From nobody Wed Dec 17 08:50:56 2025 Received: from mail-wm1-f49.google.com (mail-wm1-f49.google.com [209.85.128.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5BE1C25E441; Sun, 11 May 2025 18:21:55 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.49 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1746987717; cv=none; b=OTFciXMWYH7zTS5lYRMvwmopCCY1vXfCjO3KM/BeoJda9GepmCaTLaIl783xt+LOfC/WODVsIEbdAF32Z7ScZWr8iG8vaFxlA+BG4/Msm5iz7uiAz9Ro86NbbB1iRaiaaelb0D1ThWd805JBUu6tokfFFg6KYgsuEoQUXnzcglg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1746987717; c=relaxed/simple; bh=QhTkajzKAxWgUuhE+SsnQ0WLgzbrN9mbaO5miIxAQv0=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=bj8QcNkyCt9cnaUDgUW01fqmpdlLzY36PIXFhdes0+62Xe9wdi2izeRRq7F/XxYlU+HmaqNVDQCUNVzBWfA4kMgOazON2fMlwJL5orKyfoTrLcFBGvtih3ZKwpcHYQQkgI/2ge0s71DdPKc5G31BMvLA8WDqrBibow1fjby1saY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=XL1JdssU; arc=none smtp.client-ip=209.85.128.49 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="XL1JdssU" Received: by mail-wm1-f49.google.com with SMTP id 5b1f17b1804b1-43ce71582e9so27061275e9.1; Sun, 11 May 2025 11:21:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1746987713; x=1747592513; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=/3HklZYW0UfqWPqGSjmRU8CIidceE6c0Ikzvi2T3rJ8=; b=XL1JdssUQbnDJLCwpS696VYz5t+KJi1FTBxe+e+B07OJuH7ULeS6BkPiWVZkxPnPjn UMaeV5kpmTBF9K4+h1asOBGg05sx7Qq03EpsaTLoEL+WQ1dn1TgMK6xEtxo3vapdb7Di 4OlEMoj9JwO40uSVmGwIPhdesdSDX8VdcoT6DuOiVRXpSBL9XSLUX6z2TPr8pwtB4+Os LdzQA6pe9vm5A9OB/SJipPbgBk64qg3lgwk312fEmU8JXR0zR/cOdtMyxFYTojNM90Hn Q53YWAcjj/qmFw2gHCVstI76tsxiViJJkuintStGZxC5+nmBKNonglyzNLxBSQh4lkaF DlUA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1746987713; x=1747592513; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=/3HklZYW0UfqWPqGSjmRU8CIidceE6c0Ikzvi2T3rJ8=; b=HmKHrwFgiDr2SBjhUP4qCNsCCng6iR3Gz3bbnTpq+kIgoSxDfhFN6CxKWuEZMagPKK 3LVATl/yUmBMTe37BOJU5bP0L1/84dxYdPCkWnSRjCxRXI3ZVmL1FI6cgxrLFk1kY9Jt bz3dQSHxQhhq/oewj5Ikir5Hs8cI7WB6JiCRpI593ZzW433LNv3p5dFTjbKiyojevXgD n9uVT/FiNJScNWnpU81uHKtcSabRgHRQ7gqdU2cDoOTl+Il5yQymMJ83m46vOxzpR65P 1pS4m5LQf4BalxbC95Vc4cGIh7CgObSb36Nxt8/bDbwXiBoe64VSuX/39bp/pZLwE7FD YEow== X-Forwarded-Encrypted: i=1; AJvYcCWkgIpLbL1oZ91iAWr5+Os9IHdiAr/kwCM0KR2m4Ps3Vy4f2k3LQ2El6EPJu6vpIDxsW54PVk0lh6z4mUS6BA==@vger.kernel.org X-Gm-Message-State: AOJu0YyQ/Rr2+DoMafmKVM/jjmduBA6JOqR88WYGsr9yF8dn21+fNYJR ezJciJOsdOyL/QcoGBagmQEkngwie/5uqwVJBkn04Bbu+BLOo2Nb X-Gm-Gg: ASbGnctT3UrC4QxNEDXMd9lc2CNuS/XBPSrJsV9dOw3MBGQi2xLo0e2bHdOU1x4ijj2 1R2/YBO8wnXuCWmplXUIHQOopIK6ldxBC+NLDKmLZGNpwZtE8vGnX7w4R7N/8xZ7mV/Qi0cPe4m 9vSNu9/hfiD/iHE9UlT4MIexCKTq2dgwZhebWXvkXziHCmO/E/tjJVUY0jHBBKWQo9UrGuhk6yl K42KBhVX49gXuN72b6ba9ld8KCf42J9+/IMn5nJyxPRZ0O3if8W1uNdl5mgw1DmoOICLvzIqBfn smBHCeJkUTp779iP7+XUtxLf4wLH7SKR2uvc+jA= X-Google-Smtp-Source: AGHT+IGkeJH/ofwQXOSbok2LaZm3fwBgxHG1sSQWfzDEjcj5xXr/tGevPyUoM/i1Kb1WLFHfESlq0w== X-Received: by 2002:a05:600c:83ca:b0:43d:2313:7b4a with SMTP id 5b1f17b1804b1-442d6d18302mr108685075e9.3.1746987713202; Sun, 11 May 2025 11:21:53 -0700 (PDT) Received: from [10.0.1.56] ([2001:871:22a:99c5::1ad1]) by smtp.googlemail.com with ESMTPSA id 5b1f17b1804b1-442d67d5c7bsm100418495e9.4.2025.05.11.11.21.52 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 11 May 2025 11:21:52 -0700 (PDT) From: Christian Schrefl Date: Sun, 11 May 2025 20:21:38 +0200 Subject: [PATCH v4 1/3] rust: add UnsafePinned type Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20250511-rust_unsafe_pinned-v4-1-a86c32e47e3d@gmail.com> References: <20250511-rust_unsafe_pinned-v4-0-a86c32e47e3d@gmail.com> In-Reply-To: <20250511-rust_unsafe_pinned-v4-0-a86c32e47e3d@gmail.com> To: Sky , Miguel Ojeda , Alex Gaynor , Boqun Feng , Gary Guo , =?utf-8?q?Bj=C3=B6rn_Roy_Baron?