From nobody Mon Feb 9 22:22:36 2026 Received: from mail-ed1-f45.google.com (mail-ed1-f45.google.com [209.85.208.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7ADF02A8D0; Wed, 30 Apr 2025 08:36:40 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.45 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1746002202; cv=none; b=aGJnLcGynXA0vsUc6+8XoXiiumJeQ5219c3Q8ooXXFIyKDHt62oQzcJJyH68sSEF3b+Dltf/nHD834QvCu7gT0Qpj8mpmrcl7ioWYofe6iMUyDSB/zmJMHpJcGzeBjSDJDruEtxkXG6SyEBPKYT0TLjpg84JG4O6Jp28c62F4KE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1746002202; c=relaxed/simple; bh=kA6Ty50SPOFgimp7Tg2K3Ce2nrWbjdG63Xnq0binEW0=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=HcG/tXB5l3Veq3IPTS2lIU88UKKtqDuhWVvg3Del+UQm05i85IaeRQH03w2RPoXuHHDvBcUIIaMtjIlR53TBJvCv0ewoSxpooRyud+V30jAfBg7xhcw0mcGp4W7xrdypxpzl3RNQtvzdguZH/Ff5gIydIUQNW9X3CvIVxF+fS68= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=H72Y/NFt; arc=none smtp.client-ip=209.85.208.45 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="H72Y/NFt" Received: by mail-ed1-f45.google.com with SMTP id 4fb4d7f45d1cf-5e5e8274a74so11071351a12.1; Wed, 30 Apr 2025 01:36:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1746002198; x=1746606998; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=H+wYAZz/pbkATVqPvOnfiWnwAhCBTt7BUcOohLnoILI=; b=H72Y/NFtSWOwk7AOpUn8AL59ISt+UQ8vKjpQvilgHflppHilvjXUbGXXJ7Qv5ARcdr N+wtvspf69ZU+D7fpMicgrdH64+JFuXstkPfzWtWngqT44vqS3rxDPfSgUTyjXjDgGLh utb96JcuI5FeCRlg0CbUxqrnC5CBC7Eusl13jRpfk0QAg/OCsAnJYmDp2AMCg6khdUPm Rmwlj73tMLjD7x+KJRknPoCdi9zZLOdFUbyFaPMLbrVZhk3TIiIH8AhIcZvoXbvc8HO7 yWrljwWShcl05ykfiixr7WqofkRNBbCk+/eiZMRZBpCGK7k4zoQj8o66NKHLHobnwgEm AaWA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1746002198; x=1746606998; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=H+wYAZz/pbkATVqPvOnfiWnwAhCBTt7BUcOohLnoILI=; b=MOxhj3VUViu8ZRk9w9BjuszSvlRwHxZLHJgKliTGSe3+6AmNQIaGkQCIZz7RK5Esc3 YwSagxdI1YtT4lINRS+UxgpsVnyF/H8rLNO4qj/0SHWbusepNH16I0bCiCzkxYN3T0lX ByozqmZRYLQGDLiU7IFSc9qGRPBr23td2VTJ+uzrRUk+JRinlDpk5lfAtGff3FlbYHv5 2bd6yxh3sDIL254Jmi9lZeujKq5dC+A4g0MAF9m5FRdmYv0B8Rhe3nOLudap+eqOvpx5 D+aODihEZY8HMpnjyUe6G3p1RaCVGg5LXymIxmVfYJ/rlRPpBCo0BnaGh0PXksh71jsW yESQ== X-Forwarded-Encrypted: i=1; AJvYcCUu47tmwYNGYsnQXhonkNoug0zjC1c2bSCEYbR6Vr6S4ofop3S2eBeqk6yx6g8TTnu8BC3SUub2TI6iWqPVVw==@vger.kernel.org X-Gm-Message-State: AOJu0YymKapGSlDJ1plo3iA0EwxmSfgiaD8S4hhSdZfdSk6nNouh7aON bB2WaOWfOAFjQ8sniHkxdrOCg2w+bFtaqnVhK9o+8Yd6NJXxPJdYFXQxPeKdApQ= X-Gm-Gg: ASbGncvNYzVn/JQZ3N30AB83+gxqVoo/baeA44Z/2arpNScqyxR6lsX9hi2P9CRPWaI WB4xMDel0zTblRYkRGM2xsZDypTZN+w6YSL2R7aUS0RORIQ1MIO9JPV8kZhZ24pkeYiWwl+B+gK YbirYCYZ/QWqWoZaNhmHSvaWJvOAbdx5rwRbCYPC1FD9VE8PimapfprkJbqjvXe57XiyVxuzHiN MKL6RgCO3J0yrUKn/qo8F56PQM7lhgINDLrcZjkXf2JkgNesqFoCuxP+97/lD15oMRCqjwr3VP6 5FjmKA6KUJRQ34WJHgPdkXtTEEs5uyHi3Gg86eetfrlSDbmlHajQ X-Google-Smtp-Source: AGHT+IFxT0EHxnU/Tbheyf1WL4mHvoav41cX+gwWGSY8CLEBag0Ts+UCjDR01lL3z3Do+ZByojBMCA== X-Received: by 2002:a05:6402:27c6:b0:5ec:9e6e:c48f with SMTP id 4fb4d7f45d1cf-5f8af0ca29bmr1057356a12.29.1746002198259; Wed, 30 Apr 2025 01:36:38 -0700 (PDT) Received: from [10.27.99.142] ([193.170.124.198]) by smtp.googlemail.com with ESMTPSA id 4fb4d7f45d1cf-5f7016f6424sm8653721a12.42.2025.04.30.01.36.37 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 30 Apr 2025 01:36:37 -0700 (PDT) From: Christian Schrefl Date: Wed, 30 Apr 2025 10:36:11 +0200 Subject: [PATCH v2 1/3] rust: add UnsafePinned type Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20250430-rust_unsafe_pinned-v2-1-fc8617a74024@gmail.com> References: <20250430-rust_unsafe_pinned-v2-0-fc8617a74024@gmail.com> In-Reply-To: <20250430-rust_unsafe_pinned-v2-0-fc8617a74024@gmail.com> To: Sky , Miguel Ojeda , Alex Gaynor , Boqun Feng , Gary Guo , =?utf-8?q?Bj=C3=B6rn_Roy_Baron?