diff options
| author | Thomas Zimmermann <tzimmermann@suse.de> | 2025-06-11 09:01:34 +0200 | 
|---|---|---|
| committer | Thomas Zimmermann <tzimmermann@suse.de> | 2025-06-11 09:01:34 +0200 | 
| commit | c598d5eb9fb331ba17bc9ad67ae9a2231ca5aca5 (patch) | |
| tree | a5b6f4655cde4f19b6b157aa455723c0329bd719 /rust/kernel | |
| parent | 29a9b3a504c0d18bcc7f0547371409e9dcbc045e (diff) | |
| parent | 19272b37aa4f83ca52bdf9c16d5d81bdd1354494 (diff) | |
Merge drm/drm-next into drm-misc-next
Backmerging to forward to v6.16-rc1
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Diffstat (limited to 'rust/kernel')
50 files changed, 6594 insertions, 437 deletions
| diff --git a/rust/kernel/alloc.rs b/rust/kernel/alloc.rs index fc9c9c41cd79..a2c49e5494d3 100644 --- a/rust/kernel/alloc.rs +++ b/rust/kernel/alloc.rs @@ -94,10 +94,10 @@ pub mod flags {      ///      /// A lower watermark is applied to allow access to "atomic reserves". The current      /// implementation doesn't support NMI and few other strict non-preemptive contexts (e.g. -    /// raw_spin_lock). The same applies to [`GFP_NOWAIT`]. +    /// `raw_spin_lock`). The same applies to [`GFP_NOWAIT`].      pub const GFP_ATOMIC: Flags = Flags(bindings::GFP_ATOMIC); -    /// Typical for kernel-internal allocations. The caller requires ZONE_NORMAL or a lower zone +    /// Typical for kernel-internal allocations. The caller requires `ZONE_NORMAL` or a lower zone      /// for direct access but can direct reclaim.      pub const GFP_KERNEL: Flags = Flags(bindings::GFP_KERNEL); diff --git a/rust/kernel/alloc/allocator_test.rs b/rust/kernel/alloc/allocator_test.rs index c37d4c0c64e9..d19c06ef0498 100644 --- a/rust/kernel/alloc/allocator_test.rs +++ b/rust/kernel/alloc/allocator_test.rs @@ -4,7 +4,7 @@  //! of those types (e.g. `CString`) use kernel allocators for instantiation.  //!  //! In order to allow userspace test cases to make use of such types as well, implement the -//! `Cmalloc` allocator within the allocator_test module and type alias all kernel allocators to +//! `Cmalloc` allocator within the `allocator_test` module and type alias all kernel allocators to  //! `Cmalloc`. The `Cmalloc` allocator uses libc's `realloc()` function as allocator backend.  #![allow(missing_docs)] diff --git a/rust/kernel/alloc/kbox.rs b/rust/kernel/alloc/kbox.rs index b77d32f3a58b..c386ff771d50 100644 --- a/rust/kernel/alloc/kbox.rs +++ b/rust/kernel/alloc/kbox.rs @@ -57,12 +57,50 @@ use pin_init::{InPlaceWrite, Init, PinInit, ZeroableOption};  /// assert!(KVBox::<Huge>::new_uninit(GFP_KERNEL).is_ok());  /// ```  /// +/// [`Box`]es can also be used to store trait objects by coercing their type: +/// +/// ``` +/// trait FooTrait {} +/// +/// struct FooStruct; +/// impl FooTrait for FooStruct {} +/// +/// let _ = KBox::new(FooStruct, GFP_KERNEL)? as KBox<dyn FooTrait>; +/// # Ok::<(), Error>(()) +/// ``` +///  /// # Invariants  ///  /// `self.0` is always properly aligned and either points to memory allocated with `A` or, for  /// zero-sized types, is a dangling, well aligned pointer.  #[repr(transparent)] -pub struct Box<T: ?Sized, A: Allocator>(NonNull<T>, PhantomData<A>); +#[cfg_attr(CONFIG_RUSTC_HAS_COERCE_POINTEE, derive(core::marker::CoercePointee))] +pub struct Box<#[cfg_attr(CONFIG_RUSTC_HAS_COERCE_POINTEE, pointee)] T: ?Sized, A: Allocator>( +    NonNull<T>, +    PhantomData<A>, +); + +// This is to allow coercion from `Box<T, A>` to `Box<U, A>` if `T` can be converted to the +// dynamically-sized type (DST) `U`. +#[cfg(not(CONFIG_RUSTC_HAS_COERCE_POINTEE))] +impl<T, U, A> core::ops::CoerceUnsized<Box<U, A>> for Box<T, A> +where +    T: ?Sized + core::marker::Unsize<U>, +    U: ?Sized, +    A: Allocator, +{ +} + +// This is to allow `Box<U, A>` to be dispatched on when `Box<T, A>` can be coerced into `Box<U, +// A>`. +#[cfg(not(CONFIG_RUSTC_HAS_COERCE_POINTEE))] +impl<T, U, A> core::ops::DispatchFromDyn<Box<U, A>> for Box<T, A> +where +    T: ?Sized + core::marker::Unsize<U>, +    U: ?Sized, +    A: Allocator, +{ +}  /// Type alias for [`Box`] with a [`Kmalloc`] allocator.  /// @@ -101,7 +139,7 @@ pub type VBox<T> = Box<T, super::allocator::Vmalloc>;  pub type KVBox<T> = Box<T, super::allocator::KVmalloc>;  // SAFETY: All zeros is equivalent to `None` (option layout optimization guarantee: -// https://doc.rust-lang.org/stable/std/option/index.html#representation). +// <https://doc.rust-lang.org/stable/std/option/index.html#representation>).  unsafe impl<T, A: Allocator> ZeroableOption for Box<T, A> {}  // SAFETY: `Box` is `Send` if `T` is `Send` because the `Box` owns a `T`. @@ -360,68 +398,70 @@ where      }  } -impl<T: 'static, A> ForeignOwnable for Box<T, A> +// SAFETY: The `into_foreign` function returns a pointer that is well-aligned. +unsafe impl<T: 'static, A> ForeignOwnable for Box<T, A>  where      A: Allocator,  { +    type PointedTo = T;      type Borrowed<'a> = &'a T;      type BorrowedMut<'a> = &'a mut T; -    fn into_foreign(self) -> *mut crate::ffi::c_void { -        Box::into_raw(self).cast() +    fn into_foreign(self) -> *mut Self::PointedTo { +        Box::into_raw(self)      } -    unsafe fn from_foreign(ptr: *mut crate::ffi::c_void) -> Self { +    unsafe fn from_foreign(ptr: *mut Self::PointedTo) -> Self {          // SAFETY: The safety requirements of this function ensure that `ptr` comes from a previous          // call to `Self::into_foreign`. -        unsafe { Box::from_raw(ptr.cast()) } +        unsafe { Box::from_raw(ptr) }      } -    unsafe fn borrow<'a>(ptr: *mut crate::ffi::c_void) -> &'a T { +    unsafe fn borrow<'a>(ptr: *mut Self::PointedTo) -> &'a T {          // SAFETY: The safety requirements of this method ensure that the object remains alive and          // immutable for the duration of 'a. -        unsafe { &*ptr.cast() } +        unsafe { &*ptr }      } -    unsafe fn borrow_mut<'a>(ptr: *mut crate::ffi::c_void) -> &'a mut T { -        let ptr = ptr.cast(); +    unsafe fn borrow_mut<'a>(ptr: *mut Self::PointedTo) -> &'a mut T {          // SAFETY: The safety requirements of this method ensure that the pointer is valid and that          // nothing else will access the value for the duration of 'a.          unsafe { &mut *ptr }      }  } -impl<T: 'static, A> ForeignOwnable for Pin<Box<T, A>> +// SAFETY: The `into_foreign` function returns a pointer that is well-aligned. +unsafe impl<T: 'static, A> ForeignOwnable for Pin<Box<T, A>>  where      A: Allocator,  { +    type PointedTo = T;      type Borrowed<'a> = Pin<&'a T>;      type BorrowedMut<'a> = Pin<&'a mut T>; -    fn into_foreign(self) -> *mut crate::ffi::c_void { +    fn into_foreign(self) -> *mut Self::PointedTo {          // SAFETY: We are still treating the box as pinned. -        Box::into_raw(unsafe { Pin::into_inner_unchecked(self) }).cast() +        Box::into_raw(unsafe { Pin::into_inner_unchecked(self) })      } -    unsafe fn from_foreign(ptr: *mut crate::ffi::c_void) -> Self { +    unsafe fn from_foreign(ptr: *mut Self::PointedTo) -> Self {          // SAFETY: The safety requirements of this function ensure that `ptr` comes from a previous          // call to `Self::into_foreign`. -        unsafe { Pin::new_unchecked(Box::from_raw(ptr.cast())) } +        unsafe { Pin::new_unchecked(Box::from_raw(ptr)) }      } -    unsafe fn borrow<'a>(ptr: *mut crate::ffi::c_void) -> Pin<&'a T> { +    unsafe fn borrow<'a>(ptr: *mut Self::PointedTo) -> Pin<&'a T> {          // SAFETY: The safety requirements for this function ensure that the object is still alive,          // so it is safe to dereference the raw pointer.          // The safety requirements of `from_foreign` also ensure that the object remains alive for          // the lifetime of the returned value. -        let r = unsafe { &*ptr.cast() }; +        let r = unsafe { &*ptr };          // SAFETY: This pointer originates from a `Pin<Box<T>>`.          unsafe { Pin::new_unchecked(r) }      } -    unsafe fn borrow_mut<'a>(ptr: *mut crate::ffi::c_void) -> Pin<&'a mut T> { -        let ptr = ptr.cast(); +    unsafe fn borrow_mut<'a>(ptr: *mut Self::PointedTo) -> Pin<&'a mut T> {          // SAFETY: The safety requirements for this function ensure that the object is still alive,          // so it is safe to dereference the raw pointer.          // The safety requirements of `from_foreign` also ensure that the object remains alive for diff --git a/rust/kernel/alloc/kvec.rs b/rust/kernel/alloc/kvec.rs index ae9d072741ce..1a0dd852a468 100644 --- a/rust/kernel/alloc/kvec.rs +++ b/rust/kernel/alloc/kvec.rs @@ -21,6 +21,9 @@ use core::{      slice::SliceIndex,  }; +mod errors; +pub use self::errors::{InsertError, PushError, RemoveError}; +  /// Create a [`KVec`] containing the arguments.  ///  /// New memory is allocated with `GFP_KERNEL`. @@ -90,6 +93,8 @@ macro_rules! kvec {  ///   without re-allocation. For ZSTs `self.layout`'s capacity is zero. However, it is legal for the  ///   backing buffer to be larger than `layout`.  /// +/// - `self.len()` is always less than or equal to `self.capacity()`. +///  /// - The `Allocator` type `A` of the vector is the exact same `Allocator` type the backing buffer  ///   was allocated with (and must be freed with).  pub struct Vec<T, A: Allocator> { @@ -183,17 +188,38 @@ where          self.len      } -    /// Forcefully sets `self.len` to `new_len`. +    /// Increments `self.len` by `additional`.      ///      /// # Safety      /// -    /// - `new_len` must be less than or equal to [`Self::capacity`]. -    /// - If `new_len` is greater than `self.len`, all elements within the interval -    ///   [`self.len`,`new_len`) must be initialized. +    /// - `additional` must be less than or equal to `self.capacity - self.len`. +    /// - All elements within the interval [`self.len`,`self.len + additional`) must be initialized.      #[inline] -    pub unsafe fn set_len(&mut self, new_len: usize) { -        debug_assert!(new_len <= self.capacity()); -        self.len = new_len; +    pub unsafe fn inc_len(&mut self, additional: usize) { +        // Guaranteed by the type invariant to never underflow. +        debug_assert!(additional <= self.capacity() - self.len()); +        // INVARIANT: By the safety requirements of this method this represents the exact number of +        // elements stored within `self`. +        self.len += additional; +    } + +    /// Decreases `self.len` by `count`. +    /// +    /// Returns a mutable slice to the elements forgotten by the vector. It is the caller's +    /// responsibility to drop these elements if necessary. +    /// +    /// # Safety +    /// +    /// - `count` must be less than or equal to `self.len`. +    unsafe fn dec_len(&mut self, count: usize) -> &mut [T] { +        debug_assert!(count <= self.len()); +        // INVARIANT: We relinquish ownership of the elements within the range `[self.len - count, +        // self.len)`, hence the updated value of `set.len` represents the exact number of elements +        // stored within `self`. +        self.len -= count; +        // SAFETY: The memory after `self.len()` is guaranteed to contain `count` initialized +        // elements of type `T`. +        unsafe { slice::from_raw_parts_mut(self.as_mut_ptr().add(self.len), count) }      }      /// Returns a slice of the entire vector. @@ -259,8 +285,8 @@ where      /// Returns a slice of `MaybeUninit<T>` for the remaining spare capacity of the vector.      pub fn spare_capacity_mut(&mut self) -> &mut [MaybeUninit<T>] {          // SAFETY: -        // - `self.len` is smaller than `self.capacity` and hence, the resulting pointer is -        //   guaranteed to be part of the same allocated object. +        // - `self.len` is smaller than `self.capacity` by the type invariant and hence, the +        //   resulting pointer is guaranteed to be part of the same allocated object.          // - `self.len` can not overflow `isize`.          let ptr = unsafe { self.as_mut_ptr().add(self.len) } as *mut MaybeUninit<T>; @@ -284,24 +310,170 @@ where      /// ```      pub fn push(&mut self, v: T, flags: Flags) -> Result<(), AllocError> {          self.reserve(1, flags)?; +        // SAFETY: The call to `reserve` was successful, so the capacity is at least one greater +        // than the length. +        unsafe { self.push_within_capacity_unchecked(v) }; +        Ok(()) +    } -        // SAFETY: -        // - `self.len` is smaller than `self.capacity` and hence, the resulting pointer is -        //   guaranteed to be part of the same allocated object. -        // - `self.len` can not overflow `isize`. -        let ptr = unsafe { self.as_mut_ptr().add(self.len) }; +    /// Appends an element to the back of the [`Vec`] instance without reallocating. +    /// +    /// Fails if the vector does not have capacity for the new element. +    /// +    /// # Examples +    /// +    /// ``` +    /// let mut v = KVec::with_capacity(10, GFP_KERNEL)?; +    /// for i in 0..10 { +    ///     v.push_within_capacity(i)?; +    /// } +    /// +    /// assert!(v.push_within_capacity(10).is_err()); +    /// # Ok::<(), Error>(()) +    /// ``` +    pub fn push_within_capacity(&mut self, v: T) -> Result<(), PushError<T>> { +        if self.len() < self.capacity() { +            // SAFETY: The length is less than the capacity. +            unsafe { self.push_within_capacity_unchecked(v) }; +            Ok(()) +        } else { +            Err(PushError(v)) +        } +    } -        // SAFETY: -        // - `ptr` is properly aligned and valid for writes. -        unsafe { core::ptr::write(ptr, v) }; +    /// Appends an element to the back of the [`Vec`] instance without reallocating. +    /// +    /// # Safety +    /// +    /// The length must be less than the capacity. +    unsafe fn push_within_capacity_unchecked(&mut self, v: T) { +        let spare = self.spare_capacity_mut(); + +        // SAFETY: By the safety requirements, `spare` is non-empty. +        unsafe { spare.get_unchecked_mut(0) }.write(v);          // SAFETY: We just initialised the first spare entry, so it is safe to increase the length -        // by 1. We also know that the new length is <= capacity because of the previous call to -        // `reserve` above. -        unsafe { self.set_len(self.len() + 1) }; +        // by 1. We also know that the new length is <= capacity because the caller guarantees that +        // the length is less than the capacity at the beginning of this function. +        unsafe { self.inc_len(1) }; +    } + +    /// Inserts an element at the given index in the [`Vec`] instance. +    /// +    /// Fails if the vector does not have capacity for the new element. Panics if the index is out +    /// of bounds. +    /// +    /// # Examples +    /// +    /// ``` +    /// use kernel::alloc::kvec::InsertError; +    /// +    /// let mut v = KVec::with_capacity(5, GFP_KERNEL)?; +    /// for i in 0..5 { +    ///     v.insert_within_capacity(0, i)?; +    /// } +    /// +    /// assert!(matches!(v.insert_within_capacity(0, 5), Err(InsertError::OutOfCapacity(_)))); +    /// assert!(matches!(v.insert_within_capacity(1000, 5), Err(InsertError::IndexOutOfBounds(_)))); +    /// assert_eq!(v, [4, 3, 2, 1, 0]); +    /// # Ok::<(), Error>(()) +    /// ``` +    pub fn insert_within_capacity( +        &mut self, +        index: usize, +        element: T, +    ) -> Result<(), InsertError<T>> { +        let len = self.len(); +        if index > len { +            return Err(InsertError::IndexOutOfBounds(element)); +        } + +        if len >= self.capacity() { +            return Err(InsertError::OutOfCapacity(element)); +        } + +        // SAFETY: This is in bounds since `index <= len < capacity`. +        let p = unsafe { self.as_mut_ptr().add(index) }; +        // INVARIANT: This breaks the Vec invariants by making `index` contain an invalid element, +        // but we restore the invariants below. +        // SAFETY: Both the src and dst ranges end no later than one element after the length. +        // Since the length is less than the capacity, both ranges are in bounds of the allocation. +        unsafe { ptr::copy(p, p.add(1), len - index) }; +        // INVARIANT: This restores the Vec invariants. +        // SAFETY: The pointer is in-bounds of the allocation. +        unsafe { ptr::write(p, element) }; +        // SAFETY: Index `len` contains a valid element due to the above copy and write. +        unsafe { self.inc_len(1) };          Ok(())      } +    /// Removes the last element from a vector and returns it, or `None` if it is empty. +    /// +    /// # Examples +    /// +    /// ``` +    /// let mut v = KVec::new(); +    /// v.push(1, GFP_KERNEL)?; +    /// v.push(2, GFP_KERNEL)?; +    /// assert_eq!(&v, &[1, 2]); +    /// +    /// assert_eq!(v.pop(), Some(2)); +    /// assert_eq!(v.pop(), Some(1)); +    /// assert_eq!(v.pop(), None); +    /// # Ok::<(), Error>(()) +    /// ``` +    pub fn pop(&mut self) -> Option<T> { +        if self.is_empty() { +            return None; +        } + +        let removed: *mut T = { +            // SAFETY: We just checked that the length is at least one. +            let slice = unsafe { self.dec_len(1) }; +            // SAFETY: The argument to `dec_len` was 1 so this returns a slice of length 1. +            unsafe { slice.get_unchecked_mut(0) } +        }; + +        // SAFETY: The guarantees of `dec_len` allow us to take ownership of this value. +        Some(unsafe { removed.read() }) +    } + +    /// Removes the element at the given index. +    /// +    /// # Examples +    /// +    /// ``` +    /// let mut v = kernel::kvec![1, 2, 3]?; +    /// assert_eq!(v.remove(1)?, 2); +    /// assert_eq!(v, [1, 3]); +    /// # Ok::<(), Error>(()) +    /// ``` +    pub fn remove(&mut self, i: usize) -> Result<T, RemoveError> { +        let value = { +            let value_ref = self.get(i).ok_or(RemoveError)?; +            // INVARIANT: This breaks the invariants by invalidating the value at index `i`, but we +            // restore the invariants below. +            // SAFETY: The value at index `i` is valid, because otherwise we would have already +            // failed with `RemoveError`. +            unsafe { ptr::read(value_ref) } +        }; + +        // SAFETY: We checked that `i` is in-bounds. +        let p = unsafe { self.as_mut_ptr().add(i) }; + +        // INVARIANT: After this call, the invalid value is at the last slot, so the Vec invariants +        // are restored after the below call to `dec_len(1)`. +        // SAFETY: `p.add(1).add(self.len - i - 1)` is `i+1+len-i-1 == len` elements after the +        // beginning of the vector, so this is in-bounds of the vector's allocation. +        unsafe { ptr::copy(p.add(1), p, self.len - i - 1) }; + +        // SAFETY: Since the check at the beginning of this call did not fail with `RemoveError`, +        // the length is at least one. +        unsafe { self.dec_len(1) }; + +        Ok(value) +    } +      /// Creates a new [`Vec`] instance with at least the given capacity.      ///      /// # Examples @@ -395,6 +567,26 @@ where          (ptr, len, capacity)      } +    /// Clears the vector, removing all values. +    /// +    /// Note that this method has no effect on the allocated capacity +    /// of the vector. +    /// +    /// # Examples +    /// +    /// ``` +    /// let mut v = kernel::kvec![1, 2, 3]?; +    /// +    /// v.clear(); +    /// +    /// assert!(v.is_empty()); +    /// # Ok::<(), Error>(()) +    /// ``` +    #[inline] +    pub fn clear(&mut self) { +        self.truncate(0); +    } +      /// Ensures that the capacity exceeds the length by at least `additional` elements.      ///      /// # Examples @@ -452,6 +644,80 @@ where          Ok(())      } + +    /// Shortens the vector, setting the length to `len` and drops the removed values. +    /// If `len` is greater than or equal to the current length, this does nothing. +    /// +    /// This has no effect on the capacity and will not allocate. +    /// +    /// # Examples +    /// +    /// ``` +    /// let mut v = kernel::kvec![1, 2, 3]?; +    /// v.truncate(1); +    /// assert_eq!(v.len(), 1); +    /// assert_eq!(&v, &[1]); +    /// +    /// # Ok::<(), Error>(()) +    /// ``` +    pub fn truncate(&mut self, len: usize) { +        if let Some(count) = self.len().checked_sub(len) { +            // SAFETY: `count` is `self.len() - len` so it is guaranteed to be less than or +            // equal to `self.len()`. +            let ptr: *mut [T] = unsafe { self.dec_len(count) }; + +            // SAFETY: the contract of `dec_len` guarantees that the elements in `ptr` are +            // valid elements whose ownership has been transferred to the caller. +            unsafe { ptr::drop_in_place(ptr) }; +        } +    } + +    /// Takes ownership of all items in this vector without consuming the allocation. +    /// +    /// # Examples +    /// +    /// ``` +    /// let mut v = kernel::kvec![0, 1, 2, 3]?; +    /// +    /// for (i, j) in v.drain_all().enumerate() { +    ///     assert_eq!(i, j); +    /// } +    /// +    /// assert!(v.capacity() >= 4); +    /// # Ok::<(), Error>(()) +    /// ``` +    pub fn drain_all(&mut self) -> DrainAll<'_, T> { +        // SAFETY: This does not underflow the length. +        let elems = unsafe { self.dec_len(self.len()) }; +        // INVARIANT: The first `len` elements of the spare capacity are valid values, and as we +        // just set the length to zero, we may transfer ownership to the `DrainAll` object. +        DrainAll { +            elements: elems.iter_mut(), +        } +    } + +    /// Removes all elements that don't match the provided closure. +    /// +    /// # Examples +    /// +    /// ``` +    /// let mut v = kernel::kvec![1, 2, 3, 4]?; +    /// v.retain(|i| *i % 2 == 0); +    /// assert_eq!(v, [2, 4]); +    /// # Ok::<(), Error>(()) +    /// ``` +    pub fn retain(&mut self, mut f: impl FnMut(&mut T) -> bool) { +        let mut num_kept = 0; +        let mut next_to_check = 0; +        while let Some(to_check) = self.get_mut(next_to_check) { +            if f(to_check) { +                self.swap(num_kept, next_to_check); +                num_kept += 1; +            } +            next_to_check += 1; +        } +        self.truncate(num_kept); +    }  }  impl<T: Clone, A: Allocator> Vec<T, A> { @@ -475,7 +741,7 @@ impl<T: Clone, A: Allocator> Vec<T, A> {          // SAFETY:          // - `self.len() + n < self.capacity()` due to the call to reserve above,          // - the loop and the line above initialized the next `n` elements. -        unsafe { self.set_len(self.len() + n) }; +        unsafe { self.inc_len(n) };          Ok(())      } @@ -506,7 +772,7 @@ impl<T: Clone, A: Allocator> Vec<T, A> {          //   the length by the same number.          // - `self.len() + other.len() <= self.capacity()` is guaranteed by the preceding `reserve`          //   call. -        unsafe { self.set_len(self.len() + other.len()) }; +        unsafe { self.inc_len(other.len()) };          Ok(())      } @@ -518,6 +784,33 @@ impl<T: Clone, A: Allocator> Vec<T, A> {          Ok(v)      } + +    /// Resizes the [`Vec`] so that `len` is equal to `new_len`. +    /// +    /// If `new_len` is smaller than `len`, the `Vec` is [`Vec::truncate`]d. +    /// If `new_len` is larger, each new slot is filled with clones of `value`. +    /// +    /// # Examples +    /// +    /// ``` +    /// let mut v = kernel::kvec![1, 2, 3]?; +    /// v.resize(1, 42, GFP_KERNEL)?; +    /// assert_eq!(&v, &[1]); +    /// +    /// v.resize(3, 42, GFP_KERNEL)?; +    /// assert_eq!(&v, &[1, 42, 42]); +    /// +    /// # Ok::<(), Error>(()) +    /// ``` +    pub fn resize(&mut self, new_len: usize, value: T, flags: Flags) -> Result<(), AllocError> { +        match new_len.checked_sub(self.len()) { +            Some(n) => self.extend_with(n, value, flags), +            None => { +                self.truncate(new_len); +                Ok(()) +            } +        } +    }  }  impl<T, A> Drop for Vec<T, A> @@ -757,12 +1050,13 @@ where              unsafe { ptr::copy(ptr, buf.as_ptr(), len) };              ptr = buf.as_ptr(); -            // SAFETY: `len` is guaranteed to be smaller than `self.layout.len()`. +            // SAFETY: `len` is guaranteed to be smaller than `self.layout.len()` by the type +            // invariant.              let layout = unsafe { ArrayLayout::<T>::new_unchecked(len) }; -            // SAFETY: `buf` points to the start of the backing buffer and `len` is guaranteed to be -            // smaller than `cap`. Depending on `alloc` this operation may shrink the buffer or leaves -            // it as it is. +            // SAFETY: `buf` points to the start of the backing buffer and `len` is guaranteed by +            // the type invariant to be smaller than `cap`. Depending on `realloc` this operation +            // may shrink the buffer or leave it as it is.              ptr = match unsafe {                  A::realloc(Some(buf.cast()), layout.into(), old_layout.into(), flags)              } { @@ -911,3 +1205,87 @@ where          }      }  } + +/// An iterator that owns all items in a vector, but does not own its allocation. +/// +/// # Invariants +/// +/// Every `&mut T` returned by the iterator references a `T` that the iterator may take ownership +/// of. +pub struct DrainAll<'vec, T> { +    elements: slice::IterMut<'vec, T>, +} + +impl<'vec, T> Iterator for DrainAll<'vec, T> { +    type Item = T; + +    fn next(&mut self) -> Option<T> { +        let elem: *mut T = self.elements.next()?; +        // SAFETY: By the type invariants, we may take ownership of this value. +        Some(unsafe { elem.read() }) +    } + +    fn size_hint(&self) -> (usize, Option<usize>) { +        self.elements.size_hint() +    } +} + +impl<'vec, T> Drop for DrainAll<'vec, T> { +    fn drop(&mut self) { +        if core::mem::needs_drop::<T>() { +            let iter = core::mem::take(&mut self.elements); +            let ptr: *mut [T] = iter.into_slice(); +            // SAFETY: By the type invariants, we own these values so we may destroy them. +            unsafe { ptr::drop_in_place(ptr) }; +        } +    } +} + +#[macros::kunit_tests(rust_kvec_kunit)] +mod tests { +    use super::*; +    use crate::prelude::*; + +    #[test] +    fn test_kvec_retain() { +        /// Verify correctness for one specific function. +        #[expect(clippy::needless_range_loop)] +        fn verify(c: &[bool]) { +            let mut vec1: KVec<usize> = KVec::with_capacity(c.len(), GFP_KERNEL).unwrap(); +            let mut vec2: KVec<usize> = KVec::with_capacity(c.len(), GFP_KERNEL).unwrap(); + +            for i in 0..c.len() { +                vec1.push_within_capacity(i).unwrap(); +                if c[i] { +                    vec2.push_within_capacity(i).unwrap(); +                } +            } + +            vec1.retain(|i| c[*i]); + +            assert_eq!(vec1, vec2); +        } + +        /// Add one to a binary integer represented as a boolean array. +        fn add(value: &mut [bool]) { +            let mut carry = true; +            for v in value { +                let new_v = carry != *v; +                carry = carry && *v; +                *v = new_v; +            } +        } + +        // This boolean array represents a function from index to boolean. We check that `retain` +        // behaves correctly for all possible boolean arrays of every possible length less than +        // ten. +        let mut func = KVec::with_capacity(10, GFP_KERNEL).unwrap(); +        for len in 0..10 { +            for _ in 0u32..1u32 << len { +                verify(&func); +                add(&mut func); +            } +            func.push_within_capacity(false).unwrap(); +        } +    } +} diff --git a/rust/kernel/alloc/kvec/errors.rs b/rust/kernel/alloc/kvec/errors.rs new file mode 100644 index 000000000000..348b8d27e102 --- /dev/null +++ b/rust/kernel/alloc/kvec/errors.rs @@ -0,0 +1,61 @@ +// SPDX-License-Identifier: GPL-2.0 + +//! Errors for the [`Vec`] type. + +use core::fmt::{self, Debug, Formatter}; +use kernel::prelude::*; + +/// Error type for [`Vec::push_within_capacity`]. +pub struct PushError<T>(pub T); + +impl<T> Debug for PushError<T> { +    fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result { +        write!(f, "Not enough capacity") +    } +} + +impl<T> From<PushError<T>> for Error { +    fn from(_: PushError<T>) -> Error { +        // Returning ENOMEM isn't appropriate because the system is not out of memory. The vector +        // is just full and we are refusing to resize it. +        EINVAL +    } +} + +/// Error type for [`Vec::remove`]. +pub struct RemoveError; + +impl Debug for RemoveError { +    fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result { +        write!(f, "Index out of bounds") +    } +} + +impl From<RemoveError> for Error { +    fn from(_: RemoveError) -> Error { +        EINVAL +    } +} + +/// Error type for [`Vec::insert_within_capacity`]. +pub enum InsertError<T> { +    /// The value could not be inserted because the index is out of bounds. +    IndexOutOfBounds(T), +    /// The value could not be inserted because the vector is out of capacity. +    OutOfCapacity(T), +} + +impl<T> Debug for InsertError<T> { +    fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result { +        match self { +            InsertError::IndexOutOfBounds(_) => write!(f, "Index out of bounds"), +            InsertError::OutOfCapacity(_) => write!(f, "Not enough capacity"), +        } +    } +} + +impl<T> From<InsertError<T>> for Error { +    fn from(_: InsertError<T>) -> Error { +        EINVAL +    } +} diff --git a/rust/kernel/auxiliary.rs b/rust/kernel/auxiliary.rs index 5c072960dee0..d2cfe1eeefb6 100644 --- a/rust/kernel/auxiliary.rs +++ b/rust/kernel/auxiliary.rs @@ -73,7 +73,9 @@ impl<T: Driver + 'static> Adapter<T> {                  // Let the `struct auxiliary_device` own a reference of the driver's private data.                  // SAFETY: By the type invariant `adev.as_raw` returns a valid pointer to a                  // `struct auxiliary_device`. -                unsafe { bindings::auxiliary_set_drvdata(adev.as_raw(), data.into_foreign()) }; +                unsafe { +                    bindings::auxiliary_set_drvdata(adev.as_raw(), data.into_foreign().cast()) +                };              }              Err(err) => return Error::to_errno(err),          } @@ -89,7 +91,7 @@ impl<T: Driver + 'static> Adapter<T> {          // SAFETY: `remove_callback` is only ever called after a successful call to          // `probe_callback`, hence it's guaranteed that `ptr` points to a valid and initialized          // `KBox<T>` pointer created through `KBox::into_foreign`. -        drop(unsafe { KBox::<T>::from_foreign(ptr) }); +        drop(unsafe { KBox::<T>::from_foreign(ptr.cast()) });      }  } @@ -234,7 +236,7 @@ impl Device {      extern "C" fn release(dev: *mut bindings::device) {          // SAFETY: By the type invariant `self.0.as_raw` is a pointer to the `struct device`          // embedded in `struct auxiliary_device`. -        let adev = unsafe { container_of!(dev, bindings::auxiliary_device, dev) }.cast_mut(); +        let adev = unsafe { container_of!(dev, bindings::auxiliary_device, dev) };          // SAFETY: `adev` points to the memory that has been allocated in `Registration::new`, via          // `KBox::new(Opaque::<bindings::auxiliary_device>::zeroed(), GFP_KERNEL)`. diff --git a/rust/kernel/block/mq/gen_disk.rs b/rust/kernel/block/mq/gen_disk.rs index 14806e1997fd..cd54cd64ea88 100644 --- a/rust/kernel/block/mq/gen_disk.rs +++ b/rust/kernel/block/mq/gen_disk.rs @@ -129,7 +129,7 @@ impl GenDiskBuilder {              get_unique_id: None,              // TODO: Set to THIS_MODULE. Waiting for const_refs_to_static feature to              // be merged (unstable in rustc 1.78 which is staged for linux 6.10) -            // https://github.com/rust-lang/rust/issues/119618 +            // <https://github.com/rust-lang/rust/issues/119618>              owner: core::ptr::null_mut(),              pr_ops: core::ptr::null_mut(),              free_disk: None, diff --git a/rust/kernel/clk.rs b/rust/kernel/clk.rs new file mode 100644 index 000000000000..6041c6d07527 --- /dev/null +++ b/rust/kernel/clk.rs @@ -0,0 +1,334 @@ +// SPDX-License-Identifier: GPL-2.0 + +//! Clock abstractions. +//! +//! C header: [`include/linux/clk.h`](srctree/include/linux/clk.h) +//! +//! Reference: <https://docs.kernel.org/driver-api/clk.html> + +use crate::ffi::c_ulong; + +/// The frequency unit. +/// +/// Represents a frequency in hertz, wrapping a [`c_ulong`] value. +/// +/// ## Examples +/// +/// ``` +/// use kernel::clk::Hertz; +/// +/// let hz = 1_000_000_000; +/// let rate = Hertz(hz); +/// +/// assert_eq!(rate.as_hz(), hz); +/// assert_eq!(rate, Hertz(hz)); +/// assert_eq!(rate, Hertz::from_khz(hz / 1_000)); +/// assert_eq!(rate, Hertz::from_mhz(hz / 1_000_000)); +/// assert_eq!(rate, Hertz::from_ghz(hz / 1_000_000_000)); +/// ``` +#[derive(Copy, Clone, PartialEq, Eq, Debug)] +pub struct Hertz(pub c_ulong); + +impl Hertz { +    /// Create a new instance from kilohertz (kHz) +    pub fn from_khz(khz: c_ulong) -> Self { +        Self(khz * 1_000) +    } + +    /// Create a new instance from megahertz (MHz) +    pub fn from_mhz(mhz: c_ulong) -> Self { +        Self(mhz * 1_000_000) +    } + +    /// Create a new instance from gigahertz (GHz) +    pub fn from_ghz(ghz: c_ulong) -> Self { +        Self(ghz * 1_000_000_000) +    } + +    /// Get the frequency in hertz +    pub fn as_hz(&self) -> c_ulong { +        self.0 +    } + +    /// Get the frequency in kilohertz +    pub fn as_khz(&self) -> c_ulong { +        self.0 / 1_000 +    } + +    /// Get the frequency in megahertz +    pub fn as_mhz(&self) -> c_ulong { +        self.0 / 1_000_000 +    } + +    /// Get the frequency in gigahertz +    pub fn as_ghz(&self) -> c_ulong { +        self.0 / 1_000_000_000 +    } +} + +impl From<Hertz> for c_ulong { +    fn from(freq: Hertz) -> Self { +        freq.0 +    } +} + +#[cfg(CONFIG_COMMON_CLK)] +mod common_clk { +    use super::Hertz; +    use crate::{ +        device::Device, +        error::{from_err_ptr, to_result, Result}, +        prelude::*, +    }; + +    use core::{ops::Deref, ptr}; + +    /// A reference-counted clock. +    /// +    /// Rust abstraction for the C [`struct clk`]. +    /// +    /// # Invariants +    /// +    /// A [`Clk`] instance holds either a pointer to a valid [`struct clk`] created by the C +    /// portion of the kernel or a NULL pointer. +    /// +    /// Instances of this type are reference-counted. Calling [`Clk::get`] ensures that the +    /// allocation remains valid for the lifetime of the [`Clk`]. +    /// +    /// ## Examples +    /// +    /// The following example demonstrates how to obtain and configure a clock for a device. +    /// +    /// ``` +    /// use kernel::c_str; +    /// use kernel::clk::{Clk, Hertz}; +    /// use kernel::device::Device; +    /// use kernel::error::Result; +    /// +    /// fn configure_clk(dev: &Device) -> Result { +    ///     let clk = Clk::get(dev, Some(c_str!("apb_clk")))?; +    /// +    ///     clk.prepare_enable()?; +    /// +    ///     let expected_rate = Hertz::from_ghz(1); +    /// +    ///     if clk.rate() != expected_rate { +    ///         clk.set_rate(expected_rate)?; +    ///     } +    /// +    ///     clk.disable_unprepare(); +    ///     Ok(()) +    /// } +    /// ``` +    /// +    /// [`struct clk`]: https://docs.kernel.org/driver-api/clk.html +    #[repr(transparent)] +    pub struct Clk(*mut bindings::clk); + +    impl Clk { +        /// Gets [`Clk`] corresponding to a [`Device`] and a connection id. +        /// +        /// Equivalent to the kernel's [`clk_get`] API. +        /// +        /// [`clk_get`]: https://docs.kernel.org/core-api/kernel-api.html#c.clk_get +        pub fn get(dev: &Device, name: Option<&CStr>) -> Result<Self> { +            let con_id = if let Some(name) = name { +                name.as_ptr() +            } else { +                ptr::null() +            }; + +            // SAFETY: It is safe to call [`clk_get`] for a valid device pointer. +            // +            // INVARIANT: The reference-count is decremented when [`Clk`] goes out of scope. +            Ok(Self(from_err_ptr(unsafe { +                bindings::clk_get(dev.as_raw(), con_id) +            })?)) +        } + +        /// Obtain the raw [`struct clk`] pointer. +        #[inline] +        pub fn as_raw(&self) -> *mut bindings::clk { +            self.0 +        } + +        /// Enable the clock. +        /// +        /// Equivalent to the kernel's [`clk_enable`] API. +        /// +        /// [`clk_enable`]: https://docs.kernel.org/core-api/kernel-api.html#c.clk_enable +        #[inline] +        pub fn enable(&self) -> Result { +            // SAFETY: By the type invariants, self.as_raw() is a valid argument for +            // [`clk_enable`]. +            to_result(unsafe { bindings::clk_enable(self.as_raw()) }) +        } + +        /// Disable the clock. +        /// +        /// Equivalent to the kernel's [`clk_disable`] API. +        /// +        /// [`clk_disable`]: https://docs.kernel.org/core-api/kernel-api.html#c.clk_disable +        #[inline] +        pub fn disable(&self) { +            // SAFETY: By the type invariants, self.as_raw() is a valid argument for +            // [`clk_disable`]. +            unsafe { bindings::clk_disable(self.as_raw()) }; +        } + +        /// Prepare the clock. +        /// +        /// Equivalent to the kernel's [`clk_prepare`] API. +        /// +        /// [`clk_prepare`]: https://docs.kernel.org/core-api/kernel-api.html#c.clk_prepare +        #[inline] +        pub fn prepare(&self) -> Result { +            // SAFETY: By the type invariants, self.as_raw() is a valid argument for +            // [`clk_prepare`]. +            to_result(unsafe { bindings::clk_prepare(self.as_raw()) }) +        } + +        /// Unprepare the clock. +        /// +        /// Equivalent to the kernel's [`clk_unprepare`] API. +        /// +        /// [`clk_unprepare`]: https://docs.kernel.org/core-api/kernel-api.html#c.clk_unprepare +        #[inline] +        pub fn unprepare(&self) { +            // SAFETY: By the type invariants, self.as_raw() is a valid argument for +            // [`clk_unprepare`]. +            unsafe { bindings::clk_unprepare(self.as_raw()) }; +        } + +        /// Prepare and enable the clock. +        /// +        /// Equivalent to calling [`Clk::prepare`] followed by [`Clk::enable`]. +        #[inline] +        pub fn prepare_enable(&self) -> Result { +            // SAFETY: By the type invariants, self.as_raw() is a valid argument for +            // [`clk_prepare_enable`]. +            to_result(unsafe { bindings::clk_prepare_enable(self.as_raw()) }) +        } + +        /// Disable and unprepare the clock. +        /// +        /// Equivalent to calling [`Clk::disable`] followed by [`Clk::unprepare`]. +        #[inline] +        pub fn disable_unprepare(&self) { +            // SAFETY: By the type invariants, self.as_raw() is a valid argument for +            // [`clk_disable_unprepare`]. +            unsafe { bindings::clk_disable_unprepare(self.as_raw()) }; +        } + +        /// Get clock's rate. +        /// +        /// Equivalent to the kernel's [`clk_get_rate`] API. +        /// +        /// [`clk_get_rate`]: https://docs.kernel.org/core-api/kernel-api.html#c.clk_get_rate +        #[inline] +        pub fn rate(&self) -> Hertz { +            // SAFETY: By the type invariants, self.as_raw() is a valid argument for +            // [`clk_get_rate`]. +            Hertz(unsafe { bindings::clk_get_rate(self.as_raw()) }) +        } + +        /// Set clock's rate. +        /// +        /// Equivalent to the kernel's [`clk_set_rate`] API. +        /// +        /// [`clk_set_rate`]: https://docs.kernel.org/core-api/kernel-api.html#c.clk_set_rate +        #[inline] +        pub fn set_rate(&self, rate: Hertz) -> Result { +            // SAFETY: By the type invariants, self.as_raw() is a valid argument for +            // [`clk_set_rate`]. +            to_result(unsafe { bindings::clk_set_rate(self.as_raw(), rate.as_hz()) }) +        } +    } + +    impl Drop for Clk { +        fn drop(&mut self) { +            // SAFETY: By the type invariants, self.as_raw() is a valid argument for [`clk_put`]. +            unsafe { bindings::clk_put(self.as_raw()) }; +        } +    } + +    /// A reference-counted optional clock. +    /// +    /// A lightweight wrapper around an optional [`Clk`]. An [`OptionalClk`] represents a [`Clk`] +    /// that a driver can function without but may improve performance or enable additional +    /// features when available. +    /// +    /// # Invariants +    /// +    /// An [`OptionalClk`] instance encapsulates a [`Clk`] with either a valid [`struct clk`] or +    /// `NULL` pointer. +    /// +    /// Instances of this type are reference-counted. Calling [`OptionalClk::get`] ensures that the +    /// allocation remains valid for the lifetime of the [`OptionalClk`]. +    /// +    /// ## Examples +    /// +    /// The following example demonstrates how to obtain and configure an optional clock for a +    /// device. The code functions correctly whether or not the clock is available. +    /// +    /// ``` +    /// use kernel::c_str; +    /// use kernel::clk::{OptionalClk, Hertz}; +    /// use kernel::device::Device; +    /// use kernel::error::Result; +    /// +    /// fn configure_clk(dev: &Device) -> Result { +    ///     let clk = OptionalClk::get(dev, Some(c_str!