1 // SPDX-License-Identifier: GPL-2.0 2 3 //! Kernel types. 4 5 use crate::ffi::c_void; 6 use core::{ 7 cell::UnsafeCell, 8 marker::{PhantomData, PhantomPinned}, 9 mem::MaybeUninit, 10 ops::{Deref, DerefMut}, 11 }; 12 use pin_init::{PinInit, Wrapper, Zeroable}; 13 14 /// Used to transfer ownership to and from foreign (non-Rust) languages. 15 /// 16 /// Ownership is transferred from Rust to a foreign language by calling [`Self::into_foreign`] and 17 /// later may be transferred back to Rust by calling [`Self::from_foreign`]. 18 /// 19 /// This trait is meant to be used in cases when Rust objects are stored in C objects and 20 /// eventually "freed" back to Rust. 21 /// 22 /// # Safety 23 /// 24 /// - Implementations must satisfy the guarantees of [`Self::into_foreign`]. 25 pub unsafe trait ForeignOwnable: Sized { 26 /// The alignment of pointers returned by `into_foreign`. 27 const FOREIGN_ALIGN: usize; 28 29 /// Type used to immutably borrow a value that is currently foreign-owned. 30 type Borrowed<'a>; 31 32 /// Type used to mutably borrow a value that is currently foreign-owned. 33 type BorrowedMut<'a>; 34 35 /// Converts a Rust-owned object to a foreign-owned one. 36 /// 37 /// The foreign representation is a pointer to void. Aside from the guarantees listed below, 38 /// there are no other guarantees for this pointer. For example, it might be invalid, dangling 39 /// or pointing to uninitialized memory. Using it in any way except for [`from_foreign`], 40 /// [`try_from_foreign`], [`borrow`], or [`borrow_mut`] can result in undefined behavior. 41 /// 42 /// # Guarantees 43 /// 44 /// - Minimum alignment of returned pointer is [`Self::FOREIGN_ALIGN`]. 45 /// - The returned pointer is not null. 46 /// 47 /// [`from_foreign`]: Self::from_foreign 48 /// [`try_from_foreign`]: Self::try_from_foreign 49 /// [`borrow`]: Self::borrow 50 /// [`borrow_mut`]: Self::borrow_mut into_foreign(self) -> *mut c_void51 fn into_foreign(self) -> *mut c_void; 52 53 /// Converts a foreign-owned object back to a Rust-owned one. 54 /// 55 /// # Safety 56 /// 57 /// The provided pointer must have been returned by a previous call to [`into_foreign`], and it 58 /// must not be passed to `from_foreign` more than once. 59 /// 60 /// [`into_foreign`]: Self::into_foreign from_foreign(ptr: *mut c_void) -> Self61 unsafe fn from_foreign(ptr: *mut c_void) -> Self; 62 63 /// Tries to convert a foreign-owned object back to a Rust-owned one. 64 /// 65 /// A convenience wrapper over [`ForeignOwnable::from_foreign`] that returns [`None`] if `ptr` 66 /// is null. 67 /// 68 /// # Safety 69 /// 70 /// `ptr` must either be null or satisfy the safety requirements for [`from_foreign`]. 71 /// 72 /// [`from_foreign`]: Self::from_foreign try_from_foreign(ptr: *mut c_void) -> Option<Self>73 unsafe fn try_from_foreign(ptr: *mut c_void) -> Option<Self> { 74 if ptr.is_null() { 75 None 76 } else { 77 // SAFETY: Since `ptr` is not null here, then `ptr` satisfies the safety requirements 78 // of `from_foreign` given the safety requirements of this function. 79 unsafe { Some(Self::from_foreign(ptr)) } 80 } 81 } 82 83 /// Borrows a foreign-owned object immutably. 84 /// 85 /// This method provides a way to access a foreign-owned value from Rust immutably. It provides 86 /// you with exactly the same abilities as an `&Self` when the value is Rust-owned. 