= , Benno Lossin , Andreas Hindborg , Alice Ryhl , Trevor Gross , Danilo Krummrich , =?utf-8?q?Gerald_Wisb=C3=B6ck?= , Nathan Chancellor , Nick Desaulniers , Bill Wendling , Justin Stitt Cc: linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org, llvm@lists.linux.dev, Christian Schrefl X-Mailer: b4 0.14.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1746987711; l=8462; i=chrisi.schrefl@gmail.com; s=20250119; h=from:subject:message-id; bh=QhTkajzKAxWgUuhE+SsnQ0WLgzbrN9mbaO5miIxAQv0=; b=Uy/fXqbRpuiMliNJI1DyK1Mu1s7D8QQByzo32leRblrToRzx25zquo/r2F6ljtuxJwf18PB6o eLZqrbk8UGlCwgO63k44/hrHcGifhqV9sUKYdC+8F4ZgkXXGGceKzM9 X-Developer-Key: i=chrisi.schrefl@gmail.com; a=ed25519; pk=EIyitYCrzxWlybrqoGqiL2jyvO7Vp9X40n0dQ6HE4oU= `UnsafePinned` is useful for cases where a value might be shared with C code but not directly used by it. In particular this is added for storing additional data in the `MiscDeviceRegistration` which will be shared between `fops->open` and the containing struct. Similar to `Opaque` but guarantees that the value is always initialized and that the inner value is dropped when `UnsafePinned` is dropped. This was originally proposed for the IRQ abstractions [0] and is also useful for other where the inner data may be aliased, but is always valid and automatic `Drop` is desired. Since then the `UnsafePinned` type was added to upstream Rust [1] by Sky as a unstable feature, therefore this patch implements the subset of the upstream API for the `UnsafePinned` type required for additional data in `MiscDeviceRegistration` and in the implementation of the `Opaque` type. Some differences to the upstream type definition are required in the kernel implementation, because upstream type uses some compiler changes to opt out of certain optimizations, this is documented in the documentation and a comment on the `UnsafePinned` type. The documentation on is based on the upstream rust documentation with minor modifications for the kernel implementation. Link: https://lore.kernel.org/rust-for-linux/CAH5fLgiOASgjoYKFz6kWwzLaH07Dq= P2ph+3YyCDh2+gYqGpABA@mail.gmail.com [0] Link: https://github.com/rust-lang/rust/pull/137043 [1] Suggested-by: Alice Ryhl Reviewed-by: Gerald Wisb=C3=B6ck Reviewed-by: Alice Ryhl Co-developed-by: Sky Signed-off-by: Sky Signed-off-by: Christian Schrefl Reviewed-by: Benno Lossin Reviewed-by: Boqun Feng --- rust/kernel/types.rs | 6 ++ rust/kernel/types/unsafe_pinned.rs | 111 +++++++++++++++++++++++++++++++++= ++++ 2 files changed, 117 insertions(+) diff --git a/rust/kernel/types.rs b/rust/kernel/types.rs index 9d0471afc9648f2973235488b441eb109069adb1..705f420fdfbc4a576de1c454657= 8f2f04cdf615e 100644 --- a/rust/kernel/types.rs +++ b/rust/kernel/types.rs @@ -253,6 +253,9 @@ fn drop(&mut self) { /// /// [`Opaque`] is meant to be used with FFI objects that are never inte= rpreted by Rust code. /// +/// In cases where the contained data is only used by Rust, is not allowed= to be +/// uninitialized and automatic [`Drop`] is desired [`UnsafePinned`] shoul= d be used instead. +/// /// It is used to wrap structs from the C side, like