("apb_clk")))?; +    /// +    ///     clk.prepare_enable()?; +    /// +    ///     let expected_rate = Hertz::from_ghz(1); +    /// +    ///     if clk.rate() != expected_rate { +    ///         clk.set_rate(expected_rate)?; +    ///     } +    /// +    ///     clk.disable_unprepare(); +    ///     Ok(()) +    /// } +    /// ``` +    /// +    /// [`struct clk`]: https://docs.kernel.org/driver-api/clk.html +    pub struct OptionalClk(Clk); + +    impl OptionalClk { +        /// Gets [`OptionalClk`] corresponding to a [`Device`] and a connection id. +        /// +        /// Equivalent to the kernel's [`clk_get_optional`] API. +        /// +        /// [`clk_get_optional`]: +        /// https://docs.kernel.org/core-api/kernel-api.html#c.clk_get_optional +        pub fn get(dev: &Device, name: Option<&CStr>) -> Result<Self> { +            let con_id = if let Some(name) = name { +                name.as_ptr() +            } else { +                ptr::null() +            }; + +            // SAFETY: It is safe to call [`clk_get_optional`] for a valid device pointer. +            // +            // INVARIANT: The reference-count is decremented when [`OptionalClk`] goes out of +            // scope. +            Ok(Self(Clk(from_err_ptr(unsafe { +                bindings::clk_get_optional(dev.as_raw(), con_id) +            })?))) +        } +    } + +    // Make [`OptionalClk`] behave like [`Clk`]. +    impl Deref for OptionalClk { +        type Target = Clk; + +        fn deref(&self) -> &Clk { +            &self.0 +        } +    } +} + +#[cfg(CONFIG_COMMON_CLK)] +pub use common_clk::*; diff --git a/rust/kernel/configfs.rs b/rust/kernel/configfs.rs new file mode 100644 index 000000000000..34d0bea4f9a5 --- /dev/null +++ b/rust/kernel/configfs.rs @@ -0,0 +1,1049 @@ +// SPDX-License-Identifier: GPL-2.0 + +//! configfs interface: Userspace-driven Kernel Object Configuration +//! +//! configfs is an in-memory pseudo file system for configuration of kernel +//! modules. Please see the [C documentation] for details and intended use of +//! configfs. +//! +//! This module does not support the following configfs features: +//! +//! - Items. All group children are groups. +//! - Symlink support. +//! - `disconnect_notify` hook. +//! - Default groups. +//! +//! See the [`rust_configfs.rs`] sample for a full example use of this module. +//! +//! C header: [`include/linux/configfs.h`](srctree/include/linux/configfs.h) +//! +//! # Example +//! +//! ```ignore +//! use kernel::alloc::flags; +//! use kernel::c_str; +//! use kernel::configfs_attrs; +//! use kernel::configfs; +//! use kernel::new_mutex; +//! use kernel::page::PAGE_SIZE; +//! use kernel::sync::Mutex; +//! use kernel::ThisModule; +//! +//! #[pin_data] +//! struct RustConfigfs { +//!     #[pin] +//!     config: configfs::Subsystem<Configuration>, +//! } +//! +//! impl kernel::InPlaceModule for RustConfigfs { +//!     fn init(_module: &'static ThisModule) -> impl PinInit<Self, Error> { +//!         pr_info!("Rust configfs sample (init)\n"); +//! +//!         let item_type = configfs_attrs! { +//!             container: configfs::Subsystem<Configuration>, +//!             data: Configuration, +//!             attributes: [ +//!                 message: 0, +//!                 bar: 1, +//!             ], +//!         }; +//! +//!         try_pin_init!(Self { +//!             config <- configfs::Subsystem::new( +//!                 c_str!("rust_configfs"), item_type, Configuration::new() +//!             ), +//!         }) +//!     } +//! } +//! +//! #[pin_data] +//! struct Configuration { +//!     message: &'static CStr, +//!     #[pin] +//!     bar: Mutex<(KBox<[u8; PAGE_SIZE]>, usize)>, +//! } +//! +//! impl Configuration { +//!     fn new() -> impl PinInit<Self, Error> { +//!         try_pin_init!(Self { +//!             message: c_str!("Hello World\n"), +//!             bar <- new_mutex!((KBox::new([0; PAGE_SIZE], flags::GFP_KERNEL)?, 0)), +//!         }) +//!     } +//! } +//! +//! #[vtable] +//! impl configfs::AttributeOperations<0> for Configuration { +//!     type Data = Configuration; +//! +//!     fn show(container: &Configuration, page: &mut [u8; PAGE_SIZE]) -> Result<usize> { +//!         pr_info!("Show message\n"); +//!         let data = container.message; +//!         page[0..data.len()].copy_from_slice(data); +//!         Ok(data.len()) +//!     } +//! } +//! +//! #[vtable] +//! impl configfs::AttributeOperations<1> for Configuration { +//!     type Data = Configuration; +//! +//!     fn show(container: &Configuration, page: &mut [u8; PAGE_SIZE]) -> Result<usize> { +//!         pr_info!("Show bar\n"); +//!         let guard = container.bar.lock(); +//!         let data = guard.0.as_slice(); +//!         let len = guard.1; +//!         page[0..len].copy_from_slice(&data[0..len]); +//!         Ok(len) +//!     } +//! +//!     fn store(container: &Configuration, page: &[u8]) -> Result { +//!         pr_info!("Store bar\n"); +//!         let mut guard = container.bar.lock(); +//!         guard.0[0..page.len()].copy_from_slice(page); +//!         guard.1 = page.len(); +//!         Ok(()) +//!     } +//! } +//! ``` +//! +//! [C documentation]: srctree/Documentation/filesystems/configfs.rst +//! [`rust_configfs.rs`]: srctree/samples/rust/rust_configfs.rs + +use crate::alloc::flags; +use crate::container_of; +use crate::page::PAGE_SIZE; +use crate::prelude::*; +use crate::str::CString; +use crate::sync::Arc; +use crate::sync::ArcBorrow; +use crate::types::Opaque; +use core::cell::UnsafeCell; +use core::marker::PhantomData; + +/// A configfs subsystem. +/// +/// This is the top level entrypoint for a configfs hierarchy. To register +/// with configfs, embed a field of this type into your kernel module struct. +#[pin_data(PinnedDrop)] +pub struct Subsystem<Data> { +    #[pin] +    subsystem: Opaque<bindings::configfs_subsystem>, +    #[pin] +    data: Data, +} + +// SAFETY: We do not provide any operations on `Subsystem`. +unsafe impl<Data> Sync for Subsystem<Data> {} + +// SAFETY: Ownership of `Subsystem` can safely be transferred to other threads. +unsafe impl<Data> Send for Subsystem<Data> {} + +impl<Data> Subsystem<Data> { +    /// Create an initializer for a [`Subsystem`]. +    /// +    /// The subsystem will appear in configfs as a directory name given by +    /// `name`. The attributes available in directory are specified by +    /// `item_type`. +    pub fn new( +        name: &'static CStr, +        item_type: &'static ItemType<Subsystem<Data>, Data>, +        data: impl PinInit<Data, Error>, +    ) -> impl PinInit<Self, Error> { +        try_pin_init!(Self { +            subsystem <- pin_init::zeroed().chain( +                |place: &mut Opaque<bindings::configfs_subsystem>| { +                    // SAFETY: We initialized the required fields of `place.group` above. +                    unsafe { +                        bindings::config_group_init_type_name( +                            &mut (*place.get()).su_group, +                            name.as_ptr(), +                            item_type.as_ptr(), +                        ) +                    }; + +                    // SAFETY: `place.su_mutex` is valid for use as a mutex. +                    unsafe { +                        bindings::__mutex_init( +                            &mut (*place.get()).su_mutex, +                            kernel::optional_name!().as_char_ptr(), +                            kernel::static_lock_class!().as_ptr(), +                        ) +                    } +                    Ok(()) +                } +            ), +            data <- data, +        }) +        .pin_chain(|this| { +            crate::error::to_result( +                // SAFETY: We initialized `this.subsystem` according to C API contract above. +                unsafe { bindings::configfs_register_subsystem(this.subsystem.get()) }, +            ) +        }) +    } +} + +#[pinned_drop] +impl<Data> PinnedDrop for Subsystem<Data> { +    fn drop(self: Pin<&mut Self>) { +        // SAFETY: We registered `self.subsystem` in the initializer returned by `Self::new`. +        unsafe { bindings::configfs_unregister_subsystem(self.subsystem.get()) }; +        // SAFETY: We initialized the mutex in `Subsystem::new`. +        unsafe { bindings::mutex_destroy(&raw mut (*self.subsystem.get()).su_mutex) }; +    } +} + +/// Trait that allows offset calculations for structs that embed a +/// `bindings::config_group`. +/// +/// Users of the configfs API should not need to implement this trait. +/// +/// # Safety +/// +/// - Implementers of this trait must embed a `bindings::config_group`. +/// - Methods must be implemented according to method documentation. +pub unsafe trait HasGroup<Data> { +    /// Return the address of the `bindings::config_group` embedded in [`Self`]. +    /// +    /// # Safety +    /// +    /// - `this` must be a valid allocation of at least the size of [`Self`]. +    unsafe fn group(this: *const Self) -> *const bindings::config_group; + +    /// Return the address of the [`Self`] that `group` is embedded in. +    /// +    /// # Safety +    /// +    /// - `group` must point to the `bindings::config_group` that is embedded in +    ///   [`Self`]. +    unsafe fn container_of(group: *const bindings::config_group) -> *const Self; +} + +// SAFETY: `Subsystem<Data>` embeds a field of type `bindings::config_group` +// within the `subsystem` field. +unsafe impl<Data> HasGroup<Data> for Subsystem<Data> { +    unsafe fn group(this: *const Self) -> *const bindings::config_group { +        // SAFETY: By impl and function safety requirement this projection is in bounds. +        unsafe { &raw const (*(*this).subsystem.get()).su_group } +    } + +    unsafe fn container_of(group: *const bindings::config_group) -> *const Self { +        // SAFETY: By impl and function safety requirement this projection is in bounds. +        let c_subsys_ptr = unsafe { container_of!(group, bindings::configfs_subsystem, su_group) }; +        let opaque_ptr = c_subsys_ptr.cast::<Opaque<bindings::configfs_subsystem>>(); +        // SAFETY: By impl and function safety requirement, `opaque_ptr` and the +        // pointer it returns, are within the same allocation. +        unsafe { container_of!(opaque_ptr, Subsystem<Data>, subsystem) } +    } +} + +/// A configfs group. +/// +/// To add a subgroup to configfs, pass this type as `ctype` to +/// [`crate::configfs_attrs`] when creating a group in [`GroupOperations::make_group`]. +#[pin_data] +pub struct Group<Data> { +    #[pin] +    group: Opaque<bindings::config_group>, +    #[pin] +    data: Data, +} + +impl<Data> Group<Data> { +    /// Create an initializer for a new group. +    /// +    /// When instantiated, the group will appear as a directory with the name +    /// given by `name` and it will contain attributes specified by `item_type`. +    pub fn new( +        name: CString, +        item_type: &'static ItemType<Group<Data>, Data>, +        data: impl PinInit<Data, Error>, +    ) -> impl PinInit<Self, Error> { +        try_pin_init!(Self { +            group <- pin_init::zeroed().chain(|v: &mut Opaque<bindings::config_group>| { +                let place = v.get(); +                let name = name.as_bytes_with_nul().as_ptr(); +                // SAFETY: It is safe to initialize a group once it has been zeroed. +                unsafe { +                    bindings::config_group_init_type_name(place, name.cast(), item_type.as_ptr()) +                }; +                Ok(()) +            }), +            data <- data, +        }) +    } +} + +// SAFETY: `Group<Data>` embeds a field of type `bindings::config_group` +// within the `group` field. +unsafe impl<Data> HasGroup<Data> for Group<Data> { +    unsafe fn group(this: *const Self) -> *const bindings::config_group { +        Opaque::raw_get( +            // SAFETY: By impl and function safety requirements this field +            // projection is within bounds of the allocation. +            unsafe { &raw const (*this).group }, +        ) +    } + +    unsafe fn container_of(group: *const bindings::config_group) -> *const Self { +        let opaque_ptr = group.cast::<Opaque<bindings::config_group>>(); +        // SAFETY: By impl and function safety requirement, `opaque_ptr` and +        // pointer it returns will be in the same allocation. +        unsafe { container_of!(opaque_ptr, Self, group) } +    } +} + +/// # Safety +/// +/// `this` must be a valid pointer. +/// +/// If `this` does not represent the root group of a configfs subsystem, +/// `this` must be a pointer to a `bindings::config_group` embedded in a +/// `Group<Parent>`. +/// +/// Otherwise, `this` must be a pointer to a `bindings::config_group` that +/// is embedded in a `bindings::configfs_subsystem` that is embedded in a +/// `Subsystem<Parent>`. +unsafe fn get_group_data<'a, Parent>(this: *mut bindings::config_group) -> &'a Parent { +    // SAFETY: `this` is a valid pointer. +    let is_root = unsafe { (*this).cg_subsys.is_null() }; + +    if !is_root { +        // SAFETY: By C API contact,`this` was returned from a call to +        // `make_group`. The pointer is known to be embedded within a +        // `Group<Parent>`. +        unsafe { &(*Group::<Parent>::container_of(this)).data } +    } else { +        // SAFETY: By C API contract, `this` is a pointer to the +        // `bindings::config_group` field within a `Subsystem<Parent>`. +        unsafe { &(*Subsystem::container_of(this)).data } +    } +} + +struct GroupOperationsVTable<Parent, Child>(PhantomData<(Parent, Child)>); + +impl<Parent, Child> GroupOperationsVTable<Parent, Child> +where +    Parent: GroupOperations<Child = Child>, +    Child: 'static, +{ +    /// # Safety +    /// +    /// `this` must be a valid pointer. +    /// +    /// If `this` does not represent the root group of a configfs subsystem, +    /// `this` must be a pointer to a `bindings::config_group` embedded in a +    /// `Group<Parent>`. +    /// +    /// Otherwise, `this` must be a pointer to a `bindings::config_group` that +    /// is embedded in a `bindings::configfs_subsystem` that is embedded in a +    /// `Subsystem<Parent>`. +    /// +    /// `name` must point to a null terminated string. +    unsafe extern "C" fn make_group( +        this: *mut bindings::config_group, +        name: *const kernel::ffi::c_char, +    ) -> *mut bindings::config_group { +        // SAFETY: By function safety requirements of this function, this call +        // is safe. +        let parent_data = unsafe { get_group_data(this) }; + +        let group_init = match Parent::make_group( +            parent_data, +            // SAFETY: By function safety requirements, name points to a null +            // terminated string. +            unsafe { CStr::from_char_ptr(name) }, +        ) { +            Ok(init) => init, +            Err(e) => return e.to_ptr(), +        }; + +        let child_group = <Arc<Group<Child>> as InPlaceInit<Group<Child>>>::try_pin_init( +            group_init, +            flags::GFP_KERNEL, +        ); + +        match child_group { +            Ok(child_group) => { +                let child_group_ptr = child_group.into_raw(); +                // SAFETY: We allocated the pointee of `child_ptr` above as a +                // `Group<Child>`. +                unsafe { Group::<Child>::group(child_group_ptr) }.cast_mut() +            } +            Err(e) => e.to_ptr(), +        } +    } + +    /// # Safety +    /// +    /// If `this` does not represent the root group of a configfs subsystem, +    /// `this` must be a pointer to a `bindings::config_group` embedded in a +    /// `Group<Parent>`. +    /// +    /// Otherwise, `this` must be a pointer to a `bindings::config_group` that +    /// is embedded in a `bindings::configfs_subsystem` that is embedded in a +    /// `Subsystem<Parent>`. +    /// +    /// `item` must point to a `bindings::config_item` within a +    /// `bindings::config_group` within a `Group<Child>`. +    unsafe extern "C" fn drop_item( +        this: *mut bindings::config_group, +        item: *mut bindings::config_item, +    ) { +        // SAFETY: By function safety requirements of this function, this call +        // is safe. +        let parent_data = unsafe { get_group_data(this) }; + +        // SAFETY: By function safety requirements, `item` is embedded in a +        // `config_group`. +        let c_child_group_ptr = unsafe { container_of!(item, bindings::config_group, cg_item) }; +        // SAFETY: By function safety requirements, `c_child_group_ptr` is +        // embedded within a `Group<Child>`. +        let r_child_group_ptr = unsafe { Group::<Child>::container_of(c_child_group_ptr) }; + +        if Parent::HAS_DROP_ITEM { +            // SAFETY: We called `into_raw` to produce `r_child_group_ptr` in +            // `make_group`. +            let arc: Arc<Group<Child>> = unsafe { Arc::from_raw(r_child_group_ptr.cast_mut()) }; + +            Parent::drop_item(parent_data, arc.as_arc_borrow()); +            arc.into_raw(); +        } + +        // SAFETY: By C API contract, we are required to drop a refcount on +        // `item`. +        unsafe { bindings::config_item_put(item) }; +    } + +    const VTABLE: bindings::configfs_group_operations = bindings::configfs_group_operations { +        make_item: None, +        make_group: Some(Self::make_group), +        disconnect_notify: None, +        drop_item: Some(Self::drop_item), +        is_visible: None, +        is_bin_visible: None, +    }; + +    const fn vtable_ptr() -> *const bindings::configfs_group_operations { +        &Self::VTABLE as *const bindings::configfs_group_operations +    } +} + +struct ItemOperationsVTable<Container, Data>(PhantomData<(Container, Data)>); + +impl<Data> ItemOperationsVTable<Group<Data>, Data> +where +    Data: 'static, +{ +    /// # Safety +    /// +    /// `this` must be a pointer to a `bindings::config_group` embedded in a +    /// `Group<Parent>`. +    /// +    /// This function will destroy the pointee of `this`. The pointee of `this` +    /// must not be accessed after the function returns. +    unsafe extern "C" fn release(this: *mut bindings::config_item) { +        // SAFETY: By function safety requirements, `this` is embedded in a +        // `config_group`. +        let c_group_ptr = unsafe { kernel::container_of!(this, bindings::config_group, cg_item) }; +        // SAFETY: By function safety requirements, `c_group_ptr` is +        // embedded within a `Group<Data>`. +        let r_group_ptr = unsafe { Group::<Data>::container_of(c_group_ptr) }; + +        // SAFETY: We called `into_raw` on `r_group_ptr` in +        // `make_group`. +        let pin_self: Arc<Group<Data>> = unsafe { Arc::from_raw(r_group_ptr.cast_mut()) }; +        drop(pin_self); +    } + +    const VTABLE: bindings::configfs_item_operations = bindings::configfs_item_operations { +        release: Some(Self::release), +        allow_link: None, +        drop_link: None, +    }; + +    const fn vtable_ptr() -> *const bindings::configfs_item_operations { +        &Self::VTABLE as *const bindings::configfs_item_operations +    } +} + +impl<Data> ItemOperationsVTable<Subsystem<Data>, Data> { +    const VTABLE: bindings::configfs_item_operations = bindings::configfs_item_operations { +        release: None, +        allow_link: None, +        drop_link: None, +    }; + +    const fn vtable_ptr() -> *const bindings::configfs_item_operations { +        &Self::VTABLE as *const bindings::configfs_item_operations +    } +} + +/// Operations implemented by configfs groups that can create subgroups. +/// +/// Implement this trait on structs that embed a [`Subsystem`] or a [`Group`]. +#[vtable] +pub trait GroupOperations { +    /// The child data object type. +    /// +    /// This group will create subgroups (subdirectories) backed by this kind of +    /// object. +    type Child: 'static; + +    /// Creates a new subgroup. +    /// +    /// The kernel will call this method in response to `mkdir(2)` in the +    /// directory representing `this`. +    /// +    /// To accept the request to create a group, implementations should +    /// return an initializer of a `Group<Self::Child>`. To prevent creation, +    /// return a suitable error. +    fn make_group(&self, name: &CStr) -> Result<impl PinInit<Group<Self::Child>, Error>>; + +    /// Prepares the group for removal from configfs. +    /// +    /// The kernel will call this method before the directory representing `_child` is removed from +    /// configfs. +    /// +    /// Implementations can use this method to do house keeping before configfs drops its +    /// reference to `Child`. +    /// +    /// NOTE: "drop" in the name of this function is not related to the Rust drop term. Rather, the +    /// name is inherited from the callback name in the underlying C code. +    fn drop_item(&self, _child: ArcBorrow<'_, Group<Self::Child>>) { +        kernel::build_error!(kernel::error::VTABLE_DEFAULT_ERROR) +    } +} + +/// A configfs attribute. +/// +/// An attribute appears as a file in configfs, inside a folder that represent +/// the group that the attribute belongs to. +#[repr(transparent)] +pub struct Attribute<const ID: u64, O, Data> { +    attribute: Opaque<bindings::configfs_attribute>, +    _p: PhantomData<(O, Data)>, +} + +// SAFETY: We do not provide any operations on `Attribute`. +unsafe impl<const ID: u64, O, Data> Sync for Attribute<ID, O, Data> {} + +// SAFETY: Ownership of `Attribute` can safely be transferred to other threads. +unsafe impl<const ID: u64, O, Data> Send for Attribute<ID, O, Data> {} + +impl<const ID: u64, O, Data> Attribute<ID, O, Data> +where +    O: AttributeOperations<ID, Data = Data>, +{ +    /// # Safety +    /// +    /// `item` must be embedded in a `bindings::config_group`. +    /// +    /// If `item` does not represent the root group of a configfs subsystem, +    /// the group must be embedded in a `Group<Data>`. +    /// +    /// Otherwise, the group must be a embedded in a +    /// `bindings::configfs_subsystem` that is embedded in a `Subsystem<Data>`. +    /// +    /// `page` must point to a writable buffer of size at least [`PAGE_SIZE`]. +    unsafe extern "C" fn show( +        item: *mut bindings::config_item, +        page: *mut kernel::ffi::c_char, +    ) -> isize { +        let c_group: *mut bindings::config_group = +            // SAFETY: By function safety requirements, `item` is embedded in a +            // `config_group`. +            unsafe { container_of!(item, bindings::config_group, cg_item) }; + +        // SAFETY: The function safety requirements for this function satisfy +        // the conditions for this call. +        let data: &Data = unsafe { get_group_data(c_group) }; + +        // SAFETY: By function safety requirements, `page` is writable for `PAGE_SIZE`. +        let ret = O::show(data, unsafe { &mut *(page as *mut [u8; PAGE_SIZE]) }); + +        match ret { +            Ok(size) => size as isize, +            Err(err) => err.to_errno() as isize, +        } +    } + +    /// # Safety +    /// +    /// `item` must be embedded in a `bindings::config_group`. +    /// +    /// If `item` does not represent the root group of a configfs subsystem, +    /// the group must be embedded in a `Group<Data>`. +    /// +    /// Otherwise, the group must be a embedded in a +    /// `bindings::configfs_subsystem` that is embedded in a `Subsystem<Data>`. +    /// +    /// `page` must point to a readable buffer of size at least `size`. +    unsafe extern "C" fn store( +        item: *mut bindings::config_item, +        page: *const kernel::ffi::c_char, +        size: usize, +    ) -> isize { +        let c_group: *mut bindings::config_group = +        // SAFETY: By function safety requirements, `item` is embedded in a +        // `config_group`. +            unsafe { container_of!(item, bindings::config_group, cg_item) }; + +        // SAFETY: The function safety requirements for this function satisfy +        // the conditions for this call. +        let data: &Data = unsafe { get_group_data(c_group) }; + +        let ret = O::store( +            data, +            // SAFETY: By function safety requirements, `page` is readable +            // for at least `size`. +            unsafe { core::slice::from_raw_parts(page.cast(), size) }, +        ); + +        match ret { +            Ok(()) => size as isize, +            Err(err) => err.to_errno() as isize, +        } +    } + +    /// Create a new attribute. +    /// +    /// The attribute will appear as a file with name given by `name`. +    pub const fn new(name: &'static CStr) -> Self { +        Self { +            attribute: Opaque::new(bindings::configfs_attribute { +                ca_name: name.as_char_ptr(), +                ca_owner: core::ptr::null_mut(), +                ca_mode: 0o660, +                show: Some(Self::show), +                store: if O::HAS_STORE { +                    Some(Self::store) +                } else { +                    None +                }, +            }), +            _p: PhantomData, +        } +    } +} + +/// Operations supported by an attribute. +/// +/// Implement this trait on type and pass that type as generic parameter when +/// creating an [`Attribute`]. The type carrying the implementation serve no +/// purpose other than specifying the attribute operations. +/// +/// This trait must be implemented on the `Data` type of for types that +/// implement `HasGroup<Data>`. The trait must be implemented once for each +/// attribute of the group. The constant type parameter `ID` maps the +/// implementation to a specific `Attribute`. `ID` must be passed when declaring +/// attributes via the [`kernel::configfs_attrs`] macro, to tie +/// `AttributeOperations` implementations to concrete named attributes. +#[vtable] +pub trait AttributeOperations<const ID: u64 = 0> { +    /// The type of the object that contains the field that is backing the +    /// attribute for this operation. +    type Data; + +    /// Renders the value of an attribute. +    /// +    /// This function is called by the kernel to read the value of an attribute. +    /// +    /// Implementations should write the rendering of the attribute to `page` +    /// and return the number of bytes written. +    fn show(data: &Self::Data, page: &mut [u8; PAGE_SIZE]) -> Result<usize>; + +    /// Stores the value of an attribute. +    /// +    /// This function is called by the kernel to update the value of an attribute. +    /// +    /// Implementations should parse the value from `page` and update internal +    /// state to reflect the parsed value. +    fn store(_data: &Self::Data, _page: &[u8]) -> Result { +        kernel::build_error!(kernel::error::VTABLE_DEFAULT_ERROR) +    } +} + +/// A list of attributes. +/// +/// This type is used to construct a new [`ItemType`]. It represents a list of +/// [`Attribute`] that will appear in the directory representing a [`Group`]. +/// Users should not directly instantiate this type, rather they should use the +/// [`kernel::configfs_attrs`] macro to declare a static set of attributes for a +/// group. +/// +/// # Note +/// +/// Instances of this type are constructed statically at compile by the +/// [`kernel::configfs_attrs`] macro. +#[repr(transparent)] +pub struct AttributeList<const N: usize, Data>( +    /// Null terminated Array of pointers to [`Attribute`]. The type is [`c_void`] +    /// to conform to the C API. +    UnsafeCell<[*mut kernel::ffi::c_void; N]>, +    PhantomData<Data>, +); + +// SAFETY: Ownership of `AttributeList` can safely be transferred to other threads. +unsafe impl<const N: usize, Data> Send for AttributeList<N, Data> {} + +// SAFETY: We do not provide any operations on `AttributeList` that need synchronization. +unsafe impl<const N: usize, Data> Sync for AttributeList<N, Data> {} + +impl<const N: usize, Data> AttributeList<N, Data> { +    /// # Safety +    /// +    /// This function must only be called by the [`kernel::configfs_attrs`] +    /// macro. +    #[doc(hidden)] +    pub const unsafe fn new() -> Self { +        Self(UnsafeCell::new([core::ptr::null_mut(); N]), PhantomData) +    } + +    /// # Safety +    /// +    /// The caller must ensure that there are no other concurrent accesses to +    /// `self`. That is, the caller has exclusive access to `self.` +    #[doc(hidden)] +    pub const unsafe fn add<const I: usize, const ID: u64, O>( +        &'static self, +        attribute: &'static Attribute<ID, O, Data>, +    ) where +        O: AttributeOperations<ID, Data = Data>, +    { +        // We need a space at the end of our list for a null terminator. +        const { assert!(I < N - 1, "Invalid attribute index") }; + +        // SAFETY: By function safety requirements, we have exclusive access to +        // `self` and the reference created below will be exclusive. +        unsafe { +            (&mut *self.0.get())[I] = (attribute as *const Attribute<ID, O, Data>) +                .cast_mut() +                .cast() +        }; +    } +} + +/// A representation of the attributes that will appear in a [`Group`] or +/// [`Subsystem`]. +/// +/// Users should not directly instantiate objects of this type. Rather, they +/// should use the [`kernel::configfs_attrs`] macro to statically declare the +/// shape of a [`Group`] or [`Subsystem`]. +#[pin_data] +pub struct ItemType<Container, Data> { +    #[pin] +    item_type: Opaque<bindings::config_item_type>, +    _p: PhantomData<(Container, Data)>, +} + +// SAFETY: We do not provide any operations on `ItemType` that need synchronization. +unsafe impl<Container, Data> Sync for ItemType<Container, Data> {} + +// SAFETY: Ownership of `ItemType` can safely be transferred to other threads. +unsafe impl<Container, Data> Send for ItemType<Container, Data> {} + +macro_rules! impl_item_type { +    ($tpe:ty) => { +        impl<Data> ItemType<$tpe, Data> { +            #[doc(hidden)] +            pub const fn new_with_child_ctor<const N: usize, Child>( +                owner: &'static ThisModule, +                attributes: &'static AttributeList<N, Data>, +            ) -> Self +            where +                Data: GroupOperations<Child = Child>, +                Child: 'static, +            { +                Self { +                    item_type: Opaque::new(bindings::config_item_type { +                        ct_owner: owner.as_ptr(), +                        ct_group_ops: GroupOperationsVTable::<Data, Child>::vtable_ptr().cast_mut(), +                        ct_item_ops: ItemOperationsVTable::<$tpe, Data>::vtable_ptr().cast_mut(), +                        ct_attrs: (attributes as *const AttributeList<N, Data>) +                            .cast_mut() +                            .cast(), +                        ct_bin_attrs: core::ptr::null_mut(), +                    }), +                    _p: PhantomData, +                } +            } + +            #[doc(hidden)] +            pub const fn new<const N: usize>( +                owner: &'static ThisModule, +                attributes: &'static AttributeList<N, Data>, +            ) -> Self { +                Self { +                    item_type: Opaque::new(bindings::config_item_type { +                        ct_owner: owner.as_ptr(), +                        ct_group_ops: core::ptr::null_mut(), +                        ct_item_ops: ItemOperationsVTable::<$tpe, Data>::vtable_ptr().cast_mut(), +                        ct_attrs: (attributes as *const AttributeList<N, Data>) +                            .cast_mut() +                            .cast(), +                        ct_bin_attrs: core::ptr::null_mut(), +                    }), +                    _p: PhantomData, +                } +            } +        } +    }; +} + +impl_item_type!(Subsystem<Data>); +impl_item_type!(Group<Data>); + +impl<Container, Data> ItemType<Container, Data> { +    fn as_ptr(&self) -> *const bindings::config_item_type { +        self.item_type.get() +    } +} + +/// Define a list of configfs attributes statically. +/// +/// Invoking the macro in the following manner: +/// +/// ```ignore +/// let item_type = configfs_attrs! { +///     container: configfs::Subsystem<Configuration>, +///     data: Configuration, +///     child: Child, +///     attributes: [ +///         message: 0, +///         bar: 1, +///     ], +/// }; +/// ``` +/// +/// Expands the following output: +/// +/// ```ignore +/// let item_type = { +///     static CONFIGURATION_MESSAGE_ATTR: kernel::configfs::Attribute< +///         0, +///         Configuration, +///         Configuration, +///     > = unsafe { +///         kernel::configfs::Attribute::new({ +///             const S: &str = "message\u{0}"; +///             const C: &kernel::str::CStr = match kernel::str::CStr::from_bytes_with_nul( +///                 S.as_bytes() +///             ) { +///                 Ok(v) => v, +///                 Err(_) => { +///                     core::panicking::panic_fmt(core::const_format_args!( +///                         "string contains interior NUL" +///                     )); +///                 } +///             }; +///             C +///         }) +///     }; +/// +///     static CONFIGURATION_BAR_ATTR: kernel::configfs::Attribute< +///             1, +///             Configuration, +///             Configuration +///     > = unsafe { +///         kernel::configfs::Attribute::new({ +///             const S: &str = "bar\u{0}"; +///             const C: &kernel::str::CStr = match kernel::str::CStr::from_bytes_with_nul( +///                 S.as_bytes() +///             ) { +///                 Ok(v) => v, +///                 Err(_) => { +///                     core::panicking::panic_fmt(core::const_format_args!( +///                         "string contains interior NUL" +///                     )); +///                 } +///             }; +///             C +///         }) +///     }; +/// +///     const N: usize = (1usize + (1usize + 0usize)) + 1usize; +/// +///     static CONFIGURATION_ATTRS: kernel::configfs::AttributeList<N, Configuration> = +///         unsafe { kernel::configfs::AttributeList::new() }; +/// +///     { +///         const N: usize = 0usize; +///         unsafe { CONFIGURATION_ATTRS.add::<N, 0, _>(&CONFIGURATION_MESSAGE_ATTR) }; +///     } +/// +///     { +///         const N: usize = (1usize + 0usize); +///         unsafe { CONFIGURATION_ATTRS.add::<N, 1, _>(&CONFIGURATION_BAR_ATTR) }; +///     } +/// +///     static CONFIGURATION_TPE: +///       kernel::configfs::ItemType<configfs::Subsystem<Configuration> ,Configuration> +///         = kernel::configfs::ItemType::< +///                 configfs::Subsystem<Configuration>, +///                 Configuration +///                 >::new_with_child_ctor::<N,Child>( +///             &THIS_MODULE, +///             &CONFIGURATION_ATTRS +///         ); +/// +///     &CONFIGURATION_TPE +/// } +/// ``` +#[macro_export] +macro_rules! configfs_attrs { +    ( +        container: $container:ty, +        data: $data:ty, +        attributes: [ +            $($name:ident: $attr:literal),* $(,)? +        ] $(,)? +    ) => { +        $crate::configfs_attrs!( +            count: +            @container($container), +            @data($data), +            @child(), +            @no_child(x), +            @attrs($($name $attr)*), +            @eat($($name $attr,)*), +            @assign(), +            @cnt(0usize), +        ) +    }; +    ( +        container: $container:ty, +        data: $data:ty, +        child: $child:ty, +        attributes: [ +            $($name:ident: $attr:literal),* $(,)? +        ] $(,)? +    ) => { +        $crate::configfs_attrs!( +            count: +            @container($container), +            @data($data), +            @child($child), +            @no_child(), +            @attrs($($name $attr)*), +            @eat($($name $attr,)*), +            @assign(), +            @cnt(0usize), +        ) +    }; +    (count: +     @container($container:ty), +     @data($data:ty), +     @child($($child:ty)?), +     @no_child($($no_child:ident)?), +     @attrs($($aname:ident $aattr:literal)*), +     @eat($name:ident $attr:literal, $($rname:ident $rattr:literal,)*), +     @assign($($assign:block)*), +     @cnt($cnt:expr), +    ) => { +        $crate::configfs_attrs!( +            count: +            @container($container), +            @data($data), +            @child($($child)?), +            @no_child($($no_child)?), +            @attrs($($aname $aattr)*), +            @eat($($rname $rattr,)*), +            @assign($($assign)* { +                const N: usize = $cnt; +                // The following macro text expands to a call to `Attribute::add`. + +                // SAFETY: By design of this macro, the name of the variable we +                // invoke the `add` method on below, is not visible outside of +                // the macro expansion. The macro does not operate concurrently +                // on this variable, and thus we have exclusive access to the +                // variable. +                unsafe { +                    $crate::macros::paste!