= , Benno Lossin , Andreas Hindborg , Alice Ryhl , Trevor Gross , Danilo Krummrich , =?utf-8?q?Gerald_Wisb=C3=B6ck?= Cc: linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org, Christian Schrefl X-Mailer: b4 0.14.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1746002196; l=9573; i=chrisi.schrefl@gmail.com; s=20250119; h=from:subject:message-id; bh=kA6Ty50SPOFgimp7Tg2K3Ce2nrWbjdG63Xnq0binEW0=; b=jADf8Ze8rWeUVdGz1P5CE1xekmV4ZVhR5ZFj0GGCB+JPLZM1JA1/6kRpI05ZXfL3hRnlSbKnD tPNVCleEBakCe7lx1kSs7VjSzFeqCP7dHtSgQRq7Zeg+ednPfVWmLfF X-Developer-Key: i=chrisi.schrefl@gmail.com; a=ed25519; pk=EIyitYCrzxWlybrqoGqiL2jyvO7Vp9X40n0dQ6HE4oU= `UnsafePinned` is useful for cases where a value might be shared with C code but not directly used by it. In particular this is added for storing additional data in the `MiscDeviceRegistration` which will be shared between `fops->open` and the containing struct. Similar to `Opaque` but guarantees that the value is always initialized and that the inner value is dropped when `UnsafePinned` is dropped. This was originally proposed for the IRQ abstractions [0] and is also useful for other where the inner data may be aliased, but is always valid and automatic `Drop` is desired. Since then the `UnsafePinned` type was added to upstream Rust [1] by Sky as a unstable feature, therefore this patch implements the subset of the upstream API for the `UnsafePinned` type required for additional data in `MiscDeviceRegistration` and in the implementation of the `Opaque` type. Some differences to the upstream type definition are required in the kernel implementation, because upstream type uses some compiler changes to opt out of certain optimizations, this is documented in the documentation and a comment on the `UnsafePinned` type. The documentation on is based on the upstream rust documentation with minor modifications for the kernel implementation. Link: https://lore.kernel.org/rust-for-linux/CAH5fLgiOASgjoYKFz6kWwzLaH07Dq= P2ph+3YyCDh2+gYqGpABA@mail.gmail.com [0] Link: https://github.com/rust-lang/rust/pull/137043 [1] Suggested-by: Alice Ryhl Reviewed-by: Gerald Wisb=C3=B6ck Co-developed-by: Sky Signed-off-by: Sky Signed-off-by: Christian Schrefl Reviewed-by: Alice Ryhl --- init/Kconfig | 3 + rust/kernel/lib.rs | 1 + rust/kernel/types.rs | 6 ++ rust/kernel/types/unsafe_pinned.rs | 115 +++++++++++++++++++++++++++++++++= ++++ 4 files changed, 125 insertions(+) diff --git a/init/Kconfig b/init/Kconfig index 63f5974b9fa6ea3f5c92203cedd1f2f82aa468a1..727d85d2b59f555f1c33103bb78= 698551a41e7ca 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -140,6 +140,9 @@ config LD_CAN_USE_KEEP_IN_OVERLAY config RUSTC_HAS_COERCE_POINTEE def_bool RUSTC_VERSION >=3D 108400 =20 +config RUSTC_HAS_UNSAFE_PINNED + def_bool RUSTC_VERSION >=3D 108800 + config PAHOLE_VERSION int default $(shell,$(srctree)/scripts/pahole-version.sh $(PAHOLE)) diff --git a/rust/kernel/lib.rs b/rust/kernel/lib.rs index de07aadd1ff5fe46fd89517e234b97a6590c8e93..c08f0a50f1d8db95799478caa8e= 85558a1fcae8d 100644 --- a/rust/kernel/lib.rs +++ b/rust/kernel/lib.rs @@ -17,6 +17,7 @@ #![cfg_attr(not(CONFIG_RUSTC_HAS_COERCE_POINTEE), feature(coerce_unsized))] #![cfg_attr(not(CONFIG_RUSTC_HAS_COERCE_POINTEE), feature(dispatch_from_dy= n))] #![cfg_attr(not(CONFIG_RUSTC_HAS_COERCE_POINTEE), feature(unsize))] +#![cfg_attr(CONFIG_RUSTC_HAS_UNSAFE_PINNED, feature(unsafe_pinned))] #![feature(inline_const)] #![feature(lint_reasons)] // Stable in Rust 1.82 diff --git a/rust/kernel/types.rs b/rust/kernel/types.rs index 9d0471afc9648f2973235488b441eb109069adb1..705f420fdfbc4a576de1c454657= 8f2f04cdf615e 100644 --- a/rust/kernel/types.rs +++ b/rust/kernel/types.rs @@ -253,6 +253,9 @@ fn drop(&mut self) { /// /// [`Opaque`] is meant to be used with FFI objects that are never inte= rpreted by Rust code. /// +/// In cases where the contained data is only used by Rust, is not allowed= to be +/// uninitialized and automatic [`Drop`] is desired [`UnsafePinned`] shoul= d be used instead. +/// /// It is used to wrap structs from the C side, like for example `Opaque`. /// It gets rid of all the usual assumptions that Rust has for a value: /// @@ -578,3 +581,6 @@ pub enum Either { /// [`NotThreadSafe`]: type@NotThreadSafe #[allow(non_upper_case_globals)] pub const NotThreadSafe: NotThreadSafe =3D PhantomData; + +mod unsafe_pinned; +pub use unsafe_pinned::UnsafePinned; diff --git a/rust/kernel/types/unsafe_pinned.rs b/rust/kernel/types/unsafe_= pinned.rs new file mode 100644 index 0000000000000000000000000000000000000000..5a200aac30792bf71098087aee0= fd9d2d51c468f --- /dev/null +++ b/rust/kernel/types/unsafe_pinned.rs @@ -0,0 +1,115 @@ +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! The contents of this file partially come from the Rust standard librar= y, hosted in +//! the repository, licensed under +//! "Apache-2.0 OR MIT" and adapted for kernel use. For copyright details, +//! see . +//! +//! This file provides a implementation / polyfill of a subset of the upst= ream +//! rust `UnsafePinned` type. + +use core::{cell::UnsafeCell, marker::PhantomPinned}; +use pin_init::{cast_pin_init, PinInit, Wrapper}; + +/// This type provides a way to opt-out of typical aliasing rules; +/// specifically, `&mut UnsafePinned` is not guaranteed to be a unique = pointer. +/// +/// However, even if you define your type like `pub struct Wrapper(UnsafeP= inned<...>)`, it is still +/// very risky to have an `&mut Wrapper` that aliases anything else. Many = functions that work +/// generically on `&mut T` assume that the memory that stores `T` is uniq= uely owned (such as +/// `mem::swap`). In other words, while having aliasing with `&mut Wrapper= ` is not immediate +/// Undefined Behavior, it is still unsound to expose such a mutable refer= ence to code you do not +/// control! Techniques such as pinning via [`Pin`](core::pin::Pin) are ne= eded to ensure soundness. +/// +/// Similar to [`UnsafeCell`], [`UnsafePinned`] will not usually show up in +/// the public API of a library. It is an internal implementation detail o= f libraries that need to +/// support aliasing mutable references. +/// +/// Further note that this does *not* lift the requirement that shared ref= erences must be read-only! +/// Use [`UnsafeCell`] for that. +/// +/// This type blocks niches the same way [`UnsafeCell`] does. +/// +/// # Kernel implementation notes +/// +/// This implementation works because of the "`!Unpin` hack" in rustc, whi= ch allows (some kinds of) +/// mutual aliasing of `!Unpin` types. This hack might be removed at some = point, after which only +/// the `core::pin::UnsafePinned` type will allow this behavior. In order = to simplify the migration +/// to future