for example `Opaque`. /// It gets rid of all the usual assumptions that Rust has for a value: /// @@ -578,3 +581,6 @@ pub enum Either { /// [`NotThreadSafe`]: type@NotThreadSafe #[allow(non_upper_case_globals)] pub const NotThreadSafe: NotThreadSafe =3D PhantomData; + +mod unsafe_pinned; +pub use unsafe_pinned::UnsafePinned; diff --git a/rust/kernel/types/unsafe_pinned.rs b/rust/kernel/types/unsafe_= pinned.rs new file mode 100644 index 0000000000000000000000000000000000000000..315248cb88c089239bd672c889b= 5107060175ec3 --- /dev/null +++ b/rust/kernel/types/unsafe_pinned.rs @@ -0,0 +1,111 @@ +// SPDX-License-Identifier: Apache-2.0 OR MIT + +//! The contents of this file partially come from the Rust standard librar= y, hosted in +//! the repository, licensed under +//! "Apache-2.0 OR MIT" and adapted for kernel use. For copyright details, +//! see . +//! +//! This file provides a implementation / polyfill of a subset of the upst= ream +//! rust `UnsafePinned` type. For details on the difference to the upstream +//! implementation see the comment on the [`UnsafePinned`] struct definiti= on. + +use core::{cell::UnsafeCell, marker::PhantomPinned}; +use pin_init::{cast_pin_init, PinInit, Wrapper}; + +/// This type provides a way to opt-out of typical aliasing rules; +/// specifically, `&mut UnsafePinned` is not guaranteed to be a unique = pointer. +/// +/// However, even if you define your type like `pub struct Wrapper(UnsafeP= inned<...>)`, it is still +/// very risky to have an `&mut Wrapper` that aliases anything else. Many = functions that work +/// generically on `&mut T` assume that the memory that stores `T` is uniq= uely owned (such as +/// `mem::swap`). In other words, while having aliasing with `&mut Wrapper= ` is not immediate +/// Undefined Behavior, it is still unsound to expose such a mutable refer= ence to code you do not +/// control! Techniques such as pinning via [`Pin`](core::pin::Pin) are ne= eded to ensure soundness. +/// +/// Similar to [`UnsafeCell`], [`UnsafePinned`] will not usually show up in +/// the public API of a library. It is an internal implementation detail o= f libraries that need to +/// support aliasing mutable references. +/// +/// Further note that this does *not* lift the requirement that shared ref= erences must be read-only! +/// Use [`UnsafeCell`] for that. +/// +/// This type blocks niches the same way [`UnsafeCell`] does. +/// +/// # Kernel implementation notes +/// +/// This implementation works because of the "`!Unpin` hack" in rustc, whi= ch allows (some kinds of) +/// mutual aliasing of `!Unpin` types. This hack might be removed at some = point, after which only +/// the `core::pin::UnsafePinned` type will allow this behavior. In order = to simplify the migration +/// to future rust versions only this polyfill of this type should be used= when this behavior is +/// required. +// +// As opposed to the upstream Rust type this contains a `PhantomPinned` an= d `UnsafeCell` +// - `PhantomPinned` to ensure the struct always is `!Unpin` and thus enab= les the `!Unpin` hack. +// This causes the LLVM `noalias` and `dereferenceable` attributes to be= removed from +// `&mut !Unpin` types. +// - In order to disable niche optimizations this implementation uses `Uns= afeCell` internally, +// the upstream version however currently does not. This will most likel= y change in the future +// but for now we don't expose this in the documentation, since