( +                        [< $data:upper _ATTRS >] +                            .add::<N, $attr, _>(&[< $data:upper _ $name:upper _ATTR >]) +                    ) +                }; +            }), +            @cnt(1usize + $cnt), +        ) +    }; +    (count: +     @container($container:ty), +     @data($data:ty), +     @child($($child:ty)?), +     @no_child($($no_child:ident)?), +     @attrs($($aname:ident $aattr:literal)*), +     @eat(), +     @assign($($assign:block)*), +     @cnt($cnt:expr), +    ) => +    { +        $crate::configfs_attrs!( +            final: +            @container($container), +            @data($data), +            @child($($child)?), +            @no_child($($no_child)?), +            @attrs($($aname $aattr)*), +            @assign($($assign)*), +            @cnt($cnt), +        ) +    }; +    (final: +     @container($container:ty), +     @data($data:ty), +     @child($($child:ty)?), +     @no_child($($no_child:ident)?), +     @attrs($($name:ident $attr:literal)*), +     @assign($($assign:block)*), +     @cnt($cnt:expr), +    ) => +    { +        $crate::macros::paste!{ +            { +                $( +                    // SAFETY: We are expanding `configfs_attrs`. +                    static [< $data:upper _ $name:upper _ATTR >]: +                        $crate::configfs::Attribute<$attr, $data, $data> = +                            unsafe { +                                $crate::configfs::Attribute::new(c_str!(::core::stringify!($name))) +                            }; +                )* + + +                // We need space for a null terminator. +                const N: usize = $cnt + 1usize; + +                // SAFETY: We are expanding `configfs_attrs`. +                static [< $data:upper _ATTRS >]: +                $crate::configfs::AttributeList<N, $data> = +                    unsafe { $crate::configfs::AttributeList::new() }; + +                $($assign)* + +                $( +                    const [<$no_child:upper>]: bool = true; + +                    static [< $data:upper _TPE >] : $crate::configfs::ItemType<$container, $data>  = +                        $crate::configfs::ItemType::<$container, $data>::new::<N>( +                            &THIS_MODULE, &[<$ data:upper _ATTRS >] +                        ); +                )? + +                $( +                    static [< $data:upper _TPE >]: +                        $crate::configfs::ItemType<$container, $data>  = +                            $crate::configfs::ItemType::<$container, $data>:: +                            new_with_child_ctor::<N, $child>( +                                &THIS_MODULE, &[<$ data:upper _ATTRS >] +                            ); +                )? + +                & [< $data:upper _TPE >] +            } +        } +    }; + +} diff --git a/rust/kernel/cpu.rs b/rust/kernel/cpu.rs new file mode 100644 index 000000000000..10c5c3b25873 --- /dev/null +++ b/rust/kernel/cpu.rs @@ -0,0 +1,30 @@ +// SPDX-License-Identifier: GPL-2.0 + +//! Generic CPU definitions. +//! +//! C header: [`include/linux/cpu.h`](srctree/include/linux/cpu.h) + +use crate::{bindings, device::Device, error::Result, prelude::ENODEV}; + +/// Creates a new instance of CPU's device. +/// +/// # Safety +/// +/// Reference counting is not implemented for the CPU device in the C code. When a CPU is +/// hot-unplugged, the corresponding CPU device is unregistered, but its associated memory +/// is not freed. +/// +/// Callers must ensure that the CPU device is not used after it has been unregistered. +/// This can be achieved, for example, by registering a CPU hotplug notifier and removing +/// any references to the CPU device within the notifier's callback. +pub unsafe fn from_cpu(cpu: u32) -> Result<&'static Device> { +    // SAFETY: It is safe to call `get_cpu_device()` for any CPU. +    let ptr = unsafe { bindings::get_cpu_device(cpu) }; +    if ptr.is_null() { +        return Err(ENODEV); +    } + +    // SAFETY: The pointer returned by `get_cpu_device()`, if not `NULL`, is a valid pointer to +    // a `struct device` and is never freed by the C code. +    Ok(unsafe { Device::as_ref(ptr) }) +} diff --git a/rust/kernel/cpufreq.rs b/rust/kernel/cpufreq.rs new file mode 100644 index 000000000000..b0a9c6182aec --- /dev/null +++ b/rust/kernel/cpufreq.rs @@ -0,0 +1,1321 @@ +// SPDX-License-Identifier: GPL-2.0 + +//! CPU frequency scaling. +//! +//! This module provides rust abstractions for interacting with the cpufreq subsystem. +//! +//! C header: [`include/linux/cpufreq.h`](srctree/include/linux/cpufreq.h) +//! +//! Reference: <https://docs.kernel.org/admin-guide/pm/cpufreq.html> + +use crate::{ +    clk::Hertz, +    cpumask, +    device::{Bound, Device}, +    devres::Devres, +    error::{code::*, from_err_ptr, from_result, to_result, Result, VTABLE_DEFAULT_ERROR}, +    ffi::{c_char, c_ulong}, +    prelude::*, +    types::ForeignOwnable, +    types::Opaque, +}; + +#[cfg(CONFIG_COMMON_CLK)] +use crate::clk::Clk; + +use core::{ +    cell::UnsafeCell, +    marker::PhantomData, +    mem::MaybeUninit, +    ops::{Deref, DerefMut}, +    pin::Pin, +    ptr, +}; + +use macros::vtable; + +/// Maximum length of CPU frequency driver's name. +const CPUFREQ_NAME_LEN: usize = bindings::CPUFREQ_NAME_LEN as usize; + +/// Default transition latency value in nanoseconds. +pub const ETERNAL_LATENCY_NS: u32 = bindings::CPUFREQ_ETERNAL as u32; + +/// CPU frequency driver flags. +pub mod flags { +    /// Driver needs to update internal limits even if frequency remains unchanged. +    pub const NEED_UPDATE_LIMITS: u16 = 1 << 0; + +    /// Platform where constants like `loops_per_jiffy` are unaffected by frequency changes. +    pub const CONST_LOOPS: u16 = 1 << 1; + +    /// Register driver as a thermal cooling device automatically. +    pub const IS_COOLING_DEV: u16 = 1 << 2; + +    /// Supports multiple clock domains with per-policy governors in `cpu/cpuN/cpufreq/`. +    pub const HAVE_GOVERNOR_PER_POLICY: u16 = 1 << 3; + +    /// Allows post-change notifications outside of the `target()` routine. +    pub const ASYNC_NOTIFICATION: u16 = 1 << 4; + +    /// Ensure CPU starts at a valid frequency from the driver's freq-table. +    pub const NEED_INITIAL_FREQ_CHECK: u16 = 1 << 5; + +    /// Disallow governors with `dynamic_switching` capability. +    pub const NO_AUTO_DYNAMIC_SWITCHING: u16 = 1 << 6; +} + +/// Relations from the C code. +const CPUFREQ_RELATION_L: u32 = 0; +const CPUFREQ_RELATION_H: u32 = 1; +const CPUFREQ_RELATION_C: u32 = 2; + +/// Can be used with any of the above values. +const CPUFREQ_RELATION_E: u32 = 1 << 2; + +/// CPU frequency selection relations. +/// +/// CPU frequency selection relations, each optionally marked as "efficient". +#[derive(Copy, Clone, Debug, Eq, PartialEq)] +pub enum Relation { +    /// Select the lowest frequency at or above target. +    Low(bool), +    /// Select the highest frequency below or at target. +    High(bool), +    /// Select the closest frequency to the target. +    Close(bool), +} + +impl Relation { +    // Construct from a C-compatible `u32` value. +    fn new(val: u32) -> Result<Self> { +        let efficient = val & CPUFREQ_RELATION_E != 0; + +        Ok(match val & !CPUFREQ_RELATION_E { +            CPUFREQ_RELATION_L => Self::Low(efficient), +            CPUFREQ_RELATION_H => Self::High(efficient), +            CPUFREQ_RELATION_C => Self::Close(efficient), +            _ => return Err(EINVAL), +        }) +    } +} + +impl From<Relation> for u32 { +    // Convert to a C-compatible `u32` value. +    fn from(rel: Relation) -> Self { +        let (mut val, efficient) = match rel { +            Relation::Low(e) => (CPUFREQ_RELATION_L, e), +            Relation::High(e) => (CPUFREQ_RELATION_H, e), +            Relation::Close(e) => (CPUFREQ_RELATION_C, e), +        }; + +        if efficient { +            val |= CPUFREQ_RELATION_E; +        } + +        val +    } +} + +/// Policy data. +/// +/// Rust abstraction for the C `struct cpufreq_policy_data`. +/// +/// # Invariants +/// +/// A [`PolicyData`] instance always corresponds to a valid C `struct cpufreq_policy_data`. +/// +/// The callers must ensure that the `struct cpufreq_policy_data` is valid for access and remains +/// valid for the lifetime of the returned reference. +#[repr(transparent)] +pub struct PolicyData(Opaque<bindings::cpufreq_policy_data>); + +impl PolicyData { +    /// Creates a mutable reference to an existing `struct cpufreq_policy_data` pointer. +    /// +    /// # Safety +    /// +    /// The caller must ensure that `ptr` is valid for writing and remains valid for the lifetime +    /// of the returned reference. +    #[inline] +    pub unsafe fn from_raw_mut<'a>(ptr: *mut bindings::cpufreq_policy_data) -> &'a mut Self { +        // SAFETY: Guaranteed by the safety requirements of the function. +        // +        // INVARIANT: The caller ensures that `ptr` is valid for writing and remains valid for the +        // lifetime of the returned reference. +        unsafe { &mut *ptr.cast() } +    } + +    /// Returns a raw pointer to the underlying C `cpufreq_policy_data`. +    #[inline] +    pub fn as_raw(&self) -> *mut bindings::cpufreq_policy_data { +        let this: *const Self = self; +        this.cast_mut().cast() +    } + +    /// Wrapper for `cpufreq_generic_frequency_table_verify`. +    #[inline] +    pub fn generic_verify(&self) -> Result { +        // SAFETY: By the type invariant, the pointer stored in `self` is valid. +        to_result(unsafe { bindings::cpufreq_generic_frequency_table_verify(self.as_raw()) }) +    } +} + +/// The frequency table index. +/// +/// Represents index with a frequency table. +/// +/// # Invariants +/// +/// The index must correspond to a valid entry in the [`Table`] it is used for. +#[derive(Copy, Clone, PartialEq, Eq, Debug)] +pub struct TableIndex(usize); + +impl TableIndex { +    /// Creates an instance of [`TableIndex`]. +    /// +    /// # Safety +    /// +    /// The caller must ensure that `index` correspond to a valid entry in the [`Table`] it is used +    /// for. +    pub unsafe fn new(index: usize) -> Self { +        // INVARIANT: The caller ensures that `index` correspond to a valid entry in the [`Table`]. +        Self(index) +    } +} + +impl From<TableIndex> for usize { +    #[inline] +    fn from(index: TableIndex) -> Self { +        index.0 +    } +} + +/// CPU frequency table. +/// +/// Rust abstraction for the C `struct cpufreq_frequency_table`. +/// +/// # Invariants +/// +/// A [`Table`] instance always corresponds to a valid C `struct cpufreq_frequency_table`. +/// +/// The callers must ensure that the `struct cpufreq_frequency_table` is valid for access and +/// remains valid for the lifetime of the returned reference. +/// +/// ## Examples +/// +/// The following example demonstrates how to read a frequency value from [`Table`]. +/// +/// ``` +/// use kernel::cpufreq::{Policy, TableIndex}; +/// +/// fn show_freq(policy: &Policy) -> Result { +///     let table = policy.freq_table()?; +/// +///     // SAFETY: Index is a valid entry in the table. +///     let index = unsafe { TableIndex::new(0) }; +/// +///     pr_info!("The frequency at index 0 is: {:?}\n", table.freq(index)?); +///     pr_info!("The flags at index 0 is: {}\n", table.flags(index)); +///     pr_info!("The data at index 0 is: {}\n", table.data(index)); +///     Ok(()) +/// } +/// ``` +#[repr(transparent)] +pub struct Table(Opaque<bindings::cpufreq_frequency_table>); + +impl Table { +    /// Creates a reference to an existing C `struct cpufreq_frequency_table` pointer. +    /// +    /// # Safety +    /// +    /// The caller must ensure that `ptr` is valid for reading and remains valid for the lifetime +    /// of the returned reference. +    #[inline] +    pub unsafe fn from_raw<'a>(ptr: *const bindings::cpufreq_frequency_table) -> &'a Self { +        // SAFETY: Guaranteed by the safety requirements of the function. +        // +        // INVARIANT: The caller ensures that `ptr` is valid for reading and remains valid for the +        // lifetime of the returned reference. +        unsafe { &*ptr.cast() } +    } + +    /// Returns the raw mutable pointer to the C `struct cpufreq_frequency_table`. +    #[inline] +    pub fn as_raw(&self) -> *mut bindings::cpufreq_frequency_table { +        let this: *const Self = self; +        this.cast_mut().cast() +    } + +    /// Returns frequency at `index` in the [`Table`]. +    #[inline] +    pub fn freq(&self, index: TableIndex) -> Result<Hertz> { +        // SAFETY: By the type invariant, the pointer stored in `self` is valid and `index` is +        // guaranteed to be valid by its safety requirements. +        Ok(Hertz::from_khz(unsafe { +            (*self.as_raw().add(index.into())).frequency.try_into()? +        })) +    } + +    /// Returns flags at `index` in the [`Table`]. +    #[inline] +    pub fn flags(&self, index: TableIndex) -> u32 { +        // SAFETY: By the type invariant, the pointer stored in `self` is valid and `index` is +        // guaranteed to be valid by its safety requirements. +        unsafe { (*self.as_raw().add(index.into())).flags } +    } + +    /// Returns data at `index` in the [`Table`]. +    #[inline] +    pub fn data(&self, index: TableIndex) -> u32 { +        // SAFETY: By the type invariant, the pointer stored in `self` is valid and `index` is +        // guaranteed to be valid by its safety requirements. +        unsafe { (*self.as_raw().add(index.into())).driver_data } +    } +} + +/// CPU frequency table owned and pinned in memory, created from a [`TableBuilder`]. +pub struct TableBox { +    entries: Pin<KVec<bindings::cpufreq_frequency_table>>, +} + +impl TableBox { +    /// Constructs a new [`TableBox`] from a [`KVec`] of entries. +    /// +    /// # Errors +    /// +    /// Returns `EINVAL` if the entries list is empty. +    #[inline] +    fn new(entries: KVec<bindings::cpufreq_frequency_table>) -> Result<Self> { +        if entries.is_empty() { +            return Err(EINVAL); +        } + +        Ok(Self { +            // Pin the entries to memory, since we are passing its pointer to the C code. +            entries: Pin::new(entries), +        }) +    } + +    /// Returns a raw pointer to the underlying C `cpufreq_frequency_table`. +    #[inline] +    fn as_raw(&self) -> *const bindings::cpufreq_frequency_table { +        // The pointer is valid until the table gets dropped. +        self.entries.as_ptr() +    } +} + +impl Deref for TableBox { +    type Target = Table; + +    fn deref(&self) -> &Self::Target { +        // SAFETY: The caller owns TableBox, it is safe to deref. +        unsafe { Self::Target::from_raw(self.as_raw()) } +    } +} + +/// CPU frequency table builder. +/// +/// This is used by the CPU frequency drivers to build a frequency table dynamically. +/// +/// ## Examples +/// +/// The following example demonstrates how to create a CPU frequency table. +/// +/// ``` +/// use kernel::cpufreq::{TableBuilder, TableIndex}; +/// use kernel::clk::Hertz; +/// +/// let mut builder = TableBuilder::new(); +/// +/// // Adds few entries to the table. +/// builder.add(Hertz::from_mhz(700), 0, 1).unwrap(); +/// builder.add(Hertz::from_mhz(800), 2, 3).unwrap(); +/// builder.add(Hertz::from_mhz(900), 4, 5).unwrap(); +/// builder.add(Hertz::from_ghz(1), 6, 7).unwrap(); +/// +/// let table = builder.to_table().unwrap(); +/// +/// // SAFETY: Index values correspond to valid entries in the table. +/// let (index0, index2) = unsafe { (TableIndex::new(0), TableIndex::new(2)) }; +/// +/// assert_eq!(table.freq(index0), Ok(Hertz::from_mhz(700))); +/// assert_eq!(table.flags(index0), 0); +/// assert_eq!(table.data(index0), 1); +/// +/// assert_eq!(table.freq(index2), Ok(Hertz::from_mhz(900))); +/// assert_eq!(table.flags(index2), 4); +/// assert_eq!(table.data(index2), 5); +/// ``` +#[derive(Default)] +#[repr(transparent)] +pub struct TableBuilder { +    entries: KVec<bindings::cpufreq_frequency_table>, +} + +impl TableBuilder { +    /// Creates a new instance of [`TableBuilder`]. +    #[inline] +    pub fn new() -> Self { +        Self { +            entries: KVec::new(), +        } +    } + +    /// Adds a new entry to the table. +    pub fn add(&mut self, freq: Hertz, flags: u32, driver_data: u32) -> Result { +        // Adds the new entry at the end of the vector. +        Ok(self.entries.push( +            bindings::cpufreq_frequency_table { +                flags, +                driver_data, +                frequency: freq.as_khz() as u32, +            }, +            GFP_KERNEL, +        )?) +    } + +    /// Consumes the [`TableBuilder`] and returns [`TableBox`]. +    pub fn to_table(mut self) -> Result<TableBox> { +        // Add last entry to the table. +        self.add(Hertz(c_ulong::MAX), 0, 0)?; + +        TableBox::new(self.entries) +    } +} + +/// CPU frequency policy. +/// +/// Rust abstraction for the C `struct cpufreq_policy`. +/// +/// # Invariants +/// +/// A [`Policy`] instance always corresponds to a valid C `struct cpufreq_policy`. +/// +/// The callers must ensure that the `struct cpufreq_policy` is valid for access and remains valid +/// for the lifetime of the returned reference. +/// +/// ## Examples +/// +/// The following example demonstrates how to create a CPU frequency table. +/// +/// ``` +/// use kernel::cpufreq::{ETERNAL_LATENCY_NS, Policy}; +/// +/// fn update_policy(policy: &mut Policy) { +///     policy +///         .set_dvfs_possible_from_any_cpu(true) +///         .set_fast_switch_possible(true) +///         .set_transition_latency_ns(ETERNAL_LATENCY_NS); +/// +///     pr_info!("The policy details are: {:?}\n", (policy.cpu(), policy.cur())); +/// } +/// ``` +#[repr(transparent)] +pub struct Policy(Opaque<bindings::cpufreq_policy>); + +impl Policy { +    /// Creates a reference to an existing `struct cpufreq_policy` pointer. +    /// +    /// # Safety +    /// +    /// The caller must ensure that `ptr` is valid for reading and remains valid for the lifetime +    /// of the returned reference. +    #[inline] +    pub unsafe fn from_raw<'a>(ptr: *const bindings::cpufreq_policy) -> &'a Self { +        // SAFETY: Guaranteed by the safety requirements of the function. +        // +        // INVARIANT: The caller ensures that `ptr` is valid for reading and remains valid for the +        // lifetime of the returned reference. +        unsafe { &*ptr.cast() } +    } + +    /// Creates a mutable reference to an existing `struct cpufreq_policy` pointer. +    /// +    /// # Safety +    /// +    /// The caller must ensure that `ptr` is valid for writing and remains valid for the lifetime +    /// of the returned reference. +    #[inline] +    pub unsafe fn from_raw_mut<'a>(ptr: *mut bindings::cpufreq_policy) -> &'a mut Self { +        // SAFETY: Guaranteed by the safety requirements of the function. +        // +        // INVARIANT: The caller ensures that `ptr` is valid for writing and remains valid for the +        // lifetime of the returned reference. +        unsafe { &mut *ptr.cast() } +    } + +    /// Returns a raw mutable pointer to the C `struct cpufreq_policy`. +    #[inline] +    fn as_raw(&self) -> *mut bindings::cpufreq_policy { +        let this: *const Self = self; +        this.cast_mut().cast() +    } + +    #[inline] +    fn as_ref(&self) -> &bindings::cpufreq_policy { +        // SAFETY: By the type invariant, the pointer stored in `self` is valid. +        unsafe { &*self.as_raw() } +    } + +    #[inline] +    fn as_mut_ref(&mut self) -> &mut bindings::cpufreq_policy { +        // SAFETY: By the type invariant, the pointer stored in `self` is valid. +        unsafe { &mut *self.as_raw() } +    } + +    /// Returns the primary CPU for the [`Policy`]. +    #[inline] +    pub fn cpu(&self) -> u32 { +        self.as_ref().cpu +    } + +    /// Returns the minimum frequency for the [`Policy`]. +    #[inline] +    pub fn min(&self) -> Hertz { +        Hertz::from_khz(self.as_ref().min as usize) +    } + +    /// Set the minimum frequency for the [`Policy`]. +    #[inline] +    pub fn set_min(&mut self, min: Hertz) -> &mut Self { +        self.as_mut_ref().min = min.as_khz() as u32; +        self +    } + +    /// Returns the maximum frequency for the [`Policy`]. +    #[inline] +    pub fn max(&self) -> Hertz { +        Hertz::from_khz(self.as_ref().max as usize) +    } + +    /// Set the maximum frequency for the [`Policy`]. +    #[inline] +    pub fn set_max(&mut self, max: Hertz) -> &mut Self { +        self.as_mut_ref().max = max.as_khz() as u32; +        self +    } + +    /// Returns the current frequency for the [`Policy`]. +    #[inline] +    pub fn cur(&self) -> Hertz { +        Hertz::from_khz(self.as_ref().cur as usize) +    } + +    /// Returns the suspend frequency for the [`Policy`]. +    #[inline] +    pub fn suspend_freq(&self) -> Hertz { +        Hertz::from_khz(self.as_ref().suspend_freq as usize) +    } + +    /// Sets the suspend frequency for the [`Policy`]. +    #[inline] +    pub fn set_suspend_freq(&mut self, freq: Hertz) -> &mut Self { +        self.as_mut_ref().suspend_freq = freq.as_khz() as u32; +        self +    } + +    /// Provides a wrapper to the generic suspend routine. +    #[inline] +    pub fn generic_suspend(&mut self) -> Result { +        // SAFETY: By the type invariant, the pointer stored in `self` is valid. +        to_result(unsafe { bindings::cpufreq_generic_suspend(self.as_mut_ref()) }) +    } + +    /// Provides a wrapper to the generic get routine. +    #[inline] +    pub fn generic_get(&self) -> Result<u32> { +        // SAFETY: By the type invariant, the pointer stored in `self` is valid. +        Ok(unsafe { bindings::cpufreq_generic_get(self.cpu()) }) +    } + +    /// Provides a wrapper to the register with energy model using the OPP core. +    #[cfg(CONFIG_PM_OPP)] +    #[inline] +    pub fn register_em_opp(&mut self) { +        // SAFETY: By the type invariant, the pointer stored in `self` is valid. +        unsafe { bindings::cpufreq_register_em_with_opp(self.as_mut_ref()) }; +    } + +    /// Gets [`cpumask::Cpumask`] for a cpufreq [`Policy`]. +    #[inline] +    pub fn cpus(&mut self) -> &mut cpumask::Cpumask { +        // SAFETY: The pointer to `cpus` is valid for writing and remains valid for the lifetime of +        // the returned reference. +        unsafe { cpumask::CpumaskVar::as_mut_ref(&mut self.as_mut_ref().cpus) } +    } + +    /// Sets clock for the [`Policy`]. +    /// +    /// # Safety +    /// +    /// The caller must guarantee that the returned [`Clk`] is not dropped while it is getting used +    /// by the C code. +    #[cfg(CONFIG_COMMON_CLK)] +    pub unsafe fn set_clk(&mut self, dev: &Device, name: Option<&CStr>) -> Result<Clk> { +        let clk = Clk::get(dev, name)?; +        self.as_mut_ref().clk = clk.as_raw(); +        Ok(clk) +    } + +    /// Allows / disallows frequency switching code to run on any CPU. +    #[inline] +    pub fn set_dvfs_possible_from_any_cpu(&mut self, val: bool) -> &mut Self { +        self.as_mut_ref().dvfs_possible_from_any_cpu = val; +        self +    } + +    /// Returns if fast switching of frequencies is possible or not. +    #[inline] +    pub fn fast_switch_possible(&self) -> bool { +        self.as_ref().fast_switch_possible +    } + +    /// Enables / disables fast frequency switching. +    #[inline] +    pub fn set_fast_switch_possible(&mut self, val: bool) -> &mut Self { +        self.as_mut_ref().fast_switch_possible = val; +        self +    } + +    /// Sets transition latency (in nanoseconds) for the [`Policy`]. +    #[inline] +    pub fn set_transition_latency_ns(&mut self, latency_ns: u32) -> &mut Self { +        self.as_mut_ref().cpuinfo.transition_latency = latency_ns; +        self +    } + +    /// Sets cpuinfo `min_freq`. +    #[inline] +    pub fn set_cpuinfo_min_freq(&mut self, min_freq: Hertz) -> &mut Self { +        self.as_mut_ref().cpuinfo.min_freq = min_freq.as_khz() as u32; +        self +    } + +    /// Sets cpuinfo `max_freq`. +    #[inline] +    pub fn set_cpuinfo_max_freq(&mut self, max_freq: Hertz) -> &mut Self { +        self.as_mut_ref().cpuinfo.max_freq = max_freq.as_khz() as u32; +        self +    } + +    /// Set `transition_delay_us`, i.e. the minimum time between successive frequency change +    /// requests. +    #[inline] +    pub fn set_transition_delay_us(&mut self, transition_delay_us: u32) -> &mut Self { +        self.as_mut_ref().transition_delay_us = transition_delay_us; +        self +    } + +    /// Returns reference to the CPU frequency [`Table`] for the [`Policy`]. +    pub fn freq_table(&self) -> Result<&Table> { +        if self.as_ref().freq_table.is_null() { +            return Err(EINVAL); +        } + +        // SAFETY: The `freq_table` is guaranteed to be valid for reading and remains valid for the +        // lifetime of the returned reference. +        Ok(unsafe { Table::from_raw(self.as_ref().freq_table) }) +    } + +    /// Sets the CPU frequency [`Table`] for the [`Policy`]. +    /// +    /// # Safety +    /// +    /// The caller must guarantee that the [`Table`] is not dropped while it is getting used by the +    /// C code. +    #[inline] +    pub unsafe fn set_freq_table(&mut self, table: &Table) -> &mut Self { +        self.as_mut_ref().freq_table = table.as_raw(); +        self +    } + +    /// Returns the [`Policy`]'s private data. +    pub fn data<T: ForeignOwnable>(&mut self) -> Option<<T>::Borrowed<'_>> { +        if self.as_ref().driver_data.is_null() { +            None +        } else { +            // SAFETY: The data is earlier set from [`set_data`]. +            Some(unsafe { T::borrow(self.as_ref().driver_data.cast()) }) +        } +    } + +    /// Sets the private data of the [`Policy`] using a foreign-ownable wrapper. +    /// +    /// # Errors +    /// +    /// Returns `EBUSY` if private data is already set. +    fn set_data<T: ForeignOwnable>(&mut self, data: T) -> Result { +        if self.as_ref().driver_data.is_null() { +            // Transfer the ownership of the data to the foreign interface. +            self.as_mut_ref().driver_data = <T as ForeignOwnable>::into_foreign(data) as _; +            Ok(()) +        } else { +            Err(EBUSY) +        } +    } + +    /// Clears and returns ownership of the private data. +    fn clear_data<T: ForeignOwnable>(&mut self) -> Option<T> { +        if self.as_ref().driver_data.is_null() { +            None +        } else { +            let data = Some( +                // SAFETY: The data is earlier set by us from [`set_data`]. It is safe to take +                // back the ownership of the data from the foreign interface. +                unsafe { <T as ForeignOwnable>::from_foreign(self.as_ref().driver_data.cast()) }, +            ); +            self.as_mut_ref().driver_data = ptr::null_mut(); +            data +        } +    } +} + +/// CPU frequency policy created from a CPU number. +/// +/// This struct represents the CPU frequency policy obtained for a specific CPU, providing safe +/// access to the underlying `cpufreq_policy` and ensuring proper cleanup when the `PolicyCpu` is +/// dropped. +struct PolicyCpu<'a>(&'a mut Policy); + +impl<'a> PolicyCpu<'a> { +    fn from_cpu(cpu: u32) -> Result<Self> { +        // SAFETY: It is safe to call `cpufreq_cpu_get` for any valid CPU. +        let ptr = from_err_ptr(unsafe { bindings::cpufreq_cpu_get(cpu) })?; + +        Ok(Self( +            // SAFETY: The `ptr` is guaranteed to be valid and remains valid for the lifetime of +            // the returned reference. +            unsafe { Policy::from_raw_mut(ptr) }, +        )) +    } +} + +impl<'a> Deref for PolicyCpu<'a> { +    type Target = Policy; + +    fn deref(&self) -> &Self::Target { +        self.0 +    } +} + +impl<'a> DerefMut for PolicyCpu<'a> { +    fn deref_mut(&mut self) -> &mut Policy { +        self.0 +    } +} + +impl<'a> Drop for PolicyCpu<'a> { +    fn drop(&mut self) { +        // SAFETY: The underlying pointer is guaranteed to be valid for the lifetime of `self`. +        unsafe { bindings::cpufreq_cpu_put(self.0.as_raw()) }; +    } +} + +/// CPU frequency driver. +/// +/// Implement this trait to provide a CPU frequency driver and its callbacks. +/// +/// Reference: <https://docs.kernel.org/cpu-freq/cpu-drivers.html> +#[vtable] +pub trait Driver { +    /// Driver's name. +    const NAME: &'static CStr; + +    /// Driver's flags. +    const FLAGS: u16; + +    /// Boost support. +    const BOOST_ENABLED: bool; + +    /// Policy specific data. +    /// +    /// Require that `PData` implements `ForeignOwnable`. We guarantee to never move the underlying +    /// wrapped data structure. +    type PData: ForeignOwnable; + +    /// Driver's `init` callback. +    fn init(policy: &mut Policy) -> Result<Self::PData>; + +    /// Driver's `exit` callback. +    fn exit(_policy: &mut Policy, _data: Option<Self::PData>) -> Result { +        build_error!(VTABLE_DEFAULT_ERROR) +    } + +    /// Driver's `online` callback. +    fn online(_policy: &mut Policy) -> Result { +        build_error!(VTABLE_DEFAULT_ERROR) +    } + +    /// Driver's `offline` callback. +    fn offline(_policy: &mut Policy) -> Result { +        build_error!(VTABLE_DEFAULT_ERROR) +    } + +    /// Driver's `suspend` callback. +    fn suspend(_policy: &mut Policy) -> Result { +        build_error!(VTABLE_DEFAULT_ERROR) +    } + +    /// Driver's `resume` callback. +    fn resume(_policy: &mut Policy) -> Result { +        build_error!(VTABLE_DEFAULT_ERROR) +    } + +    /// Driver's `ready` callback. +    fn ready(_policy: &mut Policy) { +        build_error!(VTABLE_DEFAULT_ERROR) +    } + +    /// Driver's `verify` callback. +    fn verify(data: &mut PolicyData) -> Result; + +    /// Driver's `setpolicy` callback. +    fn setpolicy(_policy: &mut Policy) -> Result { +        build_error!(VTABLE_DEFAULT_ERROR) +    } + +    /// Driver's `target` callback. +    fn target(_policy: &mut Policy, _target_freq: u32, _relation: Relation) -> Result { +        build_error!(VTABLE_DEFAULT_ERROR) +    } + +    /// Driver's `target_index` callback. +    fn target_index(_policy: &mut Policy, _index: TableIndex) -> Result { +        build_error!(VTABLE_DEFAULT_ERROR) +    } + +    /// Driver's `fast_switch` callback. +    fn fast_switch(_policy: &mut Policy, _target_freq: u32) -> u32 { +        build_error!(VTABLE_DEFAULT_ERROR) +    } + +    /// Driver's `adjust_perf` callback. +    fn adjust_perf(_policy: &mut Policy, _min_perf: usize, _target_perf: usize, _capacity: usize) { +        build_error!(VTABLE_DEFAULT_ERROR) +    } + +    /// Driver's `get_intermediate` callback. +    fn get_intermediate(_policy: &mut Policy, _index: TableIndex) -> u32 { +        build_error!(VTABLE_DEFAULT_ERROR) +    } + +    /// Driver's `target_intermediate` callback. +    fn target_intermediate(_policy: &mut Policy, _index: TableIndex) -> Result { +        build_error!(VTABLE_DEFAULT_ERROR) +    } + +    /// Driver's `get` callback. +    fn get(_policy: &mut Policy) -> Result<u32> { +        build_error!(VTABLE_DEFAULT_ERROR) +    } + +    /// Driver's `update_limits` callback. +    fn update_limits(_policy: &mut Policy) { +        build_error!(VTABLE_DEFAULT_ERROR) +    } + +    /// Driver's `bios_limit` callback. +    fn bios_limit(_policy: &mut Policy, _limit: &mut u32) -> Result { +        build_error!(VTABLE_DEFAULT_ERROR) +    } + +    /// Driver's `set_boost` callback. +    fn set_boost(_policy: &mut Policy, _state: i32) -> Result { +        build_error!(VTABLE_DEFAULT_ERROR) +    } + +    /// Driver's `register_em` callback. +    fn register_em(_policy: &mut Policy) { +        build_error!(VTABLE_DEFAULT_ERROR) +    } +} + +/// CPU frequency driver Registration. +/// +/// ## Examples +/// +/// The following example demonstrates how to register a cpufreq driver. +/// +/// ``` +/// use kernel::{ +///     cpufreq, +///     c_str, +///     device::{Core, Device}, +///     macros::vtable, +///     of, platform, +///     sync::Arc, +/// }; +/// struct SampleDevice; +/// +/// #[derive(Default)] +/// struct SampleDriver; +/// +/// #[vtable] +/// impl cpufreq::Driver for SampleDriver { +///     const NAME: &'static CStr = c_str!("cpufreq-sample"); +///     const FLAGS: u16 = cpufreq::flags::NEED_INITIAL_FREQ_CHECK | cpufreq::flags::IS_COOLING_DEV; +///     const BOOST_ENABLED: bool = true; +/// +///     type PData = Arc<SampleDevice>; +/// +///     fn init(policy: &mut cpufreq::Policy) -> Result<Self::PData> { +///         // Initialize here +///         Ok(Arc::new(SampleDevice, GFP_KERNEL)?) +///     } +/// +///     fn exit(_policy: &mut cpufreq::Policy, _data: Option<Self::PData>) -> Result { +///         Ok(()) +///     } +/// +///     fn suspend(policy: &mut cpufreq::Policy) -> Result { +///         policy.generic_suspend() +///     } +/// +///     fn verify(data: &mut cpufreq::PolicyData) -> Result { +///         data.generic_verify() +///     } +/// +///     fn target_index(policy: &mut cpufreq::Policy, index: cpufreq::TableIndex) -> Result { +///         // Update CPU frequency +///         Ok(()) +///     } +/// +///     fn get(policy: &mut cpufreq::Policy) -> Result<u32> { +///         policy.generic_get() +///     } +/// } +/// +/// impl platform::Driver for SampleDriver { +///     type IdInfo = (); +///     const OF_ID_TABLE: Option<of::IdTable<Self::IdInfo>> = None; +/// +///     fn probe( +///         pdev: &platform::Device<Core>, +///         _id_info: Option<&Self::IdInfo>, +///     ) -> Result<Pin<KBox<Self>>> { +///         cpufreq::Registration::<SampleDriver>::new_foreign_owned(pdev.as_ref())?; +///         Ok(KBox::new(Self {}, GFP_KERNEL)?.into()) +///     } +/// } +/// ``` +#[repr(transparent)] +pub struct Registration<T: Driver>(KBox<UnsafeCell<bindings::cpufreq_driver>>, PhantomData<T>); + +/// SAFETY: `Registration` doesn't offer any methods or access to fields when shared between threads +/// or CPUs, so it is safe to share it. +unsafe impl<T: Driver> Sync for Registration<T> {} + +#[allow(clippy::non_send_fields_in_send_ty)] +/// SAFETY: Registration with and unregistration from the cpufreq subsystem can happen from any +/// thread. +unsafe impl<T: Driver> Send for Registration<T> {} + +impl<T: Driver> Registration<T> { +    const VTABLE: bindings::cpufreq_driver = bindings::cpufreq_driver { +        name: Self::copy_name(T::NAME), +        boost_enabled: T::BOOST_ENABLED, +        flags: T::FLAGS, + +        // Initialize mandatory callbacks. +        init: Some(Self::init_callback), +        verify: Some(Self::verify_callback), + +        // Initialize optional callbacks based on the traits of `T`. +        setpolicy: if T::HAS_SETPOLICY { +            Some(Self::setpolicy_callback) +        } else { +            None +        }, +        target: if T::HAS_TARGET { +            Some(Self::target_callback) +        } else { +            None +        }, +        target_index: if T::HAS_TARGET_INDEX { +            Some(Self::target_index_callback) +        } else { +            None +        }, +        fast_switch: if T::HAS_FAST_SWITCH { +            Some(Self::fast_switch_callback) +        } else { +            None +        }, +        adjust_perf: if T::HAS_ADJUST_PERF { +            Some(Self::adjust_perf_callback) +        } else { +            None +        }, +        get_intermediate: if T::HAS_GET_INTERMEDIATE { +            Some(Self::get_intermediate_callback) +        } else { +            None +        }, +        target_intermediate: if T::HAS_TARGET_INTERMEDIATE { +            Some(Self::target_intermediate_callback) +        } else { +            None +        }, +        get: if T::HAS_GET { +            Some(Self::get_callback) +        } else { +            None +        }, +        update_limits: if T::HAS_UPDATE_LIMITS { +            Some(Self::update_limits_callback) +        } else { +            None +        }, +        bios_limit: if T::HAS_BIOS_LIMIT { +            Some(Self::bios_limit_callback) +        } else { +            None +        }, +        online: if T::HAS_ONLINE { +            Some(Self::online_callback) +        } else { +            None +        }, +        offline: if T::HAS_OFFLINE { +            Some(Self::offline_callback) +        } else { +            None +        }, +        exit: if T::HAS_EXIT { +            Some(Self::exit_callback) +        } else { +            None +        }, +        suspend: if T::HAS_SUSPEND { +            Some(Self::suspend_callback) +        } else { +            None +        }, +        resume: if T::HAS_RESUME { +            Some(Self::resume_callback) +        } else { +            None +        }, +        ready: if T::HAS_READY { +            Some(Self::ready_callback) +        } else { +            None +        }, +        set_boost: if T::HAS_SET_BOOST { +            Some(Self::set_boost_callback) +        } else { +            None +        }, +        register_em: if T::HAS_REGISTER_EM { +            Some(Self::register_em_callback) +        } else { +            None +        }, +        // SAFETY: All zeros is a valid value for `bindings::cpufreq_driver`. +        ..unsafe { MaybeUninit::zeroed().assume_init() } +    }; + +    const fn copy_name(name: &'static CStr) -> [c_char; CPUFREQ_NAME_LEN] { +        let src = name.as_bytes_with_nul(); +        let mut dst = [0; CPUFREQ_NAME_LEN]; + +        build_assert!