self::GuardState) {
+        unsafe { bindings::spin_unlock(ptr) }
+    }
+
+    unsafe fn relock(ptr: *mut Self::State, _: &mut Self::GuardState) {
+        unsafe { Self::lock(ptr) };
+    }
+}
+
+unsafe impl super::Backend for SpinLockBackend {
     unsafe fn init(
         ptr: *mut Self::State,
         name: *const core::ffi::c_char,
@@ -111,34 +130,28 @@ unsafe impl super::Backend for SpinLockBackend {
         // `key` are valid for read indefinitely.
         unsafe { bindings::__spin_lock_init(ptr, name, key) }
     }
+}
+
+unsafe impl super::EffectiveBackend for SpinLockIrqSaveBackend {
+    type State = bindings::spinlock_t;
+    type GuardState = core::ffi::c_ulong;
 
     unsafe fn lock(ptr: *mut Self::State) -> Self::GuardState {
         // SAFETY: The safety requirements of this function ensure that `ptr` points to valid
         // memory, and that it has been initialised before.
-        unsafe { bindings::spin_lock(ptr) };
-        None
+        unsafe { bindings::spin_lock_irqsave(ptr) }
     }
 
     unsafe fn unlock(ptr: *mut Self::State, guard_state: &Self::GuardState) {
-        match guard_state {
-            // SAFETY: The safety requirements of this function ensure that `ptr` is valid and that
-            // the caller is the owner of the mutex.
-            Some(flags) => unsafe { bindings::spin_unlock_irqrestore(ptr, *flags) },
-            // SAFETY: The safety requirements of this function ensure that `ptr` is valid and that
-            // the caller is the owner of the mutex.
-            None => unsafe { bindings::spin_unlock(ptr) },
-        }
+        // SAFETY: The safety requirements of this function ensure that `ptr` is valid and that
+        // the caller is the owner of the mutex.
+        unsafe { bindings::spin_unlock_irqrestore(ptr, *guard_state) }
     }
 
-    unsafe fn relock(ptr: *mut Self::State, guard_state: &mut Self::GuardState) {
-        let _ = match guard_state {
-            // SAFETY: The safety requiments of this function ensure that `ptr` has been
-            // initialised.
-            None => unsafe { Self::lock(ptr) },
-            // SAFETY: The safety requiments of this function ensure that `ptr` has been
-            // initialised.
-            Some(_) => unsafe { Self::lock_irqsave(ptr) },
-        };
+    unsafe fn relock(ptr: *mut Self::State, _guard_state: &mut Self::GuardState) {
+        // SAFETY: The safety requiments of this function ensure that `ptr` has been
+        // initialised.
+        unsafe { bindings::spin_lock_irqsave(ptr); }
     }
 }
 
@@ -147,9 +160,5 @@ unsafe impl super::Backend for SpinLockBackend {
 // interrupt state, and the `irqrestore` variant of the lock release functions to restore the state
 // in `unlock` -- we use the guard context to determine which method was used to acquire the lock.
 unsafe impl IrqSaveBackend for SpinLockBackend {
-    unsafe fn lock_irqsave(ptr: *mut Self::State) -> Self::GuardState {
-        // SAFETY: The safety requirements of this function ensure that `ptr` points to valid
-        // memory, and that it has been initialised before.
-        Some(unsafe { bindings::spin_lock_irqsave(ptr) })
-    }
+    type IrqSaveBackend = SpinLockIrqSaveBackend;
 }