87 /// 88 /// # Safety 89 /// 90 /// The provided pointer must have been returned by a previous call to [`into_foreign`], and if 91 /// the pointer is ever passed to [`from_foreign`], then that call must happen after the end of 92 /// the lifetime `'a`. 93 /// 94 /// [`into_foreign`]: Self::into_foreign 95 /// [`from_foreign`]: Self::from_foreign borrow<'a>(ptr: *mut c_void) -> Self::Borrowed<'a>96 unsafe fn borrow<'a>(ptr: *mut c_void) -> Self::Borrowed<'a>; 97 98 /// Borrows a foreign-owned object mutably. 99 /// 100 /// This method provides a way to access a foreign-owned value from Rust mutably. It provides 101 /// you with exactly the same abilities as an `&mut Self` when the value is Rust-owned, except 102 /// that the address of the object must not be changed. 103 /// 104 /// Note that for types like [`Arc`], an `&mut Arc<T>` only gives you immutable access to the 105 /// inner value, so this method also only provides immutable access in that case. 106 /// 107 /// In the case of `Box<T>`, this method gives you the ability to modify the inner `T`, but it 108 /// does not let you change the box itself. That is, you cannot change which allocation the box 109 /// points at. 110 /// 111 /// # Safety 112 /// 113 /// The provided pointer must have been returned by a previous call to [`into_foreign`], and if 114 /// the pointer is ever passed to [`from_foreign`], then that call must happen after the end of 115 /// the lifetime `'a`. 116 /// 117 /// The lifetime `'a` must not overlap with the lifetime of any other call to [`borrow`] or 118 /// `borrow_mut` on the same object. 119 /// 120 /// [`into_foreign`]: Self::into_foreign 121 /// [`from_foreign`]: Self::from_foreign 122 /// [`borrow`]: Self::borrow 123 /// [`Arc`]: crate::sync::Arc borrow_mut<'a>(ptr: *mut c_void) -> Self::BorrowedMut<'a>124 unsafe fn borrow_mut<'a>(ptr: *mut c_void) -> Self::BorrowedMut<'a>; 125 } 126 127 // SAFETY: The pointer returned by `into_foreign` comes from a well aligned 128 // pointer to `()`. 129 unsafe impl ForeignOwnable for () { 130 const FOREIGN_ALIGN: usize = core::mem::align_of::<()>(); 131 type Borrowed<'a> = (); 132 type BorrowedMut<'a> = (); 133 into_foreign(self) -> *mut c_void134 fn into_foreign(self) -> *mut c_void { 135 core::ptr::NonNull::dangling().as_ptr() 136 } 137 from_foreign(_: *mut c_void) -> Self138 unsafe fn from_foreign(_: *mut c_void) -> Self {} 139 borrow<'a>(_: *mut c_void) -> Self::Borrowed<'a>140 unsafe fn borrow<'a>(_: *mut c_void) -> Self::Borrowed<'a> {} borrow_mut<'a>(_: *mut c_void) -> Self::BorrowedMut<'a>141 unsafe fn borrow_mut<'a>(_: *mut c_void) -> Self::BorrowedMut<'a> {} 142 } 143 144 /// Runs a cleanup function/closure when dropped. 145 /// 146 /// The [`ScopeGuard::dismiss`] function prevents the cleanup function from running. 147 /// 148 /// # Examples 149 /// 150 /// In the example below, we have multiple exit paths and we want to log regardless of which one is 151 /// taken: 152 /// 153 /// ``` 154 /// # use kernel::types::ScopeGuard; 155 /// fn example1(arg: bool) { 156 /// let _log = ScopeGuard::new(|| pr_info!("example1 completed\n")); 157 /// 158 /// if arg { 159 /// return; 160 /// } 161 /// 162 /// pr_info!("Do something...\n"); 163 /// } 164 /// 165 /// # example1(false); 166 /// # example1(true); 167 /// ``` 168 /// 169 /// In the example below, we want to log the same message on all early exits but a different one on 170 /// the main exit path: 171 /// 172 /// ``` 173 /// # use kernel::types::ScopeGuard; 174 /// fn example2(arg: bool) { 175 /// let log = ScopeGuard::new(|| pr_info!