(src.len() <= CPUFREQ_NAME_LEN); + +        let mut i = 0; +        while i < src.len() { +            dst[i] = src[i]; +            i += 1; +        } + +        dst +    } + +    /// Registers a CPU frequency driver with the cpufreq core. +    pub fn new() -> Result<Self> { +        // We can't use `&Self::VTABLE` directly because the cpufreq core modifies some fields in +        // the C `struct cpufreq_driver`, which requires a mutable reference. +        let mut drv = KBox::new(UnsafeCell::new(Self::VTABLE), GFP_KERNEL)?; + +        // SAFETY: `drv` is guaranteed to be valid for the lifetime of `Registration`. +        to_result(unsafe { bindings::cpufreq_register_driver(drv.get_mut()) })?; + +        Ok(Self(drv, PhantomData)) +    } + +    /// Same as [`Registration::new`], but does not return a [`Registration`] instance. +    /// +    /// Instead the [`Registration`] is owned by [`Devres`] and will be revoked / dropped, once the +    /// device is detached. +    pub fn new_foreign_owned(dev: &Device<Bound>) -> Result { +        Devres::new_foreign_owned(dev, Self::new()?, GFP_KERNEL) +    } +} + +/// CPU frequency driver callbacks. +impl<T: Driver> Registration<T> { +    /// Driver's `init` callback. +    /// +    /// SAFETY: Called from C. Inputs must be valid pointers. +    extern "C" fn init_callback(ptr: *mut bindings::cpufreq_policy) -> kernel::ffi::c_int { +        from_result(|| { +            // SAFETY: The `ptr` is guaranteed to be valid by the contract with the C code for the +            // lifetime of `policy`. +            let policy = unsafe { Policy::from_raw_mut(ptr) }; + +            let data = T::init(policy)?; +            policy.set_data(data)?; +            Ok(0) +        }) +    } + +    /// Driver's `exit` callback. +    /// +    /// SAFETY: Called from C. Inputs must be valid pointers. +    extern "C" fn exit_callback(ptr: *mut bindings::cpufreq_policy) { +        // SAFETY: The `ptr` is guaranteed to be valid by the contract with the C code for the +        // lifetime of `policy`. +        let policy = unsafe { Policy::from_raw_mut(ptr) }; + +        let data = policy.clear_data(); +        let _ = T::exit(policy, data); +    } + +    /// Driver's `online` callback. +    /// +    /// SAFETY: Called from C. Inputs must be valid pointers. +    extern "C" fn online_callback(ptr: *mut bindings::cpufreq_policy) -> kernel::ffi::c_int { +        from_result(|| { +            // SAFETY: The `ptr` is guaranteed to be valid by the contract with the C code for the +            // lifetime of `policy`. +            let policy = unsafe { Policy::from_raw_mut(ptr) }; +            T::online(policy).map(|()| 0) +        }) +    } + +    /// Driver's `offline` callback. +    /// +    /// SAFETY: Called from C. Inputs must be valid pointers. +    extern "C" fn offline_callback(ptr: *mut bindings::cpufreq_policy) -> kernel::ffi::c_int { +        from_result(|| { +            // SAFETY: The `ptr` is guaranteed to be valid by the contract with the C code for the +            // lifetime of `policy`. +            let policy = unsafe { Policy::from_raw_mut(ptr) }; +            T::offline(policy).map(|()| 0) +        }) +    } + +    /// Driver's `suspend` callback. +    /// +    /// SAFETY: Called from C. Inputs must be valid pointers. +    extern "C" fn suspend_callback(ptr: *mut bindings::cpufreq_policy) -> kernel::ffi::c_int { +        from_result(|| { +            // SAFETY: The `ptr` is guaranteed to be valid by the contract with the C code for the +            // lifetime of `policy`. +            let policy = unsafe { Policy::from_raw_mut(ptr) }; +            T::suspend(policy).map(|()| 0) +        }) +    } + +    /// Driver's `resume` callback. +    /// +    /// SAFETY: Called from C. Inputs must be valid pointers. +    extern "C" fn resume_callback(ptr: *mut bindings::cpufreq_policy) -> kernel::ffi::c_int { +        from_result(|| { +            // SAFETY: The `ptr` is guaranteed to be valid by the contract with the C code for the +            // lifetime of `policy`. +            let policy = unsafe { Policy::from_raw_mut(ptr) }; +            T::resume(policy).map(|()| 0) +        }) +    } + +    /// Driver's `ready` callback. +    /// +    /// SAFETY: Called from C. Inputs must be valid pointers. +    extern "C" fn ready_callback(ptr: *mut bindings::cpufreq_policy) { +        // SAFETY: The `ptr` is guaranteed to be valid by the contract with the C code for the +        // lifetime of `policy`. +        let policy = unsafe { Policy::from_raw_mut(ptr) }; +        T::ready(policy); +    } + +    /// Driver's `verify` callback. +    /// +    /// SAFETY: Called from C. Inputs must be valid pointers. +    extern "C" fn verify_callback(ptr: *mut bindings::cpufreq_policy_data) -> kernel::ffi::c_int { +        from_result(|| { +            // SAFETY: The `ptr` is guaranteed to be valid by the contract with the C code for the +            // lifetime of `policy`. +            let data = unsafe { PolicyData::from_raw_mut(ptr) }; +            T::verify(data).map(|()| 0) +        }) +    } + +    /// Driver's `setpolicy` callback. +    /// +    /// SAFETY: Called from C. Inputs must be valid pointers. +    extern "C" fn setpolicy_callback(ptr: *mut bindings::cpufreq_policy) -> kernel::ffi::c_int { +        from_result(|| { +            // SAFETY: The `ptr` is guaranteed to be valid by the contract with the C code for the +            // lifetime of `policy`. +            let policy = unsafe { Policy::from_raw_mut(ptr) }; +            T::setpolicy(policy).map(|()| 0) +        }) +    } + +    /// Driver's `target` callback. +    /// +    /// SAFETY: Called from C. Inputs must be valid pointers. +    extern "C" fn target_callback( +        ptr: *mut bindings::cpufreq_policy, +        target_freq: u32, +        relation: u32, +    ) -> kernel::ffi::c_int { +        from_result(|| { +            // SAFETY: The `ptr` is guaranteed to be valid by the contract with the C code for the +            // lifetime of `policy`. +            let policy = unsafe { Policy::from_raw_mut(ptr) }; +            T::target(policy, target_freq, Relation::new(relation)?).map(|()| 0) +        }) +    } + +    /// Driver's `target_index` callback. +    /// +    /// SAFETY: Called from C. Inputs must be valid pointers. +    extern "C" fn target_index_callback( +        ptr: *mut bindings::cpufreq_policy, +        index: u32, +    ) -> kernel::ffi::c_int { +        from_result(|| { +            // SAFETY: The `ptr` is guaranteed to be valid by the contract with the C code for the +            // lifetime of `policy`. +            let policy = unsafe { Policy::from_raw_mut(ptr) }; + +            // SAFETY: The C code guarantees that `index` corresponds to a valid entry in the +            // frequency table. +            let index = unsafe { TableIndex::new(index as usize) }; + +            T::target_index(policy, index).map(|()| 0) +        }) +    } + +    /// Driver's `fast_switch` callback. +    /// +    /// SAFETY: Called from C. Inputs must be valid pointers. +    extern "C" fn fast_switch_callback( +        ptr: *mut bindings::cpufreq_policy, +        target_freq: u32, +    ) -> kernel::ffi::c_uint { +        // SAFETY: The `ptr` is guaranteed to be valid by the contract with the C code for the +        // lifetime of `policy`. +        let policy = unsafe { Policy::from_raw_mut(ptr) }; +        T::fast_switch(policy, target_freq) +    } + +    /// Driver's `adjust_perf` callback. +    extern "C" fn adjust_perf_callback( +        cpu: u32, +        min_perf: usize, +        target_perf: usize, +        capacity: usize, +    ) { +        if let Ok(mut policy) = PolicyCpu::from_cpu(cpu) { +            T::adjust_perf(&mut policy, min_perf, target_perf, capacity); +        } +    } + +    /// Driver's `get_intermediate` callback. +    /// +    /// SAFETY: Called from C. Inputs must be valid pointers. +    extern "C" fn get_intermediate_callback( +        ptr: *mut bindings::cpufreq_policy, +        index: u32, +    ) -> kernel::ffi::c_uint { +        // SAFETY: The `ptr` is guaranteed to be valid by the contract with the C code for the +        // lifetime of `policy`. +        let policy = unsafe { Policy::from_raw_mut(ptr) }; + +        // SAFETY: The C code guarantees that `index` corresponds to a valid entry in the +        // frequency table. +        let index = unsafe { TableIndex::new(index as usize) }; + +        T::get_intermediate(policy, index) +    } + +    /// Driver's `target_intermediate` callback. +    /// +    /// SAFETY: Called from C. Inputs must be valid pointers. +    extern "C" fn target_intermediate_callback( +        ptr: *mut bindings::cpufreq_policy, +        index: u32, +    ) -> kernel::ffi::c_int { +        from_result(|| { +            // SAFETY: The `ptr` is guaranteed to be valid by the contract with the C code for the +            // lifetime of `policy`. +            let policy = unsafe { Policy::from_raw_mut(ptr) }; + +            // SAFETY: The C code guarantees that `index` corresponds to a valid entry in the +            // frequency table. +            let index = unsafe { TableIndex::new(index as usize) }; + +            T::target_intermediate(policy, index).map(|()| 0) +        }) +    } + +    /// Driver's `get` callback. +    extern "C" fn get_callback(cpu: u32) -> kernel::ffi::c_uint { +        PolicyCpu::from_cpu(cpu).map_or(0, |mut policy| T::get(&mut policy).map_or(0, |f| f)) +    } + +    /// Driver's `update_limit` callback. +    extern "C" fn update_limits_callback(ptr: *mut bindings::cpufreq_policy) { +        // SAFETY: The `ptr` is guaranteed to be valid by the contract with the C code for the +        // lifetime of `policy`. +        let policy = unsafe { Policy::from_raw_mut(ptr) }; +        T::update_limits(policy); +    } + +    /// Driver's `bios_limit` callback. +    /// +    /// SAFETY: Called from C. Inputs must be valid pointers. +    extern "C" fn bios_limit_callback(cpu: i32, limit: *mut u32) -> kernel::ffi::c_int { +        from_result(|| { +            let mut policy = PolicyCpu::from_cpu(cpu as u32)?; + +            // SAFETY: `limit` is guaranteed by the C code to be valid. +            T::bios_limit(&mut policy, &mut (unsafe { *limit })).map(|()| 0) +        }) +    } + +    /// Driver's `set_boost` callback. +    /// +    /// SAFETY: Called from C. Inputs must be valid pointers. +    extern "C" fn set_boost_callback( +        ptr: *mut bindings::cpufreq_policy, +        state: i32, +    ) -> kernel::ffi::c_int { +        from_result(|| { +            // SAFETY: The `ptr` is guaranteed to be valid by the contract with the C code for the +            // lifetime of `policy`. +            let policy = unsafe { Policy::from_raw_mut(ptr) }; +            T::set_boost(policy, state).map(|()| 0) +        }) +    } + +    /// Driver's `register_em` callback. +    /// +    /// SAFETY: Called from C. Inputs must be valid pointers. +    extern "C" fn register_em_callback(ptr: *mut bindings::cpufreq_policy) { +        // SAFETY: The `ptr` is guaranteed to be valid by the contract with the C code for the +        // lifetime of `policy`. +        let policy = unsafe { Policy::from_raw_mut(ptr) }; +        T::register_em(policy); +    } +} + +impl<T: Driver> Drop for Registration<T> { +    /// Unregisters with the cpufreq core. +    fn drop(&mut self) { +        // SAFETY: `self.0` is guaranteed to be valid for the lifetime of `Registration`. +        unsafe { bindings::cpufreq_unregister_driver(self.0.get_mut()) }; +    } +} diff --git a/rust/kernel/cpumask.rs b/rust/kernel/cpumask.rs new file mode 100644 index 000000000000..c90bfac9346a --- /dev/null +++ b/rust/kernel/cpumask.rs @@ -0,0 +1,330 @@ +// SPDX-License-Identifier: GPL-2.0 + +//! CPU Mask abstractions. +//! +//! C header: [`include/linux/cpumask.h`](srctree/include/linux/cpumask.h) + +use crate::{ +    alloc::{AllocError, Flags}, +    prelude::*, +    types::Opaque, +}; + +#[cfg(CONFIG_CPUMASK_OFFSTACK)] +use core::ptr::{self, NonNull}; + +#[cfg(not(CONFIG_CPUMASK_OFFSTACK))] +use core::mem::MaybeUninit; + +use core::ops::{Deref, DerefMut}; + +/// A CPU Mask. +/// +/// Rust abstraction for the C `struct cpumask`. +/// +/// # Invariants +/// +/// A [`Cpumask`] instance always corresponds to a valid C `struct cpumask`. +/// +/// The callers must ensure that the `struct cpumask` is valid for access and +/// remains valid for the lifetime of the returned reference. +/// +/// ## Examples +/// +/// The following example demonstrates how to update a [`Cpumask`]. +/// +/// ``` +/// use kernel::bindings; +/// use kernel::cpumask::Cpumask; +/// +/// fn set_clear_cpu(ptr: *mut bindings::cpumask, set_cpu: u32, clear_cpu: i32) { +///     // SAFETY: The `ptr` is valid for writing and remains valid for the lifetime of the +///     // returned reference. +///     let mask = unsafe { Cpumask::as_mut_ref(ptr) }; +/// +///     mask.set(set_cpu); +///     mask.clear(clear_cpu); +/// } +/// ``` +#[repr(transparent)] +pub struct Cpumask(Opaque<bindings::cpumask>); + +impl Cpumask { +    /// Creates a mutable reference to an existing `struct cpumask` pointer. +    /// +    /// # Safety +    /// +    /// The caller must ensure that `ptr` is valid for writing and remains valid for the lifetime +    /// of the returned reference. +    pub unsafe fn as_mut_ref<'a>(ptr: *mut bindings::cpumask) -> &'a mut Self { +        // SAFETY: Guaranteed by the safety requirements of the function. +        // +        // INVARIANT: The caller ensures that `ptr` is valid for writing and remains valid for the +        // lifetime of the returned reference. +        unsafe { &mut *ptr.cast() } +    } + +    /// Creates a reference to an existing `struct cpumask` pointer. +    /// +    /// # Safety +    /// +    /// The caller must ensure that `ptr` is valid for reading and remains valid for the lifetime +    /// of the returned reference. +    pub unsafe fn as_ref<'a>(ptr: *const bindings::cpumask) -> &'a Self { +        // SAFETY: Guaranteed by the safety requirements of the function. +        // +        // INVARIANT: The caller ensures that `ptr` is valid for reading and remains valid for the +        // lifetime of the returned reference. +        unsafe { &*ptr.cast() } +    } + +    /// Obtain the raw `struct cpumask` pointer. +    pub fn as_raw(&self) -> *mut bindings::cpumask { +        let this: *const Self = self; +        this.cast_mut().cast() +    } + +    /// Set `cpu` in the cpumask. +    /// +    /// ATTENTION: Contrary to C, this Rust `set()` method is non-atomic. +    /// This mismatches kernel naming convention and corresponds to the C +    /// function `__cpumask_set_cpu()`. +    #[inline] +    pub fn set(&mut self, cpu: u32) { +        // SAFETY: By the type invariant, `self.as_raw` is a valid argument to `__cpumask_set_cpu`. +        unsafe { bindings::__cpumask_set_cpu(cpu, self.as_raw()) }; +    } + +    /// Clear `cpu` in the cpumask. +    /// +    /// ATTENTION: Contrary to C, this Rust `clear()` method is non-atomic. +    /// This mismatches kernel naming convention and corresponds to the C +    /// function `__cpumask_clear_cpu()`. +    #[inline] +    pub fn clear(&mut self, cpu: i32) { +        // SAFETY: By the type invariant, `self.as_raw` is a valid argument to +        // `__cpumask_clear_cpu`. +        unsafe { bindings::__cpumask_clear_cpu(cpu, self.as_raw()) }; +    } + +    /// Test `cpu` in the cpumask. +    /// +    /// Equivalent to the kernel's `cpumask_test_cpu` API. +    #[inline] +    pub fn test(&self, cpu: i32) -> bool { +        // SAFETY: By the type invariant, `self.as_raw` is a valid argument to `cpumask_test_cpu`. +        unsafe { bindings::cpumask_test_cpu(cpu, self.as_raw()) } +    } + +    /// Set all CPUs in the cpumask. +    /// +    /// Equivalent to the kernel's `cpumask_setall` API. +    #[inline] +    pub fn setall(&mut self) { +        // SAFETY: By the type invariant, `self.as_raw` is a valid argument to `cpumask_setall`. +        unsafe { bindings::cpumask_setall(self.as_raw()) }; +    } + +    /// Checks if cpumask is empty. +    /// +    /// Equivalent to the kernel's `cpumask_empty` API. +    #[inline] +    pub fn empty(&self) -> bool { +        // SAFETY: By the type invariant, `self.as_raw` is a valid argument to `cpumask_empty`. +        unsafe { bindings::cpumask_empty(self.as_raw()) } +    } + +    /// Checks if cpumask is full. +    /// +    /// Equivalent to the kernel's `cpumask_full` API. +    #[inline] +    pub fn full(&self) -> bool { +        // SAFETY: By the type invariant, `self.as_raw` is a valid argument to `cpumask_full`. +        unsafe { bindings::cpumask_full(self.as_raw()) } +    } + +    /// Get weight of the cpumask. +    /// +    /// Equivalent to the kernel's `cpumask_weight` API. +    #[inline] +    pub fn weight(&self) -> u32 { +        // SAFETY: By the type invariant, `self.as_raw` is a valid argument to `cpumask_weight`. +        unsafe { bindings::cpumask_weight(self.as_raw()) } +    } + +    /// Copy cpumask. +    /// +    /// Equivalent to the kernel's `cpumask_copy` API. +    #[inline] +    pub fn copy(&self, dstp: &mut Self) { +        // SAFETY: By the type invariant, `Self::as_raw` is a valid argument to `cpumask_copy`. +        unsafe { bindings::cpumask_copy(dstp.as_raw(), self.as_raw()) }; +    } +} + +/// A CPU Mask pointer. +/// +/// Rust abstraction for the C `struct cpumask_var_t`. +/// +/// # Invariants +/// +/// A [`CpumaskVar`] instance always corresponds to a valid C `struct cpumask_var_t`. +/// +/// The callers must ensure that the `struct cpumask_var_t` is valid for access and remains valid +/// for the lifetime of [`CpumaskVar`]. +/// +/// ## Examples +/// +/// The following example demonstrates how to create and update a [`CpumaskVar`]. +/// +/// ``` +/// use kernel::cpumask::CpumaskVar; +/// +/// let mut mask = CpumaskVar::new_zero(GFP_KERNEL).unwrap(); +/// +/// assert!(mask.empty()); +/// mask.set(2); +/// assert!(mask.test(2)); +/// mask.set(3); +/// assert!(mask.test(3)); +/// assert_eq!(mask.weight(), 2); +/// +/// let mask2 = CpumaskVar::try_clone(&mask).unwrap(); +/// assert!(mask2.test(2)); +/// assert!(mask2.test(3)); +/// assert_eq!(mask2.weight(), 2); +/// ``` +pub struct CpumaskVar { +    #[cfg(CONFIG_CPUMASK_OFFSTACK)] +    ptr: NonNull<Cpumask>, +    #[cfg(not(CONFIG_CPUMASK_OFFSTACK))] +    mask: Cpumask, +} + +impl CpumaskVar { +    /// Creates a zero-initialized instance of the [`CpumaskVar`]. +    pub fn new_zero(_flags: Flags) -> Result<Self, AllocError> { +        Ok(Self { +            #[cfg(CONFIG_CPUMASK_OFFSTACK)] +            ptr: { +                let mut ptr: *mut bindings::cpumask = ptr::null_mut(); + +                // SAFETY: It is safe to call this method as the reference to `ptr` is valid. +                // +                // INVARIANT: The associated memory is freed when the `CpumaskVar` goes out of +                // scope. +                unsafe { bindings::zalloc_cpumask_var(&mut ptr, _flags.as_raw()) }; +                NonNull::new(ptr.cast()).ok_or(AllocError)? +            }, + +            #[cfg(not(CONFIG_CPUMASK_OFFSTACK))] +            // SAFETY: FFI type is valid to be zero-initialized. +            // +            // INVARIANT: The associated memory is freed when the `CpumaskVar` goes out of scope. +            mask: unsafe { core::mem::zeroed() }, +        }) +    } + +    /// Creates an instance of the [`CpumaskVar`]. +    /// +    /// # Safety +    /// +    /// The caller must ensure that the returned [`CpumaskVar`] is properly initialized before +    /// getting used. +    pub unsafe fn new(_flags: Flags) -> Result<Self, AllocError> { +        Ok(Self { +            #[cfg(CONFIG_CPUMASK_OFFSTACK)] +            ptr: { +                let mut ptr: *mut bindings::cpumask = ptr::null_mut(); + +                // SAFETY: It is safe to call this method as the reference to `ptr` is valid. +                // +                // INVARIANT: The associated memory is freed when the `CpumaskVar` goes out of +                // scope. +                unsafe { bindings::alloc_cpumask_var(&mut ptr, _flags.as_raw()) }; +                NonNull::new(ptr.cast()).ok_or(AllocError)? +            }, +            #[cfg(not(CONFIG_CPUMASK_OFFSTACK))] +            // SAFETY: Guaranteed by the safety requirements of the function. +            // +            // INVARIANT: The associated memory is freed when the `CpumaskVar` goes out of scope. +            mask: unsafe { MaybeUninit::uninit().assume_init() }, +        }) +    } + +    /// Creates a mutable reference to an existing `struct cpumask_var_t` pointer. +    /// +    /// # Safety +    /// +    /// The caller must ensure that `ptr` is valid for writing and remains valid for the lifetime +    /// of the returned reference. +    pub unsafe fn as_mut_ref<'a>(ptr: *mut bindings::cpumask_var_t) -> &'a mut Self { +        // SAFETY: Guaranteed by the safety requirements of the function. +        // +        // INVARIANT: The caller ensures that `ptr` is valid for writing and remains valid for the +        // lifetime of the returned reference. +        unsafe { &mut *ptr.cast() } +    } + +    /// Creates a reference to an existing `struct cpumask_var_t` pointer. +    /// +    /// # Safety +    /// +    /// The caller must ensure that `ptr` is valid for reading and remains valid for the lifetime +    /// of the returned reference. +    pub unsafe fn as_ref<'a>(ptr: *const bindings::cpumask_var_t) -> &'a Self { +        // SAFETY: Guaranteed by the safety requirements of the function. +        // +        // INVARIANT: The caller ensures that `ptr` is valid for reading and remains valid for the +        // lifetime of the returned reference. +        unsafe { &*ptr.cast() } +    } + +    /// Clones cpumask. +    pub fn try_clone(cpumask: &Cpumask) -> Result<Self> { +        // SAFETY: The returned cpumask_var is initialized right after this call. +        let mut cpumask_var = unsafe { Self::new(GFP_KERNEL) }?; + +        cpumask.copy(&mut cpumask_var); +        Ok(cpumask_var) +    } +} + +// Make [`CpumaskVar`] behave like a pointer to [`Cpumask`]. +impl Deref for CpumaskVar { +    type Target = Cpumask; + +    #[cfg(CONFIG_CPUMASK_OFFSTACK)] +    fn deref(&self) -> &Self::Target { +        // SAFETY: The caller owns CpumaskVar, so it is safe to deref the cpumask. +        unsafe { &*self.ptr.as_ptr() } +    } + +    #[cfg(not(CONFIG_CPUMASK_OFFSTACK))] +    fn deref(&self) -> &Self::Target { +        &self.mask +    } +} + +impl DerefMut for CpumaskVar { +    #[cfg(CONFIG_CPUMASK_OFFSTACK)] +    fn deref_mut(&mut self) -> &mut Cpumask { +        // SAFETY: The caller owns CpumaskVar, so it is safe to deref the cpumask. +        unsafe { self.ptr.as_mut() } +    } + +    #[cfg(not(CONFIG_CPUMASK_OFFSTACK))] +    fn deref_mut(&mut self) -> &mut Cpumask { +        &mut self.mask +    } +} + +impl Drop for CpumaskVar { +    fn drop(&mut self) { +        #[cfg(CONFIG_CPUMASK_OFFSTACK)] +        // SAFETY: By the type invariant, `self.as_raw` is a valid argument to `free_cpumask_var`. +        unsafe { +            bindings::free_cpumask_var(self.as_raw()) +        }; +    } +} diff --git a/rust/kernel/device.rs b/rust/kernel/device.rs index f08583fa39c9..dea06b79ecb5 100644 --- a/rust/kernel/device.rs +++ b/rust/kernel/device.rs @@ -345,7 +345,7 @@ macro_rules! impl_device_context_into_aref {  macro_rules! dev_printk {      ($method:ident, $dev:expr, $($f:tt)*) => {          { -            ($dev).$method(core::format_args!($($f)*)); +            ($dev).$method(::core::format_args!($($f)*));          }      }  } @@ -357,9 +357,10 @@ macro_rules! dev_printk {  /// Equivalent to the kernel's `dev_emerg` macro.  ///  /// Mimics the interface of [`std::print!`]. More information about the syntax is available from -/// [`core::fmt`] and `alloc::format!`. +/// [`core::fmt`] and [`std::format!`].  ///  /// [`std::print!`]: https://doc.rust-lang.org/std/macro.print.html +/// [`std::format!`]: https://doc.rust-lang.org/std/macro.format.html  ///  /// # Examples  /// @@ -382,9 +383,10 @@ macro_rules! dev_emerg {  /// Equivalent to the kernel's `dev_alert` macro.  ///  /// Mimics the interface of [`std::print!`]. More information about the syntax is available from -/// [`core::fmt`] and `alloc::format!`. +/// [`core::fmt`] and [`std::format!`].  ///  /// [`std::print!`]: https://doc.rust-lang.org/std/macro.print.html +/// [`std::format!`]: https://doc.rust-lang.org/std/macro.format.html  ///  /// # Examples  /// @@ -407,9 +409,10 @@ macro_rules! dev_alert {  /// Equivalent to the kernel's `dev_crit` macro.  ///  /// Mimics the interface of [`std::print!`]. More information about the syntax is available from -/// [`core::fmt`] and `alloc::format!`. +/// [`core::fmt`] and [`std::format!`].  ///  /// [`std::print!`]: https://doc.rust-lang.org/std/macro.print.html +/// [`std::format!`]: https://doc.rust-lang.org/std/macro.format.html  ///  /// # Examples  /// @@ -432,9 +435,10 @@ macro_rules! dev_crit {  /// Equivalent to the kernel's `dev_err` macro.  ///  /// Mimics the interface of [`std::print!`]. More information about the syntax is available from -/// [`core::fmt`] and `alloc::format!`. +/// [`core::fmt`] and [`std::format!`].  ///  /// [`std::print!`]: https://doc.rust-lang.org/std/macro.print.html +/// [`std::format!`]: https://doc.rust-lang.org/std/macro.format.html  ///  /// # Examples  /// @@ -457,9 +461,10 @@ macro_rules! dev_err {  /// Equivalent to the kernel's `dev_warn` macro.  ///  /// Mimics the interface of [`std::print!`]. More information about the syntax is available from -/// [`core::fmt`] and `alloc::format!`. +/// [`core::fmt`] and [`std::format!`].  ///  /// [`std::print!`]: https://doc.rust-lang.org/std/macro.print.html +/// [`std::format!`]: https://doc.rust-lang.org/std/macro.format.html  ///  /// # Examples  /// @@ -482,9 +487,10 @@ macro_rules! dev_warn {  /// Equivalent to the kernel's `dev_notice` macro.  ///  /// Mimics the interface of [`std::print!`]. More information about the syntax is available from -/// [`core::fmt`] and `alloc::format!`. +/// [`core::fmt`] and [`std::format!`].  ///  /// [`std::print!`]: https://doc.rust-lang.org/std/macro.print.html +/// [`std::format!`]: https://doc.rust-lang.org/std/macro.format.html  ///  /// # Examples  /// @@ -507,9 +513,10 @@ macro_rules! dev_notice {  /// Equivalent to the kernel's `dev_info` macro.  ///  /// Mimics the interface of [`std::print!`]. More information about the syntax is available from -/// [`core::fmt`] and `alloc::format!`. +/// [`core::fmt`] and [`std::format!`].  ///  /// [`std::print!`]: https://doc.rust-lang.org/std/macro.print.html +/// [`std::format!`]: https://doc.rust-lang.org/std/macro.format.html  ///  /// # Examples  /// @@ -532,9 +539,10 @@ macro_rules! dev_info {  /// Equivalent to the kernel's `dev_dbg` macro, except that it doesn't support dynamic debug yet.  ///  /// Mimics the interface of [`std::print!`]. More information about the syntax is available from -/// [`core::fmt`] and `alloc::format!`. +/// [`core::fmt`] and [`std::format!`].  ///  /// [`std::print!`]: https://doc.rust-lang.org/std/macro.print.html +/// [`std::format!`]: https://doc.rust-lang.org/std/macro.format.html  ///  /// # Examples  /// diff --git a/rust/kernel/device_id.rs b/rust/kernel/device_id.rs index e5859217a579..0a4eb56d98f2 100644 --- a/rust/kernel/device_id.rs +++ b/rust/kernel/device_id.rs @@ -159,7 +159,7 @@ macro_rules! module_device_table {                      "_", line!(),                      "_", stringify!($table_name))          ] -        static $module_table_name: [core::mem::MaybeUninit<u8>; $table_name.raw_ids().size()] = -            unsafe { core::mem::transmute_copy($table_name.raw_ids()) }; +        static $module_table_name: [::core::mem::MaybeUninit<u8>; $table_name.raw_ids().size()] = +            unsafe { ::core::mem::transmute_copy($table_name.raw_ids()) };      };  } diff --git a/rust/kernel/dma.rs b/rust/kernel/dma.rs index 605e01e35715..a33261c62e0c 100644 --- a/rust/kernel/dma.rs +++ b/rust/kernel/dma.rs @@ -94,7 +94,7 @@ pub mod attrs {      pub const DMA_ATTR_ALLOC_SINGLE_PAGES: Attrs = Attrs(bindings::DMA_ATTR_ALLOC_SINGLE_PAGES);      /// This tells the DMA-mapping subsystem to suppress allocation failure reports (similarly to -    /// __GFP_NOWARN). +    /// `__GFP_NOWARN`).      pub const DMA_ATTR_NO_WARN: Attrs = Attrs(bindings::DMA_ATTR_NO_WARN);      /// Used to indicate that the buffer is fully accessible at an elevated privilege level (and diff --git a/rust/kernel/drm/device.rs b/rust/kernel/drm/device.rs index 74c9a3dd719e..624d7a4c83ea 100644 --- a/rust/kernel/drm/device.rs +++ b/rust/kernel/drm/device.rs @@ -135,6 +135,8 @@ impl<T: drm::Driver> Device<T> {      ///      /// `ptr` must be a valid pointer to a `struct device` embedded in `Self`.      unsafe fn from_drm_device(ptr: *const bindings::drm_device) -> *mut Self { +        let ptr: *const Opaque<bindings::drm_device> = ptr.cast(); +          // SAFETY: By the safety requirements of this function `ptr` is a valid pointer to a          // `struct drm_device` embedded in `Self`.          unsafe { crate::container_of!(ptr, Self, dev) }.cast_mut() diff --git a/rust/kernel/drm/gem/mod.rs b/rust/kernel/drm/gem/mod.rs index d8765e61c6c2..4cd69fa84318 100644 --- a/rust/kernel/drm/gem/mod.rs +++ b/rust/kernel/drm/gem/mod.rs @@ -125,6 +125,8 @@ impl<T: DriverObject> IntoGEMObject for Object<T> {      }      unsafe fn as_ref<'a>(self_ptr: *mut bindings::drm_gem_object) -> &'a Self { +        let self_ptr: *mut Opaque<bindings::drm_gem_object> = self_ptr.cast(); +          // SAFETY: `obj` is guaranteed to be in an `Object<T>` via the safety contract of this          // function          unsafe { &*crate::container_of!(self_ptr, Object<T>, obj) } @@ -269,8 +271,10 @@ impl<T: DriverObject> Object<T> {      }      extern "C" fn free_callback(obj: *mut bindings::drm_gem_object) { +        let ptr: *mut Opaque<bindings::drm_gem_object> = obj.cast(); +          // SAFETY: All of our objects are of type `Object<T>`. -        let this = unsafe { crate::container_of!(obj, Self, obj) }.cast_mut(); +        let this = unsafe { crate::container_of!(ptr, Self, obj) };          // SAFETY: The C code only ever calls this callback with a valid pointer to a `struct          // drm_gem_object`. diff --git a/rust/kernel/fs/file.rs b/rust/kernel/fs/file.rs index 13a0e44cd1aa..72d84fb0e266 100644 --- a/rust/kernel/fs/file.rs +++ b/rust/kernel/fs/file.rs @@ -219,12 +219,13 @@ unsafe impl AlwaysRefCounted for File {  ///   must be on the same thread as this file.  ///  /// [`assume_no_fdget_pos`]: LocalFile::assume_no_fdget_pos +#[repr(transparent)]  pub struct LocalFile {      inner: Opaque<bindings::file>,  }  // SAFETY: The type invariants guarantee that `LocalFile` is always ref-counted. This implementation -// makes `ARef<File>` own a normal refcount. +// makes `ARef<LocalFile>` own a normal refcount.  unsafe impl AlwaysRefCounted for LocalFile {      #[inline]      fn inc_ref(&self) { @@ -235,7 +236,8 @@ unsafe impl AlwaysRefCounted for LocalFile {      #[inline]      unsafe fn dec_ref(obj: ptr::NonNull<LocalFile>) {          // SAFETY: To call this method, the caller passes us ownership of a normal refcount, so we -        // may drop it. The cast is okay since `File` has the same representation as `struct file`. +        // may drop it. The cast is okay since `LocalFile` has the same representation as +        // `struct file`.          unsafe { bindings::fput(obj.cast().as_ptr()) }      }  } @@ -273,7 +275,7 @@ impl LocalFile {      #[inline]      pub unsafe fn from_raw_file<'a>(ptr: *const bindings::file) -> &'a LocalFile {          // SAFETY: The caller guarantees that the pointer is not dangling and stays valid for the -        // duration of 'a. The cast is okay because `File` is `repr(transparent)`. +        // duration of `'a`. The cast is okay because `LocalFile` is `repr(transparent)`.          //          // INVARIANT: The caller guarantees that there are no problematic `fdget_pos` calls.          unsafe { &*ptr.cast() } @@ -347,7 +349,7 @@ impl File {      #[inline]      pub unsafe fn from_raw_file<'a>(ptr: *const bindings::file) -> &'a File {          // SAFETY: The caller guarantees that the pointer is not dangling and stays valid for the -        // duration of 'a. The cast is okay because `File` is `repr(transparent)`. +        // duration of `'a`. The cast is okay because `File` is `repr(transparent)`.          //          // INVARIANT: The caller guarantees that there are no problematic `fdget_pos` calls.          unsafe { &*ptr.cast() } diff --git a/rust/kernel/kunit.rs b/rust/kernel/kunit.rs index 1604fb6a5b1b..4b8cdcb21e77 100644 --- a/rust/kernel/kunit.rs +++ b/rust/kernel/kunit.rs @@ -6,6 +6,7 @@  //!  //! Reference: <https://docs.kernel.org/dev-tools/kunit/index.html> +use crate::prelude::*;  use core::{ffi::c_void, fmt};  /// Prints a KUnit error-level message. @@ -40,8 +41,6 @@ pub fn info(args: fmt::Arguments<'_>) {      }  } -use macros::kunit_tests; -  /// Asserts that a boolean expression is `true` at runtime.  ///  /// Public but hidden since it should only be used from generated tests. @@ -59,7 +58,7 @@ macro_rules! kunit_assert {              }              static FILE: &'static $crate::str::CStr = $crate::c_str!($file); -            static LINE: i32 = core::line!() as i32 - $diff; +            static LINE: i32 = ::core::line!() as i32 - $diff;              static CONDITION: &'static $crate::str::CStr = $crate::c_str!(stringify!($condition));              // SAFETY: FFI call without safety requirements. @@ -130,11 +129,11 @@ macro_rules! kunit_assert {              unsafe {                  $crate::bindings::__kunit_do_failed_assertion(                      kunit_test, -                    core::ptr::addr_of!(LOCATION.0), +                    ::core::ptr::addr_of!(LOCATION.0),                      $crate::bindings::kunit_assert_type_KUNIT_ASSERTION, -                    core::ptr::addr_of!(ASSERTION.0.assert), +                    ::core::ptr::addr_of!(ASSERTION.0.assert),                      Some($crate::bindings::kunit_unary_assert_format), -                    core::ptr::null(), +                    ::core::ptr::null(),                  );              } @@ -164,6 +163,31 @@ macro_rules! kunit_assert_eq {      }};  } +trait TestResult { +    fn is_test_result_ok(&self) -> bool; +} + +impl TestResult for () { +    fn is_test_result_ok(&self) -> bool { +        true +    } +} + +impl<T, E> TestResult for Result<T, E> { +    fn is_test_result_ok(&self) -> bool { +        self.is_ok() +    } +} + +/// Returns whether a test result is to be considered OK. +/// +/// This will be `assert!`ed from the generated tests. +#[doc(hidden)] +#[expect(private_bounds)] +pub fn is_test_result_ok(t: impl TestResult) -> bool { +    t.is_test_result_ok() +} +  /// Represents an individual test case.  ///  /// The [`kunit_unsafe_test_suite!`] macro expects a NULL-terminated list of valid test cases. @@ -323,7 +347,6 @@ mod tests {      #[test]      fn rust_test_kunit_example_test() { -        #![expect(clippy::eq_op)]          assert_eq!(1 + 1, 2);      } diff --git a/rust/kernel/lib.rs b/rust/kernel/lib.rs index ab0286857061..6b4774b2b1c3 100644 --- a/rust/kernel/lib.rs +++ b/rust/kernel/lib.rs @@ -12,20 +12,34 @@  //! do so first instead of bypassing this crate.  #![no_std] -#![feature(arbitrary_self_types)] -#![cfg_attr(CONFIG_RUSTC_HAS_COERCE_POINTEE, feature(derive_coerce_pointee))] -#![cfg_attr(not(CONFIG_RUSTC_HAS_COERCE_POINTEE), feature(coerce_unsized))] -#![cfg_attr(not(CONFIG_RUSTC_HAS_COERCE_POINTEE), feature(dispatch_from_dyn))] -#![cfg_attr(not(CONFIG_RUSTC_HAS_COERCE_POINTEE), feature(unsize))] +// +// Please see https://github.com/Rust-for-Linux/linux/issues/2 for details on +// the unstable features in use. +// +// Stable since Rust 1.79.0.  #![feature(inline_const)] +// +// Stable since Rust 1.81.0.  #![feature(lint_reasons)] -// Stable in Rust 1.82 +// +// Stable since Rust 1.82.0.  #![feature(raw_ref_op)] -// Stable in Rust 1.83 +// +// Stable since Rust 1.83.0.  #![feature(const_maybe_uninit_as_mut_ptr)]  #![feature(const_mut_refs)]  #![feature(const_ptr_write)]  #![feature(const_refs_to_cell)] +// +// Expected to become stable. +#![feature(arbitrary_self_types)] +// +// `feature(derive_coerce_pointee)` is expected to become stable. Before Rust +// 1.84.0, it did not exist, so enable the predecessor features. +#![cfg_attr(CONFIG_RUSTC_HAS_COERCE_POINTEE, feature(derive_coerce_pointee))] +#![cfg_attr(not(CONFIG_RUSTC_HAS_COERCE_POINTEE), feature(coerce_unsized))] +#![cfg_attr(not(CONFIG_RUSTC_HAS_COERCE_POINTEE), feature(dispatch_from_dyn))] +#![cfg_attr(not(CONFIG_RUSTC_HAS_COERCE_POINTEE), feature(unsize))]  // Ensure conditional compilation based on the kernel configuration works;  // otherwise we may silently break things like initcall handling. @@ -44,6 +58,13 @@ pub mod auxiliary;  pub mod block;  #[doc(hidden)]  pub mod build_assert; +pub mod clk; +#[cfg(CONFIG_CONFIGFS_FS)] +pub mod configfs; +pub mod cpu; +#[cfg(CONFIG_CPU_FREQ)] +pub mod cpufreq; +pub mod cpumask;  pub mod cred;  pub mod device;  pub mod device_id; @@ -65,9 +86,12 @@ pub mod jump_label;  pub mod kunit;  pub mod list;  pub mod miscdevice; +pub mod mm;  #[cfg(CONFIG_NET)]  pub mod net;  pub mod of; +#[cfg(CONFIG_PM_OPP)] +pub mod opp;  pub mod page;  #[cfg(CONFIG_PCI)]  pub mod pci; @@ -92,6 +116,7 @@ pub mod transmute;  pub mod types;  pub mod uaccess;  pub mod workqueue; +pub mod xarray;  #[doc(hidden)]  pub use bindings; @@ -194,7 +219,7 @@ fn panic(info: &core::panic::PanicInfo<'_>) -> ! {  /// }  ///  /// let test = Test { a: 10, b: 20 }; -/// let b_ptr = &test.b; +/// let b_ptr: *const _ = &test.b;  /// // SAFETY: The pointer points at the `b` field of a `Test`, so the resulting pointer will be  /// // in-bounds of the same allocation as `b_ptr`.  /// let test_alias = unsafe { container_of!(b_ptr, Test, b) }; @@ -202,13 +227,19 @@ fn panic(info: &core::panic::PanicInfo<'_>) -> ! {  /// ```  #[macro_export]  macro_rules! container_of { -    ($ptr:expr, $type:ty, $($f:tt)*) => {{ -        let ptr = $ptr as *const _ as *const u8; -        let offset: usize = ::core::mem::offset_of!($type, $($f)*); -        ptr.sub(offset) as *const $type +    ($field_ptr:expr, $Container:ty, $($fields:tt)*) => {{ +        let offset: usize = ::core::mem::offset_of!($Container, $($fields)*); +        let field_ptr = $field_ptr; +        let container_ptr = field_ptr.byte_sub(offset).cast::<$Container>(); +        $crate::assert_same_type(field_ptr, (&raw const (*container_ptr).$($fields)*).cast_mut()); +        container_ptr      }}  } +/// Helper for [`container_of!`]. +#[doc(hidden)] +pub fn assert_same_type<T>(_: T, _: T) {} +  /// Helper for `.rs.S` files.  #[doc(hidden)]  #[macro_export] diff --git a/rust/kernel/list.rs b/rust/kernel/list.rs index a335c3b1ff5e..c391c30b80f8 100644 --- a/rust/kernel/list.rs +++ b/rust/kernel/list.rs @@ -35,6 +35,114 @@ pub use self::arc_field::{define_list_arc_field_getter, ListArcField};  /// * All prev/next pointers in `ListLinks` fields of items in the list are valid and form a cycle.  /// * For every item in the list, the list owns the associated [`ListArc`] reference and has  ///   exclusive access to the `ListLinks` field. +/// +/// # Examples +/// +/// ``` +/// use kernel::list::*; +/// +/// #[pin_data] +/// struct BasicItem { +///     value: i32, +///     #[pin] +///     links: ListLinks, +/// } +/// +/// impl BasicItem { +///     fn new(value: i32) -> Result<ListArc<Self>> { +///         ListArc::pin_init(try_pin_init!(Self { +///             value, +///             links <- ListLinks::new(), +///         }), GFP_KERNEL) +///     } +/// } +/// +/// impl_has_list_links! { +///     impl HasListLinks<0> for BasicItem { self.links } +/// } +/// impl_list_arc_safe! { +///     impl ListArcSafe<0> for BasicItem { untracked; } +/// } +/// impl_list_item! { +///     impl ListItem<0> for BasicItem { using ListLinks; } +/// } +/// +/// // Create a new empty list. +/// let mut list = List::new(); +/// { +///     assert!(list.is_empty()); +/// } +/// +/// // Insert 3 elements using `push_back()`. +/// list.push_back(BasicItem::new(15)?); +/// list.push_back(BasicItem::new(10)?); +/// list.push_back(BasicItem::new(30)?); +/// +/// // Iterate over the list to verify the nodes were inserted correctly. +/// // [15, 10, 30] +/// { +///     let mut iter = list.iter(); +///     assert_eq!