rust versions only this polyfill of this type should be used= when this behavior is +/// required. +/// +/// In order to disable niche optimizations this implementation uses [`Uns= afeCell`] internally, +/// the upstream version however will not. So the fact that [`UnsafePinned= `] contains an +/// [`UnsafeCell`] must not be relied on (Other than the niche blocking). +// As opposed to the upstream Rust type this contains a `PhantomPinned`` a= nd `UnsafeCell` +// - `PhantomPinned` to avoid needing a `impl !Unpin for UnsafePinned` +// Required to use the `!Unpin hack`. +// - `UnsafeCell` instead of T to disallow niche optimizations, +// which is handled in the compiler in upstream Rust +#[repr(transparent)] +pub struct UnsafePinned { + _ph: PhantomPinned, + value: UnsafeCell, +} + +impl UnsafePinned { + /// Constructs a new instance of [`UnsafePinned`] which will wrap the = specified value. + /// + /// All access to the inner value through `&UnsafePinned` or `&mut = UnsafePinned` or + /// `Pin<&mut UnsafePinned>` requires `unsafe` code. + #[inline(always)] + #[must_use] + pub const fn new(value: T) -> Self { + UnsafePinned { + value: UnsafeCell::new(value), + _ph: PhantomPinned, + } + } +} +impl UnsafePinned { + /// Get read-only access to the contents of a shared `UnsafePinned`. + /// + /// Note that `&UnsafePinned` is read-only if `&T` is read-only. Th= is means that if there is + /// mutation of the `T`, future reads from the `*const T` returned her= e are UB! Use + /// [`UnsafeCell`] if you also need interior mutability. + /// + /// [`UnsafeCell`]: core::cell::UnsafeCell + /// + /// ```rust,no_build + /// use kernel::types::UnsafePinned; + /// + /// unsafe { + /// let mut x =3D UnsafePinned::new(0); + /// let ptr =3D x.get(); // read-only pointer, assumes immutability + /// x.get_mut_unchecked().write(1); + /// ptr.read(); // UB! + /// } + /// ``` + /// + /// Note that the `get_mut_unchecked` function used by this example is + /// currently not implemented in the kernel implementation. + #[inline(always)] + #[must_use] + pub const fn get(&self) -> *const T { + self.value.get() + } + + /// Gets a mutable pointer to the wrapped value. + /// + /// The difference from `get_mut_pinned` and `get_mut_unchecked` is th= at this function + /// accepts a raw pointer, which is useful to avoid the creation of te= mporary references. + /// + /// These functions mentioned here are currently not implemented in th= e kernel. + #[inline(always)] + #[must_use] + pub const fn raw_get_mut(this: *mut Self) -> *mut T { + this as *mut T + } +} + +impl Wrapper for UnsafePinned { + fn pin_init(init: impl PinInit) -> impl PinInit { + // SAFETY: `UnsafePinned` has a compatible layout to `T`. + unsafe { cast_pin_init(init) } + } +} --=20 2.49.0 From nobody Mon Feb 9 22:22:36 2026 Received: from mail-ed1-f54.google.com (mail-ed1-f54.google.com [209.85.208.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 828EE2E401; Wed, 30 Apr 2025 08:36:41 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.54 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1746002203; cv=none; b=fpEhCc3xuefIR2UAe039bFlZ7VUKIbDHwpbMy4iHqKkgxsugiFSG4pU4+c6Nvf5lX2wTbGKfbRwMFDnrD9PmE1tDA74NaDLHDVkphbgXnj/d6H0lIeBwLR9whLNjem9uxNLOAX5BbRWyPkZNWDGjXmi2a2yb0mc1aQ7JOJU5dVY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1746002203; c=relaxed/simple; bh=cVe8kuvlCNbyLI9zMHSiLyFxdXifsYArcpk8G7n9O2w=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=DJ20m/pRSCuxG8rSiUqIpU6kAQeu4+XitH5AuSasWfQVbGJNpAe0dqYqGKdJDk44cLOEaQIm6zf9awMiTYWD/v63UO77D8EsOmFZu+k2pBwc81Kmaz/+et2FeQZtBXiUnlL6z1hdepRAuZJAksM4P5JsW/UaDqzsXJI7rf/b0Po= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=eIMTaBXi; arc=none