("example2 returned early\n")); 176 /// 177 /// if arg { 178 /// return; 179 /// } 180 /// 181 /// // (Other early returns...) 182 /// 183 /// log.dismiss(); 184 /// pr_info!("example2 no early return\n"); 185 /// } 186 /// 187 /// # example2(false); 188 /// # example2(true); 189 /// ``` 190 /// 191 /// In the example below, we need a mutable object (the vector) to be accessible within the log 192 /// function, so we wrap it in the [`ScopeGuard`]: 193 /// 194 /// ``` 195 /// # use kernel::types::ScopeGuard; 196 /// fn example3(arg: bool) -> Result { 197 /// let mut vec = 198 /// ScopeGuard::new_with_data(KVec::new(), |v| pr_info!("vec had {} elements\n", v.len())); 199 /// 200 /// vec.push(10u8, GFP_KERNEL)?; 201 /// if arg { 202 /// return Ok(()); 203 /// } 204 /// vec.push(20u8, GFP_KERNEL)?; 205 /// Ok(()) 206 /// } 207 /// 208 /// # assert_eq!(example3(false), Ok(())); 209 /// # assert_eq!(example3(true), Ok(())); 210 /// ``` 211 /// 212 /// # Invariants 213 /// 214 /// The value stored in the struct is nearly always `Some(_)`, except between 215 /// [`ScopeGuard::dismiss`] and [`ScopeGuard::drop`]: in this case, it will be `None` as the value 216 /// will have been returned to the caller. Since [`ScopeGuard::dismiss`] consumes the guard, 217 /// callers won't be able to use it anymore. 218 pub struct ScopeGuard<T, F: FnOnce(T)>(Option<(T, F)>); 219 220 impl<T, F: FnOnce(T)> ScopeGuard<T, F> { 221 /// Creates a new guarded object wrapping the given data and with the given cleanup function. new_with_data(data: T, cleanup_func: F) -> Self222 pub fn new_with_data(data: T, cleanup_func: F) -> Self { 223 // INVARIANT: The struct is being initialised with `Some(_)`. 224 Self(Some((data, cleanup_func))) 225 } 226 227 /// Prevents the cleanup function from running and returns the guarded data. dismiss(mut self) -> T228 pub fn dismiss(mut self) -> T { 229 // INVARIANT: This is the exception case in the invariant; it is not visible to callers 230 // because this function consumes `self`. 231 self.0.take().unwrap().0 232 } 233 } 234 235 impl ScopeGuard<(), fn(())> { 236 /// Creates a new guarded object with the given cleanup function. new(cleanup: impl FnOnce()) -> ScopeGuard<(), impl FnOnce(())>237 pub fn new(cleanup: impl FnOnce()) -> ScopeGuard<(), impl FnOnce(())> { 238 ScopeGuard::new_with_data((), move |()| cleanup()) 239 } 240 } 241 242 impl<T, F: FnOnce(T)> Deref for ScopeGuard<T, F> { 243 type Target = T; 244 deref(&self) -> &T245 fn deref(&self) -> &T { 246 // The type invariants guarantee that `unwrap` will succeed. 247 &self.0.as_ref().unwrap().0 248 } 249 } 250 251 impl<T, F: FnOnce(T)> DerefMut for ScopeGuard<T, F> { deref_mut(&mut self) -> &mut T252 fn deref_mut(&mut self) -> &mut T { 253 // The type invariants guarantee that `unwrap` will succeed. 254 &mut self.0.as_mut().unwrap().0 255 } 256 } 257 258 impl<T, F: FnOnce(T)> Drop for ScopeGuard<T, F> { drop(&mut self)259 fn drop(&mut self) { 260 // Run the cleanup function if one is still present. 261 if let Some((data, cleanup)) = self.0.take() { 262 cleanup(data) 263 } 264 } 265 } 266 267 /// Stores an opaque value. 268 /// 269 /// [`Opaque<T>`] is meant to be used with FFI objects that are never interpreted by Rust code. 270 /// 271 /// It is used to wrap structs from the C side, like for example `Opaque<bindings::mutex>`. 