(iter.next().unwrap().value, 15); +///     assert_eq!(iter.next().unwrap().value, 10); +///     assert_eq!(iter.next().unwrap().value, 30); +///     assert!(iter.next().is_none()); +/// +///     // Verify the length of the list. +///     assert_eq!(list.iter().count(), 3); +/// } +/// +/// // Pop the items from the list using `pop_back()` and verify the content. +/// { +///     assert_eq!(list.pop_back().unwrap().value, 30); +///     assert_eq!(list.pop_back().unwrap().value, 10); +///     assert_eq!(list.pop_back().unwrap().value, 15); +/// } +/// +/// // Insert 3 elements using `push_front()`. +/// list.push_front(BasicItem::new(15)?); +/// list.push_front(BasicItem::new(10)?); +/// list.push_front(BasicItem::new(30)?); +/// +/// // Iterate over the list to verify the nodes were inserted correctly. +/// // [30, 10, 15] +/// { +///     let mut iter = list.iter(); +///     assert_eq!(iter.next().unwrap().value, 30); +///     assert_eq!(iter.next().unwrap().value, 10); +///     assert_eq!(iter.next().unwrap().value, 15); +///     assert!(iter.next().is_none()); +/// +///     // Verify the length of the list. +///     assert_eq!(list.iter().count(), 3); +/// } +/// +/// // Pop the items from the list using `pop_front()` and verify the content. +/// { +///     assert_eq!(list.pop_front().unwrap().value, 30); +///     assert_eq!(list.pop_front().unwrap().value, 10); +/// } +/// +/// // Push `list2` to `list` through `push_all_back()`. +/// // list: [15] +/// // list2: [25, 35] +/// { +///     let mut list2 = List::new(); +///     list2.push_back(BasicItem::new(25)?); +///     list2.push_back(BasicItem::new(35)?); +/// +///     list.push_all_back(&mut list2); +/// +///     // list: [15, 25, 35] +///     // list2: [] +///     let mut iter = list.iter(); +///     assert_eq!(iter.next().unwrap().value, 15); +///     assert_eq!(iter.next().unwrap().value, 25); +///     assert_eq!(iter.next().unwrap().value, 35); +///     assert!(iter.next().is_none()); +///     assert!(list2.is_empty()); +/// } +/// # Result::<(), Error>::Ok(()) +/// ```  pub struct List<T: ?Sized + ListItem<ID>, const ID: u64 = 0> {      first: *mut ListLinksFields,      _ty: PhantomData<ListArc<T, ID>>, @@ -319,7 +427,7 @@ impl<T: ?Sized + ListItem<ID>, const ID: u64> List<T, ID> {      /// Removes the last item from this list.      pub fn pop_back(&mut self) -> Option<ListArc<T, ID>> { -        if self.first.is_null() { +        if self.is_empty() {              return None;          } @@ -331,7 +439,7 @@ impl<T: ?Sized + ListItem<ID>, const ID: u64> List<T, ID> {      /// Removes the first item from this list.      pub fn pop_front(&mut self) -> Option<ListArc<T, ID>> { -        if self.first.is_null() { +        if self.is_empty() {              return None;          } diff --git a/rust/kernel/list/arc.rs b/rust/kernel/list/arc.rs index 13c50df37b89..d92bcf665c89 100644 --- a/rust/kernel/list/arc.rs +++ b/rust/kernel/list/arc.rs @@ -74,7 +74,7 @@ pub unsafe trait TryNewListArc<const ID: u64 = 0>: ListArcSafe<ID> {  ///  /// * The `untracked` strategy does not actually keep track of whether a [`ListArc`] exists. When  ///   using this strategy, the only way to create a [`ListArc`] is using a [`UniqueArc`]. -/// * The `tracked_by` strategy defers the tracking to a field of the struct. The user much specify +/// * The `tracked_by` strategy defers the tracking to a field of the struct. The user must specify  ///   which field to defer the tracking to. The field must implement [`ListArcSafe`]. If the field  ///   implements [`TryNewListArc`], then the type will also implement [`TryNewListArc`].  /// @@ -96,7 +96,7 @@ macro_rules! impl_list_arc_safe {      } $($rest:tt)*) => {          impl$(<$($generics)*>)? $crate::list::ListArcSafe<$num> for $t {              unsafe fn on_create_list_arc_from_unique(self: ::core::pin::Pin<&mut Self>) { -                $crate::assert_pinned!($t, $field, $fty, inline); +                ::pin_init::assert_pinned!($t, $field, $fty, inline);                  // SAFETY: This field is structurally pinned as per the above assertion.                  let field = unsafe { @@ -464,7 +464,7 @@ where  /// A utility for tracking whether a [`ListArc`] exists using an atomic.  /// -/// # Invariant +/// # Invariants  ///  /// If the boolean is `false`, then there is no [`ListArc`] for this value.  #[repr(transparent)] diff --git a/rust/kernel/miscdevice.rs b/rust/kernel/miscdevice.rs index fa9ecc42602a..939278bc7b03 100644 --- a/rust/kernel/miscdevice.rs +++ b/rust/kernel/miscdevice.rs @@ -14,6 +14,7 @@ use crate::{      error::{to_result, Error, Result, VTABLE_DEFAULT_ERROR},      ffi::{c_int, c_long, c_uint, c_ulong},      fs::File, +    mm::virt::VmaNew,      prelude::*,      seq_file::SeqFile,      str::CStr, @@ -119,9 +120,25 @@ pub trait MiscDevice: Sized {          drop(device);      } +    /// Handle for mmap. +    /// +    /// This function is invoked when a user space process invokes the `mmap` system call on +    /// `file`. The function is a callback that is part of the VMA initializer. The kernel will do +    /// initial setup of the VMA before calling this function. The function can then interact with +    /// the VMA initialization by calling methods of `vma`. If the function does not return an +    /// error, the kernel will complete initialization of the VMA according to the properties of +    /// `vma`. +    fn mmap( +        _device: <Self::Ptr as ForeignOwnable>::Borrowed<'_>, +        _file: &File, +        _vma: &VmaNew, +    ) -> Result { +        build_error!(VTABLE_DEFAULT_ERROR) +    } +      /// Handler for ioctls.      /// -    /// The `cmd` argument is usually manipulated using the utilties in [`kernel::ioctl`]. +    /// The `cmd` argument is usually manipulated using the utilities in [`kernel::ioctl`].      ///      /// [`kernel::ioctl`]: mod@crate::ioctl      fn ioctl( @@ -200,7 +217,7 @@ impl<T: MiscDevice> MiscdeviceVTable<T> {          // type.          //          // SAFETY: The open call of a file can access the private data. -        unsafe { (*raw_file).private_data = ptr.into_foreign() }; +        unsafe { (*raw_file).private_data = ptr.into_foreign().cast() };          0      } @@ -211,7 +228,7 @@ impl<T: MiscDevice> MiscdeviceVTable<T> {      /// must be associated with a `MiscDeviceRegistration<T>`.      unsafe extern "C" fn release(_inode: *mut bindings::inode, file: *mut bindings::file) -> c_int {          // SAFETY: The release call of a file owns the private data. -        let private = unsafe { (*file).private_data }; +        let private = unsafe { (*file).private_data }.cast();          // SAFETY: The release call of a file owns the private data.          let ptr = unsafe { <T::Ptr as ForeignOwnable>::from_foreign(private) }; @@ -226,9 +243,36 @@ impl<T: MiscDevice> MiscdeviceVTable<T> {      /// # Safety      ///      /// `file` must be a valid file that is associated with a `MiscDeviceRegistration<T>`. +    /// `vma` must be a vma that is currently being mmap'ed with this file. +    unsafe extern "C" fn mmap( +        file: *mut bindings::file, +        vma: *mut bindings::vm_area_struct, +    ) -> c_int { +        // SAFETY: The mmap call of a file can access the private data. +        let private = unsafe { (*file).private_data }; +        // SAFETY: This is a Rust Miscdevice, so we call `into_foreign` in `open` and +        // `from_foreign` in `release`, and `fops_mmap` is guaranteed to be called between those +        // two operations. +        let device = unsafe { <T::Ptr as ForeignOwnable>::borrow(private.cast()) }; +        // SAFETY: The caller provides a vma that is undergoing initial VMA setup. +        let area = unsafe { VmaNew::from_raw(vma) }; +        // SAFETY: +        // * The file is valid for the duration of this call. +        // * There is no active fdget_pos region on the file on this thread. +        let file = unsafe { File::from_raw_file(file) }; + +        match T::mmap(device, file, area) { +            Ok(()) => 0, +            Err(err) => err.to_errno(), +        } +    } + +    /// # Safety +    /// +    /// `file` must be a valid file that is associated with a `MiscDeviceRegistration<T>`.      unsafe extern "C" fn ioctl(file: *mut bindings::file, cmd: c_uint, arg: c_ulong) -> c_long {          // SAFETY: The ioctl call of a file can access the private data. -        let private = unsafe { (*file).private_data }; +        let private = unsafe { (*file).private_data }.cast();          // SAFETY: Ioctl calls can borrow the private data of the file.          let device = unsafe { <T::Ptr as ForeignOwnable>::borrow(private) }; @@ -253,7 +297,7 @@ impl<T: MiscDevice> MiscdeviceVTable<T> {          arg: c_ulong,      ) -> c_long {          // SAFETY: The compat ioctl call of a file can access the private data. -        let private = unsafe { (*file).private_data }; +        let private = unsafe { (*file).private_data }.cast();          // SAFETY: Ioctl calls can borrow the private data of the file.          let device = unsafe { <T::Ptr as ForeignOwnable>::borrow(private) }; @@ -274,7 +318,7 @@ impl<T: MiscDevice> MiscdeviceVTable<T> {      /// - `seq_file` must be a valid `struct seq_file` that we can write to.      unsafe extern "C" fn show_fdinfo(seq_file: *mut bindings::seq_file, file: *mut bindings::file) {          // SAFETY: The release call of a file owns the private data. -        let private = unsafe { (*file).private_data }; +        let private = unsafe { (*file).private_data }.cast();          // SAFETY: Ioctl calls can borrow the private data of the file.          let device = unsafe { <T::Ptr as ForeignOwnable>::borrow(private) };          // SAFETY: @@ -291,6 +335,7 @@ impl<T: MiscDevice> MiscdeviceVTable<T> {      const VTABLE: bindings::file_operations = bindings::file_operations {          open: Some(Self::open),          release: Some(Self::release), +        mmap: if T::HAS_MMAP { Some(Self::mmap) } else { None },          unlocked_ioctl: if T::HAS_IOCTL {              Some(Self::ioctl)          } else { diff --git a/rust/kernel/mm.rs b/rust/kernel/mm.rs new file mode 100644 index 000000000000..43f525c0d16c --- /dev/null +++ b/rust/kernel/mm.rs @@ -0,0 +1,296 @@ +// SPDX-License-Identifier: GPL-2.0 + +// Copyright (C) 2024 Google LLC. + +//! Memory management. +//! +//! This module deals with managing the address space of userspace processes. Each process has an +//! instance of [`Mm`], which keeps track of multiple VMAs (virtual memory areas). Each VMA +//! corresponds to a region of memory that the userspace process can access, and the VMA lets you +//! control what happens when userspace reads or writes to that region of memory. +//! +//! C header: [`include/linux/mm.h`](srctree/include/linux/mm.h) + +use crate::{ +    bindings, +    types::{ARef, AlwaysRefCounted, NotThreadSafe, Opaque}, +}; +use core::{ops::Deref, ptr::NonNull}; + +pub mod virt; +use virt::VmaRef; + +#[cfg(CONFIG_MMU)] +pub use mmput_async::MmWithUserAsync; +mod mmput_async; + +/// A wrapper for the kernel's `struct mm_struct`. +/// +/// This represents the address space of a userspace process, so each process has one `Mm` +/// instance. It may hold many VMAs internally. +/// +/// There is a counter called `mm_users` that counts the users of the address space; this includes +/// the userspace process itself, but can also include kernel threads accessing the address space. +/// Once `mm_users` reaches zero, this indicates that the address space can be destroyed. To access +/// the address space, you must prevent `mm_users` from reaching zero while you are accessing it. +/// The [`MmWithUser`] type represents an address space where this is guaranteed, and you can +/// create one using [`mmget_not_zero`]. +/// +/// The `ARef<Mm>` smart pointer holds an `mmgrab` refcount. Its destructor may sleep. +/// +/// # Invariants +/// +/// Values of this type are always refcounted using `mmgrab`. +/// +/// [`mmget_not_zero`]: Mm::mmget_not_zero +#[repr(transparent)] +pub struct Mm { +    mm: Opaque<bindings::mm_struct>, +} + +// SAFETY: It is safe to call `mmdrop` on another thread than where `mmgrab` was called. +unsafe impl Send for Mm {} +// SAFETY: All methods on `Mm` can be called in parallel from several threads. +unsafe impl Sync for Mm {} + +// SAFETY: By the type invariants, this type is always refcounted. +unsafe impl AlwaysRefCounted for Mm { +    #[inline] +    fn inc_ref(&self) { +        // SAFETY: The pointer is valid since self is a reference. +        unsafe { bindings::mmgrab(self.as_raw()) }; +    } + +    #[inline] +    unsafe fn dec_ref(obj: NonNull<Self>) { +        // SAFETY: The caller is giving up their refcount. +        unsafe { bindings::mmdrop(obj.cast().as_ptr()) }; +    } +} + +/// A wrapper for the kernel's `struct mm_struct`. +/// +/// This type is like [`Mm`], but with non-zero `mm_users`. It can only be used when `mm_users` can +/// be proven to be non-zero at compile-time, usually because the relevant code holds an `mmget` +/// refcount. It can be used to access the associated address space. +/// +/// The `ARef<MmWithUser>` smart pointer holds an `mmget` refcount. Its destructor may sleep. +/// +/// # Invariants +/// +/// Values of this type are always refcounted using `mmget`. The value of `mm_users` is non-zero. +#[repr(transparent)] +pub struct MmWithUser { +    mm: Mm, +} + +// SAFETY: It is safe to call `mmput` on another thread than where `mmget` was called. +unsafe impl Send for MmWithUser {} +// SAFETY: All methods on `MmWithUser` can be called in parallel from several threads. +unsafe impl Sync for MmWithUser {} + +// SAFETY: By the type invariants, this type is always refcounted. +unsafe impl AlwaysRefCounted for MmWithUser { +    #[inline] +    fn inc_ref(&self) { +        // SAFETY: The pointer is valid since self is a reference. +        unsafe { bindings::mmget(self.as_raw()) }; +    } + +    #[inline] +    unsafe fn dec_ref(obj: NonNull<Self>) { +        // SAFETY: The caller is giving up their refcount. +        unsafe { bindings::mmput(obj.cast().as_ptr()) }; +    } +} + +// Make all `Mm` methods available on `MmWithUser`. +impl Deref for MmWithUser { +    type Target = Mm; + +    #[inline] +    fn deref(&self) -> &Mm { +        &self.mm +    } +} + +// These methods are safe to call even if `mm_users` is zero. +impl Mm { +    /// Returns a raw pointer to the inner `mm_struct`. +    #[inline] +    pub fn as_raw(&self) -> *mut bindings::mm_struct { +        self.mm.get() +    } + +    /// Obtain a reference from a raw pointer. +    /// +    /// # Safety +    /// +    /// The caller must ensure that `ptr` points at an `mm_struct`, and that it is not deallocated +    /// during the lifetime 'a. +    #[inline] +    pub unsafe fn from_raw<'a>(ptr: *const bindings::mm_struct) -> &'a Mm { +        // SAFETY: Caller promises that the pointer is valid for 'a. Layouts are compatible due to +        // repr(transparent). +        unsafe { &*ptr.cast() } +    } + +    /// Calls `mmget_not_zero` and returns a handle if it succeeds. +    #[inline] +    pub fn mmget_not_zero(&self) -> Option<ARef<MmWithUser>> { +        // SAFETY: The pointer is valid since self is a reference. +        let success = unsafe { bindings::mmget_not_zero(self.as_raw()) }; + +        if success { +            // SAFETY: We just created an `mmget` refcount. +            Some(unsafe { ARef::from_raw(NonNull::new_unchecked(self.as_raw().cast())) }) +        } else { +            None +        } +    } +} + +// These methods require `mm_users` to be non-zero. +impl MmWithUser { +    /// Obtain a reference from a raw pointer. +    /// +    /// # Safety +    /// +    /// The caller must ensure that `ptr` points at an `mm_struct`, and that `mm_users` remains +    /// non-zero for the duration of the lifetime 'a. +    #[inline] +    pub unsafe fn from_raw<'a>(ptr: *const bindings::mm_struct) -> &'a MmWithUser { +        // SAFETY: Caller promises that the pointer is valid for 'a. The layout is compatible due +        // to repr(transparent). +        unsafe { &*ptr.cast() } +    } + +    /// Attempt to access a vma using the vma read lock. +    /// +    /// This is an optimistic trylock operation, so it may fail if there is contention. In that +    /// case, you should fall back to taking the mmap read lock. +    /// +    /// When per-vma locks are disabled, this always returns `None`. +    #[inline] +    pub fn lock_vma_under_rcu(&self, vma_addr: usize) -> Option<VmaReadGuard<'_>> { +        #[cfg(CONFIG_PER_VMA_LOCK)] +        { +            // SAFETY: Calling `bindings::lock_vma_under_rcu` is always okay given an mm where +            // `mm_users` is non-zero. +            let vma = unsafe { bindings::lock_vma_under_rcu(self.as_raw(), vma_addr) }; +            if !vma.is_null() { +                return Some(VmaReadGuard { +                    // SAFETY: If `lock_vma_under_rcu` returns a non-null ptr, then it points at a +                    // valid vma. The vma is stable for as long as the vma read lock is held. +                    vma: unsafe { VmaRef::from_raw(vma) }, +                    _nts: NotThreadSafe, +                }); +            } +        } + +        // Silence warnings about unused variables. +        #[cfg(not(CONFIG_PER_VMA_LOCK))] +        let _ = vma_addr; + +        None +    } + +    /// Lock the mmap read lock. +    #[inline] +    pub fn mmap_read_lock(&self) -> MmapReadGuard<'_> { +        // SAFETY: The pointer is valid since self is a reference. +        unsafe { bindings::mmap_read_lock(self.as_raw()) }; + +        // INVARIANT: We just acquired the read lock. +        MmapReadGuard { +            mm: self, +            _nts: NotThreadSafe, +        } +    } + +    /// Try to lock the mmap read lock. +    #[inline] +    pub fn mmap_read_trylock(&self) -> Option<MmapReadGuard<'_>> { +        // SAFETY: The pointer is valid since self is a reference. +        let success = unsafe { bindings::mmap_read_trylock(self.as_raw()) }; + +        if success { +            // INVARIANT: We just acquired the read lock. +            Some(MmapReadGuard { +                mm: self, +                _nts: NotThreadSafe, +            }) +        } else { +            None +        } +    } +} + +/// A guard for the mmap read lock. +/// +/// # Invariants +/// +/// This `MmapReadGuard` guard owns the mmap read lock. +pub struct MmapReadGuard<'a> { +    mm: &'a MmWithUser, +    // `mmap_read_lock` and `mmap_read_unlock` must be called on the same thread +    _nts: NotThreadSafe, +} + +impl<'a> MmapReadGuard<'a> { +    /// Look up a vma at the given address. +    #[inline] +    pub fn vma_lookup(&self, vma_addr: usize) -> Option<&virt::VmaRef> { +        // SAFETY: By the type invariants we hold the mmap read guard, so we can safely call this +        // method. Any value is okay for `vma_addr`. +        let vma = unsafe { bindings::vma_lookup(self.mm.as_raw(), vma_addr) }; + +        if vma.is_null() { +            None +        } else { +            // SAFETY: We just checked that a vma was found, so the pointer references a valid vma. +            // +            // Furthermore, the returned vma is still under the protection of the read lock guard +            // and can be used while the mmap read lock is still held. That the vma is not used +            // after the MmapReadGuard gets dropped is enforced by the borrow-checker. +            unsafe { Some(virt::VmaRef::from_raw(vma)) } +        } +    } +} + +impl Drop for MmapReadGuard<'_> { +    #[inline] +    fn drop(&mut self) { +        // SAFETY: We hold the read lock by the type invariants. +        unsafe { bindings::mmap_read_unlock(self.mm.as_raw()) }; +    } +} + +/// A guard for the vma read lock. +/// +/// # Invariants +/// +/// This `VmaReadGuard` guard owns the vma read lock. +pub struct VmaReadGuard<'a> { +    vma: &'a VmaRef, +    // `vma_end_read` must be called on the same thread as where the lock was taken +    _nts: NotThreadSafe, +} + +// Make all `VmaRef` methods available on `VmaReadGuard`. +impl Deref for VmaReadGuard<'_> { +    type Target = VmaRef; + +    #[inline] +    fn deref(&self) -> &VmaRef { +        self.vma +    } +} + +impl Drop for VmaReadGuard<'_> { +    #[inline] +    fn drop(&mut self) { +        // SAFETY: We hold the read lock by the type invariants. +        unsafe { bindings::vma_end_read(self.vma.as_ptr()) }; +    } +} diff --git a/rust/kernel/mm/mmput_async.rs b/rust/kernel/mm/mmput_async.rs new file mode 100644 index 000000000000..9289e05f7a67 --- /dev/null +++ b/rust/kernel/mm/mmput_async.rs @@ -0,0 +1,68 @@ +// SPDX-License-Identifier: GPL-2.0 + +// Copyright (C) 2024 Google LLC. + +//! Version of `MmWithUser` using `mmput_async`. +//! +//! This is a separate file from `mm.rs` due to the dependency on `CONFIG_MMU=y`. +#![cfg(CONFIG_MMU)] + +use crate::{ +    bindings, +    mm::MmWithUser, +    types::{ARef, AlwaysRefCounted}, +}; +use core::{ops::Deref, ptr::NonNull}; + +/// A wrapper for the kernel's `struct mm_struct`. +/// +/// This type is identical to `MmWithUser` except that it uses `mmput_async` when dropping a +/// refcount. This means that the destructor of `ARef<MmWithUserAsync>` is safe to call in atomic +/// context. +/// +/// # Invariants +/// +/// Values of this type are always refcounted using `mmget`. The value of `mm_users` is non-zero. +#[repr(transparent)] +pub struct MmWithUserAsync { +    mm: MmWithUser, +} + +// SAFETY: It is safe to call `mmput_async` on another thread than where `mmget` was called. +unsafe impl Send for MmWithUserAsync {} +// SAFETY: All methods on `MmWithUserAsync` can be called in parallel from several threads. +unsafe impl Sync for MmWithUserAsync {} + +// SAFETY: By the type invariants, this type is always refcounted. +unsafe impl AlwaysRefCounted for MmWithUserAsync { +    #[inline] +    fn inc_ref(&self) { +        // SAFETY: The pointer is valid since self is a reference. +        unsafe { bindings::mmget(self.as_raw()) }; +    } + +    #[inline] +    unsafe fn dec_ref(obj: NonNull<Self>) { +        // SAFETY: The caller is giving up their refcount. +        unsafe { bindings::mmput_async(obj.cast().as_ptr()) }; +    } +} + +// Make all `MmWithUser` methods available on `MmWithUserAsync`. +impl Deref for MmWithUserAsync { +    type Target = MmWithUser; + +    #[inline] +    fn deref(&self) -> &MmWithUser { +        &self.mm +    } +} + +impl MmWithUser { +    /// Use `mmput_async` when dropping this refcount. +    #[inline] +    pub fn into_mmput_async(me: ARef<MmWithUser>) -> ARef<MmWithUserAsync> { +        // SAFETY: The layouts and invariants are compatible. +        unsafe { ARef::from_raw(ARef::into_raw(me).cast()) } +    } +} diff --git a/rust/kernel/mm/virt.rs b/rust/kernel/mm/virt.rs new file mode 100644 index 000000000000..31803674aecc --- /dev/null +++ b/rust/kernel/mm/virt.rs @@ -0,0 +1,471 @@ +// SPDX-License-Identifier: GPL-2.0 + +// Copyright (C) 2024 Google LLC. + +//! Virtual memory. +//! +//! This module deals with managing a single VMA in the address space of a userspace process. Each +//! VMA corresponds to a region of memory that the userspace process can access, and the VMA lets +//! you control what happens when userspace reads or writes to that region of memory. +//! +//! The module has several different Rust types that all correspond to the C type called +//! `vm_area_struct`. The different structs represent what kind of access you have to the VMA, e.g. +//! [`VmaRef`] is used when you hold the mmap or vma read lock. Using the appropriate struct +//! ensures that you can't, for example, accidentally call a function that requires holding the +//! write lock when you only hold the read lock. + +use crate::{ +    bindings, +    error::{code::EINVAL, to_result, Result}, +    mm::MmWithUser, +    page::Page, +    types::Opaque, +}; + +use core::ops::Deref; + +/// A wrapper for the kernel's `struct vm_area_struct` with read access. +/// +/// It represents an area of virtual memory. +/// +/// # Invariants +/// +/// The caller must hold the mmap read lock or the vma read lock. +#[repr(transparent)] +pub struct VmaRef { +    vma: Opaque<bindings::vm_area_struct>, +} + +// Methods you can call when holding the mmap or vma read lock (or stronger). They must be usable +// no matter what the vma flags are. +impl VmaRef { +    /// Access a virtual memory area given a raw pointer. +    /// +    /// # Safety +    /// +    /// Callers must ensure that `vma` is valid for the duration of 'a, and that the mmap or vma +    /// read lock (or stronger) is held for at least the duration of 'a. +    #[inline] +    pub unsafe fn from_raw<'a>(vma: *const bindings::vm_area_struct) -> &'a Self { +        // SAFETY: The caller ensures that the invariants are satisfied for the duration of 'a. +        unsafe { &*vma.cast() } +    } + +    /// Returns a raw pointer to this area. +    #[inline] +    pub fn as_ptr(&self) -> *mut bindings::vm_area_struct { +        self.vma.get() +    } + +    /// Access the underlying `mm_struct`. +    #[inline] +    pub fn mm(&self) -> &MmWithUser { +        // SAFETY: By the type invariants, this `vm_area_struct` is valid and we hold the mmap/vma +        // read lock or stronger. This implies that the underlying mm has a non-zero value of +        // `mm_users`. +        unsafe { MmWithUser::from_raw((*self.as_ptr()).vm_mm) } +    } + +    /// Returns the flags associated with the virtual memory area. +    /// +    /// The possible flags are a combination of the constants in [`flags`]. +    #[inline] +    pub fn flags(&self) -> vm_flags_t { +        // SAFETY: By the type invariants, the caller holds at least the mmap read lock, so this +        // access is not a data race. +        unsafe { (*self.as_ptr()).__bindgen_anon_2.vm_flags } +    } + +    /// Returns the (inclusive) start address of the virtual memory area. +    #[inline] +    pub fn start(&self) -> usize { +        // SAFETY: By the type invariants, the caller holds at least the mmap read lock, so this +        // access is not a data race. +        unsafe { (*self.as_ptr()).__bindgen_anon_1.__bindgen_anon_1.vm_start } +    } + +    /// Returns the (exclusive) end address of the virtual memory area. +    #[inline] +    pub fn end(&self) -> usize { +        // SAFETY: By the type invariants, the caller holds at least the mmap read lock, so this +        // access is not a data race. +        unsafe { (*self.as_ptr()).__bindgen_anon_1.__bindgen_anon_1.vm_end } +    } + +    /// Zap pages in the given page range. +    /// +    /// This clears page table mappings for the range at the leaf level, leaving all other page +    /// tables intact, and freeing any memory referenced by the VMA in this range. That is, +    /// anonymous memory is completely freed, file-backed memory has its reference count on page +    /// cache folio's dropped, any dirty data will still be written back to disk as usual. +    /// +    /// It may seem odd that we clear at the leaf level, this is however a product of the page +    /// table structure used to map physical memory into a virtual address space - each virtual +    /// address actually consists of a bitmap of array indices into page tables, which form a +    /// hierarchical page table level structure. +    /// +    /// As a result, each page table level maps a multiple of page table levels below, and thus +    /// span ever increasing ranges of pages. At the leaf or PTE level, we map the actual physical +    /// memory. +    /// +    /// It is here where a zap operates, as it the only place we can be certain of clearing without +    /// impacting any other virtual mappings. It is an implementation detail as to whether the +    /// kernel goes further in freeing unused page tables, but for the purposes of this operation +    /// we must only assume that the leaf level is cleared. +    #[inline] +    pub fn zap_page_range_single(&self, address: usize, size: usize) { +        let (end, did_overflow) = address.overflowing_add(size); +        if did_overflow || address < self.start() || self.end() < end { +            // TODO: call WARN_ONCE once Rust version of it is added +            return; +        } + +        // SAFETY: By the type invariants, the caller has read access to this VMA, which is +        // sufficient for this method call. This method has no requirements on the vma flags. The +        // address range is checked to be within the vma. +        unsafe { +            bindings::zap_page_range_single(self.as_ptr(), address, size, core::ptr::null_mut()) +        }; +    } + +    /// If the [`VM_MIXEDMAP`] flag is set, returns a [`VmaMixedMap`] to this VMA, otherwise +    /// returns `None`. +    /// +    /// This can be used to access methods that require [`VM_MIXEDMAP`] to be set. +    /// +    /// [`VM_MIXEDMAP`]: flags::MIXEDMAP +    #[inline] +    pub fn as_mixedmap_vma(&self) -> Option<&VmaMixedMap> { +        if self.flags() & flags::MIXEDMAP != 0 { +            // SAFETY: We just checked that `VM_MIXEDMAP` is set. All other requirements are +            // satisfied by the type invariants of `VmaRef`. +            Some(unsafe { VmaMixedMap::from_raw(self.as_ptr()) }) +        } else { +            None +        } +    } +} + +/// A wrapper for the kernel's `struct vm_area_struct` with read access and [`VM_MIXEDMAP`] set. +/// +/// It represents an area of virtual memory. +/// +/// This struct is identical to [`VmaRef`] except that it must only be used when the +/// [`VM_MIXEDMAP`] flag is set on the vma. +/// +/// # Invariants +/// +/// The caller must hold the mmap read lock or the vma read lock. The `VM_MIXEDMAP` flag must be +/// set. +/// +/// [`VM_MIXEDMAP`]: flags::MIXEDMAP +#[repr(transparent)] +pub struct VmaMixedMap { +    vma: VmaRef, +} + +// Make all `VmaRef` methods available on `VmaMixedMap`. +impl Deref for VmaMixedMap { +    type Target = VmaRef; + +    #[inline] +    fn deref(&self) -> &VmaRef { +        &self.vma +    } +} + +impl VmaMixedMap { +    /// Access a virtual memory area given a raw pointer. +    /// +    /// # Safety +    /// +    /// Callers must ensure that `vma` is valid for the duration of 'a, and that the mmap read lock +    /// (or stronger) is held for at least the duration of 'a. The `VM_MIXEDMAP` flag must be set. +    #[inline] +    pub unsafe fn from_raw<'a>(vma: *const bindings::vm_area_struct) -> &'a Self { +        // SAFETY: The caller ensures that the invariants are satisfied for the duration of 'a. +        unsafe { &*vma.cast() } +    } + +    /// Maps a single page at the given address within the virtual memory area. +    /// +    /// This operation does not take ownership of the page. +    #[inline] +    pub fn vm_insert_page(&self, address: usize, page: &Page) -> Result { +        // SAFETY: By the type invariant of `Self` caller has read access and has verified that +        // `VM_MIXEDMAP` is set. By invariant on `Page` the page has order 0. +        to_result(unsafe { bindings::vm_insert_page(self.as_ptr(), address, page.as_ptr()) }) +    } +} + +/// A configuration object for setting up a VMA in an `f_ops->mmap()` hook. +/// +/// The `f_ops->mmap()` hook is called when a new VMA is being created, and the hook is able to +/// configure the VMA in various ways to fit the driver that owns it. Using `VmaNew` indicates that +/// you are allowed to perform operations on the VMA that can only be performed before the VMA is +/// fully initialized. +/// +/// # Invariants +/// +/// For the duration of 'a, the referenced vma must be undergoing initialization in an +/// `f_ops->mmap()` hook. +pub struct VmaNew { +    vma: VmaRef, +} + +// Make all `VmaRef` methods available on `VmaNew`. +impl Deref for VmaNew { +    type Target = VmaRef; + +    #[inline] +    fn deref(&self) -> &VmaRef { +        &self.vma +    } +} + +impl VmaNew { +    /// Access a virtual memory area given a raw pointer. +    /// +    /// # Safety +    /// +    /// Callers must ensure that `vma` is undergoing initial vma setup for the duration of 'a. +    #[inline] +    pub unsafe fn from_raw<'a>(vma: *mut bindings::vm_area_struct) -> &'a Self { +        // SAFETY: The caller ensures that the invariants are satisfied for the duration of 'a. +        unsafe { &*vma.cast() } +    } + +    /// Internal method for updating the vma flags. +    /// +    /// # Safety +    /// +    /// This must not be used to set the flags to an invalid value. +    #[inline] +    unsafe fn update_flags(&self, set: vm_flags_t, unset: vm_flags_t) { +        let mut flags = self.flags(); +        flags |= set; +        flags &= !unset; + +        // SAFETY: This is not a data race: the vma is undergoing initial setup, so it's not yet +        // shared. Additionally, `VmaNew` is `!Sync`, so it cannot be used to write in parallel. +        // The caller promises that this does not set the flags to an invalid value. +        unsafe { (*self.as_ptr()).__bindgen_anon_2.__vm_flags = flags }; +    } + +    /// Set the `VM_MIXEDMAP` flag on this vma. +    /// +    /// This enables the vma to contain both `struct page` and pure PFN pages. Returns a reference +    /// that can be used to call `vm_insert_page` on the vma. +    #[inline] +    pub fn set_mixedmap(&self) -> &VmaMixedMap { +        // SAFETY: We don't yet provide a way to set VM_PFNMAP, so this cannot put the flags in an +        // invalid state. +        unsafe { self.update_flags(flags::MIXEDMAP, 0) }; + +        // SAFETY: We just set `VM_MIXEDMAP` on the vma. +        unsafe { VmaMixedMap::from_raw(self.vma.as_ptr()) } +    } + +    /// Set the `VM_IO` flag on this vma. +    /// +    /// This is used for memory mapped IO and similar. The flag tells other parts of the kernel to +    /// avoid looking at the pages. For memory mapped IO this is useful as accesses to the pages +    /// could have side effects. +    #[inline] +    pub fn set_io(&self) { +        // SAFETY: Setting the VM_IO flag is always okay. +        unsafe { self.update_flags(flags::IO, 0) }; +    } + +    /// Set the `VM_DONTEXPAND` flag on this vma. +    /// +    /// This prevents the vma from being expanded with `mremap()`. +    #[inline] +    pub fn set_dontexpand(&self) { +        // SAFETY: Setting the VM_DONTEXPAND flag is always okay. +        unsafe { self.update_flags(flags::DONTEXPAND, 0) }; +    } + +    /// Set the `VM_DONTCOPY` flag on this vma. +    /// +    /// This prevents the vma from being copied on fork. This option is only permanent if `VM_IO` +    /// is set. +    #[inline] +    pub fn set_dontcopy(&self) { +        // SAFETY: Setting the VM_DONTCOPY flag is always okay. +        unsafe { self.update_flags(flags::DONTCOPY, 0) }; +    } + +    /// Set the `VM_DONTDUMP` flag on this vma. +    /// +    /// This prevents the vma from being included in core dumps. This option is only permanent if +    /// `VM_IO` is set. +    #[inline] +    pub fn set_dontdump(&self) { +        // SAFETY: Setting the VM_DONTDUMP flag is always okay. +        unsafe { self.update_flags(flags::DONTDUMP, 0) }; +    } + +    /// Returns whether `VM_READ` is set. +    /// +    /// This flag indicates whether userspace is mapping this vma as readable. +    #[inline] +    pub fn readable(&self) -> bool { +        (self.flags() & flags::READ) != 0 +    } + +    /// Try to clear the `VM_MAYREAD` flag, failing if `VM_READ` is set. +    /// +    /// This flag indicates whether userspace is allowed to make this vma readable with +    /// `mprotect()`. +    /// +    /// Note that this operation is irreversible. Once `VM_MAYREAD` has been cleared, it can never +    /// be set again. +    #[inline] +    pub fn try_clear_mayread(&self) -> Result { +        if self.readable() { +            return Err(EINVAL); +        } +        // SAFETY: Clearing `VM_MAYREAD` is okay when `VM_READ` is not set. +        unsafe { self.update_flags(0, flags::MAYREAD) }; +        Ok(()) +    } + +    /// Returns whether `VM_WRITE` is set. +    /// +    /// This flag indicates whether userspace is mapping this vma as writable. +    #[inline] +    pub fn writable(&self) -> bool { +        (self.flags() & flags::WRITE) != 0 +    } + +    /// Try to clear the `VM_MAYWRITE` flag, failing if `VM_WRITE` is set. +    /// +    /// This flag indicates whether userspace is allowed to make this vma writable with +    /// `mprotect()`. +    /// +    /// Note that this operation is irreversible. Once `VM_MAYWRITE` has been cleared, it can never +    /// be set again. +    #[inline] +    pub fn try_clear_maywrite(&self) -> Result { +        if self.writable() { +            return Err(EINVAL); +        } +        // SAFETY: Clearing `VM_MAYWRITE` is okay when `VM_WRITE` is not set. +        unsafe { self.update_flags(0, flags::MAYWRITE) }; +        Ok(()) +    } + +    /// Returns whether `VM_EXEC` is set. +    /// +    /// This flag indicates whether userspace is mapping this vma as executable. +    #[inline] +    pub fn executable(&self) -> bool { +        (self.flags() & flags::EXEC) != 0 +    } + +    /// Try to clear the `VM_MAYEXEC` flag, failing if `VM_EXEC` is set. +    /// +    /// This flag indicates whether userspace is allowed to make this vma executable with +    /// `mprotect()`. +    /// +    /// Note that this operation is irreversible. Once `VM_MAYEXEC` has been cleared, it can never +    /// be set again. +    #[inline] +    pub fn try_clear_mayexec(&self) -> Result { +        if self.executable() { +            return Err(EINVAL); +        } +        // SAFETY: Clearing `VM_MAYEXEC` is okay when `VM_EXEC` is not set. +        unsafe { self.update_flags(0, flags::MAYEXEC) }; +        Ok(()) +    } +} + +/// The integer type used for vma flags. +#[doc(inline)] +pub use bindings::vm_flags_t; + +/// All possible flags for [`VmaRef`]. +pub mod flags { +    use super::vm_flags_t; +    use crate::bindings; + +    /// No flags are set. +    pub const NONE: vm_flags_t = bindings::VM_NONE as _; + +    /// Mapping allows reads. +    pub const READ: vm_flags_t = bindings::VM_READ as _; + +    /// Mapping allows writes. +    pub const WRITE: vm_flags_t = bindings::VM_WRITE as _; + +    /// Mapping allows execution. +    pub const EXEC: vm_flags_t = bindings::VM_EXEC as _; + +    /// Mapping is shared. +    pub const SHARED: vm_flags_t = bindings::VM_SHARED as _; + +    /// Mapping may be updated to allow reads. +    pub const MAYREAD: vm_flags_t = bindings::VM_MAYREAD as _; + +    /// Mapping may be updated to allow writes. +    pub const MAYWRITE: vm_flags_t = bindings::VM_MAYWRITE as _; + +    /// Mapping may be updated to allow execution. +    pub const MAYEXEC: vm_flags_t = bindings::VM_MAYEXEC as _; + +    /// Mapping may be updated to be shared. +    pub const MAYSHARE: vm_flags_t = bindings::VM_MAYSHARE as _; + +    /// Page-ranges managed without `struct page`, just pure PFN. +    pub const PFNMAP: vm_flags_t = bindings::VM_PFNMAP as _; + +    /// Memory mapped I/O or similar. +    pub const IO: vm_flags_t = bindings::VM_IO as _; + +    /// Do not copy this vma on fork. +    pub const DONTCOPY: vm_flags_t = bindings::VM_DONTCOPY as _; + +    /// Cannot expand with mremap(). +    pub const DONTEXPAND: vm_flags_t = bindings::VM_DONTEXPAND as _; + +    /// Lock the pages covered when they are faulted in. +    pub const LOCKONFAULT: vm_flags_t = bindings::VM_LOCKONFAULT as _; + +    /// Is a VM accounted object. +    pub const ACCOUNT: vm_flags_t = bindings::VM_ACCOUNT as _; + +    /// Should the VM suppress accounting. +    pub const NORESERVE: vm_flags_t = bindings::VM_NORESERVE as _; + +    /// Huge TLB Page VM. +    pub const HUGETLB: vm_flags_t = bindings::VM_HUGETLB as _; + +    /// Synchronous page faults. (DAX-specific) +    pub const SYNC: vm_flags_t = bindings::VM_SYNC as _; + +    /// Architecture-specific flag. +    pub const ARCH_1: vm_flags_t = bindings::VM_ARCH_1 as _; + +    /// Wipe VMA contents in child on fork. +    pub const WIPEONFORK: vm_flags_t = bindings::VM_WIPEONFORK as _; + +    /// Do not include in the core dump. +    pub const DONTDUMP: vm_flags_t = bindings::VM_DONTDUMP as _; + +    /// Not soft dirty clean area. +    pub const SOFTDIRTY: vm_flags_t = bindings::VM_SOFTDIRTY as _; + +    /// Can contain `struct page` and pure PFN pages. +    pub const MIXEDMAP: vm_flags_t = bindings::VM_MIXEDMAP as _; + +    /// MADV_HUGEPAGE marked this vma. +    pub const HUGEPAGE: vm_flags_t = bindings::VM_HUGEPAGE as _; + +    /// MADV_NOHUGEPAGE marked this vma. +    pub const NOHUGEPAGE: vm_flags_t = bindings::VM_NOHUGEPAGE as _; + +    /// KSM may merge identical pages. +    pub const MERGEABLE: vm_flags_t = bindings::VM_MERGEABLE as _; +} diff --git a/rust/kernel/net/phy.rs b/rust/kernel/net/phy.rs index a59469c785e3..32ea43ece646 100644 --- a/rust/kernel/net/phy.rs +++ b/rust/kernel/net/phy.rs @@ -421,6 +421,7 @@ impl<T: Driver> Adapter<T> {      /// `phydev` must be passed by the corresponding callback in `phy_driver`.      