smtp.client-ip=209.85.208.54 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="eIMTaBXi" Received: by mail-ed1-f54.google.com with SMTP id 4fb4d7f45d1cf-5f6c3f7b0b0so13102426a12.0; Wed, 30 Apr 2025 01:36:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1746002200; x=1746607000; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=sgNeM8GMoi8jL54+pCv76QajxazqTJJs9v1rfzlVu8k=; b=eIMTaBXiON6tJguvRY/GwwcK9gjXqLzSOfSkGEqOn05M/N8rcrRtODK7mYTzPt+3Ct Q565sDV23HaPWYGyPd+4qvIQcYh2OIxNr2VGiYFoNGUouWNx+OqMJbnAkxXfRQk3+mxW ohyUVDyyadsCdou3mpQxN4f1Hgz+APYK2Vu0fgqCAIfS9vu6todWeVyYxgZIXfO/l9zm PhvIz4v2brrNNxMuWm6vXCmYofY2FYwjobqXdtOQdaj6L5nd5L4L5SYOHRnUdeXOcKNu WRO5T3GXSEdOqD5G7ZPBbUU1zHf6jtgnwyJ97WuYEULTFXUld5dbcCJVRdrFjeiq0Cjd flAg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1746002200; x=1746607000; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=sgNeM8GMoi8jL54+pCv76QajxazqTJJs9v1rfzlVu8k=; b=qm1o1cWkzy0FW/8Cj19UiU8AtOYuyn3Wq8/vvuvkVjv1axqY+Sq2VNTu5QnfABvP3Z VvIpVunNMkXFDowgUKtr+jCBjqIaIGC816eRl14lbtrkURXcAMyQONWhM9v6dzpwft7L jbIQcpeGG90AotOiA8Ad/sxG8ahJxlt8YomlKGNwiUjHEDDKNQ592x2rVYf0lChOZxFs IAtP3JjQUIl1U/JeiwSd3WHKhsE2bWs0F0X5nmbE7dmiwcMNpLo10qUlWkmCRq3SqcZh Yn0oghgf31ck5CBTXXw3+tZ4yDOYaDxOWU9D9sfcSLsr9VdXE6TcIeKS3jGC6frFjI3H HMxg== X-Forwarded-Encrypted: i=1; AJvYcCWw/xgklJYkl4VGVkRS3Z9YVwA579wteBTcfjLLXT5bUpPVvjlTAXJBp2PWWSsYVeoPQTGcnotLSSWMMxopFg==@vger.kernel.org X-Gm-Message-State: AOJu0YxH2CMn1yhUL1Kp0OrIGMSC0nKRdpl2Mxmhxvns8ytsKSW8IGEE AIXsnaunXTdZl4mcb3lHNGu/AalngmIf6F1FjRiuc/fTDk1dS6+Y1rmR+QQiAVc= X-Gm-Gg: ASbGncuK6tcI5J/2bft/zEF0zstMtE+Vp63a+v+fv9iydyS8xMF9JeB6OXSvY5vAxja k1cO0wsAEJUldQzI/NJSUXv9hqIJUWp1D+gIhZw1p9dz35fQ8vpxNGujLpS6lH+kOtALucNlkkp Qs8Msf3ch7Hl2kcWB3wyfH2XZsV+94oPPDzyeII8nK5NpJdOYDt4Mj1qQ26Rcw8i2eSODXhVQby SUvyFLpo3OdgWcGdEmdlkIb4CegPQmZgoCwmFkXCMssIdEhNuFLUdDFtbS/NVq4ICQg0cz5ZpOM xJYVbob9rLPw7+IsjJAwD0rz9DRQHSFBi5sB4zLSIZFjLW7xFkrp X-Google-Smtp-Source: AGHT+IEE8cW3+kZaE37viMlIBGstOxXYMmzeK7yDZP9y1qVranwCRAo0KQPq5kMvXsX1cwz/asHLnA== X-Received: by 2002:a05:6402:34d5:b0:5eb:534e:1c6c with SMTP id 4fb4d7f45d1cf-5f89b34b02cmr1908500a12.20.1746002199300; Wed, 30 Apr 2025 01:36:39 -0700 (PDT) Received: from [10.27.99.142] ([193.170.124.198]) by smtp.googlemail.com with ESMTPSA id 4fb4d7f45d1cf-5f7016f6424sm8653721a12.42.2025.04.30.01.36.38 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 30 Apr 2025 01:36:38 -0700 (PDT) From: Christian Schrefl Date: Wed, 30 Apr 2025 10:36:12 +0200 Subject: [PATCH v2 2/3] rust: implement `Wrapper` for `Opaque` Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20250430-rust_unsafe_pinned-v2-2-fc8617a74024@gmail.com> References: <20250430-rust_unsafe_pinned-v2-0-fc8617a74024@gmail.com> In-Reply-To: <20250430-rust_unsafe_pinned-v2-0-fc8617a74024@gmail.com> To: Sky , Miguel Ojeda , Alex Gaynor , Boqun Feng , Gary Guo , =?utf-8?q?Bj=C3=B6rn_Roy_Baron?= , Benno Lossin , Andreas Hindborg , Alice Ryhl , Trevor Gross , Danilo Krummrich , =?utf-8?q?Gerald_Wisb=C3=B6ck?= Cc: linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org, Christian Schrefl X-Mailer: b4 0.14.