adding t= he guarantee is simpler +// than removing it. Meaning that for now the fact that `UnsafePinned` c= ontains an `UnsafeCell` +// must not be relied on (Other than the niche blocking). +// See this Rust tracking issue: https://github.com/rust-lang/rust/issue= s/137750 +#[repr(transparent)] +pub struct UnsafePinned { + _ph: PhantomPinned, + value: UnsafeCell, +} + +impl UnsafePinned { + /// Constructs a new instance of [`UnsafePinned`] which will wrap the = specified value. + /// + /// All access to the inner value through `&UnsafePinned` or `&mut = UnsafePinned` or + /// `Pin<&mut UnsafePinned>` requires `unsafe` code. + #[inline(always)] + #[must_use] + pub const fn new(value: T) -> Self { + UnsafePinned { + value: UnsafeCell::new(value), + _ph: PhantomPinned, + } + } +} +impl UnsafePinned { + /// Get read-only access to the contents of a shared `UnsafePinned`. + /// + /// Note that `&UnsafePinned` is read-only if `&T` is read-only. Th= is means that if there is + /// mutation of the `T`, future reads from the `*const T` returned her= e are UB! Use + /// [`UnsafeCell`] if you also need interior mutability. + /// + /// [`UnsafeCell`]: core::cell::UnsafeCell + /// + /// ```rust,no_run + /// use kernel::types::UnsafePinned; + /// + /// unsafe { + /// let mut x =3D UnsafePinned::new(0); + /// let ptr =3D x.get(); // read-only pointer, assumes immutability + /// # // Upstream Rust uses `UnsafePinned::get_mut_unchecked` here. + /// UnsafePinned::raw_get_mut(&raw mut x).write(1); + /// ptr.read(); // UB! + /// } + /// ``` + #[inline(always)] + #[must_use] + pub const fn get(&self) -> *const T { + self.value.get() + } + + /// Gets a mutable pointer to the wrapped value. + #[inline(always)] + #[must_use] + pub const fn raw_get_mut(this: *mut Self) -> *mut T { + this as *mut T + } +} + +impl Wrapper for UnsafePinned { + fn pin_init(init: impl PinInit) -> impl PinInit { + // SAFETY: `UnsafePinned` has a compatible layout to `T`. + unsafe { cast_pin_init(init) } + } +} --=20 2.49.0 From nobody Wed Dec 17 08:50:56 2025 Received: from mail-wr1-f43.google.com (mail-wr1-f43.google.com [209.85.221.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4AD6825B1EF; Sun, 11 May 2025 18:21:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.43 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1746987718; cv=none; b=fuy4NEhJ7jmdxloaOzk4PGdyfahC+Ex5yrdWwen2RauPDmmFJQXc2q1npRZMcPKvZgmAfyeGymHTc4+SHl/izgW9siinN8w+4DndNpuuNs8tSOe5QsX3IrTLMlk80c6Smzcrw70hN3E9qGjLu3mnNI17BVfi/AFfc4VrD5mQeH4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1746987718; c=relaxed/simple; bh=OgwyE3W4j5m9tlImAIMzZFHkRczAKc1EPWHJolrN6PY=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=ubCZHBzX1qHvgSaTsDVm3KCYzbeEmpiIJ/J47qLQRcbop4HrwE0ljtLtTNZGgsymURaFgXc6f5+RiuM4O41XLrJCakqvjlEOVNKQv8sSlD8yqqduXd99IDXBqj3oy+kOrsKJdhTAxiUrQlf5HbIG5nilFlpGfVo0/2WJ44RjPQQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=RTyEeUHP; arc=none smtp.client-ip=209.85.221.43 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="RTyEeUHP" Received: by mail-wr1-f43.google.com with SMTP id ffacd0b85a97d-3a0ba0b6b76so2560435f8f.1; Sun, 11 May 2025 11:21:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1746987714; x=1747592514; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=z2gCa+XcfQ3b3bjRPwVH7s9yFYkkubMVDYMxKJoALEk=; b=RTyEeUHPjb9WXdPTIhkm7G8KhlAsM+ghzIgPcstbUwROdcSnbfSqtAH/Jf8i4ajn1W