On Wed, Feb 26, 2025 at 04:41:08PM -0800, Boqun Feng wrote:
> And if you don't store the HrTimerHandle anywhere, like you drop() it
> right after starting a hrtimer, it will immediately stop the timer. Does
> this make sense?
Oh, I understand that, but it is not sufficient in the kernel. You are making an implicit argument that something external to the rust universe will hold the module alive until all rust destructors are run.

That is trivially obvious in your example above. However, make it more complex. Run the destructor call for your hrtimer in a workqueue thread. Use workqueue.rs. Now you don't have this implicit argument anymore, and it will EAF things.

Danilo argues this is a bug in workqueue.rs. Regardless, it seems like EAF is an overlooked topic in the safety analysis.

Further, you and Danilo are making opposing correctness arguments:

1) all rust destructors run before module __exit completes
2) rust destructors can run after driver removal completes

I understand the technical underpinnings why these are different, but I feel that if you can make #1 reliably true for __exit then it is highly desirable to use the same techniques to make it true for remove() too.

Jason
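The two lifetime arguments above, modelled in plain userspace Rust as an added illustration (this is not kernel code and not the hrtimer or workqueue.rs API): `Module` stands in for module text that is gone once `__exit` returns, `TimerHandle` stands in for `HrTimerHandle`, whose `Drop` touches that module, and the "workqueue" is an ordinary thread that runs the destructor only after exit has completed. The counter that the deferred case reports is where the kernel would instead have a use-after-free.

```rust
use std::sync::atomic::{AtomicBool, AtomicUsize, Ordering::SeqCst};
use std::sync::{mpsc, Arc};
use std::thread;

/// Stand-in for a module's text/data; `alive` is cleared when __exit returns.
pub struct Module {
    alive: AtomicBool,
    /// Destructor runs that touched the module after __exit (UAF in the kernel).
    late_drops: AtomicUsize,
}

/// Stand-in for HrTimerHandle: Drop cancels the timer, which touches module data.
pub struct TimerHandle {
    module: Arc<Module>,
}
impl Drop for TimerHandle {
    fn drop(&mut self) {
        // In the kernel this is the cancel path running in module code.
        if !self.module.alive.load(SeqCst) {
            self.module.late_drops.fetch_add(1, SeqCst);
        }
    }
}

fn new_module() -> Arc<Module> {
    Arc::new(Module { alive: AtomicBool::new(true), late_drops: AtomicUsize::new(0) })
}

/// Workqueue case: the handle's destructor is deferred to another thread and
/// nothing forces it to run before __exit completes. Returns late drops (1).
pub fn exit_with_deferred_drop() -> usize {
    let module = new_module();
    let handle = TimerHandle { module: Arc::clone(&module) };
    let (tx, rx) = mpsc::channel::<()>();
    let worker = thread::spawn(move || {
        let _handle = handle; // the work item owns the handle
        let _ = rx.recv();    // work runs only after __exit has completed
    }); // `_handle` dropped here, module already gone
    module.alive.store(false, SeqCst); // __exit completes, module unloaded
    let _ = tx.send(());
    worker.join().unwrap();
    module.late_drops.load(SeqCst)
}

/// Argument #1 enforced structurally: a scoped thread cannot outlive the scope,
/// so every destructor has run before __exit returns. Returns late drops (0).
pub fn exit_with_scoped_drop() -> usize {
    let module = new_module();
    let handle = TimerHandle { module: Arc::clone(&module) };
    thread::scope(|s| { s.spawn(move || drop(handle)); }); // joins before returning
    module.alive.store(false, SeqCst);
    module.late_drops.load(SeqCst)
}
```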