unsafe extern "C" fn match_phy_device_callback(          phydev: *mut bindings::phy_device, +        _phydrv: *const bindings::phy_driver,      ) -> crate::ffi::c_int {          // SAFETY: This callback is called only in contexts          // where we hold `phy_device->lock`, so the accessors on diff --git a/rust/kernel/opp.rs b/rust/kernel/opp.rs new file mode 100644 index 000000000000..a566fc3e7dcb --- /dev/null +++ b/rust/kernel/opp.rs @@ -0,0 +1,1146 @@ +// SPDX-License-Identifier: GPL-2.0 + +//! Operating performance points. +//! +//! This module provides rust abstractions for interacting with the OPP subsystem. +//! +//! C header: [`include/linux/pm_opp.h`](srctree/include/linux/pm_opp.h) +//! +//! Reference: <https://docs.kernel.org/power/opp.html> + +use crate::{ +    clk::Hertz, +    cpumask::{Cpumask, CpumaskVar}, +    device::Device, +    error::{code::*, from_err_ptr, from_result, to_result, Error, Result, VTABLE_DEFAULT_ERROR}, +    ffi::c_ulong, +    prelude::*, +    str::CString, +    types::{ARef, AlwaysRefCounted, Opaque}, +}; + +#[cfg(CONFIG_CPU_FREQ)] +/// Frequency table implementation. +mod freq { +    use super::*; +    use crate::cpufreq; +    use core::ops::Deref; + +    /// OPP frequency table. +    /// +    /// A [`cpufreq::Table`] created from [`Table`]. +    pub struct FreqTable { +        dev: ARef<Device>, +        ptr: *mut bindings::cpufreq_frequency_table, +    } + +    impl FreqTable { +        /// Creates a new instance of [`FreqTable`] from [`Table`]. +        pub(crate) fn new(table: &Table) -> Result<Self> { +            let mut ptr: *mut bindings::cpufreq_frequency_table = ptr::null_mut(); + +            // SAFETY: The requirements are satisfied by the existence of [`Device`] and its safety +            // requirements. +            to_result(unsafe { +                bindings::dev_pm_opp_init_cpufreq_table(table.dev.as_raw(), &mut ptr) +            })?; + +            Ok(Self { +                dev: table.dev.clone(), +                ptr, +            }) +        } + +        /// Returns a reference to the underlying [`cpufreq::Table`]. +        #[inline] +        fn table(&self) -> &cpufreq::Table { +            // SAFETY: The `ptr` is guaranteed by the C code to be valid. +            unsafe { cpufreq::Table::from_raw(self.ptr) } +        } +    } + +    impl Deref for FreqTable { +        type Target = cpufreq::Table; + +        #[inline] +        fn deref(&self) -> &Self::Target { +            self.table() +        } +    } + +    impl Drop for FreqTable { +        fn drop(&mut self) { +            // SAFETY: The pointer was created via `dev_pm_opp_init_cpufreq_table`, and is only +            // freed here. +            unsafe { +                bindings::dev_pm_opp_free_cpufreq_table(self.dev.as_raw(), &mut self.as_raw()) +            }; +        } +    } +} + +#[cfg(CONFIG_CPU_FREQ)] +pub use freq::FreqTable; + +use core::{marker::PhantomData, ptr}; + +use macros::vtable; + +/// Creates a null-terminated slice of pointers to [`Cstring`]s. +fn to_c_str_array(names: &[CString]) -> Result<KVec<*const u8>> { +    // Allocated a null-terminated vector of pointers. +    let mut list = KVec::with_capacity(names.len() + 1, GFP_KERNEL)?; + +    for name in names.iter() { +        list.push(name.as_ptr() as _, GFP_KERNEL)?; +    } + +    list.push(ptr::null(), GFP_KERNEL)?; +    Ok(list) +} + +/// The voltage unit. +/// +/// Represents voltage in microvolts, wrapping a [`c_ulong`] value. +/// +/// ## Examples +/// +/// ``` +/// use kernel::opp::MicroVolt; +/// +/// let raw = 90500; +/// let volt = MicroVolt(raw); +/// +/// assert_eq!(usize::from(volt), raw); +/// assert_eq!(volt, MicroVolt(raw)); +/// ``` +#[derive(Copy, Clone, PartialEq, Eq, Debug)] +pub struct MicroVolt(pub c_ulong); + +impl From<MicroVolt> for c_ulong { +    #[inline] +    fn from(volt: MicroVolt) -> Self { +        volt.0 +    } +} + +/// The power unit. +/// +/// Represents power in microwatts, wrapping a [`c_ulong`] value. +/// +/// ## Examples +/// +/// ``` +/// use kernel::opp::MicroWatt; +/// +/// let raw = 1000000; +/// let power = MicroWatt(raw); +/// +/// assert_eq!(usize::from(power), raw); +/// assert_eq!(power, MicroWatt(raw)); +/// ``` +#[derive(Copy, Clone, PartialEq, Eq, Debug)] +pub struct MicroWatt(pub c_ulong); + +impl From<MicroWatt> for c_ulong { +    #[inline] +    fn from(power: MicroWatt) -> Self { +        power.0 +    } +} + +/// Handle for a dynamically created [`OPP`]. +/// +/// The associated [`OPP`] is automatically removed when the [`Token`] is dropped. +/// +/// ## Examples +/// +/// The following example demonstrates how to create an [`OPP`] dynamically. +/// +/// ``` +/// use kernel::clk::Hertz; +/// use kernel::device::Device; +/// use kernel::error::Result; +/// use kernel::opp::{Data, MicroVolt, Token}; +/// use kernel::types::ARef; +/// +/// fn create_opp(dev: &ARef<Device>, freq: Hertz, volt: MicroVolt, level: u32) -> Result<Token> { +///     let data = Data::new(freq, volt, level, false); +/// +///     // OPP is removed once token goes out of scope. +///     data.add_opp(dev) +/// } +/// ``` +pub struct Token { +    dev: ARef<Device>, +    freq: Hertz, +} + +impl Token { +    /// Dynamically adds an [`OPP`] and returns a [`Token`] that removes it on drop. +    fn new(dev: &ARef<Device>, mut data: Data) -> Result<Self> { +        // SAFETY: The requirements are satisfied by the existence of [`Device`] and its safety +        // requirements. +        to_result(unsafe { bindings::dev_pm_opp_add_dynamic(dev.as_raw(), &mut data.0) })?; +        Ok(Self { +            dev: dev.clone(), +            freq: data.freq(), +        }) +    } +} + +impl Drop for Token { +    fn drop(&mut self) { +        // SAFETY: The requirements are satisfied by the existence of [`Device`] and its safety +        // requirements. +        unsafe { bindings::dev_pm_opp_remove(self.dev.as_raw(), self.freq.into()) }; +    } +} + +/// OPP data. +/// +/// Rust abstraction for the C `struct dev_pm_opp_data`, used to define operating performance +/// points (OPPs) dynamically. +/// +/// ## Examples +/// +/// The following example demonstrates how to create an [`OPP`] with [`Data`]. +/// +/// ``` +/// use kernel::clk::Hertz; +/// use kernel::device::Device; +/// use kernel::error::Result; +/// use kernel::opp::{Data, MicroVolt, Token}; +/// use kernel::types::ARef; +/// +/// fn create_opp(dev: &ARef<Device>, freq: Hertz, volt: MicroVolt, level: u32) -> Result<Token> { +///     let data = Data::new(freq, volt, level, false); +/// +///     // OPP is removed once token goes out of scope. +///     data.add_opp(dev) +/// } +/// ``` +#[repr(transparent)] +pub struct Data(bindings::dev_pm_opp_data); + +impl Data { +    /// Creates a new instance of [`Data`]. +    /// +    /// This can be used to define a dynamic OPP to be added to a device. +    pub fn new(freq: Hertz, volt: MicroVolt, level: u32, turbo: bool) -> Self { +        Self(bindings::dev_pm_opp_data { +            turbo, +            freq: freq.into(), +            u_volt: volt.into(), +            level, +        }) +    } + +    /// Adds an [`OPP`] dynamically. +    /// +    /// Returns a [`Token`] that ensures the OPP is automatically removed +    /// when it goes out of scope. +    #[inline] +    pub fn add_opp(self, dev: &ARef<Device>) -> Result<Token> { +        Token::new(dev, self) +    } + +    /// Returns the frequency associated with this OPP data. +    #[inline] +    fn freq(&self) -> Hertz { +        Hertz(self.0.freq) +    } +} + +/// [`OPP`] search options. +/// +/// ## Examples +/// +/// Defines how to search for an [`OPP`] in a [`Table`] relative to a frequency. +/// +/// ``` +/// use kernel::clk::Hertz; +/// use kernel::error::Result; +/// use kernel::opp::{OPP, SearchType, Table}; +/// use kernel::types::ARef; +/// +/// fn find_opp(table: &Table, freq: Hertz) -> Result<ARef<OPP>> { +///     let opp = table.opp_from_freq(freq, Some(true), None, SearchType::Exact)?; +/// +///     pr_info!("OPP frequency is: {:?}\n", opp.freq(None)); +///     pr_info!("OPP voltage is: {:?}\n", opp.voltage()); +///     pr_info!("OPP level is: {}\n", opp.level()); +///     pr_info!("OPP power is: {:?}\n", opp.power()); +/// +///     Ok(opp) +/// } +/// ``` +#[derive(Copy, Clone, Debug, Eq, PartialEq)] +pub enum SearchType { +    /// Match the exact frequency. +    Exact, +    /// Find the highest frequency less than or equal to the given value. +    Floor, +    /// Find the lowest frequency greater than or equal to the given value. +    Ceil, +} + +/// OPP configuration callbacks. +/// +/// Implement this trait to customize OPP clock and regulator setup for your device. +#[vtable] +pub trait ConfigOps { +    /// This is typically used to scale clocks when transitioning between OPPs. +    #[inline] +    fn config_clks(_dev: &Device, _table: &Table, _opp: &OPP, _scaling_down: bool) -> Result { +        build_error!(VTABLE_DEFAULT_ERROR) +    } + +    /// This provides access to the old and new OPPs, allowing for safe regulator adjustments. +    #[inline] +    fn config_regulators( +        _dev: &Device, +        _opp_old: &OPP, +        _opp_new: &OPP, +        _data: *mut *mut bindings::regulator, +        _count: u32, +    ) -> Result { +        build_error!(VTABLE_DEFAULT_ERROR) +    } +} + +/// OPP configuration token. +/// +/// Returned by the OPP core when configuration is applied to a [`Device`]. The associated +/// configuration is automatically cleared when the token is dropped. +pub struct ConfigToken(i32); + +impl Drop for ConfigToken { +    fn drop(&mut self) { +        // SAFETY: This is the same token value returned by the C code via `dev_pm_opp_set_config`. +        unsafe { bindings::dev_pm_opp_clear_config(self.0) }; +    } +} + +/// OPP configurations. +/// +/// Rust abstraction for the C `struct dev_pm_opp_config`. +/// +/// ## Examples +/// +/// The following example demonstrates how to set OPP property-name configuration for a [`Device`]. +/// +/// ``` +/// use kernel::device::Device; +/// use kernel::error::Result; +/// use kernel::opp::{Config, ConfigOps, ConfigToken}; +/// use kernel::str::CString; +/// use kernel::types::ARef; +/// use kernel::macros::vtable; +/// +/// #[derive(Default)] +/// struct Driver; +/// +/// #[vtable] +/// impl ConfigOps for Driver {} +/// +/// fn configure(dev: &ARef<Device>) -> Result<ConfigToken> { +///     let name = CString::try_from_fmt(fmt!("{}", "slow"))?; +/// +///     // The OPP configuration is cleared once the [`ConfigToken`] goes out of scope. +///     Config::<Driver>::new() +///         .set_prop_name(name)? +///         .set(dev) +/// } +/// ``` +#[derive(Default)] +pub struct Config<T: ConfigOps> +where +    T: Default, +{ +    clk_names: Option<KVec<CString>>, +    prop_name: Option<CString>, +    regulator_names: Option<KVec<CString>>, +    supported_hw: Option<KVec<u32>>, + +    // Tuple containing (required device, index) +    required_dev: Option<(ARef<Device>, u32)>, +    _data: PhantomData<T>, +} + +impl<T: ConfigOps + Default> Config<T> { +    /// Creates a new instance of [`Config`]. +    #[inline] +    pub fn new() -> Self { +        Self::default() +    } + +    /// Initializes clock names. +    pub fn set_clk_names(mut self, names: KVec<CString>) -> Result<Self> { +        if self.clk_names.is_some() { +            return Err(EBUSY); +        } + +        if names.is_empty() { +            return Err(EINVAL); +        } + +        self.clk_names = Some(names); +        Ok(self) +    } + +    /// Initializes property name. +    pub fn set_prop_name(mut self, name: CString) -> Result<Self> { +        if self.prop_name.is_some() { +            return Err(EBUSY); +        } + +        self.prop_name = Some(name); +        Ok(self) +    } + +    /// Initializes regulator names. +    pub fn set_regulator_names(mut self, names: KVec<CString>) -> Result<Self> { +        if self.regulator_names.is_some() { +            return Err(EBUSY); +        } + +        if names.is_empty() { +            return Err(EINVAL); +        } + +        self.regulator_names = Some(names); + +        Ok(self) +    } + +    /// Initializes required devices. +    pub fn set_required_dev(mut self, dev: ARef<Device>, index: u32) -> Result<Self> { +        if self.required_dev.is_some() { +            return Err(EBUSY); +        } + +        self.required_dev = Some((dev, index)); +        Ok(self) +    } + +    /// Initializes supported hardware. +    pub fn set_supported_hw(mut self, hw: KVec<u32>) -> Result<Self> { +        if self.supported_hw.is_some() { +            return Err(EBUSY); +        } + +        if hw.is_empty() { +            return Err(EINVAL); +        } + +        self.supported_hw = Some(hw); +        Ok(self) +    } + +    /// Sets the configuration with the OPP core. +    /// +    /// The returned [`ConfigToken`] will remove the configuration when dropped. +    pub fn set(self, dev: &Device) -> Result<ConfigToken> { +        let (_clk_list, clk_names) = match &self.clk_names { +            Some(x) => { +                let list = to_c_str_array(x)?; +                let ptr = list.as_ptr(); +                (Some(list), ptr) +            } +            None => (None, ptr::null()), +        }; + +        let (_regulator_list, regulator_names) = match &self.regulator_names { +            Some(x) => { +                let list = to_c_str_array(x)?; +                let ptr = list.as_ptr(); +                (Some(list), ptr) +            } +            None => (None, ptr::null()), +        }; + +        let prop_name = self +            .prop_name +            .as_ref() +            .map_or(ptr::null(), |p| p.as_char_ptr()); + +        let (supported_hw, supported_hw_count) = self +            .supported_hw +            .as_ref() +            .map_or((ptr::null(), 0), |hw| (hw.as_ptr(), hw.len() as u32)); + +        let (required_dev, required_dev_index) = self +            .required_dev +            .as_ref() +            .map_or((ptr::null_mut(), 0), |(dev, idx)| (dev.as_raw(), *idx)); + +        let mut config = bindings::dev_pm_opp_config { +            clk_names, +            config_clks: if T::HAS_CONFIG_CLKS { +                Some(Self::config_clks) +            } else { +                None +            }, +            prop_name, +            regulator_names, +            config_regulators: if T::HAS_CONFIG_REGULATORS { +                Some(Self::config_regulators) +            } else { +                None +            }, +            supported_hw, +            supported_hw_count, + +            required_dev, +            required_dev_index, +        }; + +        // SAFETY: The requirements are satisfied by the existence of [`Device`] and its safety +        // requirements. The OPP core guarantees not to access fields of [`Config`] after this call +        // and so we don't need to save a copy of them for future use. +        let ret = unsafe { bindings::dev_pm_opp_set_config(dev.as_raw(), &mut config) }; +        if ret < 0 { +            Err(Error::from_errno(ret)) +        } else { +            Ok(ConfigToken(ret)) +        } +    } + +    /// Config's clk callback. +    /// +    /// SAFETY: Called from C. Inputs must be valid pointers. +    extern "C" fn config_clks( +        dev: *mut bindings::device, +        opp_table: *mut bindings::opp_table, +        opp: *mut bindings::dev_pm_opp, +        _data: *mut kernel::ffi::c_void, +        scaling_down: bool, +    ) -> kernel::ffi::c_int { +        from_result(|| { +            // SAFETY: 'dev' is guaranteed by the C code to be valid. +            let dev = unsafe { Device::get_device(dev) }; +            T::config_clks( +                &dev, +                // SAFETY: 'opp_table' is guaranteed by the C code to be valid. +                &unsafe { Table::from_raw_table(opp_table, &dev) }, +                // SAFETY: 'opp' is guaranteed by the C code to be valid. +                unsafe { OPP::from_raw_opp(opp)? }, +                scaling_down, +            ) +            .map(|()| 0) +        }) +    } + +    /// Config's regulator callback. +    /// +    /// SAFETY: Called from C. Inputs must be valid pointers. +    extern "C" fn config_regulators( +        dev: *mut bindings::device, +        old_opp: *mut bindings::dev_pm_opp, +        new_opp: *mut bindings::dev_pm_opp, +        regulators: *mut *mut bindings::regulator, +        count: kernel::ffi::c_uint, +    ) -> kernel::ffi::c_int { +        from_result(|| { +            // SAFETY: 'dev' is guaranteed by the C code to be valid. +            let dev = unsafe { Device::get_device(dev) }; +            T::config_regulators( +                &dev, +                // SAFETY: 'old_opp' is guaranteed by the C code to be valid. +                unsafe { OPP::from_raw_opp(old_opp)? }, +                // SAFETY: 'new_opp' is guaranteed by the C code to be valid. +                unsafe { OPP::from_raw_opp(new_opp)? }, +                regulators, +                count, +            ) +            .map(|()| 0) +        }) +    } +} + +/// A reference-counted OPP table. +/// +/// Rust abstraction for the C `struct opp_table`. +/// +/// # Invariants +/// +/// The pointer stored in `Self` is non-null and valid for the lifetime of the [`Table`]. +/// +/// Instances of this type are reference-counted. +/// +/// ## Examples +/// +/// The following example demonstrates how to get OPP [`Table`] for a [`Cpumask`] and set its +/// frequency. +/// +/// ``` +/// # #![cfg(CONFIG_OF)] +/// use kernel::clk::Hertz; +/// use kernel::cpumask::Cpumask; +/// use kernel::device::Device; +/// use kernel::error::Result; +/// use kernel::opp::Table; +/// use kernel::types::ARef; +/// +/// fn get_table(dev: &ARef<Device>, mask: &mut Cpumask, freq: Hertz) -> Result<Table> { +///     let mut opp_table = Table::from_of_cpumask(dev, mask)?; +/// +///     if opp_table.opp_count()? == 0 { +///         return Err(EINVAL); +///     } +/// +///     pr_info!("Max transition latency is: {} ns\n", opp_table.max_transition_latency_ns()); +///     pr_info!("Suspend frequency is: {:?}\n", opp_table.suspend_freq()); +/// +///     opp_table.set_rate(freq)?; +///     Ok(opp_table) +/// } +/// ``` +pub struct Table { +    ptr: *mut bindings::opp_table, +    dev: ARef<Device>, +    #[allow(dead_code)] +    em: bool, +    #[allow(dead_code)] +    of: bool, +    cpus: Option<CpumaskVar>, +} + +/// SAFETY: It is okay to send ownership of [`Table`] across thread boundaries. +unsafe impl Send for Table {} + +/// SAFETY: It is okay to access [`Table`] through shared references from other threads because +/// we're either accessing properties that don't change or that are properly synchronised by C code. +unsafe impl Sync for Table {} + +impl Table { +    /// Creates a new reference-counted [`Table`] from a raw pointer. +    /// +    /// # Safety +    /// +    /// Callers must ensure that `ptr` is valid and non-null. +    unsafe fn from_raw_table(ptr: *mut bindings::opp_table, dev: &ARef<Device>) -> Self { +        // SAFETY: By the safety requirements, ptr is valid and its refcount will be incremented. +        // +        // INVARIANT: The reference-count is decremented when [`Table`] goes out of scope. +        unsafe { bindings::dev_pm_opp_get_opp_table_ref(ptr) }; + +        Self { +            ptr, +            dev: dev.clone(), +            em: false, +            of: false, +            cpus: None, +        } +    } + +    /// Creates a new reference-counted [`Table`] instance for a [`Device`]. +    pub fn from_dev(dev: &Device) -> Result<Self> { +        // SAFETY: The requirements are satisfied by the existence of the [`Device`] and its safety +        // requirements. +        // +        // INVARIANT: The reference-count is incremented by the C code and is decremented when +        // [`Table`] goes out of scope. +        let ptr = from_err_ptr(unsafe { bindings::dev_pm_opp_get_opp_table(dev.as_raw()) })?; + +        Ok(Self { +            ptr, +            dev: dev.into(), +            em: false, +            of: false, +            cpus: None, +        }) +    } + +    /// Creates a new reference-counted [`Table`] instance for a [`Device`] based on device tree +    /// entries. +    #[cfg(CONFIG_OF)] +    pub fn from_of(dev: &ARef<Device>, index: i32) -> Result<Self> { +        // SAFETY: The requirements are satisfied by the existence of the [`Device`] and its safety +        // requirements. +        // +        // INVARIANT: The reference-count is incremented by the C code and is decremented when +        // [`Table`] goes out of scope. +        to_result(unsafe { bindings::dev_pm_opp_of_add_table_indexed(dev.as_raw(), index) })?; + +        // Get the newly created [`Table`]. +        let mut table = Self::from_dev(dev)?; +        table.of = true; + +        Ok(table) +    } + +    /// Remove device tree based [`Table`]. +    #[cfg(CONFIG_OF)] +    #[inline] +    fn remove_of(&self) { +        // SAFETY: The requirements are satisfied by the existence of the [`Device`] and its safety +        // requirements. We took the reference from [`from_of`] earlier, it is safe to drop the +        // same now. +        unsafe { bindings::dev_pm_opp_of_remove_table(self.dev.as_raw()) }; +    } + +    /// Creates a new reference-counted [`Table`] instance for a [`Cpumask`] based on device tree +    /// entries. +    #[cfg(CONFIG_OF)] +    pub fn from_of_cpumask(dev: &Device, cpumask: &mut Cpumask) -> Result<Self> { +        // SAFETY: The cpumask is valid and the returned pointer will be owned by the [`Table`] +        // instance. +        // +        // INVARIANT: The reference-count is incremented by the C code and is decremented when +        // [`Table`] goes out of scope. +        to_result(unsafe { bindings::dev_pm_opp_of_cpumask_add_table(cpumask.as_raw()) })?; + +        // Fetch the newly created table. +        let mut table = Self::from_dev(dev)?; +        table.cpus = Some(CpumaskVar::try_clone(cpumask)?); + +        Ok(table) +    } + +    /// Remove device tree based [`Table`] for a [`Cpumask`]. +    #[cfg(CONFIG_OF)] +    #[inline] +    fn remove_of_cpumask(&self, cpumask: &Cpumask) { +        // SAFETY: The cpumask is valid and we took the reference from [`from_of_cpumask`] earlier, +        // it is safe to drop the same now. +        unsafe { bindings::dev_pm_opp_of_cpumask_remove_table(cpumask.as_raw()) }; +    } + +    /// Returns the number of [`OPP`]s in the [`Table`]. +    pub fn opp_count(&self) -> Result<u32> { +        // SAFETY: The requirements are satisfied by the existence of [`Device`] and its safety +        // requirements. +        let ret = unsafe { bindings::dev_pm_opp_get_opp_count(self.dev.as_raw()) }; +        if ret < 0 { +            Err(Error::from_errno(ret)) +        } else { +            Ok(ret as u32) +        } +    } + +    /// Returns max clock latency (in nanoseconds) of the [`OPP`]s in the [`Table`]. +    #[inline] +    pub fn max_clock_latency_ns(&self) -> usize { +        // SAFETY: The requirements are satisfied by the existence of [`Device`] and its safety +        // requirements. +        unsafe { bindings::dev_pm_opp_get_max_clock_latency(self.dev.as_raw()) } +    } + +    /// Returns max volt latency (in nanoseconds) of the [`OPP`]s in the [`Table`]. +    #[inline] +    pub fn max_volt_latency_ns(&self) -> usize { +        // SAFETY: The requirements are satisfied by the existence of [`Device`] and its safety +        // requirements. +        unsafe { bindings::dev_pm_opp_get_max_volt_latency(self.dev.as_raw()) } +    } + +    /// Returns max transition latency (in nanoseconds) of the [`OPP`]s in the [`Table`]. +    #[inline] +    pub fn max_transition_latency_ns(&self) -> usize { +        // SAFETY: The requirements are satisfied by the existence of [`Device`] and its safety +        // requirements. +        unsafe { bindings::dev_pm_opp_get_max_transition_latency(self.dev.as_raw()) } +    } + +    /// Returns the suspend [`OPP`]'s frequency. +    #[inline] +    pub fn suspend_freq(&self) -> Hertz { +        // SAFETY: The requirements are satisfied by the existence of [`Device`] and its safety +        // requirements. +        Hertz(unsafe { bindings::dev_pm_opp_get_suspend_opp_freq(self.dev.as_raw()) }) +    } + +    /// Synchronizes regulators used by the [`Table`]. +    #[inline] +    pub fn sync_regulators(&self) -> Result { +        // SAFETY: The requirements are satisfied by the existence of [`Device`] and its safety +        // requirements. +        to_result(unsafe { bindings::dev_pm_opp_sync_regulators(self.dev.as_raw()) }) +    } + +    /// Gets sharing CPUs. +    #[inline] +    pub fn sharing_cpus(dev: &Device, cpumask: &mut Cpumask) -> Result { +        // SAFETY: The requirements are satisfied by the existence of [`Device`] and its safety +        // requirements. +        to_result(unsafe { bindings::dev_pm_opp_get_sharing_cpus(dev.as_raw(), cpumask.as_raw()) }) +    } + +    /// Sets sharing CPUs. +    pub fn set_sharing_cpus(&mut self, cpumask: &mut Cpumask) -> Result { +        // SAFETY: The requirements are satisfied by the existence of [`Device`] and its safety +        // requirements. +        to_result(unsafe { +            bindings::dev_pm_opp_set_sharing_cpus(self.dev.as_raw(), cpumask.as_raw()) +        })?; + +        if let Some(mask) = self.cpus.as_mut() { +            // Update the cpumask as this will be used while removing the table. +            cpumask.copy(mask); +        } + +        Ok(()) +    } + +    /// Gets sharing CPUs from device tree. +    #[cfg(CONFIG_OF)] +    #[inline] +    pub fn of_sharing_cpus(dev: &Device, cpumask: &mut Cpumask) -> Result { +        // SAFETY: The requirements are satisfied by the existence of [`Device`] and its safety +        // requirements. +        to_result(unsafe { +            bindings::dev_pm_opp_of_get_sharing_cpus(dev.as_raw(), cpumask.as_raw()) +        }) +    } + +    /// Updates the voltage value for an [`OPP`]. +    #[inline] +    pub fn adjust_voltage( +        &self, +        freq: Hertz, +        volt: MicroVolt, +        volt_min: MicroVolt, +        volt_max: MicroVolt, +    ) -> Result { +        // SAFETY: The requirements are satisfied by the existence of [`Device`] and its safety +        // requirements. +        to_result(unsafe { +            bindings::dev_pm_opp_adjust_voltage( +                self.dev.as_raw(), +                freq.into(), +                volt.into(), +                volt_min.into(), +                volt_max.into(), +            ) +        }) +    } + +    /// Creates [`FreqTable`] from [`Table`]. +    #[cfg(CONFIG_CPU_FREQ)] +    #[inline] +    pub fn cpufreq_table(&mut self) -> Result<FreqTable> { +        FreqTable::new(self) +    } + +    /// Configures device with [`OPP`] matching the frequency value. +    #[inline] +    pub fn set_rate(&self, freq: Hertz) -> Result { +        // SAFETY: The requirements are satisfied by the existence of [`Device`] and its safety +        // requirements. +        to_result(unsafe { bindings::dev_pm_opp_set_rate(self.dev.as_raw(), freq.into()) }) +    } + +    /// Configures device with [`OPP`]. +    #[inline] +    pub fn set_opp(&self, opp: &OPP) -> Result { +        // SAFETY: The requirements are satisfied by the existence of [`Device`] and its safety +        // requirements. +        to_result(unsafe { bindings::dev_pm_opp_set_opp(self.dev.as_raw(), opp.as_raw()) }) +    } + +    /// Finds [`OPP`] based on frequency. +    pub fn opp_from_freq( +        &self, +        freq: Hertz, +        available: Option<bool>, +        index: Option<u32>, +        stype: SearchType, +    ) -> Result<ARef<OPP>> { +        let raw_dev = self.dev.as_raw(); +        let index = index.unwrap_or(0); +        let mut rate = freq.into(); + +        let ptr = from_err_ptr(match stype { +            SearchType::Exact => { +                if let Some(available) = available { +                    // SAFETY: The requirements are satisfied by the existence of [`Device`] and +                    // its safety requirements. The returned pointer will be owned by the new +                    // [`OPP`] instance. +                    unsafe { +                        bindings::dev_pm_opp_find_freq_exact_indexed( +                            raw_dev, rate, index, available, +                        ) +                    } +                } else { +                    return Err(EINVAL); +                } +            } + +            // SAFETY: The requirements are satisfied by the existence of [`Device`] and its safety +            // requirements. The returned pointer will be owned by the new [`OPP`] instance. +            SearchType::Ceil => unsafe { +                bindings::dev_pm_opp_find_freq_ceil_indexed(raw_dev, &mut rate, index) +            }, + +            // SAFETY: The requirements are satisfied by the existence of [`Device`] and its safety +            // requirements. The returned pointer will be owned by the new [`OPP`] instance. +            SearchType::Floor => unsafe { +                bindings::dev_pm_opp_find_freq_floor_indexed(raw_dev, &mut rate, index) +            }, +        })?; + +        // SAFETY: The `ptr` is guaranteed by the C code to be valid. +        unsafe { OPP::from_raw_opp_owned(ptr) } +    } + +    /// Finds [`OPP`] based on level. +    pub fn opp_from_level(&self, mut level: u32, stype: SearchType) -> Result<ARef<OPP>> { +        let raw_dev = self.dev.as_raw(); + +        let ptr = from_err_ptr(match stype { +            // SAFETY: The requirements are satisfied by the existence of [`Device`] and its safety +            // requirements. The returned pointer will be owned by the new [`OPP`] instance. +            SearchType::Exact => unsafe { bindings::dev_pm_opp_find_level_exact(raw_dev, level) }, + +            // SAFETY: The requirements are satisfied by the existence of [`Device`] and its safety +            // requirements. The returned pointer will be owned by the new [`OPP`] instance. +            SearchType::Ceil => unsafe { +                bindings::dev_pm_opp_find_level_ceil(raw_dev, &mut level) +            }, + +            // SAFETY: The requirements are satisfied by the existence of [`Device`] and its safety +            // requirements. The returned pointer will be owned by the new [`OPP`] instance. +            SearchType::Floor => unsafe { +                bindings::dev_pm_opp_find_level_floor(raw_dev, &mut level) +            }, +        })?; + +        // SAFETY: The `ptr` is guaranteed by the C code to be valid. +        unsafe { OPP::from_raw_opp_owned(ptr) } +    } + +    /// Finds [`OPP`] based on bandwidth. +    pub fn opp_from_bw(&self, mut bw: u32, index: i32, stype: SearchType) -> Result<ARef<OPP>> { +        let raw_dev = self.dev.as_raw(); + +        let ptr = from_err_ptr(match stype { +            // The OPP core doesn't support this yet. +            SearchType::Exact => return Err(EINVAL), + +            // SAFETY: The requirements are satisfied by the existence of [`Device`] and its safety +            // requirements. The returned pointer will be owned by the new [`OPP`] instance. +            SearchType::Ceil => unsafe { +                bindings::dev_pm_opp_find_bw_ceil(raw_dev, &mut bw, index) +            }, + +            // SAFETY: The requirements are satisfied by the existence of [`Device`] and its safety +            // requirements. The returned pointer will be owned by the new [`OPP`] instance. +            SearchType::Floor => unsafe { +                bindings::dev_pm_opp_find_bw_floor(raw_dev, &mut bw, index) +            }, +        })?; + +        // SAFETY: The `ptr` is guaranteed by the C code to be valid. +        unsafe { OPP::from_raw_opp_owned(ptr) } +    } + +    /// Enables the [`OPP`]. +    #[inline] +    pub fn enable_opp(&self, freq: Hertz) -> Result { +        // SAFETY: The requirements are satisfied by the existence of [`Device`] and its safety +        // requirements. +        to_result(unsafe { bindings::dev_pm_opp_enable(self.dev.as_raw(), freq.into()) }) +    } + +    /// Disables the [`OPP`]. +    #[inline] +    pub fn disable_opp(&self, freq: Hertz) -> Result { +        // SAFETY: The requirements are satisfied by the existence of [`Device`] and its safety +        // requirements. +        to_result(unsafe { bindings::dev_pm_opp_disable(self.dev.as_raw(), freq.into()) }) +    } + +    /// Registers with the Energy model. +    #[cfg(CONFIG_OF)] +    pub fn of_register_em(&mut self, cpumask: &mut Cpumask) -> Result { +        // SAFETY: The requirements are satisfied by the existence of [`Device`] and its safety +        // requirements. +        to_result(unsafe { +            bindings::dev_pm_opp_of_register_em(self.dev.as_raw(), cpumask.as_raw()) +        })?; + +        self.em = true; +        Ok(()) +    } + +    /// Unregisters with the Energy model. +    #[cfg(all(CONFIG_OF, CONFIG_ENERGY_MODEL))] +    #[inline] +    fn of_unregister_em(&self) { +        // SAFETY: The requirements are satisfied by the existence of [`Device`] and its safety +        // requirements. We registered with the EM framework earlier, it is safe to unregister now. +        unsafe { bindings::em_dev_unregister_perf_domain(self.dev.as_raw()) }; +    } +} + +impl Drop for Table { +    fn drop(&mut self) { +        // SAFETY: By the type invariants, we know that `self` owns a reference, so it is safe +        // to relinquish it now. +        unsafe { bindings::dev_pm_opp_put_opp_table(self.ptr) }; + +        #[cfg(CONFIG_OF)] +        { +            #[cfg(CONFIG_ENERGY_MODEL)] +            if self.em { +                self.of_unregister_em(); +            } + +            if self.of { +                self.remove_of(); +            } else if let Some(cpumask) = self.cpus.take() { +                self.remove_of_cpumask(&cpumask); +            } +        } +    } +} + +/// A reference-counted Operating performance point (OPP). +/// +/// Rust abstraction for the C `struct dev_pm_opp`. +/// +/// # Invariants +/// +/// The pointer stored in `Self` is non-null and valid for the lifetime of the [`OPP`]. +/// +/// Instances of this type are reference-counted. The reference count is incremented by the +/// `dev_pm_opp_get` function and decremented by `dev_pm_opp_put`. The Rust type `ARef<OPP>` +/// represents a pointer that owns a reference count on the [`OPP`]. +/// +/// A reference to the [`OPP`], &[`OPP`], isn't refcounted by the Rust code. +/// +/// ## Examples +/// +/// The following example demonstrates how to get [`OPP`] corresponding to a frequency value and +/// configure the device with it. +/// +/// ``` +/// use kernel::clk::Hertz; +/// use kernel::error::Result; +/// use kernel::opp::{SearchType, Table}; +/// +/// fn configure_opp(table: &Table, freq: Hertz) -> Result { +///     let opp = table.opp_from_freq(freq, Some(true), None, SearchType::Exact)?; +/// +///     if opp.freq(None) != freq { +///         return Err(EINVAL); +///     } +/// +///     table.set_opp(&opp) +/// } +/// ``` +#[repr(transparent)] +pub struct OPP(Opaque<bindings::dev_pm_opp>); + +/// SAFETY: It is okay to send the ownership of [`OPP`] across thread boundaries. +unsafe impl Send for OPP {} + +/// SAFETY: It is okay to access [`OPP`] through shared references from other threads because we're +/// either accessing properties that don't change or that are properly synchronised by C code. +unsafe impl Sync for OPP {} + +/// SAFETY: The type invariants guarantee that [`OPP`] is always refcounted. +unsafe impl AlwaysRefCounted for OPP { +    fn inc_ref(&self) { +        // SAFETY: The existence of a shared reference means that the refcount is nonzero. +        unsafe { bindings::dev_pm_opp_get(self.0.get()) }; +    } + +    unsafe fn dec_ref(obj: ptr::NonNull<Self>) { +        // SAFETY: The safety requirements guarantee that the refcount is nonzero. +        unsafe { bindings::dev_pm_opp_put(obj.cast().as_ptr()) } +    } +} + +impl OPP { +    /// Creates an owned reference to a [`OPP`] from a valid pointer. +    /// +    /// The refcount is incremented by the C code and will be decremented by `dec_ref` when the +    /// [`ARef`] object is dropped. +    /// +    /// # Safety +    /// +    /// The caller must ensure that `ptr` is valid and the refcount of the [`OPP`] is incremented. +    /// The caller must also ensure that it doesn't explicitly drop the refcount of the [`OPP`], as +    /// the returned [`ARef`] object takes over the refcount increment on the underlying object and +    /// the same will be dropped along with it. +    pub unsafe fn from_raw_opp_owned(ptr: *mut bindings::dev_pm_opp) -> Result<ARef<Self>> { +        let ptr = ptr::NonNull::new(ptr).ok_or(ENODEV)?; + +        // SAFETY: The safety requirements guarantee the validity of the pointer. +        // +        // INVARIANT: The reference-count is decremented when [`OPP`] goes out of scope. +        Ok(unsafe { ARef::from_raw(ptr.cast()) }) +    } + +    /// Creates a reference to a [`OPP`] from a valid pointer. +    /// +    /// The refcount is not updated by the Rust API unless the returned reference is converted to +    /// an [`ARef`] object. +    /// +    /// # Safety +    /// +    /// The caller must ensure that `ptr` is valid and remains valid for the duration of `'a`. +    #[inline] +    pub unsafe fn from_raw_opp<'a>(ptr: *mut bindings::dev_pm_opp) -> Result<&'a Self> { +        // SAFETY: The caller guarantees that the pointer is not dangling and stays valid for the +        // duration of 'a. The cast is okay because [`OPP`] is `repr(transparent)`. +        Ok(unsafe { &*ptr.cast() }) +    } + +    #[inline] +    fn as_raw(&self) -> *mut bindings::dev_pm_opp { +        self.0.get() +    } + +    /// Returns the frequency of an [`OPP`]. +    pub fn freq(&self, index: Option<u32>) -> Hertz { +        let index = index.unwrap_or(0); + +        // SAFETY: By the type invariants, we know that `self` owns a reference, so it is safe to +        // use it. +        Hertz(unsafe { bindings::dev_pm_opp_get_freq_indexed(self.as_raw(), index) }) +    } + +    /// Returns the voltage of an [`OPP`]. +    #[inline] +    pub fn voltage(&self) -> MicroVolt { +        // SAFETY: By the type invariants, we know that `self` owns a reference, so it is safe to +        // use it. +        MicroVolt(unsafe { bindings::dev_pm_opp_get_voltage(self.as_raw()) }) +    } + +    /// Returns the level of an [`OPP`]. +    #[inline] +    pub fn level(&self) -> u32 { +        // SAFETY: By the type invariants, we know that `self` owns a reference, so it is safe to +        // use it. +        unsafe { bindings::dev_pm_opp_get_level(self.as_raw()) } +    } + +    /// Returns the power of an [`OPP`]. +    #[inline] +    pub fn power(&self) -> MicroWatt { +        // SAFETY: By the type invariants, we know that `self` owns a reference, so it is safe to +        // use it. +        MicroWatt(unsafe { bindings::dev_pm_opp_get_power(self.as_raw()) }) +    } + +    /// Returns the required pstate of an [`OPP`]. +    #[inline] +    pub fn required_pstate(&self, index: u32) -> u32 { +        // SAFETY: By the type invariants, we know that `self` owns a reference, so it is safe to +        // use it. +        unsafe { bindings::dev_pm_opp_get_required_pstate(self.as_raw(), index) } +    } + +    /// Returns true if the [`OPP`] is turbo. +    #[inline] +    pub fn is_turbo(&self) -> bool { +        // SAFETY: By the type invariants, we know that `self` owns a reference, so it is safe to +        // use it. +        unsafe { bindings::dev_pm_opp_is_turbo(self.as_raw()) } +    } +} diff --git a/rust/kernel/page.rs b/rust/kernel/page.rs index f6126aca33a6..7c1b17246ed5 100644 --- a/rust/kernel/page.rs +++ b/rust/kernel/page.rs @@ -69,6 +69,7 @@ impl Page {      /// let page = Page::alloc_page(GFP_KERNEL | __GFP_ZERO)?;      /// # Ok::<(), kernel::alloc::AllocError>(())      /// ``` +    #[inline]      pub fn alloc_page(flags: Flags) -> Result<Self, AllocError> {          // SAFETY: Depending on the value of `gfp_flags`, this call may sleep. Other than that, it          // is always safe to call this method. @@ -251,6 +252,7 @@ impl Page {  }  impl Drop for Page { +    #[inline]      fn drop(&mut self) {          // SAFETY: By the type invariants, we have ownership of the page and can free it.          unsafe { bindings::__free_pages(self.page.as_ptr(), 0) }; diff --git a/rust/kernel/pci.rs b/rust/kernel/pci.rs index 38fc8d5ffbf9..8435f8132e38 100644 --- a/rust/kernel/pci.rs +++ b/rust/kernel/pci.rs @@ -89,7 +89,7 @@ impl<T: Driver + 'static> Adapter<T> {      extern "C" fn remove_callback(pdev: *mut bindings::pci_dev) {          // SAFETY: The PCI bus only ever calls the remove callback with a valid pointer to a          // `struct pci_dev`. -        let ptr = unsafe { bindings::pci_get_drvdata(pdev) }; +        let ptr = unsafe { bindings::pci_get_drvdata(pdev) }.cast();          // SAFETY: `remove_callback` is only ever called after a successful call to          // `probe_callback`, hence it's guaranteed that `ptr` points to a valid and initialized @@ -118,7 +118,9 @@ macro_rules! module_pci_driver {  };  } -/// Abstraction for bindings::pci_device_id. +/// Abstraction for the PCI device ID structure ([`struct pci_device_id`]). +/// +/// [`struct pci_device_id`]: https://docs.kernel.org/PCI/pci.html#c.pci_device_id  #[repr(transparent)]  #[derive(Clone, Copy)]  pub struct DeviceId(bindings::pci_device_id); @@ -173,7 +175,7 @@ unsafe impl RawDeviceId for DeviceId {      }  } -/// IdTable type for PCI +/// `IdTable` type for PCI.  pub type IdTable<T> = &'static dyn kernel::device_id::IdTable<DeviceId, T>;  /// Create a PCI `IdTable` with its alias for modpost. @@ -224,10 +226,11 @@ macro_rules! pci_device_table {  /// `Adapter` documentation for an example.  