KbyzV1m3PNH/btunV8S3ao5nxjIDD+alRV6OGOz+PmwJjGv6t7nNKwAk7MVvz7SFV9yj F4tTvOlCBWQBZoWUsVO+f85ErOQ/6bbSafVLcLlexLrNlAkqIiI3iIbqbeyEmvDnYKfS BijLDEfOMvkvwxUBhuai59xmVncg3wjg2tfsLkV4mcZ9OonWv54wnZ2EHtVn0SQfRirz MLeJq74E2dBLacy2z7+YE9cRKFqUBJOG0B7/oEP5OB+MI+wY10sEydxUg96W+yNVAQcj imTg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1746987714; x=1747592514; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=z2gCa+XcfQ3b3bjRPwVH7s9yFYkkubMVDYMxKJoALEk=; b=ucJtSTDhGlQpl0J9PBTzB1BCQ9CcBB8tYWWTxoGDyI3Bh+PAix8+PGsyU2alIP2p+w 6DysOlCpsoYbPAgNZm8wTYkosdC6F+7axTI6DbiKh9e2mZ75pjuIBeJZpshEPEqZoozJ hk+iDcfpXYaxk3YS12L9NbhQePO4J7xVkbM2R1PHyAoL8HjH1v2iHPi5soYHdLEW31KX j5esdrAiTLjE1bYHmFytlFvMK3SzhxFgzDbX4MQ7gr6T5TINIBaeCM2tNlHR8GFEvw5O lQuGmD1rZCp42ynr3Akh5PZG5rPMY7+HctL+8jhhC08/h+YN5dk/pdWSCX2AA4PAWrlh 8RzA== X-Forwarded-Encrypted: i=1; AJvYcCV3qLmVv+sq17nB/0lRWON6udyigGUpFyjpcKmuPER1d5aPqOhoR2cT9OCcRSk345ZWtbO5Q6kyGVLPAzfgQg==@vger.kernel.org X-Gm-Message-State: AOJu0YydL6kn0irF6iXLnT45uu4BVfAvO1jojg2wDPRf8JbRU8YPNqj1 7suG7igMk0C032WNRwgCIybGQ1r4XCzUsL1jL9aPXH9BJw5ajEiD X-Gm-Gg: ASbGnctQOHT4SzK7FgEDnSKe3DLkUiJXewwfqCWOlBa3fadnLHDjNE74WO1Gu75XAG1 IxK5K7CLm/BRenXWyqphwlKmJA/uaXJNZ/XO+wOrqMwAhjiE4BdERUzr68F3rpwqzbsz3gTSQOo xLrD5jkxqPhIg1xrX1b67rSKjrbxDH02s7z+43dMaeXRPPRvtSpWzTbqCNW7zVsDYJIV/Kzam33 XNWDs8iWquYGd+X8foZmQfw10YHYzFoZKL0e98xNc6UxQSyLj0gZYODFxkI3WkffahQvEI4Wyf2 AVLVHzMxuYwZ6IgWuu/6lAv/4ikUpN4xSXKeS7U= X-Google-Smtp-Source: AGHT+IFk4orcZxm8m6VOZ/CaABjz8qCDMIPUSwoACoqLJ5T45mVs4hLOHnXTk18hBisaLHChxoUInw== X-Received: by 2002:a05:6000:3113:b0:3a0:88e4:3d2f with SMTP id ffacd0b85a97d-3a1f643acc9mr8479425f8f.5.1746987714295; Sun, 11 May 2025 11:21:54 -0700 (PDT) Received: from [10.0.1.56] ([2001:871:22a:99c5::1ad1]) by smtp.googlemail.com with ESMTPSA id 5b1f17b1804b1-442d67d5c7bsm100418495e9.4.2025.05.11.11.21.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 11 May 2025 11:21:53 -0700 (PDT) From: Christian Schrefl Date: Sun, 11 May 2025 20:21:39 +0200 Subject: [PATCH v4 2/3] rust: implement `Wrapper` for `Opaque` Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20250511-rust_unsafe_pinned-v4-2-a86c32e47e3d@gmail.com> References: <20250511-rust_unsafe_pinned-v4-0-a86c32e47e3d@gmail.com> In-Reply-To: <20250511-rust_unsafe_pinned-v4-0-a86c32e47e3d@gmail.com> To: Sky , Miguel Ojeda , Alex Gaynor , Boqun Feng , Gary Guo , =?utf-8?q?Bj=C3=B6rn_Roy_Baron?= , Benno Lossin , Andreas Hindborg , Alice Ryhl , Trevor Gross , Danilo Krummrich , =?utf-8?q?Gerald_Wisb=C3=B6ck?= , Nathan Chancellor , Nick Desaulniers , Bill Wendling , Justin Stitt Cc: linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org, llvm@lists.linux.dev, Christian Schrefl , Benno Lossin X-Mailer: b4 0.14.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1746987711; l=3333; i=chrisi.schrefl@gmail.com; s=20250119; h=from:subject:message-id; bh=OgwyE3W4j5m9tlImAIMzZFHkRczAKc1EPWHJolrN6PY=; b=bhSblH/q4GVo8aFGdyfkctXedJwqvUEKwxXtKvw7mYUMyusB+BYFVfKxP/df4T7SGwxE9LM3r w7gxr2VKBfECWarqiT1d+DI17735COPXzjLaUrO7pIKWqZYVUjCZksm X-Developer-Key: i=chrisi.schrefl@gmail.com; a=ed25519; pk=EIyitYCrzxWlybrqoGqiL2jyvO7Vp9X40n0dQ6HE4oU= Moves the implementation for `pin-init` from an associated function to the trait function of the `Wrapper` trait and extends the implementation to support pin-initializers with error types. This allows to declare functions that are generic over `Wrapper` types. Adds a use for the `Wrapper` trait in `revocable.rs`, to use the