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1746002196; l=3238; i=chrisi.schrefl@gmail.com; s=20250119; h=from:subject:message-id; bh=cVe8kuvlCNbyLI9zMHSiLyFxdXifsYArcpk8G7n9O2w=; b=xXZxc2yj/vgoE9aPMSRDfqsD1tEiutaCy1tMeJEfx+ubuzgpfqNZh6DvEl/jfabTleejUcdKW JhEBNiasT9BCCUuuTTchmV8qvyGBKbrjwOB3gLXDEPLtSEutF20nS4C X-Developer-Key: i=chrisi.schrefl@gmail.com; a=ed25519; pk=EIyitYCrzxWlybrqoGqiL2jyvO7Vp9X40n0dQ6HE4oU= Moves the implementation for `pin-init` from an associated function to the trait function of the `Wrapper` trait and extends the implementation to support pin-initializers with error types. This allows to declare functions that are generic over `Wrapper` types. Adds a use for the `Wrapper` trait in `revocable.rs`, to use the new `pin-init` function. This is currently the only usage in the kernel. Reviewed-by: Gerald Wisb=C3=B6ck Signed-off-by: Christian Schrefl Reviewed-by: Alice Ryhl Reviewed-by: Benno Lossin --- rust/kernel/revocable.rs | 2 ++ rust/kernel/types.rs | 25 +++++++++++++------------ 2 files changed, 15 insertions(+), 12 deletions(-) diff --git a/rust/kernel/revocable.rs b/rust/kernel/revocable.rs index 1e5a9d25c21b279b01f90b02997492aa4880d84f..4db68ea2207ebafcc09d082fdc1= e281f31846a38 100644 --- a/rust/kernel/revocable.rs +++ b/rust/kernel/revocable.rs @@ -5,6 +5,8 @@ //! The [`Revocable`] type wraps other types and allows access to them to = be revoked. The existence //! of a [`RevocableGuard`] ensures that objects remain valid. =20 +use pin_init::Wrapper; + use crate::{bindings, prelude::*, sync::rcu, types::Opaque}; use core::{ marker::PhantomData, diff --git a/rust/kernel/types.rs b/rust/kernel/types.rs index 705f420fdfbc4a576de1c4546578f2f04cdf615e..f06e8720e012102e5c41e79fd97= b0607e927d71c 100644 --- a/rust/kernel/types.rs +++ b/rust/kernel/types.rs @@ -9,7 +9,7 @@ ops::{Deref, DerefMut}, ptr::NonNull, }; -use pin_init::{PinInit, Zeroable}; +use pin_init::{PinInit, Wrapper, Zeroable}; =20 /// Used to transfer ownership to and from foreign (non-Rust) languages. /// @@ -332,17 +332,6 @@ pub const fn uninit() -> Self { } } =20 - /// Create an opaque pin-initializer from the given pin-initializer. - pub fn pin_init(slot: impl PinInit) -> impl PinInit { - Self::ffi_init(|ptr: *mut T| { - // SAFETY: - // - `ptr` is a valid pointer to uninitialized memory, - // - `slot` is not accessed on error; the call is infallible, - // - `slot` is pinned in memory. - let _ =3D unsafe { PinInit::::__pinned_init(slot, ptr) }; - }) - } - /// Creates a pin-initializer from the given initializer closure. /// /// The returned initializer calls the given closure with the pointer = to the inner `T` of this @@ -393,6 +382,18 @@ pub const fn raw_get(this: *const Self) -> *mut T { UnsafeCell::raw_get(this.cast::>>()).cas= t::() } } +impl Wrapper for Opaque { + /// Create an opaque pin-initializer from the given pin-initializer. + fn pin_init(slot: impl PinInit) -> impl PinInit { + Self::try_ffi_init(|ptr: *mut T| { + // SAFETY: + // - `ptr` is a valid pointer to uninitialized memory, + // - `slot` is not accessed on error; the call is infallible, + // - `slot` is pinned in memory. + unsafe { PinInit::::__pinned_init(slot, ptr) } + }) + } +} =20 /// Types that are _always_ reference counted. /// --=20 2.49.0 From nobody Mon Feb 9 22:22:36 2026 Received: from mail-ed1-f43.google.com (mail-ed1-f43.google.com [209.85.208.