pub trait Driver: Send {      /// The type holding information about each device id supported by the driver. -    /// -    /// TODO: Use associated_type_defaults once stabilized: -    /// -    /// type IdInfo: 'static = (); +    // TODO: Use `associated_type_defaults` once stabilized: +    // +    // ``` +    // type IdInfo: 'static = (); +    // ```      type IdInfo: 'static;      /// The table of device ids supported by the driver. diff --git a/rust/kernel/platform.rs b/rust/kernel/platform.rs index 08849d92c074..5b21fa517e55 100644 --- a/rust/kernel/platform.rs +++ b/rust/kernel/platform.rs @@ -79,7 +79,7 @@ impl<T: Driver + 'static> Adapter<T> {      extern "C" fn remove_callback(pdev: *mut bindings::platform_device) {          // SAFETY: `pdev` is a valid pointer to a `struct platform_device`. -        let ptr = unsafe { bindings::platform_get_drvdata(pdev) }; +        let ptr = unsafe { bindings::platform_get_drvdata(pdev) }.cast();          // SAFETY: `remove_callback` is only ever called after a successful call to          // `probe_callback`, hence it's guaranteed that `ptr` points to a valid and initialized @@ -150,10 +150,11 @@ macro_rules! module_platform_driver {  ///```  pub trait Driver: Send {      /// The type holding driver private data about each device id supported by the driver. -    /// -    /// TODO: Use associated_type_defaults once stabilized: -    /// -    /// type IdInfo: 'static = (); +    // TODO: Use associated_type_defaults once stabilized: +    // +    // ``` +    // type IdInfo: 'static = (); +    // ```      type IdInfo: 'static;      /// The table of OF device ids supported by the driver. diff --git a/rust/kernel/prelude.rs b/rust/kernel/prelude.rs index baa774a351ce..2f30a398dddd 100644 --- a/rust/kernel/prelude.rs +++ b/rust/kernel/prelude.rs @@ -14,10 +14,15 @@  #[doc(no_inline)]  pub use core::pin::Pin; +pub use ::ffi::{ +    c_char, c_int, c_long, c_longlong, c_schar, c_short, c_uchar, c_uint, c_ulong, c_ulonglong, +    c_ushort, c_void, +}; +  pub use crate::alloc::{flags::*, Box, KBox, KVBox, KVVec, KVec, VBox, VVec, Vec};  #[doc(no_inline)] -pub use macros::{export, module, vtable}; +pub use macros::{export, kunit_tests, module, vtable};  pub use pin_init::{init, pin_data, pin_init, pinned_drop, InPlaceWrite, Init, PinInit, Zeroable}; diff --git a/rust/kernel/print.rs b/rust/kernel/print.rs index cf4714242e14..9783d960a97a 100644 --- a/rust/kernel/print.rs +++ b/rust/kernel/print.rs @@ -198,10 +198,11 @@ macro_rules! print_macro (  /// Equivalent to the kernel's [`pr_emerg`] macro.  ///  /// Mimics the interface of [`std::print!`]. See [`core::fmt`] and -/// `alloc::format!` for information about the formatting syntax. +/// [`std::format!`] for information about the formatting syntax.  ///  /// [`pr_emerg`]: https://docs.kernel.org/core-api/printk-basics.html#c.pr_emerg  /// [`std::print!`]: https://doc.rust-lang.org/std/macro.print.html +/// [`std::format!`]: https://doc.rust-lang.org/std/macro.format.html  ///  /// # Examples  /// @@ -222,10 +223,11 @@ macro_rules! pr_emerg (  /// Equivalent to the kernel's [`pr_alert`] macro.  ///  /// Mimics the interface of [`std::print!`]. See [`core::fmt`] and -/// `alloc::format!` for information about the formatting syntax. +/// [`std::format!`] for information about the formatting syntax.  ///  /// [`pr_alert`]: https://docs.kernel.org/core-api/printk-basics.html#c.pr_alert  /// [`std::print!`]: https://doc.rust-lang.org/std/macro.print.html +/// [`std::format!`]: https://doc.rust-lang.org/std/macro.format.html  ///  /// # Examples  /// @@ -246,10 +248,11 @@ macro_rules! pr_alert (  /// Equivalent to the kernel's [`pr_crit`] macro.  ///  /// Mimics the interface of [`std::print!`]. See [`core::fmt`] and -/// `alloc::format!` for information about the formatting syntax. +/// [`std::format!`] for information about the formatting syntax.  ///  /// [`pr_crit`]: https://docs.kernel.org/core-api/printk-basics.html#c.pr_crit  /// [`std::print!`]: https://doc.rust-lang.org/std/macro.print.html +/// [`std::format!`]: https://doc.rust-lang.org/std/macro.format.html  ///  /// # Examples  /// @@ -270,10 +273,11 @@ macro_rules! pr_crit (  /// Equivalent to the kernel's [`pr_err`] macro.  ///  /// Mimics the interface of [`std::print!`]. See [`core::fmt`] and -/// `alloc::format!` for information about the formatting syntax. +/// [`std::format!`] for information about the formatting syntax.  ///  /// [`pr_err`]: https://docs.kernel.org/core-api/printk-basics.html#c.pr_err  /// [`std::print!`]: https://doc.rust-lang.org/std/macro.print.html +/// [`std::format!`]: https://doc.rust-lang.org/std/macro.format.html  ///  /// # Examples  /// @@ -294,10 +298,11 @@ macro_rules! pr_err (  /// Equivalent to the kernel's [`pr_warn`] macro.  ///  /// Mimics the interface of [`std::print!`]. See [`core::fmt`] and -/// `alloc::format!` for information about the formatting syntax. +/// [`std::format!`] for information about the formatting syntax.  ///  /// [`pr_warn`]: https://docs.kernel.org/core-api/printk-basics.html#c.pr_warn  /// [`std::print!`]: https://doc.rust-lang.org/std/macro.print.html +/// [`std::format!`]: https://doc.rust-lang.org/std/macro.format.html  ///  /// # Examples  /// @@ -318,10 +323,11 @@ macro_rules! pr_warn (  /// Equivalent to the kernel's [`pr_notice`] macro.  ///  /// Mimics the interface of [`std::print!`]. See [`core::fmt`] and -/// `alloc::format!` for information about the formatting syntax. +/// [`std::format!`] for information about the formatting syntax.  ///  /// [`pr_notice`]: https://docs.kernel.org/core-api/printk-basics.html#c.pr_notice  /// [`std::print!`]: https://doc.rust-lang.org/std/macro.print.html +/// [`std::format!`]: https://doc.rust-lang.org/std/macro.format.html  ///  /// # Examples  /// @@ -342,10 +348,11 @@ macro_rules! pr_notice (  /// Equivalent to the kernel's [`pr_info`] macro.  ///  /// Mimics the interface of [`std::print!`]. See [`core::fmt`] and -/// `alloc::format!` for information about the formatting syntax. +/// [`std::format!`] for information about the formatting syntax.  ///  /// [`pr_info`]: https://docs.kernel.org/core-api/printk-basics.html#c.pr_info  /// [`std::print!`]: https://doc.rust-lang.org/std/macro.print.html +/// [`std::format!`]: https://doc.rust-lang.org/std/macro.format.html  ///  /// # Examples  /// @@ -368,10 +375,11 @@ macro_rules! pr_info (  /// yet.  ///  /// Mimics the interface of [`std::print!`]. See [`core::fmt`] and -/// `alloc::format!` for information about the formatting syntax. +/// [`std::format!`] for information about the formatting syntax.  ///  /// [`pr_debug`]: https://docs.kernel.org/core-api/printk-basics.html#c.pr_debug  /// [`std::print!`]: https://doc.rust-lang.org/std/macro.print.html +/// [`std::format!`]: https://doc.rust-lang.org/std/macro.format.html  ///  /// # Examples  /// @@ -395,11 +403,12 @@ macro_rules! pr_debug (  /// Equivalent to the kernel's [`pr_cont`] macro.  ///  /// Mimics the interface of [`std::print!`]. See [`core::fmt`] and -/// `alloc::format!` for information about the formatting syntax. +/// [`std::format!`] for information about the formatting syntax.  ///  /// [`pr_info!`]: crate::pr_info!  /// [`pr_cont`]: https://docs.kernel.org/core-api/printk-basics.html#c.pr_cont  /// [`std::print!`]: https://doc.rust-lang.org/std/macro.print.html +/// [`std::format!`]: https://doc.rust-lang.org/std/macro.format.html  ///  /// # Examples  /// diff --git a/rust/kernel/rbtree.rs b/rust/kernel/rbtree.rs index 5246b2c8a4ff..8d978c896747 100644 --- a/rust/kernel/rbtree.rs +++ b/rust/kernel/rbtree.rs @@ -424,7 +424,7 @@ where          while !node.is_null() {              // SAFETY: By the type invariant of `Self`, all non-null `rb_node` pointers stored in `self`              // point to the links field of `Node<K, V>` objects. -            let this = unsafe { container_of!(node, Node<K, V>, links) }.cast_mut(); +            let this = unsafe { container_of!(node, Node<K, V>, links) };              // SAFETY: `this` is a non-null node so it is valid by the type invariants.              let this_key = unsafe { &(*this).key };              // SAFETY: `node` is a non-null node so it is valid by the type invariants. @@ -496,7 +496,7 @@ impl<K, V> Drop for RBTree<K, V> {              // but it is not observable. The loop invariant is still maintained.              // SAFETY: `this` is valid per the loop invariant. -            unsafe { drop(KBox::from_raw(this.cast_mut())) }; +            unsafe { drop(KBox::from_raw(this)) };          }      }  } @@ -761,7 +761,7 @@ impl<'a, K, V> Cursor<'a, K, V> {          let next = self.get_neighbor_raw(Direction::Next);          // SAFETY: By the type invariant of `Self`, all non-null `rb_node` pointers stored in `self`          // point to the links field of `Node<K, V>` objects. -        let this = unsafe { container_of!(self.current.as_ptr(), Node<K, V>, links) }.cast_mut(); +        let this = unsafe { container_of!(self.current.as_ptr(), Node<K, V>, links) };          // SAFETY: `this` is valid by the type invariants as described above.          let node = unsafe { KBox::from_raw(this) };          let node = RBTreeNode { node }; @@ -806,7 +806,7 @@ impl<'a, K, V> Cursor<'a, K, V> {              unsafe { bindings::rb_erase(neighbor, addr_of_mut!(self.tree.root)) };              // SAFETY: By the type invariant of `Self`, all non-null `rb_node` pointers stored in `self`              // point to the links field of `Node<K, V>` objects. -            let this = unsafe { container_of!(neighbor, Node<K, V>, links) }.cast_mut(); +            let this = unsafe { container_of!(neighbor, Node<K, V>, links) };              // SAFETY: `this` is valid by the type invariants as described above.              let node = unsafe { KBox::from_raw(this) };              return Some(RBTreeNode { node }); @@ -912,7 +912,7 @@ impl<'a, K, V> Cursor<'a, K, V> {      unsafe fn to_key_value_raw<'b>(node: NonNull<bindings::rb_node>) -> (&'b K, *mut V) {          // SAFETY: By the type invariant of `Self`, all non-null `rb_node` pointers stored in `self`          // point to the links field of `Node<K, V>` objects. -        let this = unsafe { container_of!(node.as_ptr(), Node<K, V>, links) }.cast_mut(); +        let this = unsafe { container_of!(node.as_ptr(), Node<K, V>, links) };          // SAFETY: The passed `node` is the current node or a non-null neighbor,          // thus `this` is valid by the type invariants.          let k = unsafe { &(*this).key }; @@ -1021,7 +1021,7 @@ impl<K, V> Iterator for IterRaw<K, V> {          // SAFETY: By the type invariant of `IterRaw`, `self.next` is a valid node in an `RBTree`,          // and by the type invariant of `RBTree`, all nodes point to the links field of `Node<K, V>` objects. -        let cur = unsafe { container_of!(self.next, Node<K, V>, links) }.cast_mut(); +        let cur = unsafe { container_of!(self.next, Node<K, V>, links) };          // SAFETY: `self.next` is a valid tree node by the type invariants.          self.next = unsafe { bindings::rb_next(self.next) }; @@ -1216,7 +1216,7 @@ impl<'a, K, V> OccupiedEntry<'a, K, V> {          // SAFETY:          // - `self.node_links` is a valid pointer to a node in the tree.          // - We have exclusive access to the underlying tree, and can thus give out a mutable reference. -        unsafe { &mut (*(container_of!(self.node_links, Node<K, V>, links).cast_mut())).value } +        unsafe { &mut (*(container_of!(self.node_links, Node<K, V>, links))).value }      }      /// Converts the entry into a mutable reference to its value. @@ -1226,7 +1226,7 @@ impl<'a, K, V> OccupiedEntry<'a, K, V> {          // SAFETY:          // - `self.node_links` is a valid pointer to a node in the tree.          // - This consumes the `&'a mut RBTree<K, V>`, therefore it can give out a mutable reference that lives for `'a`. -        unsafe { &mut (*(container_of!(self.node_links, Node<K, V>, links).cast_mut())).value } +        unsafe { &mut (*(container_of!(self.node_links, Node<K, V>, links))).value }      }      /// Remove this entry from the [`RBTree`]. @@ -1239,9 +1239,7 @@ impl<'a, K, V> OccupiedEntry<'a, K, V> {          RBTreeNode {              // SAFETY: The node was a node in the tree, but we removed it, so we can convert it              // back into a box. -            node: unsafe { -                KBox::from_raw(container_of!(self.node_links, Node<K, V>, links).cast_mut()) -            }, +            node: unsafe { KBox::from_raw(container_of!(self.node_links, Node<K, V>, links)) },          }      } @@ -1272,8 +1270,7 @@ impl<'a, K, V> OccupiedEntry<'a, K, V> {          // SAFETY:          // - `self.node_ptr` produces a valid pointer to a node in the tree.          // - Now that we removed this entry from the tree, we can convert the node to a box. -        let old_node = -            unsafe { KBox::from_raw(container_of!(self.node_links, Node<K, V>, links).cast_mut()) }; +        let old_node = unsafe { KBox::from_raw(container_of!(self.node_links, Node<K, V>, links)) };          RBTreeNode { node: old_node }      } diff --git a/rust/kernel/static_assert.rs b/rust/kernel/static_assert.rs index 3115ee0ba8e9..a57ba14315a0 100644 --- a/rust/kernel/static_assert.rs +++ b/rust/kernel/static_assert.rs @@ -6,6 +6,10 @@  ///  /// Similar to C11 [`_Static_assert`] and C++11 [`static_assert`].  /// +/// An optional panic message can be supplied after the expression. +/// Currently only a string literal without formatting is supported +/// due to constness limitations of the [`assert!`] macro. +///  /// The feature may be added to Rust in the future: see [RFC 2790].  ///  /// [`_Static_assert`]: https://en.cppreference.com/w/c/language/_Static_assert @@ -25,10 +29,11 @@  ///     x + 2  /// }  /// static_assert!(f(40) == 42); +/// static_assert!(f(40) == 42, "f(x) must add 2 to the given input.");  /// ```  #[macro_export]  macro_rules! static_assert { -    ($condition:expr) => { -        const _: () = core::assert!($condition); +    ($condition:expr $(,$arg:literal)?) => { +        const _: () = ::core::assert!($condition $(,$arg)?);      };  } diff --git a/rust/kernel/std_vendor.rs b/rust/kernel/std_vendor.rs index 279bd353687a..abbab5050cc5 100644 --- a/rust/kernel/std_vendor.rs +++ b/rust/kernel/std_vendor.rs @@ -148,7 +148,7 @@ macro_rules! dbg {      };      ($val:expr $(,)?) => {          // Use of `match` here is intentional because it affects the lifetimes -        // of temporaries - https://stackoverflow.com/a/48732525/1063961 +        // of temporaries - <https://stackoverflow.com/a/48732525/1063961>          match $val {              tmp => {                  $crate::pr_info!("[{}:{}:{}] {} = {:#?}\n", diff --git a/rust/kernel/str.rs b/rust/kernel/str.rs index 878111cb77bc..a927db8e079c 100644 --- a/rust/kernel/str.rs +++ b/rust/kernel/str.rs @@ -6,7 +6,7 @@ use crate::alloc::{flags::*, AllocError, KVec};  use core::fmt::{self, Write};  use core::ops::{self, Deref, DerefMut, Index}; -use crate::error::{code::*, Error}; +use crate::prelude::*;  /// Byte string without UTF-8 validity guarantee.  #[repr(transparent)] @@ -73,7 +73,7 @@ impl fmt::Display for BStr {                  b'\r' => f.write_str("\\r")?,                  // Printable characters.                  0x20..=0x7e => f.write_char(b as char)?, -                _ => write!(f, "\\x{:02x}", b)?, +                _ => write!(f, "\\x{b:02x}")?,              }          }          Ok(()) @@ -109,7 +109,7 @@ impl fmt::Debug for BStr {                  b'\\' => f.write_str("\\\\")?,                  // Printable characters.                  0x20..=0x7e => f.write_char(b as char)?, -                _ => write!(f, "\\x{:02x}", b)?, +                _ => write!(f, "\\x{b:02x}")?,              }          }          f.write_char('"') @@ -447,7 +447,7 @@ impl fmt::Display for CStr {                  // Printable character.                  f.write_char(c as char)?;              } else { -                write!(f, "\\x{:02x}", c)?; +                write!(f, "\\x{c:02x}")?;              }          }          Ok(()) @@ -479,7 +479,7 @@ impl fmt::Debug for CStr {                  // Printable characters.                  b'\"' => f.write_str("\\\"")?,                  0x20..=0x7e => f.write_char(c as char)?, -                _ => write!(f, "\\x{:02x}", c)?, +                _ => write!(f, "\\x{c:02x}")?,              }          }          f.write_str("\"") @@ -572,30 +572,13 @@ macro_rules! c_str {      }};  } -#[cfg(test)] -#[expect(clippy::items_after_test_module)] +#[kunit_tests(rust_kernel_str)]  mod tests {      use super::*; -    struct String(CString); - -    impl String { -        fn from_fmt(args: fmt::Arguments<'_>) -> Self { -            String(CString::try_from_fmt(args).unwrap()) -        } -    } - -    impl Deref for String { -        type Target = str; - -        fn deref(&self) -> &str { -            self.0.to_str().unwrap() -        } -    } -      macro_rules! format {          ($($f:tt)*) => ({ -            &*String::from_fmt(kernel::fmt!($($f)*)) +            CString::try_from_fmt(::kernel::fmt!($($f)*))?.to_str()?          })      } @@ -614,91 +597,98 @@ mod tests {          \\xf0\\xf1\\xf2\\xf3\\xf4\\xf5\\xf6\\xf7\\xf8\\xf9\\xfa\\xfb\\xfc\\xfd\\xfe\\xff";      #[test] -    fn test_cstr_to_str() { +    fn test_cstr_to_str() -> Result {          let good_bytes = b"\xf0\x9f\xa6\x80\0"; -        let checked_cstr = CStr::from_bytes_with_nul(good_bytes).unwrap(); -        let checked_str = checked_cstr.to_str().unwrap(); +        let checked_cstr = CStr::from_bytes_with_nul(good_bytes)?; +        let checked_str = checked_cstr.to_str()?;          assert_eq!(checked_str, "🦀"); +        Ok(())      }      #[test] -    #[should_panic] -    fn test_cstr_to_str_panic() { +    fn test_cstr_to_str_invalid_utf8() -> Result {          let bad_bytes = b"\xc3\x28\0"; -        let checked_cstr = CStr::from_bytes_with_nul(bad_bytes).unwrap(); -        checked_cstr.to_str().unwrap(); +        let checked_cstr = CStr::from_bytes_with_nul(bad_bytes)?; +        assert!(checked_cstr.to_str().is_err()); +        Ok(())      }      #[test] -    fn test_cstr_as_str_unchecked() { +    fn test_cstr_as_str_unchecked() -> Result {          let good_bytes = b"\xf0\x9f\x90\xA7\0"; -        let checked_cstr = CStr::from_bytes_with_nul(good_bytes).unwrap(); +        let checked_cstr = CStr::from_bytes_with_nul(good_bytes)?;          // SAFETY: The contents come from a string literal which contains valid UTF-8.          let unchecked_str = unsafe { checked_cstr.as_str_unchecked() };          assert_eq!(unchecked_str, "🐧"); +        Ok(())      }      #[test] -    fn test_cstr_display() { -        let hello_world = CStr::from_bytes_with_nul(b"hello, world!\0").unwrap(); -        assert_eq!(format!("{}", hello_world), "hello, world!"); -        let non_printables = CStr::from_bytes_with_nul(b"\x01\x09\x0a\0").unwrap(); -        assert_eq!(format!("{}", non_printables), "\\x01\\x09\\x0a"); -        let non_ascii = CStr::from_bytes_with_nul(b"d\xe9j\xe0 vu\0").unwrap(); -        assert_eq!(format!("{}", non_ascii), "d\\xe9j\\xe0 vu"); -        let good_bytes = CStr::from_bytes_with_nul(b"\xf0\x9f\xa6\x80\0").unwrap(); -        assert_eq!(format!("{}", good_bytes), "\\xf0\\x9f\\xa6\\x80"); +    fn test_cstr_display() -> Result { +        let hello_world = CStr::from_bytes_with_nul(b"hello, world!\0")?; +        assert_eq!(format!("{hello_world}"), "hello, world!"); +        let non_printables = CStr::from_bytes_with_nul(b"\x01\x09\x0a\0")?; +        assert_eq!(format!("{non_printables}"), "\\x01\\x09\\x0a"); +        let non_ascii = CStr::from_bytes_with_nul(b"d\xe9j\xe0 vu\0")?; +        assert_eq!(format!("{non_ascii}"), "d\\xe9j\\xe0 vu"); +        let good_bytes = CStr::from_bytes_with_nul(b"\xf0\x9f\xa6\x80\0")?; +        assert_eq!(format!("{good_bytes}"), "\\xf0\\x9f\\xa6\\x80"); +        Ok(())      }      #[test] -    fn test_cstr_display_all_bytes() { +    fn test_cstr_display_all_bytes() -> Result {          let mut bytes: [u8; 256] = [0; 256];          // fill `bytes` with [1..=255] + [0]          for i in u8::MIN..=u8::MAX {              bytes[i as usize] = i.wrapping_add(1);          } -        let cstr = CStr::from_bytes_with_nul(&bytes).unwrap(); -        assert_eq!(format!("{}", cstr), ALL_ASCII_CHARS); +        let cstr = CStr::from_bytes_with_nul(&bytes)?; +        assert_eq!(format!("{cstr}"), ALL_ASCII_CHARS); +        Ok(())      }      #[test] -    fn test_cstr_debug() { -        let hello_world = CStr::from_bytes_with_nul(b"hello, world!\0").unwrap(); -        assert_eq!(format!("{:?}", hello_world), "\"hello, world!\""); -        let non_printables = CStr::from_bytes_with_nul(b"\x01\x09\x0a\0").unwrap(); -        assert_eq!(format!("{:?}", non_printables), "\"\\x01\\x09\\x0a\""); -        let non_ascii = CStr::from_bytes_with_nul(b"d\xe9j\xe0 vu\0").unwrap(); -        assert_eq!(format!("{:?}", non_ascii), "\"d\\xe9j\\xe0 vu\""); -        let good_bytes = CStr::from_bytes_with_nul(b"\xf0\x9f\xa6\x80\0").unwrap(); -        assert_eq!(format!("{:?}", good_bytes), "\"\\xf0\\x9f\\xa6\\x80\""); +    fn test_cstr_debug() -> Result { +        let hello_world = CStr::from_bytes_with_nul(b"hello, world!\0")?; +        assert_eq!(format!("{hello_world:?}"), "\"hello, world!\""); +        let non_printables = CStr::from_bytes_with_nul(b"\x01\x09\x0a\0")?; +        assert_eq!(format!("{non_printables:?}"), "\"\\x01\\x09\\x0a\""); +        let non_ascii = CStr::from_bytes_with_nul(b"d\xe9j\xe0 vu\0")?; +        assert_eq!(format!("{non_ascii:?}"), "\"d\\xe9j\\xe0 vu\""); +        let good_bytes = CStr::from_bytes_with_nul(b"\xf0\x9f\xa6\x80\0")?; +        assert_eq!(format!("{good_bytes:?}"), "\"\\xf0\\x9f\\xa6\\x80\""); +        Ok(())      }      #[test] -    fn test_bstr_display() { +    fn test_bstr_display() -> Result {          let hello_world = BStr::from_bytes(b"hello, world!"); -        assert_eq!(format!("{}", hello_world), "hello, world!"); +        assert_eq!(format!("{hello_world}"), "hello, world!");          let escapes = BStr::from_bytes(b"_\t_\n_\r_\\_\'_\"_"); -        assert_eq!(format!("{}", escapes), "_\\t_\\n_\\r_\\_'_\"_"); +        assert_eq!(format!("{escapes}"), "_\\t_\\n_\\r_\\_'_\"_");          let others = BStr::from_bytes(b"\x01"); -        assert_eq!(format!("{}", others), "\\x01"); +        assert_eq!(format!("{others}"), "\\x01");          let non_ascii = BStr::from_bytes(b"d\xe9j\xe0 vu"); -        assert_eq!(format!("{}", non_ascii), "d\\xe9j\\xe0 vu"); +        assert_eq!(format!("{non_ascii}"), "d\\xe9j\\xe0 vu");          let good_bytes = BStr::from_bytes(b"\xf0\x9f\xa6\x80"); -        assert_eq!(format!("{}", good_bytes), "\\xf0\\x9f\\xa6\\x80"); +        assert_eq!(format!("{good_bytes}"), "\\xf0\\x9f\\xa6\\x80"); +        Ok(())      }      #[test] -    fn test_bstr_debug() { +    fn test_bstr_debug() -> Result {          let hello_world = BStr::from_bytes(b"hello, world!"); -        assert_eq!(format!("{:?}", hello_world), "\"hello, world!\""); +        assert_eq!(format!("{hello_world:?}"), "\"hello, world!\"");          let escapes = BStr::from_bytes(b"_\t_\n_\r_\\_\'_\"_"); -        assert_eq!(format!("{:?}", escapes), "\"_\\t_\\n_\\r_\\\\_'_\\\"_\""); +        assert_eq!(format!("{escapes:?}"), "\"_\\t_\\n_\\r_\\\\_'_\\\"_\"");          let others = BStr::from_bytes(b"\x01"); -        assert_eq!(format!("{:?}", others), "\"\\x01\""); +        assert_eq!(format!("{others:?}"), "\"\\x01\"");          let non_ascii = BStr::from_bytes(b"d\xe9j\xe0 vu"); -        assert_eq!(format!("{:?}", non_ascii), "\"d\\xe9j\\xe0 vu\""); +        assert_eq!(format!("{non_ascii:?}"), "\"d\\xe9j\\xe0 vu\"");          let good_bytes = BStr::from_bytes(b"\xf0\x9f\xa6\x80"); -        assert_eq!(format!("{:?}", good_bytes), "\"\\xf0\\x9f\\xa6\\x80\""); +        assert_eq!(format!("{good_bytes:?}"), "\"\\xf0\\x9f\\xa6\\x80\""); +        Ok(())      }  } @@ -752,7 +742,7 @@ impl RawFormatter {      /// for the lifetime of the returned [`RawFormatter`].      pub(crate) unsafe fn from_buffer(buf: *mut u8, len: usize) -> Self {          let pos = buf as usize; -        // INVARIANT: We ensure that `end` is never less then `buf`, and the safety requirements +        // INVARIANT: We ensure that `end` is never less than `buf`, and the safety requirements          // guarantees that the memory region is valid for writes.          Self {              pos, @@ -886,7 +876,7 @@ impl CString {          // SAFETY: The number of bytes that can be written to `f` is bounded by `size`, which is          // `buf`'s capacity. The contents of the buffer have been initialised by writes to `f`. -        unsafe { buf.set_len(f.bytes_written()) }; +        unsafe { buf.inc_len(f.bytes_written()) };          // Check that there are no `NUL` bytes before the end.          // SAFETY: The buffer is valid for read because `f.bytes_written()` is bounded by `size` @@ -944,5 +934,5 @@ impl fmt::Debug for CString {  /// A convenience alias for [`core::format_args`].  #[macro_export]  macro_rules! fmt { -    ($($f:tt)*) => ( core::format_args!($($f)*) ) +    ($($f:tt)*) => ( ::core::format_args!($($f)*) )  } diff --git a/rust/kernel/sync/arc.rs b/rust/kernel/sync/arc.rs index 8484c814609a..c7af0aa48a0a 100644 --- a/rust/kernel/sync/arc.rs +++ b/rust/kernel/sync/arc.rs @@ -135,14 +135,15 @@ pub struct Arc<T: ?Sized> {      // meaningful with respect to dropck - but this may change in the future so this is left here      // out of an abundance of caution.      // -    // See https://doc.rust-lang.org/nomicon/phantom-data.html#generic-parameters-and-drop-checking +    // See <https://doc.rust-lang.org/nomicon/phantom-data.html#generic-parameters-and-drop-checking>      // for more detail on the semantics of dropck in the presence of `PhantomData`.      _p: PhantomData<ArcInner<T>>,  } +#[doc(hidden)]  #[pin_data]  #[repr(C)] -struct ArcInner<T: ?Sized> { +pub struct ArcInner<T: ?Sized> {      refcount: Opaque<bindings::refcount_t>,      data: T,  } @@ -371,18 +372,20 @@ impl<T: ?Sized> Arc<T> {      }  } -impl<T: 'static> ForeignOwnable for Arc<T> { +// SAFETY: The `into_foreign` function returns a pointer that is well-aligned. +unsafe impl<T: 'static> ForeignOwnable for Arc<T> { +    type PointedTo = ArcInner<T>;      type Borrowed<'a> = ArcBorrow<'a, T>;      type BorrowedMut<'a> = Self::Borrowed<'a>; -    fn into_foreign(self) -> *mut crate::ffi::c_void { -        ManuallyDrop::new(self).ptr.as_ptr().cast() +    fn into_foreign(self) -> *mut Self::PointedTo { +        ManuallyDrop::new(self).ptr.as_ptr()      } -    unsafe fn from_foreign(ptr: *mut crate::ffi::c_void) -> Self { +    unsafe fn from_foreign(ptr: *mut Self::PointedTo) -> Self {          // SAFETY: The safety requirements of this function ensure that `ptr` comes from a previous          // call to `Self::into_foreign`. -        let inner = unsafe { NonNull::new_unchecked(ptr.cast::<ArcInner<T>>()) }; +        let inner = unsafe { NonNull::new_unchecked(ptr) };          // SAFETY: By the safety requirement of this function, we know that `ptr` came from          // a previous call to `Arc::into_foreign`, which guarantees that `ptr` is valid and @@ -390,17 +393,17 @@ impl<T: 'static> ForeignOwnable for Arc<T> {          unsafe { Self::from_inner(inner) }      } -    unsafe fn borrow<'a>(ptr: *mut crate::ffi::c_void) -> ArcBorrow<'a, T> { +    unsafe fn borrow<'a>(ptr: *mut Self::PointedTo) -> ArcBorrow<'a, T> {          // SAFETY: The safety requirements of this function ensure that `ptr` comes from a previous          // call to `Self::into_foreign`. -        let inner = unsafe { NonNull::new_unchecked(ptr.cast::<ArcInner<T>>()) }; +        let inner = unsafe { NonNull::new_unchecked(ptr) };          // SAFETY: The safety requirements of `from_foreign` ensure that the object remains alive          // for the lifetime of the returned value.          unsafe { ArcBorrow::new(inner) }      } -    unsafe fn borrow_mut<'a>(ptr: *mut crate::ffi::c_void) -> ArcBorrow<'a, T> { +    unsafe fn borrow_mut<'a>(ptr: *mut Self::PointedTo) -> ArcBorrow<'a, T> {          // SAFETY: The safety requirements for `borrow_mut` are a superset of the safety          // requirements for `borrow`.          unsafe { Self::borrow(ptr) } @@ -489,7 +492,7 @@ impl<T: ?Sized> From<Pin<UniqueArc<T>>> for Arc<T> {  /// There are no mutable references to the underlying [`Arc`], and it remains valid for the  /// lifetime of the [`ArcBorrow`] instance.  /// -/// # Example +/// # Examples  ///  /// ```  /// use kernel::sync::{Arc, ArcBorrow}; diff --git a/rust/kernel/sync/rcu.rs b/rust/kernel/sync/rcu.rs index b51d9150ffe2..a32bef6e490b 100644 --- a/rust/kernel/sync/rcu.rs +++ b/rust/kernel/sync/rcu.rs @@ -17,6 +17,7 @@ pub struct Guard(NotThreadSafe);  impl Guard {      /// Acquires the RCU read side lock and returns a guard. +    #[inline]      pub fn new() -> Self {          // SAFETY: An FFI call with no additional requirements.          unsafe { bindings::rcu_read_lock() }; @@ -25,16 +26,19 @@ impl Guard {      }      /// Explicitly releases the RCU read side lock. +    #[inline]      pub fn unlock(self) {}  }  impl Default for Guard { +    #[inline]      fn default() -> Self {          Self::new()      }  }  impl Drop for Guard { +    #[inline]      fn drop(&mut self) {          // SAFETY: By the type invariants, the RCU read side is locked, so it is ok to unlock it.          unsafe { bindings::rcu_read_unlock() }; @@ -42,6 +46,7 @@ impl Drop for Guard {  }  /// Acquires the RCU read side lock. +#[inline]  pub fn read_lock() -> Guard {      Guard::new()  } diff --git a/rust/kernel/task.rs b/rust/kernel/task.rs index 9e6f6854948d..927413d85484 100644 --- a/rust/kernel/task.rs +++ b/rust/kernel/task.rs @@ -7,6 +7,7 @@  use crate::{      bindings,      ffi::{c_int, c_long, c_uint}, +    mm::MmWithUser,      pid_namespace::PidNamespace,      types::{ARef, NotThreadSafe, Opaque},  }; @@ -33,22 +34,20 @@ pub const TASK_NORMAL: c_uint = bindings::TASK_NORMAL as c_uint;  #[macro_export]  macro_rules! current {      () => { -        // SAFETY: Deref + addr-of below create a temporary `TaskRef` that cannot outlive the -        // caller. +        // SAFETY: This expression creates a temporary value that is dropped at the end of the +        // caller's scope. The following mechanisms ensure that the resulting `&CurrentTask` cannot +        // leave current task context: +        // +        // * To return to userspace, the caller must leave the current scope. +        // * Operations such as `begin_new_exec()` are necessarily unsafe and the caller of +        //   `begin_new_exec()` is responsible for safety. +        // * Rust abstractions for things such as a `kthread_use_mm()` scope must require the +        //   closure to be `Send`, so the `NotThreadSafe` field of `CurrentTask` ensures that the +        //   `&CurrentTask` cannot cross the scope in either direction.          unsafe { &*$crate::task::Task::current() }      };  } -/// Returns the currently running task's pid namespace. -#[macro_export] -macro_rules! current_pid_ns { -    () => { -        // SAFETY: Deref + addr-of below create a temporary `PidNamespaceRef` that cannot outlive -        // the caller. -        unsafe { &*$crate::task::Task::current_pid_ns() } -    }; -} -  /// Wraps the kernel's `struct task_struct`.  ///  /// # Invariants @@ -87,7 +86,7 @@ macro_rules! current_pid_ns {  /// impl State {  ///     fn new() -> Self {  ///         Self { -///             creator: current!().into(), +///             creator: ARef::from(&**current!()),  ///             index: 0,  ///         }  ///     } @@ -107,6 +106,44 @@ unsafe impl Send for Task {}  // synchronised by C code (e.g., `signal_pending`).  unsafe impl Sync for Task {} +/// Represents the [`Task`] in the `current` global. +/// +/// This type exists to provide more efficient operations that are only valid on the current task. +/// For example, to retrieve the pid-namespace of a task, you must use rcu protection unless it is +/// the current task. +/// +/// # Invariants +/// +/// Each value of this type must only be accessed from the task context it was created within. +/// +/// Of course, every thread is in a different task context, but for the purposes of this invariant, +/// these operations also permanently leave the task context: +/// +/// * Returning to userspace from system call context. +/// * Calling `release_task()`. +/// * Calling `begin_new_exec()` in a binary format loader. +/// +/// Other operations temporarily create a new sub-context: +/// +/// * Calling `kthread_use_mm()` creates a new context, and `kthread_unuse_mm()` returns to the +///   old context. +/// +/// This means that a `CurrentTask` obtained before a `kthread_use_mm()` call may be used again +/// once `kthread_unuse_mm()` is called, but it must not be used between these two calls. +/// Conversely, a `CurrentTask` obtained between a `kthread_use_mm()`/`kthread_unuse_mm()` pair +/// must not be used after `kthread_unuse_mm()`. +#[repr(transparent)] +pub struct CurrentTask(Task, NotThreadSafe); + +// Make all `Task` methods available on `CurrentTask`. +impl Deref for CurrentTask { +    type Target = Task; +    #[inline] +    fn deref(&self) -> &Task { +        &self.0 +    } +} +  /// The type of process identifiers (PIDs).  