new `pin-init` function. This is currently the only usage in the kernel. Reviewed-by: Gerald Wisb=C3=B6ck Reviewed-by: Alice Ryhl Reviewed-by: Benno Lossin Signed-off-by: Christian Schrefl Reviewed-by: Boqun Feng --- rust/kernel/revocable.rs | 2 ++ rust/kernel/types.rs | 25 +++++++++++++------------ 2 files changed, 15 insertions(+), 12 deletions(-) diff --git a/rust/kernel/revocable.rs b/rust/kernel/revocable.rs index 1e5a9d25c21b279b01f90b02997492aa4880d84f..4db68ea2207ebafcc09d082fdc1= e281f31846a38 100644 --- a/rust/kernel/revocable.rs +++ b/rust/kernel/revocable.rs @@ -5,6 +5,8 @@ //! The [`Revocable`] type wraps other types and allows access to them to = be revoked. The existence //! of a [`RevocableGuard`] ensures that objects remain valid. =20 +use pin_init::Wrapper; + use crate::{bindings, prelude::*, sync::rcu, types::Opaque}; use core::{ marker::PhantomData, diff --git a/rust/kernel/types.rs b/rust/kernel/types.rs index 705f420fdfbc4a576de1c4546578f2f04cdf615e..f06e8720e012102e5c41e79fd97= b0607e927d71c 100644 --- a/rust/kernel/types.rs +++ b/rust/kernel/types.rs @@ -9,7 +9,7 @@ ops::{Deref, DerefMut}, ptr::NonNull, }; -use pin_init::{PinInit, Zeroable}; +use pin_init::{PinInit, Wrapper, Zeroable}; =20 /// Used to transfer ownership to and from foreign (non-Rust) languages. /// @@ -332,17 +332,6 @@ pub const fn uninit() -> Self { } } =20 - /// Create an opaque pin-initializer from the given pin-initializer. - pub fn pin_init(slot: impl PinInit) -> impl PinInit { - Self::ffi_init(|ptr: *mut T| { - // SAFETY: - // - `ptr` is a valid pointer to uninitialized memory, - // - `slot` is not accessed on error; the call is infallible, - // - `slot` is pinned in memory. - let _ =3D unsafe { PinInit::::__pinned_init(slot, ptr) }; - }) - } - /// Creates a pin-initializer from the given initializer closure. /// /// The returned initializer calls the given closure with the pointer = to the inner `T` of this @@ -393,6 +382,18 @@ pub const fn raw_get(this: *const Self) -> *mut T { UnsafeCell::raw_get(this.cast::>>()).cas= t::() } } +impl Wrapper for Opaque { + /// Create an opaque pin-initializer from the given pin-initializer. + fn pin_init(slot: impl PinInit) -> impl PinInit { + Self::try_ffi_init(|ptr: *mut T| { + // SAFETY: + // - `ptr` is a valid pointer to uninitialized memory, + // - `slot` is not accessed on error; the call is infallible, + // - `slot` is pinned in memory. + unsafe { PinInit::::__pinned_init(slot, ptr) } + }) + } +} =20 /// Types that are _always_ reference counted. /// --=20 2.49.0 From nobody Wed Dec 17 08:50:56 2025 Received: from mail-wm1-f43.google.com (mail-wm1-f43.google.com [209.85.128.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BFFBD25F97A; Sun, 11 May 2025 18:21:57 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.43 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1746987719; cv=none; b=juV81RrpwsocDqm8R/Wh4ZqxmWCDFco6BZcd//FXOGWi09n5cAu2hcktI8CbEu//3HHxfb0iVBisvkIXUuZmTPSO+qUz5zaz1wL0mUGbvNXLOhRYCQUWSGDZj+USLqyj2KrrHZNxLkd4wnrCYM1MQ0GHPHl/l4uPWD5buUQ4Oao= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1746987719; c=relaxed/simple; bh=5KT6o4PwmqhxLMTqeLgps9jLONAfkvBGP8fVPNwouPw=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=sWmfymmrv49D3T2xKyXtavri03lNvwPOAll6IkvewSy+kofDvOY83ZeYkBuR29qK3ErXZ4ogmErAjs/0oaOksIRDvJRPRrbTgXcm6JielLZ02Q5bJIJhetPAtygDSJHWv+MWpTUpv+aCMTriHB1IQotU2pxc72R3NEz5HHspffg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=DC4zDPNs; arc=none