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 91D20216E23; Wed, 30 Apr 2025 08:36:42 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.43 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1746002204; cv=none; b=foUkN5B4Bf0B7SQqvrjy8ZzxLTdEqFM2RBn1TMof2nabKQkP85+MNfYgjxJQ68vx76gzN2hFxwASajtTU4n8fw6iMwxMXT0qoqPsRLpdqVMsserY3I4CbAl0ydigyxq/ZcHouaBRIN4bfrw8PdaqkXdcinATikRm4kZNVrLvkKA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1746002204; c=relaxed/simple; bh=xahLNgygqJTiJVigFRn+IzsVCeHFMXE9X3Pdq7CmgYs=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=DgVsEDWdPsPg7JduHd/B8O5UZD66PNC39Au0c8bx4+0hoUP4INfC9tKtZg/k2v2zzoorT0Zj2WwZO+sDkloDjBb1MFGChWbx1iaK8sms/m6ZHaNHizkjTeA4jsvLOTtogPhsxFFQpx/MrYBBCNHa47cssM/St0F3Wg0i20T+jlw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=SYF1Roky; arc=none smtp.client-ip=209.85.208.43 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="SYF1Roky" Received: by mail-ed1-f43.google.com with SMTP id 4fb4d7f45d1cf-5e5c7d6b96fso1971785a12.3; Wed, 30 Apr 2025 01:36:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1746002201; x=1746607001; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=9uCVKDq6jp9oxx83/rvCXFQf3N8D+OHF8dGA1W5v+/w=; b=SYF1RokyzAhUNOH4SUyHtAL7naSqCNvt3UhaKtuT7XwVALz+FcdwQhP8bxPLpMRk8C MzOInrV9s7FdxvwJsHpnFv8gQ0G43Y+0ePjMc1wc4bekS7hnYTu8vVYw6cvUS41OrFCj nBdLXU6EkUsWMbIfwVqF5k3c2wDOzCM8fBw7gne0ol5fWc8BwfpDzUTkwrFQCykwNXwC +KEMMSQe/K6bctm0KZuLg0DOsHd3N9EzDuMx+mZnRp5QVzIRsAi+Kbcvn1lmkfAG7iFp 7EkR5qlbcJzxwUYVDJK+SRCJ+8DT+KaxcjnzFBDVhe913/JgGl93ZU9jA0Jo6JVDMKHY sCfg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1746002201; x=1746607001; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=9uCVKDq6jp9oxx83/rvCXFQf3N8D+OHF8dGA1W5v+/w=; b=QPAUu/Geip76CgK311ktuMAKOUmNWB3PiNlULuHbvHdvVw8Y8tLMxvtR1dP89+77BT 99pK+SbYbI2S2S4rLubdsG58KFDz0HncGeH8Me923UVn9YCpI/V/m0S3QA0HhwO0NyTU SSdbePwtSPkXpg3XCmeoNDfEK/NZbCgC+HhR4x7HEz+DujHd3tDPD9kthQyBpeUCLAbJ 1GBM6RzgJfGrxLrt6FVWiJ2LD4iJGthLOjLNDCYY3wjhHkUDGJJ5eRmfPJ1xxR0/qaxv sqrYp6XrceG+pWsB5XHiUmmoQ0zzGt+NWH5MUzXQ+xi+Q7CE3gXSLYwOmUlhEMap4o9X lFuw== X-Forwarded-Encrypted: i=1; AJvYcCU3Xe8hklhu7YuwKOVqzYSW4IbOtxAHVi7gFYlDtd9P553+I1873+aUpF5j7tndY09dSsDms47WfJ3brcyF/Q==@vger.kernel.org X-Gm-Message-State: AOJu0Yz7v2hsQB959p2FwidaQW+QpKz7GuWLVyuwm4FUJ/ifvsvBhLpW KlhKpPs8Ea/f6RwBEfL0luJ7s96MD8384SYZqbMIL6z/CSSWiWnZydmDxKm2Q6U= X-Gm-Gg: ASbGncv543J3xKq5yRsz5hE1jPUAmKmZPZtvce9i3FNEWUOAK5dnHXt93XqQnyb54Bg LmULy6UPLNfPhTfaxCndsdfWldDWhhJS6udgRkPnn5lqg4DQIJBjhdQAHftfDq/B/RIHJMj34vt GBIGTMAPzihcxwXRyjRUX0jz2HKPljZbFkdtLeQbGyN6uq1yr0/sf4TD0GULI/a8AD07PIto3bC YyIE9b9KggWEkFkKjlOzZLMfl4uoJMP6cVpUoU6Fu/IgnHU5MrQRLJ2nR/uFVTbFl8mYq4kdjrD 0/ncHnsEJTy62tar2pjGuNl9zIoCNo2sXCfdjOtPaMagMxsU03LDBwsJ4ZBikOU= X-Google-Smtp-Source: AGHT+IHgdUyDb7Npa79GgVeGUIa/uULKZUeqZatBXuTZuum3H0JpJVQL0VyV11HYP9jjk1dqKdMIWw== X-Received: by 2002:a05:6402:e86:b0:5ec:cc90:b126 with SMTP id 4fb4d7f45d1cf-5f89b557d7cmr1445950a12.19.1746002200393; Wed, 30 Apr 2025 01:36:40 -0700 (PDT) Received: from [10.27.99.142] ([193.170.124.198]) by smtp.googlemail.com with ESMTPSA id 4fb4d7f45d1cf-5f7016f6424sm8653721a12.42.2025.04.30.01.36.39 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 30 Apr 2025 01:36:40 -0700 (PDT) From: Christian Schrefl Date: Wed, 30 Apr 2025 10:36:13 +0200 Subject: [PATCH v2 3/3] rust: use `UnsafePinned` in the implementation of `Opaque` Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20250430-rust_unsafe_pinned-v2-3-fc8617a74024@gmail.com> References: <20250430-rust_unsafe_pinned-v2-0-fc8617a74024@gmail.com> In-Reply-To: <20250430-rust_unsafe_pinned-v2-0-fc8617a74024@gmail.com> To: Sky , Miguel Ojeda , Alex Gaynor , Boqun Feng , Gary Guo , =?utf-8?q?Bj=C3=B6rn_Roy_Baron?= , Benno Lossin , Andreas Hindborg , Alice Ryhl , Trevor Gross , Danilo Krummrich , =?utf-8?q?Gerald_Wisb=C3=B6ck?