272 /// It gets rid of all the usual assumptions that Rust has for a value: 273 /// 274 /// * The value is allowed to be uninitialized (for example have invalid bit patterns: `3` for a 275 /// [`bool`]). 276 /// * The value is allowed to be mutated, when a `&Opaque<T>` exists on the Rust side. 277 /// * No uniqueness for mutable references: it is fine to have multiple `&mut Opaque<T>` point to 278 /// the same value. 279 /// * The value is not allowed to be shared with other threads (i.e. it is `!Sync`). 280 /// 281 /// This has to be used for all values that the C side has access to, because it can't be ensured 282 /// that the C side is adhering to the usual constraints that Rust needs. 283 /// 284 /// Using [`Opaque<T>`] allows to continue to use references on the Rust side even for values shared 285 /// with C. 286 /// 287 /// # Examples 288 /// 289 /// ``` 290 /// use kernel::types::Opaque; 291 /// # // Emulate a C struct binding which is from C, maybe uninitialized or not, only the C side 292 /// # // knows. 293 /// # mod bindings { 294 /// # pub struct Foo { 295 /// # pub val: u8, 296 /// # } 297 /// # } 298 /// 299 /// // `foo.val` is assumed to be handled on the C side, so we use `Opaque` to wrap it. 300 /// pub struct Foo { 301 /// foo: Opaque<bindings::Foo>, 302 /// } 303 /// 304 /// impl Foo { 305 /// pub fn get_val(&self) -> u8 { 306 /// let ptr = Opaque::get(&self.foo); 307 /// 308 /// // SAFETY: `Self` is valid from C side. 309 /// unsafe { (*ptr).val } 310 /// } 311 /// } 312 /// 313 /// // Create an instance of `Foo` with the `Opaque` wrapper. 314 /// let foo = Foo { 315 /// foo: Opaque::new(bindings::Foo { val: 0xdb }), 316 /// }; 317 /// 318 /// assert_eq!(foo.get_val(), 0xdb); 319 /// ``` 320 #[repr(transparent)] 321 pub struct Opaque<T> { 322 value: UnsafeCell<MaybeUninit<T>>, 323 _pin: PhantomPinned, 324 } 325 326 // SAFETY: `Opaque<T>` allows the inner value to be any bit pattern, including all zeros. 327 unsafe impl<T> Zeroable for Opaque<T> {} 328 329 impl<T> Opaque<T> { 330 /// Creates a new opaque value. new(value: T) -> Self331 pub const fn new(value: T) -> Self { 332 Self { 333 value: UnsafeCell::new(MaybeUninit::new(value)), 334 _pin: PhantomPinned, 335 } 336 } 337 338 /// Creates an uninitialised value. uninit() -> Self339 pub const fn uninit() -> Self { 340 Self { 341 value: UnsafeCell::new(MaybeUninit::uninit()), 342 _pin: PhantomPinned, 343 } 344 } 345 346 /// Creates a new zeroed opaque value. zeroed() -> Self347 pub const fn zeroed() -> Self { 348 Self { 349 value: UnsafeCell::new(MaybeUninit::zeroed()), 350 _pin: PhantomPinned, 351 } 352 } 353 354 /// Creates a pin-initializer from the given initializer closure. 355 /// 356 /// The returned initializer calls the given closure with the pointer to the inner `T` of this 357 /// `Opaque`. Since this memory is uninitialized, the closure is not allowed to read from it. 358 /// 359 /// This function is safe, because the `T` inside of an `Opaque` is allowed to be 360 /// uninitialized. Additionally, access to the inner `T` requires `unsafe`, so the caller needs 361 /// to verify at that point that the inner value is valid. ffi_init(init_func: impl FnOnce(*mut T)) -> impl PinInit<Self>362 pub fn ffi_init(init_func: impl FnOnce(*mut T)) -> impl PinInit<Self> { 363 // SAFETY: We contain a `MaybeUninit`, so it is OK for the `init_func` to not fully 364 // initialize the `T`. 