smtp.client-ip=209.85.128.43 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="DC4zDPNs" Received: by mail-wm1-f43.google.com with SMTP id 5b1f17b1804b1-43d07ca6a80so16868885e9.1; Sun, 11 May 2025 11:21:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1746987716; x=1747592516; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=CJGae8ej3sDPBpz6YOCR1Ed8bJvIS2qRuUE9rFXc47Y=; b=DC4zDPNs/s/mAP87v97F6fmhqHD60xmKHKgxzoi2t4RmrdsDHKlHUVdNsz5bX/sEc8 Z2qIjCwGeB/KIW+hYBUG09Qa3Kze0yqGMc7uAmEmqedS1PsHLDpgAk1DVHWzbaAQyKa+ Polk1AgwlPd1hUdjmGhv2Svhw9SemY17cajfOhg3nLII/Qv9kiYD3gjFMpXy+BSevBhW N1Gy5jviL/t70BtlSp7JwIzT6VbLL/c6gjGnFNenJUHgJiyWHtOqhFGs0Mr0d5IR6iVr 2ADZaYa/nqJWjzNnRzZ8OtBmO405FucfOIWvZTnSNCzoQykiPaQHv22xxcjc6OdSHL0q 4/Hg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1746987716; x=1747592516; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=CJGae8ej3sDPBpz6YOCR1Ed8bJvIS2qRuUE9rFXc47Y=; b=cTd2ARjzZFVzOVfBT08Qyn27j5dCJi6sNRs+qHqA6AsW1nAYcCopROk4nJHTZEpV+o /X9qHgZa3ZLxHDY/WiG1X1Amjz2OEKl9c8xShLl53xokhdRQm3yQlFn6NtP4AVUKvTsR 1IG4BmDloWquyegWMWH2y1TIsr6L0OH8HnHriVUrh5/s5BxBGdyqzkr8PweTtxN/v4Rr b0SG+rTxUn1fhHU7ote7ZGcKnqcAYiL++ybwR5zoxBrFsf66gHdXgFB0YFbfHMxcGzWP DwzSF9MnrPruF2qsYMz2bweW8ZbB1ckZChMzJvj5UjAJoum9VI5sxXA6hA8e2D6jdwRY OYDA== X-Forwarded-Encrypted: i=1; AJvYcCUs94EFfnvIb1W+SI8fZ389Q7bPE4YBJQh5e7ADNJZK5gzlbbO7+Ncck08o9mEKbYqwjaXaygB2DJXAEh5ulw==@vger.kernel.org X-Gm-Message-State: AOJu0YxEJ4StYwgJGYdt8BhwmSykFHTJj77Uc5pJ7dbEiPaikFfZCtGA O5rEQyDQt3p0j8wENLwdiHcbxgeU7GO9TBiXtf9HkrBOi3J20ki1 X-Gm-Gg: ASbGnctwGyzwo+86Qd7YSbieLbPOqj/d+gaRLidLTby66vur4jfnm76mSMOAKf+TNTp pABKhcK4xTNmI/HS41s030OCG+SnNE1PHqfHeZyxB9xphoE9rWEwGNadhGTAd++SKqdcSjeUyij lt3Iha9x7/OZ0aB8FAvviPNAwfhf5vG2w9F23NdNJU3SRxIw0D7ZbP+s6KeEe4YvqPmCndt0NyA SW09rp9iT1rL+CDTA55Q8kHMWefB2v/MFDycj6D/erysEpEeu774LBvyT9e0hTmJW7tXp5zZXyx vVG+lVLHnRy15ITZFjuEIXI2tSkx1RdwqHe3Wbq895LodDaVbA== X-Google-Smtp-Source: AGHT+IGBoxlvzaPApRkL7T3N31oDhgngmd2RjXxOhYwOHe2lszSJdIdNonaizWEVQD1usNSLeu057A== X-Received: by 2002:a05:600c:6095:b0:43c:f629:66f4 with SMTP id 5b1f17b1804b1-442d6c3a186mr103848115e9.0.1746987715563; Sun, 11 May 2025 11:21:55 -0700 (PDT) Received: from [10.0.1.56] ([2001:871:22a:99c5::1ad1]) by smtp.googlemail.com with ESMTPSA id 5b1f17b1804b1-442d67d5c7bsm100418495e9.4.2025.05.11.11.21.54 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 11 May 2025 11:21:55 -0700 (PDT) From: Christian Schrefl Date: Sun, 11 May 2025 20:21:40 +0200 Subject: [PATCH v4 3/3] rust: use `UnsafePinned` in the implementation of `Opaque` Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20250511-rust_unsafe_pinned-v4-3-a86c32e47e3d@gmail.com> References: <20250511-rust_unsafe_pinned-v4-0-a86c32e47e3d@gmail.com> In-Reply-To: <20250511-rust_unsafe_pinned-v4-0-a86c32e47e3d@gmail.com> To: Sky , Miguel Ojeda , Alex Gaynor , Boqun Feng , Gary Guo , =?utf-8?q?Bj=C3=B6rn_Roy_Baron?= , Benno Lossin , Andreas Hindborg , Alice Ryhl , Trevor Gross , Danilo Krummrich , =?utf-8?q?Gerald_Wisb=C3=B6ck?= , Nathan Chancellor , Nick Desaulniers , Bill Wendling , Justin Stitt Cc: linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org, llvm@lists.linux.dev, Christian Schrefl , Benno Lossin X-Mailer: b4 0.14.