pub type Pid = bindings::pid_t; @@ -133,119 +170,29 @@ impl Task {      ///      /// # Safety      /// -    /// Callers must ensure that the returned object doesn't outlive the current task/thread. -    pub unsafe fn current() -> impl Deref<Target = Task> { -        struct TaskRef<'a> { -            task: &'a Task, -            _not_send: NotThreadSafe, +    /// Callers must ensure that the returned object is only used to access a [`CurrentTask`] +    /// within the task context that was active when this function was called. For more details, +    /// see the invariants section for [`CurrentTask`]. +    pub unsafe fn current() -> impl Deref<Target = CurrentTask> { +        struct TaskRef { +            task: *const CurrentTask,          } -        impl Deref for TaskRef<'_> { -            type Target = Task; +        impl Deref for TaskRef { +            type Target = CurrentTask;              fn deref(&self) -> &Self::Target { -                self.task +                // SAFETY: The returned reference borrows from this `TaskRef`, so it cannot outlive +                // the `TaskRef`, which the caller of `Task::current()` has promised will not +                // outlive the task/thread for which `self.task` is the `current` pointer. Thus, it +                // is okay to return a `CurrentTask` reference here. +                unsafe { &*self.task }              }          } -        let current = Task::current_raw();          TaskRef { -            // SAFETY: If the current thread is still running, the current task is valid. Given -            // that `TaskRef` is not `Send`, we know it cannot be transferred to another thread -            // (where it could potentially outlive the caller). -            task: unsafe { &*current.cast() }, -            _not_send: NotThreadSafe, -        } -    } - -    /// Returns a PidNamespace reference for the currently executing task's/thread's pid namespace. -    /// -    /// This function can be used to create an unbounded lifetime by e.g., storing the returned -    /// PidNamespace in a global variable which would be a bug. So the recommended way to get the -    /// current task's/thread's pid namespace is to use the [`current_pid_ns`] macro because it is -    /// safe. -    /// -    /// # Safety -    /// -    /// Callers must ensure that the returned object doesn't outlive the current task/thread. -    pub unsafe fn current_pid_ns() -> impl Deref<Target = PidNamespace> { -        struct PidNamespaceRef<'a> { -            task: &'a PidNamespace, -            _not_send: NotThreadSafe, -        } - -        impl Deref for PidNamespaceRef<'_> { -            type Target = PidNamespace; - -            fn deref(&self) -> &Self::Target { -                self.task -            } -        } - -        // The lifetime of `PidNamespace` is bound to `Task` and `struct pid`. -        // -        // The `PidNamespace` of a `Task` doesn't ever change once the `Task` is alive. A -        // `unshare(CLONE_NEWPID)` or `setns(fd_pidns/pidfd, CLONE_NEWPID)` will not have an effect -        // on the calling `Task`'s pid namespace. It will only effect the pid namespace of children -        // created by the calling `Task`. This invariant guarantees that after having acquired a -        // reference to a `Task`'s pid namespace it will remain unchanged. -        // -        // When a task has exited and been reaped `release_task()` will be called. This will set -        // the `PidNamespace` of the task to `NULL`. So retrieving the `PidNamespace` of a task -        // that is dead will return `NULL`. Note, that neither holding the RCU lock nor holding a -        // referencing count to -        // the `Task` will prevent `release_task()` being called. -        // -        // In order to retrieve the `PidNamespace` of a `Task` the `task_active_pid_ns()` function -        // can be used. There are two cases to consider: -        // -        // (1) retrieving the `PidNamespace` of the `current` task -        // (2) retrieving the `PidNamespace` of a non-`current` task -        // -        // From system call context retrieving the `PidNamespace` for case (1) is always safe and -        // requires neither RCU locking nor a reference count to be held. Retrieving the -        // `PidNamespace` after `release_task()` for current will return `NULL` but no codepath -        // like that is exposed to Rust. -        // -        // Retrieving the `PidNamespace` from system call context for (2) requires RCU protection. -        // Accessing `PidNamespace` outside of RCU protection requires a reference count that -        // must've been acquired while holding the RCU lock. Note that accessing a non-`current` -        // task means `NULL` can be returned as the non-`current` task could have already passed -        // through `release_task()`. -        // -        // To retrieve (1) the `current_pid_ns!()` macro should be used which ensure that the -        // returned `PidNamespace` cannot outlive the calling scope. The associated -        // `current_pid_ns()` function should not be called directly as it could be abused to -        // created an unbounded lifetime for `PidNamespace`. The `current_pid_ns!()` macro allows -        // Rust to handle the common case of accessing `current`'s `PidNamespace` without RCU -        // protection and without having to acquire a reference count. -        // -        // For (2) the `task_get_pid_ns()` method must be used. This will always acquire a -        // reference on `PidNamespace` and will return an `Option` to force the caller to -        // explicitly handle the case where `PidNamespace` is `None`, something that tends to be -        // forgotten when doing the equivalent operation in `C`. Missing RCU primitives make it -        // difficult to perform operations that are otherwise safe without holding a reference -        // count as long as RCU protection is guaranteed. But it is not important currently. But we -        // do want it in the future. -        // -        // Note for (2) the required RCU protection around calling `task_active_pid_ns()` -        // synchronizes against putting the last reference of the associated `struct pid` of -        // `task->thread_pid`. The `struct pid` stored in that field is used to retrieve the -        // `PidNamespace` of the caller. When `release_task()` is called `task->thread_pid` will be -        // `NULL`ed and `put_pid()` on said `struct pid` will be delayed in `free_pid()` via -        // `call_rcu()` allowing everyone with an RCU protected access to the `struct pid` acquired -        // from `task->thread_pid` to finish. -        // -        // SAFETY: The current task's pid namespace is valid as long as the current task is running. -        let pidns = unsafe { bindings::task_active_pid_ns(Task::current_raw()) }; -        PidNamespaceRef { -            // SAFETY: If the current thread is still running, the current task and its associated -            // pid namespace are valid. `PidNamespaceRef` is not `Send`, so we know it cannot be -            // transferred to another thread (where it could potentially outlive the current -            // `Task`). The caller needs to ensure that the PidNamespaceRef doesn't outlive the -            // current task/thread. -            task: unsafe { PidNamespace::from_ptr(pidns) }, -            _not_send: NotThreadSafe, +            // CAST: The layout of `struct task_struct` and `CurrentTask` is identical. +            task: Task::current_raw().cast(),          }      } @@ -328,6 +275,70 @@ impl Task {      }  } +impl CurrentTask { +    /// Access the address space of the current task. +    /// +    /// This function does not touch the refcount of the mm. +    #[inline] +    pub fn mm(&self) -> Option<&MmWithUser> { +        // SAFETY: The `mm` field of `current` is not modified from other threads, so reading it is +        // not a data race. +        let mm = unsafe { (*self.as_ptr()).mm }; + +        if mm.is_null() { +            return None; +        } + +        // SAFETY: If `current->mm` is non-null, then it references a valid mm with a non-zero +        // value of `mm_users`. Furthermore, the returned `&MmWithUser` borrows from this +        // `CurrentTask`, so it cannot escape the scope in which the current pointer was obtained. +        // +        // This is safe even if `kthread_use_mm()`/`kthread_unuse_mm()` are used. There are two +        // relevant cases: +        // * If the `&CurrentTask` was created before `kthread_use_mm()`, then it cannot be +        //   accessed during the `kthread_use_mm()`/`kthread_unuse_mm()` scope due to the +        //   `NotThreadSafe` field of `CurrentTask`. +        // * If the `&CurrentTask` was created within a `kthread_use_mm()`/`kthread_unuse_mm()` +        //   scope, then the `&CurrentTask` cannot escape that scope, so the returned `&MmWithUser` +        //   also cannot escape that scope. +        // In either case, it's not possible to read `current->mm` and keep using it after the +        // scope is ended with `kthread_unuse_mm()`. +        Some(unsafe { MmWithUser::from_raw(mm) }) +    } + +    /// Access the pid namespace of the current task. +    /// +    /// This function does not touch the refcount of the namespace or use RCU protection. +    /// +    /// To access the pid namespace of another task, see [`Task::get_pid_ns`]. +    #[doc(alias = "task_active_pid_ns")] +    #[inline] +    pub fn active_pid_ns(&self) -> Option<&PidNamespace> { +        // SAFETY: It is safe to call `task_active_pid_ns` without RCU protection when calling it +        // on the current task. +        let active_ns = unsafe { bindings::task_active_pid_ns(self.as_ptr()) }; + +        if active_ns.is_null() { +            return None; +        } + +        // The lifetime of `PidNamespace` is bound to `Task` and `struct pid`. +        // +        // The `PidNamespace` of a `Task` doesn't ever change once the `Task` is alive. +        // +        // From system call context retrieving the `PidNamespace` for the current task is always +        // safe and requires neither RCU locking nor a reference count to be held. Retrieving the +        // `PidNamespace` after `release_task()` for current will return `NULL` but no codepath +        // like that is exposed to Rust. +        // +        // SAFETY: If `current`'s pid ns is non-null, then it references a valid pid ns. +        // Furthermore, the returned `&PidNamespace` borrows from this `CurrentTask`, so it cannot +        // escape the scope in which the current pointer was obtained, e.g. it cannot live past a +        // `release_task()` call. +        Some(unsafe { PidNamespace::from_ptr(active_ns) }) +    } +} +  // SAFETY: The type invariants guarantee that `Task` is always refcounted.  unsafe impl crate::types::AlwaysRefCounted for Task {      fn inc_ref(&self) { diff --git a/rust/kernel/time.rs b/rust/kernel/time.rs index f509cb0eb71e..a8089a98da9e 100644 --- a/rust/kernel/time.rs +++ b/rust/kernel/time.rs @@ -5,14 +5,36 @@  //! This module contains the kernel APIs related to time and timers that  //! have been ported or wrapped for usage by Rust code in the kernel.  //! +//! There are two types in this module: +//! +//! - The [`Instant`] type represents a specific point in time. +//! - The [`Delta`] type represents a span of time. +//! +//! Note that the C side uses `ktime_t` type to represent both. However, timestamp +//! and timedelta are different. To avoid confusion, we use two different types. +//! +//! A [`Instant`] object can be created by calling the [`Instant::now()`] function. +//! It represents a point in time at which the object was created. +//! By calling the [`Instant::elapsed()`] method, a [`Delta`] object representing +//! the elapsed time can be created. The [`Delta`] object can also be created +//! by subtracting two [`Instant`] objects. +//! +//! A [`Delta`] type supports methods to retrieve the duration in various units. +//!  //! C header: [`include/linux/jiffies.h`](srctree/include/linux/jiffies.h).  //! C header: [`include/linux/ktime.h`](srctree/include/linux/ktime.h).  pub mod hrtimer; +/// The number of nanoseconds per microsecond. +pub const NSEC_PER_USEC: i64 = bindings::NSEC_PER_USEC as i64; +  /// The number of nanoseconds per millisecond.  pub const NSEC_PER_MSEC: i64 = bindings::NSEC_PER_MSEC as i64; +/// The number of nanoseconds per second. +pub const NSEC_PER_SEC: i64 = bindings::NSEC_PER_SEC as i64; +  /// The time unit of Linux kernel. One jiffy equals (1/HZ) second.  pub type Jiffies = crate::ffi::c_ulong; @@ -27,59 +49,44 @@ pub fn msecs_to_jiffies(msecs: Msecs) -> Jiffies {      unsafe { bindings::__msecs_to_jiffies(msecs) }  } -/// A Rust wrapper around a `ktime_t`. +/// A specific point in time. +/// +/// # Invariants +/// +/// The `inner` value is in the range from 0 to `KTIME_MAX`.  #[repr(transparent)] -#[derive(Copy, Clone)] -pub struct Ktime { +#[derive(Copy, Clone, PartialEq, PartialOrd, Eq, Ord)] +pub struct Instant {      inner: bindings::ktime_t,  } -impl Ktime { -    /// Create a `Ktime` from a raw `ktime_t`. -    #[inline] -    pub fn from_raw(inner: bindings::ktime_t) -> Self { -        Self { inner } -    } - +impl Instant {      /// Get the current time using `CLOCK_MONOTONIC`.      #[inline] -    pub fn ktime_get() -> Self { -        // SAFETY: It is always safe to call `ktime_get` outside of NMI context. -        Self::from_raw(unsafe { bindings::ktime_get() }) -    } - -    /// Divide the number of nanoseconds by a compile-time constant. -    #[inline] -    fn divns_constant<const DIV: i64>(self) -> i64 { -        self.to_ns() / DIV -    } - -    /// Returns the number of nanoseconds. -    #[inline] -    pub fn to_ns(self) -> i64 { -        self.inner +    pub fn now() -> Self { +        // INVARIANT: The `ktime_get()` function returns a value in the range +        // from 0 to `KTIME_MAX`. +        Self { +            // SAFETY: It is always safe to call `ktime_get()` outside of NMI context. +            inner: unsafe { bindings::ktime_get() }, +        }      } -    /// Returns the number of milliseconds. +    /// Return the amount of time elapsed since the [`Instant`].      #[inline] -    pub fn to_ms(self) -> i64 { -        self.divns_constant::<NSEC_PER_MSEC>() +    pub fn elapsed(&self) -> Delta { +        Self::now() - *self      }  } -/// Returns the number of milliseconds between two ktimes. -#[inline] -pub fn ktime_ms_delta(later: Ktime, earlier: Ktime) -> i64 { -    (later - earlier).to_ms() -} - -impl core::ops::Sub for Ktime { -    type Output = Ktime; +impl core::ops::Sub for Instant { +    type Output = Delta; +    // By the type invariant, it never overflows.      #[inline] -    fn sub(self, other: Ktime) -> Ktime { -        Self { -            inner: self.inner - other.inner, +    fn sub(self, other: Instant) -> Delta { +        Delta { +            nanos: self.inner - other.inner,          }      }  } @@ -149,3 +156,85 @@ impl ClockId {          self as bindings::clockid_t      }  } + +/// A span of time. +/// +/// This struct represents a span of time, with its value stored as nanoseconds. +/// The value can represent any valid i64 value, including negative, zero, and +/// positive numbers. +#[derive(Copy, Clone, PartialEq, PartialOrd, Eq, Ord, Debug)] +pub struct Delta { +    nanos: i64, +} + +impl Delta { +    /// A span of time equal to zero. +    pub const ZERO: Self = Self { nanos: 0 }; + +    /// Create a new [`Delta`] from a number of microseconds. +    /// +    /// The `micros` can range from -9_223_372_036_854_775 to 9_223_372_036_854_775. +    /// If `micros` is outside this range, `i64::MIN` is used for negative values, +    /// and `i64::MAX` is used for positive values due to saturation. +    #[inline] +    pub const fn from_micros(micros: i64) -> Self { +        Self { +            nanos: micros.saturating_mul(NSEC_PER_USEC), +        } +    } + +    /// Create a new [`Delta`] from a number of milliseconds. +    /// +    /// The `millis` can range from -9_223_372_036_854 to 9_223_372_036_854. +    /// If `millis` is outside this range, `i64::MIN` is used for negative values, +    /// and `i64::MAX` is used for positive values due to saturation. +    #[inline] +    pub const fn from_millis(millis: i64) -> Self { +        Self { +            nanos: millis.saturating_mul(NSEC_PER_MSEC), +        } +    } + +    /// Create a new [`Delta`] from a number of seconds. +    /// +    /// The `secs` can range from -9_223_372_036 to 9_223_372_036. +    /// If `secs` is outside this range, `i64::MIN` is used for negative values, +    /// and `i64::MAX` is used for positive values due to saturation. +    #[inline] +    pub const fn from_secs(secs: i64) -> Self { +        Self { +            nanos: secs.saturating_mul(NSEC_PER_SEC), +        } +    } + +    /// Return `true` if the [`Delta`] spans no time. +    #[inline] +    pub fn is_zero(self) -> bool { +        self.as_nanos() == 0 +    } + +    /// Return `true` if the [`Delta`] spans a negative amount of time. +    #[inline] +    pub fn is_negative(self) -> bool { +        self.as_nanos() < 0 +    } + +    /// Return the number of nanoseconds in the [`Delta`]. +    #[inline] +    pub const fn as_nanos(self) -> i64 { +        self.nanos +    } + +    /// Return the smallest number of microseconds greater than or equal +    /// to the value in the [`Delta`]. +    #[inline] +    pub const fn as_micros_ceil(self) -> i64 { +        self.as_nanos().saturating_add(NSEC_PER_USEC - 1) / NSEC_PER_USEC +    } + +    /// Return the number of milliseconds in the [`Delta`]. +    #[inline] +    pub const fn as_millis(self) -> i64 { +        self.as_nanos() / NSEC_PER_MSEC +    } +} diff --git a/rust/kernel/time/hrtimer.rs b/rust/kernel/time/hrtimer.rs index ce53f8579d18..9df3dcd2fa39 100644 --- a/rust/kernel/time/hrtimer.rs +++ b/rust/kernel/time/hrtimer.rs @@ -68,10 +68,26 @@  //! `start` operation.  use super::ClockId; -use crate::{prelude::*, time::Ktime, types::Opaque}; +use crate::{prelude::*, types::Opaque};  use core::marker::PhantomData;  use pin_init::PinInit; +/// A Rust wrapper around a `ktime_t`. +// NOTE: Ktime is going to be removed when hrtimer is converted to Instant/Delta. +#[repr(transparent)] +#[derive(Copy, Clone, PartialEq, PartialOrd, Eq, Ord)] +pub struct Ktime { +    inner: bindings::ktime_t, +} + +impl Ktime { +    /// Returns the number of nanoseconds. +    #[inline] +    pub fn to_ns(self) -> i64 { +        self.inner +    } +} +  /// A timer backed by a C `struct hrtimer`.  ///  /// # Invariants @@ -384,11 +400,9 @@ pub unsafe trait HasHrTimer<T> {  #[repr(u32)]  pub enum HrTimerRestart {      /// Timer should not be restarted. -    #[allow(clippy::unnecessary_cast)] -    NoRestart = bindings::hrtimer_restart_HRTIMER_NORESTART as u32, +    NoRestart = bindings::hrtimer_restart_HRTIMER_NORESTART,      /// Timer should be restarted. -    #[allow(clippy::unnecessary_cast)] -    Restart = bindings::hrtimer_restart_HRTIMER_RESTART as u32, +    Restart = bindings::hrtimer_restart_HRTIMER_RESTART,  }  impl HrTimerRestart { diff --git a/rust/kernel/time/hrtimer/arc.rs b/rust/kernel/time/hrtimer/arc.rs index 4a984d85b4a1..ccf1e66e5b2d 100644 --- a/rust/kernel/time/hrtimer/arc.rs +++ b/rust/kernel/time/hrtimer/arc.rs @@ -5,10 +5,10 @@ use super::HrTimer;  use super::HrTimerCallback;  use super::HrTimerHandle;  use super::HrTimerPointer; +use super::Ktime;  use super::RawHrTimerCallback;  use crate::sync::Arc;  use crate::sync::ArcBorrow; -use crate::time::Ktime;  /// A handle for an `Arc<HasHrTimer<T>>` returned by a call to  /// [`HrTimerPointer::start`]. diff --git a/rust/kernel/time/hrtimer/pin.rs b/rust/kernel/time/hrtimer/pin.rs index f760db265c7b..293ca9cf058c 100644 --- a/rust/kernel/time/hrtimer/pin.rs +++ b/rust/kernel/time/hrtimer/pin.rs @@ -4,9 +4,9 @@ use super::HasHrTimer;  use super::HrTimer;  use super::HrTimerCallback;  use super::HrTimerHandle; +use super::Ktime;  use super::RawHrTimerCallback;  use super::UnsafeHrTimerPointer; -use crate::time::Ktime;  use core::pin::Pin;  /// A handle for a `Pin<&HasHrTimer>`. When the handle exists, the timer might be diff --git a/rust/kernel/time/hrtimer/pin_mut.rs b/rust/kernel/time/hrtimer/pin_mut.rs index 90c0351d62e4..6033572d35ad 100644 --- a/rust/kernel/time/hrtimer/pin_mut.rs +++ b/rust/kernel/time/hrtimer/pin_mut.rs @@ -1,9 +1,9 @@  // SPDX-License-Identifier: GPL-2.0  use super::{ -    HasHrTimer, HrTimer, HrTimerCallback, HrTimerHandle, RawHrTimerCallback, UnsafeHrTimerPointer, +    HasHrTimer, HrTimer, HrTimerCallback, HrTimerHandle, Ktime, RawHrTimerCallback, +    UnsafeHrTimerPointer,  }; -use crate::time::Ktime;  use core::{marker::PhantomData, pin::Pin, ptr::NonNull};  /// A handle for a `Pin<&mut HasHrTimer>`. When the handle exists, the timer might diff --git a/rust/kernel/time/hrtimer/tbox.rs b/rust/kernel/time/hrtimer/tbox.rs index 2071cae07234..29526a5da203 100644 --- a/rust/kernel/time/hrtimer/tbox.rs +++ b/rust/kernel/time/hrtimer/tbox.rs @@ -5,9 +5,9 @@ use super::HrTimer;  use super::HrTimerCallback;  use super::HrTimerHandle;  use super::HrTimerPointer; +use super::Ktime;  use super::RawHrTimerCallback;  use crate::prelude::*; -use crate::time::Ktime;  use core::ptr::NonNull;  /// A handle for a [`Box<HasHrTimer<T>>`] returned by a call to diff --git a/rust/kernel/types.rs b/rust/kernel/types.rs index eee387727d1a..22985b6f6982 100644 --- a/rust/kernel/types.rs +++ b/rust/kernel/types.rs @@ -18,7 +18,19 @@ use pin_init::{PinInit, Zeroable};  ///  /// This trait is meant to be used in cases when Rust objects are stored in C objects and  /// eventually "freed" back to Rust. -pub trait ForeignOwnable: Sized { +/// +/// # Safety +/// +/// Implementers must ensure that [`into_foreign`] returns a pointer which meets the alignment +/// requirements of [`PointedTo`]. +/// +/// [`into_foreign`]: Self::into_foreign +/// [`PointedTo`]: Self::PointedTo +pub unsafe trait ForeignOwnable: Sized { +    /// Type used when the value is foreign-owned. In practical terms only defines the alignment of +    /// the pointer. +    type PointedTo; +      /// Type used to immutably borrow a value that is currently foreign-owned.      type Borrowed<'a>; @@ -27,16 +39,18 @@ pub trait ForeignOwnable: Sized {      /// Converts a Rust-owned object to a foreign-owned one.      /// -    /// The foreign representation is a pointer to void. There are no guarantees for this pointer. -    /// For example, it might be invalid, dangling or pointing to uninitialized memory. Using it in -    /// any way except for [`from_foreign`], [`try_from_foreign`], [`borrow`], or [`borrow_mut`] can -    /// result in undefined behavior. +    /// # Guarantees +    /// +    /// The return value is guaranteed to be well-aligned, but there are no other guarantees for +    /// this pointer. For example, it might be null, dangling, or point to uninitialized memory. +    /// Using it in any way except for [`ForeignOwnable::from_foreign`], [`ForeignOwnable::borrow`], +    /// [`ForeignOwnable::try_from_foreign`] can result in undefined behavior.      ///      /// [`from_foreign`]: Self::from_foreign      /// [`try_from_foreign`]: Self::try_from_foreign      /// [`borrow`]: Self::borrow      /// [`borrow_mut`]: Self::borrow_mut -    fn into_foreign(self) -> *mut crate::ffi::c_void; +    fn into_foreign(self) -> *mut Self::PointedTo;      /// Converts a foreign-owned object back to a Rust-owned one.      /// @@ -46,7 +60,7 @@ pub trait ForeignOwnable: Sized {      /// must not be passed to `from_foreign` more than once.      ///      /// [`into_foreign`]: Self::into_foreign -    unsafe fn from_foreign(ptr: *mut crate::ffi::c_void) -> Self; +    unsafe fn from_foreign(ptr: *mut Self::PointedTo) -> Self;      /// Tries to convert a foreign-owned object back to a Rust-owned one.      /// @@ -58,7 +72,7 @@ pub trait ForeignOwnable: Sized {      /// `ptr` must either be null or satisfy the safety requirements for [`from_foreign`].      ///      /// [`from_foreign`]: Self::from_foreign -    unsafe fn try_from_foreign(ptr: *mut crate::ffi::c_void) -> Option<Self> { +    unsafe fn try_from_foreign(ptr: *mut Self::PointedTo) -> Option<Self> {          if ptr.is_null() {              None          } else { @@ -81,7 +95,7 @@ pub trait ForeignOwnable: Sized {      ///      /// [`into_foreign`]: Self::into_foreign      /// [`from_foreign`]: Self::from_foreign -    unsafe fn borrow<'a>(ptr: *mut crate::ffi::c_void) -> Self::Borrowed<'a>; +    unsafe fn borrow<'a>(ptr: *mut Self::PointedTo) -> Self::Borrowed<'a>;      /// Borrows a foreign-owned object mutably.      /// @@ -109,21 +123,23 @@ pub trait ForeignOwnable: Sized {      /// [`from_foreign`]: Self::from_foreign      /// [`borrow`]: Self::borrow      /// [`Arc`]: crate::sync::Arc -    unsafe fn borrow_mut<'a>(ptr: *mut crate::ffi::c_void) -> Self::BorrowedMut<'a>; +    unsafe fn borrow_mut<'a>(ptr: *mut Self::PointedTo) -> Self::BorrowedMut<'a>;  } -impl ForeignOwnable for () { +// SAFETY: The `into_foreign` function returns a pointer that is dangling, but well-aligned. +unsafe impl ForeignOwnable for () { +    type PointedTo = ();      type Borrowed<'a> = ();      type BorrowedMut<'a> = (); -    fn into_foreign(self) -> *mut crate::ffi::c_void { +    fn into_foreign(self) -> *mut Self::PointedTo {          core::ptr::NonNull::dangling().as_ptr()      } -    unsafe fn from_foreign(_: *mut crate::ffi::c_void) -> Self {} +    unsafe fn from_foreign(_: *mut Self::PointedTo) -> Self {} -    unsafe fn borrow<'a>(_: *mut crate::ffi::c_void) -> Self::Borrowed<'a> {} -    unsafe fn borrow_mut<'a>(_: *mut crate::ffi::c_void) -> Self::BorrowedMut<'a> {} +    unsafe fn borrow<'a>(_: *mut Self::PointedTo) -> Self::Borrowed<'a> {} +    unsafe fn borrow_mut<'a>(_: *mut Self::PointedTo) -> Self::BorrowedMut<'a> {}  }  /// Runs a cleanup function/closure when dropped. diff --git a/rust/kernel/uaccess.rs b/rust/kernel/uaccess.rs index 80a9782b1c6e..6d70edd8086a 100644 --- a/rust/kernel/uaccess.rs +++ b/rust/kernel/uaccess.rs @@ -46,10 +46,9 @@ pub type UserPtr = usize;  ///  /// ```no_run  /// use kernel::ffi::c_void; -/// use kernel::error::Result;  /// use kernel::uaccess::{UserPtr, UserSlice};  /// -/// fn bytes_add_one(uptr: UserPtr, len: usize) -> Result<()> { +/// fn bytes_add_one(uptr: UserPtr, len: usize) -> Result {  ///     let (read, mut write) = UserSlice::new(uptr, len).reader_writer();  ///  ///     let mut buf = KVec::new(); @@ -68,7 +67,6 @@ pub type UserPtr = usize;  ///  /// ```no_run  /// use kernel::ffi::c_void; -/// use kernel::error::{code::EINVAL, Result};  /// use kernel::uaccess::{UserPtr, UserSlice};  ///  /// /// Returns whether the data in this region is valid. @@ -290,7 +288,7 @@ impl UserSliceReader {          // SAFETY: Since the call to `read_raw` was successful, so the next `len` bytes of the          // vector have been initialized. -        unsafe { buf.set_len(buf.len() + len) }; +        unsafe { buf.inc_len(len) };          Ok(())      }  } diff --git a/rust/kernel/workqueue.rs b/rust/kernel/workqueue.rs index f98bd02b838f..d092112d843f 100644 --- a/rust/kernel/workqueue.rs +++ b/rust/kernel/workqueue.rs @@ -429,51 +429,28 @@ impl<T: ?Sized, const ID: u64> Work<T, ID> {  ///  /// # Safety  /// -/// The [`OFFSET`] constant must be the offset of a field in `Self` of type [`Work<T, ID>`]. The -/// methods on this trait must have exactly the behavior that the definitions given below have. +/// The methods [`raw_get_work`] and [`work_container_of`] must return valid pointers and must be +/// true inverses of each other; that is, they must satisfy the following invariants: +/// - `work_container_of(raw_get_work(ptr)) == ptr` for any `ptr: *mut Self`. +/// - `raw_get_work(work_container_of(ptr)) == ptr` for any `ptr: *mut Work<T, ID>`.  ///  /// [`impl_has_work!`]: crate::impl_has_work -/// [`OFFSET`]: HasWork::OFFSET +/// [`raw_get_work`]: HasWork::raw_get_work +/// [`work_container_of`]: HasWork::work_container_of  pub unsafe trait HasWork<T, const ID: u64 = 0> { -    /// The offset of the [`Work<T, ID>`] field. -    const OFFSET: usize; - -    /// Returns the offset of the [`Work<T, ID>`] field. -    /// -    /// This method exists because the [`OFFSET`] constant cannot be accessed if the type is not -    /// [`Sized`]. -    /// -    /// [`OFFSET`]: HasWork::OFFSET -    #[inline] -    fn get_work_offset(&self) -> usize { -        Self::OFFSET -    } -      /// Returns a pointer to the [`Work<T, ID>`] field.      ///      /// # Safety      ///      /// The provided pointer must point at a valid struct of type `Self`. -    #[inline] -    unsafe fn raw_get_work(ptr: *mut Self) -> *mut Work<T, ID> { -        // SAFETY: The caller promises that the pointer is valid. -        unsafe { (ptr as *mut u8).add(Self::OFFSET) as *mut Work<T, ID> } -    } +    unsafe fn raw_get_work(ptr: *mut Self) -> *mut Work<T, ID>;      /// Returns a pointer to the struct containing the [`Work<T, ID>`] field.      ///      /// # Safety      ///      /// The pointer must point at a [`Work<T, ID>`] field in a struct of type `Self`. -    #[inline] -    unsafe fn work_container_of(ptr: *mut Work<T, ID>) -> *mut Self -    where -        Self: Sized, -    { -        // SAFETY: The caller promises that the pointer points at a field of the right type in the -        // right kind of struct. -        unsafe { (ptr as *mut u8).sub(Self::OFFSET) as *mut Self } -    } +    unsafe fn work_container_of(ptr: *mut Work<T, ID>) -> *mut Self;  }  /// Used to safely implement the [`HasWork<T, ID>`] trait. @@ -504,8 +481,6 @@ macro_rules! impl_has_work {          // SAFETY: The implementation of `raw_get_work` only compiles if the field has the right          // type.          unsafe impl$(<$($generics)+>)? $crate::workqueue::HasWork<$work_type $(, $id)?> for $self { -            const OFFSET: usize = ::core::mem::offset_of!(Self, $field) as usize; -              #[inline]              unsafe fn raw_get_work(ptr: *mut Self) -> *mut $crate::workqueue::Work<$work_type $(, $id)?> {                  // SAFETY: The caller promises that the pointer is not dangling. @@ -513,6 +488,15 @@ macro_rules! impl_has_work {                      ::core::ptr::addr_of_mut!((*ptr).$field)                  }              } + +            #[inline] +            unsafe fn work_container_of( +                ptr: *mut $crate::workqueue::Work<$work_type $(, $id)?>, +            ) -> *mut Self { +                // SAFETY: The caller promises that the pointer points at a field of the right type +                // in the right kind of struct. +                unsafe { $crate::container_of!(ptr, Self, $field) } +            }          }      )*};  } diff --git a/rust/kernel/xarray.rs b/rust/kernel/xarray.rs new file mode 100644 index 000000000000..75719e7bb491 --- /dev/null +++ b/rust/kernel/xarray.rs @@ -0,0 +1,275 @@ +// SPDX-License-Identifier: GPL-2.0 + +//! XArray abstraction. +//! +//! C header: [`include/linux/xarray.h`](srctree/include/linux/xarray.h) + +use crate::{ +    alloc, bindings, build_assert, +    error::{Error, Result}, +    types::{ForeignOwnable, NotThreadSafe, Opaque}, +}; +use core::{iter, marker::PhantomData, mem, pin::Pin, ptr::NonNull}; +use pin_init::{pin_data, pin_init, pinned_drop, PinInit}; + +/// An array which efficiently maps sparse integer indices to owned objects. +/// +/// This is similar to a [`crate::alloc::kvec::Vec<Option<T>>`], but more efficient when there are +/// holes in the index space, and can be efficiently grown. +/// +/// # Invariants +/// +/// `self.xa` is always an initialized and valid [`bindings::xarray`] whose entries are either +/// `XA_ZERO_ENTRY` or came from `T::into_foreign`. +/// +/// # Examples +/// +/// ```rust +/// use kernel::alloc::KBox; +/// use kernel::xarray::{AllocKind, XArray}; +/// +/// let xa = KBox::pin_init(XArray::new(AllocKind::Alloc1), GFP_KERNEL)?; +/// +/// let dead = KBox::new(0xdead, GFP_KERNEL)?; +/// let beef = KBox::new(0xbeef, GFP_KERNEL)?; +/// +/// let mut guard = xa.lock(); +/// +/// assert_eq!(guard.get(0), None); +/// +/// assert_eq!(guard.store(0, dead, GFP_KERNEL)?.as_deref(), None); +/// assert_eq!(guard.get(0).copied(), Some(0xdead)); +/// +/// *guard.get_mut(0).unwrap() = 0xffff; +/// assert_eq!(guard.get(0).copied(), Some(0xffff)); +/// +/// assert_eq!(guard.store(0, beef, GFP_KERNEL)?.as_deref().copied(), Some(0xffff)); +/// assert_eq!(guard.get(0).copied(), Some(0xbeef)); +/// +/// guard.remove(0); +/// assert_eq!(guard.get(0), None); +/// +/// # Ok::<(), Error>(()) +/// ``` +#[pin_data(PinnedDrop)] +pub struct XArray<T: ForeignOwnable> { +    #[pin] +    xa: Opaque<bindings::xarray>, +    _p: PhantomData<T>, +} + +#[pinned_drop] +impl<T: ForeignOwnable> PinnedDrop for XArray<T> { +    fn drop(self: Pin<&mut Self>) { +        self.iter().for_each(|ptr| { +            let ptr = ptr.as_ptr(); +            // SAFETY: `ptr` came from `T::into_foreign`. +            // +            // INVARIANT: we own the only reference to the array which is being dropped so the +            // broken invariant is not observable on function exit. +            drop(unsafe { T::from_foreign(ptr) }) +        }); + +        // SAFETY: `self.xa` is always valid by the type invariant. +        unsafe { bindings::xa_destroy(self.xa.get()) }; +    } +} + +/// Flags passed to [`XArray::new`] to configure the array's allocation tracking behavior. +pub enum AllocKind { +    /// Consider the first element to be at index 0. +    Alloc, +    /// Consider the first element to be at index 1. +    Alloc1, +} + +impl<T: ForeignOwnable> XArray<T> { +    /// Creates a new initializer for this type. +    pub fn new(kind: AllocKind) -> impl PinInit<Self> { +        let flags = match kind { +            AllocKind::Alloc => bindings::XA_FLAGS_ALLOC, +            AllocKind::Alloc1 => bindings::XA_FLAGS_ALLOC1, +        }; +        pin_init!(Self { +            // SAFETY: `xa` is valid while the closure is called. +            // +            // INVARIANT: `xa` is initialized here to an empty, valid [`bindings::xarray`]. +            xa <- Opaque::ffi_init(|xa| unsafe { +                bindings::xa_init_flags(xa, flags) +            }), +            _p: PhantomData, +        }) +    } + +    fn iter(&self) -> impl Iterator<Item = NonNull<T::PointedTo>> + '_ { +        let mut index = 0; + +        // SAFETY: `self.xa` is always valid by the type invariant. +        iter::once(unsafe { +            bindings::xa_find(self.xa.get(), &mut index, usize::MAX, bindings::XA_PRESENT) +        }) +        .chain(iter::from_fn(move || { +            // SAFETY: `self.xa` is always valid by the type invariant. +            Some(unsafe { +                bindings::xa_find_after(self.xa.get(), &mut index, usize::MAX, bindings::XA_PRESENT) +            }) +        })) +        .map_while(|ptr| NonNull::new(ptr.cast())) +    } + +    /// Attempts to lock the [`XArray`] for exclusive access. +    pub fn try_lock(&self) -> Option<Guard<'_, T>> { +        // SAFETY: `self.xa` is always valid by the type invariant. +        if (unsafe { bindings::xa_trylock(self.xa.get()) } != 0) { +            Some(Guard { +                xa: self, +                _not_send: NotThreadSafe, +            }) +        } else { +            None +        } +    } + +    /// Locks the [`XArray`] for exclusive access. +    pub fn lock(&self) -> Guard<'_, T> { +        // SAFETY: `self.xa` is always valid by the type invariant. +        unsafe { bindings::xa_lock(self.xa.get()) }; + +        Guard { +            xa: self, +            _not_send: NotThreadSafe, +        } +    } +} + +/// A lock guard. +/// +/// The lock is unlocked when the guard goes out of scope. +#[must_use = "the lock unlocks immediately when the guard is unused"] +pub struct Guard<'a, T: ForeignOwnable> { +    xa: &'a XArray<T>, +    _not_send: NotThreadSafe, +} + +impl<T: ForeignOwnable> Drop for Guard<'_, T> { +    fn drop(&mut self) { +        // SAFETY: +        // - `self.xa.xa` is always valid by the type invariant. +        // - The caller holds the lock, so it is safe to unlock it. +        unsafe { bindings::xa_unlock(self.xa.xa.get()) }; +    } +} + +/// The error returned by [`store`](Guard::store). +/// +/// Contains the underlying error and the value that was not stored. +pub struct StoreError<T> { +    /// The error that occurred. +    pub error: Error, +    /// The value that was not stored. +    pub value: T, +} + +impl<T> From<StoreError<T>> for Error { +    fn from(value: StoreError<T>) -> Self { +        value.error +    } +} + +impl<'a, T: ForeignOwnable> Guard<'a, T> { +    fn load<F, U>(&self, index: usize, f: F) -> Option<U> +    where +        F: FnOnce(NonNull<T::PointedTo>) -> U, +    { +        // SAFETY: `self.xa.xa` is always valid by the type invariant. +        let ptr = unsafe { bindings::xa_load(self.xa.xa.get(), index) }; +        let ptr = NonNull::new(ptr.cast())?; +        Some(f(ptr)) +    } + +    /// Provides a reference to the element at the given index. +    pub fn get(&self, index: usize) -> Option<T::Borrowed<'_>> { +        self.load(index, |ptr| { +            // SAFETY: `ptr` came from `T::into_foreign`. +            unsafe { T::borrow(ptr.as_ptr()) } +        }) +    } + +    /// Provides a mutable reference to the element at the given index. +    pub fn get_mut(&mut self, index: usize) -> Option<T::BorrowedMut<'_>> { +        self.load(index, |ptr| { +            // SAFETY: `ptr` came from `T::into_foreign`. +            unsafe { T::borrow_mut(ptr.as_ptr()) } +        }) +    } + +    /// Removes and returns the element at the given index. +    pub fn remove(&mut self, index: usize) -> Option<T> { +        // SAFETY: +        // - `self.xa.xa` is always valid by the type invariant. +        // - The caller holds the lock. +        let ptr = unsafe { bindings::__xa_erase(self.xa.xa.get(), index) }.cast(); +        // SAFETY: +        // - `ptr` is either NULL or came from `T::into_foreign`. +        // - `&mut self` guarantees that the lifetimes of [`T::Borrowed`] and [`T::BorrowedMut`] +        // borrowed from `self` have ended. +        unsafe { T::try_from_foreign(ptr) } +    } + +    /// Stores an element at the given index. +    /// +    /// May drop the lock if needed to allocate memory, and then reacquire it afterwards. +    /// +    /// On success, returns the element which was previously at the given index. +    /// +    /// On failure, returns the element which was attempted to be stored. +    pub fn store( +        &mut self, +        index: usize, +        value: T, +        gfp: alloc::Flags, +    ) -> Result<Option<T>, StoreError<T>> { +        build_assert!( +            mem::align_of::<T::PointedTo>() >= 4, +            "pointers stored in XArray must be 4-byte aligned" +        ); +        let new = value.into_foreign(); + +        let old = { +            let new = new.cast(); +            // SAFETY: +            // - `self.xa.xa` is always valid by the type invariant. +            // - The caller holds the lock. +            // +            // INVARIANT: `new` came from `T::into_foreign`. +            unsafe { bindings::__xa_store(self.xa.xa.get(), index, new, gfp.as_raw()) } +        }; + +        // SAFETY: `__xa_store` returns the old entry at this index on success or `xa_err` if an +        // error happened. +        let errno = unsafe { bindings::xa_err(old) }; +        if errno != 0 { +            // SAFETY: `new` came from `T::into_foreign` and `__xa_store` does not take +            // ownership of the value on error. +            let value = unsafe { T::from_foreign(new) }; +            Err(StoreError { +                value, +                error: Error::from_errno(errno), +            }) +        } else { +            let old = old.cast(); +            // SAFETY: `ptr` is either NULL or came from `T::into_foreign`. +            // +            // NB: `XA_ZERO_ENTRY` is never returned by functions belonging to the Normal XArray +            // API; such entries present as `NULL`. +            Ok(unsafe { T::try_from_foreign(old) }) +        } +    } +} + +// SAFETY: `XArray<T>` has no shared mutable state so it is `Send` iff `T` is `Send`. +unsafe impl<T: ForeignOwnable + Send> Send for XArray<T> {} + +// SAFETY: `XArray<T>` serialises the interior mutability it provides so it is `Sync` iff `T` is +// `Send`. +unsafe impl<T: ForeignOwnable + Send> Sync for XArray<T> {} | 
