From 91a9168a32099bba91709543213322dc2eb1afac Mon Sep 17 00:00:00 2001
From: Dario Nieuwenhuis <dirbaio@dirbaio.net>
Date: Wed, 24 Aug 2022 01:54:27 +0200
Subject: [PATCH] nrf/ppi: fix unsoundness due to task/event ptrs being public.

---
 embassy-nrf/src/ppi/mod.rs | 32 +++++++++++++++++++++++++-------
 1 file changed, 25 insertions(+), 7 deletions(-)

diff --git a/embassy-nrf/src/ppi/mod.rs b/embassy-nrf/src/ppi/mod.rs
index e3ac45d7..8f5ed14c 100644
--- a/embassy-nrf/src/ppi/mod.rs
+++ b/embassy-nrf/src/ppi/mod.rs
@@ -39,13 +39,22 @@ pub struct Ppi<'d, C: Channel, const EVENT_COUNT: usize, const TASK_COUNT: usize
 const REGISTER_DPPI_CONFIG_OFFSET: usize = 0x80 / core::mem::size_of::<u32>();
 
 /// Represents a task that a peripheral can do.
-/// When a task is subscribed to a PPI channel it will run when the channel is triggered by
-/// a published event.
 ///
-/// The pointer is to a task register
+/// When a task is subscribed to a PPI channel, it will run when the channel is triggered by
+/// a published event.
 #[derive(PartialEq, Eq, Clone, Copy)]
-pub struct Task(pub NonNull<u32>);
+pub struct Task(NonNull<u32>);
+
 impl Task {
+    /// Create a new `Task` from a task register pointer
+    ///
+    /// # Safety
+    ///
+    /// `ptr` must be a pointer to a valid `TASKS_*` register from an nRF peripheral.
+    pub unsafe fn new_unchecked(ptr: NonNull<u32>) -> Self {
+        Self(ptr)
+    }
+
     pub(crate) fn from_reg<T>(reg: &T) -> Self {
         Self(unsafe { NonNull::new_unchecked(reg as *const _ as *mut _) })
     }
@@ -63,12 +72,21 @@ impl Task {
 unsafe impl Send for Task {}
 
 /// Represents an event that a peripheral can publish.
-/// An event can be set to publish on a PPI channel when the event happens.
 ///
-/// The pointer is to an event register
+/// An event can be set to publish on a PPI channel when the event happens.
 #[derive(PartialEq, Eq, Clone, Copy)]
-pub struct Event(pub NonNull<u32>);
+pub struct Event(NonNull<u32>);
+
 impl Event {
+    /// Create a new `Event` from an event register pointer
+    ///
+    /// # Safety
+    ///
+    /// `ptr` must be a pointer to a valid `EVENTS_*` register from an nRF peripheral.
+    pub unsafe fn new_unchecked(ptr: NonNull<u32>) -> Self {
+        Self(ptr)
+    }
+
     pub(crate) fn from_reg<T>(reg: &T) -> Self {
         Self(unsafe { NonNull::new_unchecked(reg as *const _ as *mut _) })
     }