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1746987711; l=3832; i=chrisi.schrefl@gmail.com; s=20250119; h=from:subject:message-id; bh=5KT6o4PwmqhxLMTqeLgps9jLONAfkvBGP8fVPNwouPw=; b=6DGEo06Gy8SeTNomTbvBz9mPO1ZJQ5zJq9ikIniy/ZM3/jsHbTpA8LvsMkyK1iRXrGw6kfpy1 +09e2BHcPDBArwvHC3PP8xtc4+PtGIEnI8chobLj75cwhXJsxkhvEoz X-Developer-Key: i=chrisi.schrefl@gmail.com; a=ed25519; pk=EIyitYCrzxWlybrqoGqiL2jyvO7Vp9X40n0dQ6HE4oU= Make the semantics of the `Opaque` implementation clearer and prepare for the switch to the upstream rust `UnsafePinned` type in the future. `Opaque` still uses `UnsafeCell` even though the kernel implementation of `UnsafePinned` already includes it, since the current upstream version does not. Reviewed-by: Gerald Wisb=C3=B6ck Reviewed-by: Alice Ryhl Reviewed-by: Benno Lossin Signed-off-by: Christian Schrefl Reviewed-by: Boqun Feng --- rust/kernel/types.rs | 32 +++++++++++++++----------------- 1 file changed, 15 insertions(+), 17 deletions(-) diff --git a/rust/kernel/types.rs b/rust/kernel/types.rs index f06e8720e012102e5c41e79fd97b0607e927d71c..e32905c42453132fbea49d37a64= 57547d42465ce 100644 --- a/rust/kernel/types.rs +++ b/rust/kernel/types.rs @@ -4,12 +4,12 @@ =20 use core::{ cell::UnsafeCell, - marker::{PhantomData, PhantomPinned}, + marker::PhantomData, mem::{ManuallyDrop, MaybeUninit}, ops::{Deref, DerefMut}, ptr::NonNull, }; -use pin_init::{PinInit, Wrapper, Zeroable}; +use pin_init::{cast_pin_init, PinInit, Wrapper, Zeroable}; =20 /// Used to transfer ownership to and from foreign (non-Rust) languages. /// @@ -308,8 +308,10 @@ fn drop(&mut self) { /// ``` #[repr(transparent)] pub struct Opaque { - value: UnsafeCell>, - _pin: PhantomPinned, + // The kernel implementation of `UnsafePinned` uses `UnsafeCell` inter= nally, but the + // upstream rust `UnsafePinned` will not. So to make sure this is comp= atible with + // the upstream version use `UnsafeCell` here. + value: UnsafePinned>>, } =20 // SAFETY: `Opaque` allows the inner value to be any bit pattern, inclu= ding all zeros. @@ -319,16 +321,14 @@ impl Opaque { /// Creates a new opaque value. pub const fn new(value: T) -> Self { Self { - value: UnsafeCell::new(MaybeUninit::new(value)), - _pin: PhantomPinned, + value: UnsafePinned::new(UnsafeCell::new(MaybeUninit::new(valu= e))), } } =20 /// Creates an uninitialised value. pub const fn uninit() -> Self { Self { - value: UnsafeCell::new(MaybeUninit::uninit()), - _pin: PhantomPinned, + value: UnsafePinned::new(UnsafeCell::new(MaybeUninit::uninit()= )), } } =20 @@ -371,7 +371,7 @@ pub fn try_ffi_init( =20 /// Returns a raw pointer to the opaque data. pub const fn get(&self) -> *mut T { - UnsafeCell::get(&self.value).cast::() + UnsafeCell::raw_get(self.value.get()).cast::() } =20 /// Gets the value behind `this`. @@ -384,14 +384,12 @@ pub const fn raw_get(this: *const Self) -> *mut T { } impl Wrapper for Opaque { /// Create an opaque pin-initializer from the given pin-initializer. - fn pin_init(slot: impl PinInit) -> impl PinInit { - Self::try_ffi_init(|ptr: *mut T| { - // SAFETY: - // - `ptr` is a valid pointer to uninitialized memory, - // - `slot` is not accessed on error; the call is infallible, - // - `slot` is pinned in memory. - unsafe { PinInit::::__pinned_init(slot, ptr) } - }) + fn pin_init(value_init: impl PinInit) -> impl PinInit { + let value_init =3D + UnsafePinned::pin_init(UnsafeCell::pin_init(MaybeUninit::pin_i= nit(value_init))); + // SAFETY: `Opaque` is a `repr(transparent)` wrapper around + // `UnsafePinned>>` so the memory represe= ntation is compatible. + unsafe { cast_pin_init(value_init) } } } =20 --=20 2.49.0