= Cc: linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org, Christian Schrefl X-Mailer: b4 0.14.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1746002196; l=3515; i=chrisi.schrefl@gmail.com; s=20250119; h=from:subject:message-id; bh=xahLNgygqJTiJVigFRn+IzsVCeHFMXE9X3Pdq7CmgYs=; b=z/maNiGs7sluI5WE1/LfJTpFFqrItwR11ffc9FYjYlnWtq7VLtet30b3QsHpDF2dVZ7W6feOI 3AJ8IIbOy7JD4KILoLpybmZSgsdBzXT4ApukNgph1GYq8we20VS4zWV X-Developer-Key: i=chrisi.schrefl@gmail.com; a=ed25519; pk=EIyitYCrzxWlybrqoGqiL2jyvO7Vp9X40n0dQ6HE4oU= This change makes the semantics of the `Opaque` implementation clearer and prepares for the switch to the upstream rust UnsafePinned` type in the future. `Opaque` still uses `UnsafeCell` even though the kernel implementation of `UnsafePinned` already includes it, since the current upstream version does not. Reviewed-by: Gerald Wisb=C3=B6ck Signed-off-by: Christian Schrefl Reviewed-by: Alice Ryhl Reviewed-by: Benno Lossin --- rust/kernel/types.rs | 29 ++++++++++++----------------- 1 file changed, 12 insertions(+), 17 deletions(-) diff --git a/rust/kernel/types.rs b/rust/kernel/types.rs index f06e8720e012102e5c41e79fd97b0607e927d71c..44d96423a8a6c358bb7ebf12c24= fad98e5c2cb61 100644 --- a/rust/kernel/types.rs +++ b/rust/kernel/types.rs @@ -4,12 +4,12 @@ =20 use core::{ cell::UnsafeCell, - marker::{PhantomData, PhantomPinned}, + marker::PhantomData, mem::{ManuallyDrop, MaybeUninit}, ops::{Deref, DerefMut}, ptr::NonNull, }; -use pin_init::{PinInit, Wrapper, Zeroable}; +use pin_init::{cast_pin_init, PinInit, Wrapper, Zeroable}; =20 /// Used to transfer ownership to and from foreign (non-Rust) languages. /// @@ -308,8 +308,7 @@ fn drop(&mut self) { /// ``` #[repr(transparent)] pub struct Opaque { - value: UnsafeCell>, - _pin: PhantomPinned, + value: UnsafePinned>>, } =20 // SAFETY: `Opaque` allows the inner value to be any bit pattern, inclu= ding all zeros. @@ -319,16 +318,14 @@ impl Opaque { /// Creates a new opaque value. pub const fn new(value: T) -> Self { Self { - value: UnsafeCell::new(MaybeUninit::new(value)), - _pin: PhantomPinned, + value: UnsafePinned::new(UnsafeCell::new(MaybeUninit::new(valu= e))), } } =20 /// Creates an uninitialised value. pub const fn uninit() -> Self { Self { - value: UnsafeCell::new(MaybeUninit::uninit()), - _pin: PhantomPinned, + value: UnsafePinned::new(UnsafeCell::new(MaybeUninit::uninit()= )), } } =20 @@ -371,7 +368,7 @@ pub fn try_ffi_init( =20 /// Returns a raw pointer to the opaque data. pub const fn get(&self) -> *mut T { - UnsafeCell::get(&self.value).cast::() + UnsafeCell::raw_get(self.value.get()).cast::() } =20 /// Gets the value behind `this`. @@ -384,14 +381,12 @@ pub const fn raw_get(this: *const Self) -> *mut T { } impl Wrapper for Opaque { /// Create an opaque pin-initializer from the given pin-initializer. - fn pin_init(slot: impl PinInit) -> impl PinInit { - Self::try_ffi_init(|ptr: *mut T| { - // SAFETY: - // - `ptr` is a valid pointer to uninitialized memory, - // - `slot` is not accessed on error; the call is infallible, - // - `slot` is pinned in memory. - unsafe { PinInit::::__pinned_init(slot, ptr) } - }) + fn pin_init(value_init: impl PinInit) -> impl PinInit { + let value_init =3D + UnsafePinned::pin_init(UnsafeCell::pin_init(MaybeUninit::pin_i= nit(value_init))); + // SAFETY: `Opaque` is a `repr(transparent)` wrapper around + // `UnsafePinned>>` so the memory represe= ntation is compatible. + unsafe { cast_pin_init(value_init) } } } =20 --=20 2.49.0