365 unsafe { 366 pin_init::pin_init_from_closure::<_, ::core::convert::Infallible>(move |slot| { 367 init_func(Self::cast_into(slot)); 368 Ok(()) 369 }) 370 } 371 } 372 373 /// Creates a fallible pin-initializer from the given initializer closure. 374 /// 375 /// The returned initializer calls the given closure with the pointer to the inner `T` of this 376 /// `Opaque`. Since this memory is uninitialized, the closure is not allowed to read from it. 377 /// 378 /// This function is safe, because the `T` inside of an `Opaque` is allowed to be 379 /// uninitialized. Additionally, access to the inner `T` requires `unsafe`, so the caller needs 380 /// to verify at that point that the inner value is valid. try_ffi_init<E>( init_func: impl FnOnce(*mut T) -> Result<(), E>, ) -> impl PinInit<Self, E>381 pub fn try_ffi_init<E>( 382 init_func: impl FnOnce(*mut T) -> Result<(), E>, 383 ) -> impl PinInit<Self, E> { 384 // SAFETY: We contain a `MaybeUninit`, so it is OK for the `init_func` to not fully 385 // initialize the `T`. 386 unsafe { 387 pin_init::pin_init_from_closure::<_, E>(move |slot| init_func(Self::cast_into(slot))) 388 } 389 } 390 391 /// Returns a raw pointer to the opaque data. get(&self) -> *mut T392 pub const fn get(&self) -> *mut T { 393 UnsafeCell::get(&self.value).cast::<T>() 394 } 395 396 /// Gets the value behind `this`. 397 /// 398 /// This function is useful to get access to the value without creating intermediate 399 /// references. cast_into(this: *const Self) -> *mut T400 pub const fn cast_into(this: *const Self) -> *mut T { 401 UnsafeCell::raw_get(this.cast::<UnsafeCell<MaybeUninit<T>>>()).cast::<T>() 402 } 403 404 /// The opposite operation of [`Opaque::cast_into`]. cast_from(this: *const T) -> *const Self405 pub const fn cast_from(this: *const T) -> *const Self { 406 this.cast() 407 } 408 } 409 410 impl<T> Wrapper<T> for Opaque<T> { 411 /// Create an opaque pin-initializer from the given pin-initializer. pin_init<E>(slot: impl PinInit<T, E>) -> impl PinInit<Self, E>412 fn pin_init<E>(slot: impl PinInit<T, E>) -> impl PinInit<Self, E> { 413 Self::try_ffi_init(|ptr: *mut T| { 414 // SAFETY: 415 // - `ptr` is a valid pointer to uninitialized memory, 416 // - `slot` is not accessed on error, 417 // - `slot` is pinned in memory. 418 unsafe { PinInit::<T, E>::__pinned_init(slot, ptr) } 419 }) 420 } 421 } 422 423 /// Zero-sized type to mark types not [`Send`]. 424 /// 425 /// Add this type as a field to your struct if your type should not be sent to a different task. 426 /// Since [`Send`] is an auto trait, adding a single field that is `!Send` will ensure that the 427 /// whole type is `!Send`. 428 /// 429 /// If a type is `!Send` it is impossible to give control over an instance of the type to another 430 /// task. This is useful to include in types that store or reference task-local information. A file 431 /// descriptor is an example of such task-local information. 432 /// 433 /// This type also makes the type `!Sync`, which prevents immutable access to the value from 434 /// several threads in parallel. 435 pub type NotThreadSafe = PhantomData<*mut ()>; 436 437 /// Used to construct instances of type [`NotThreadSafe`] similar to how `PhantomData` is 438 /// constructed. 439 /// 440 /// [`NotThreadSafe`]: type@NotThreadSafe 441 #[allow(non_upper_case_globals)] 442 pub const NotThreadSafe: NotThreadSafe = PhantomData; 443