From nobody Sat Oct 4 19:18:47 2025 Received: from mail-wm1-f73.google.com (mail-wm1-f73.google.com [209.85.128.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 90F5C24467F for ; Wed, 13 Aug 2025 15:35:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.73 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1755099358; cv=none; b=Dp6Xe7F4CKvvfR/xiEthagsZAnX5LmH31Qw69ay58vMmSNvhr8YHyS67SQ8s8TPjOVTv8prIvbAS2QZtUyWwK8tuffwXn/Gz7Sfb13edDxITnX+4khPvnuQm6G7uWo1IkOAekKEQKV7xTsO6mtyNQC6y31IiJbbh+dCIjK4JxBM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1755099358; c=relaxed/simple; bh=2KT9b66Vpg7O1XgImm+s2jh7nuCN0RUQGXoqFyCFNjk=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=Z1fdfQ8vi/whyMZCjWSf6MWTIB2PpxDxkoQveqrvYrL46bL9M5pGQLt1yxm1J1BWXZzrSENBd61499bUx3e6rk2zwHkGSmgMb9yfnC/q2c4ULZYHUmLiJpc+tTd0X2bKfMiUHRlTeIbCdKh2Dl9W3uMIEHABwWQhmnoaIyMnJEM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--bqe.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=PEavuCU+; arc=none smtp.client-ip=209.85.128.73 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--bqe.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="PEavuCU+" Received: by mail-wm1-f73.google.com with SMTP id 5b1f17b1804b1-459db47f138so26142175e9.1 for ; Wed, 13 Aug 2025 08:35:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1755099355; x=1755704155; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=E1zuyuW5ibidXnQHsNdkTLhAD2Ht6AEd8unQ15QbNYg=; b=PEavuCU+RIqHMc7OHilivwyGaiNvno7DipUpmPzwac0ojBw2ntttx3IeIQX6f5h/Yx bBzvM027guK+FRq1d5gkuPLN+rlgAAAyLURzS6HKanE+Yfz6XFcyqoHh5Npal2oR6hg/ BUq3tQeXkUcreBGy9Lqez/oVgvx0vlJzCp4+bzZDxjuXfvNm1A0iw5qyTANr/QyKG7lr unISbuUFddBcBkR+SulIH8JQuNQS3Y5yeM3WmXBTIc2P0jL0vyHrdHwQAZ5QF3QuFxwa 2nKUcHI+tHdpIZCigOZrAlyzuoAZpKJpnJ4dEeBM79y8mlHLnXCyNSlaNDXmMSDIoOWj pD9g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1755099355; x=1755704155; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=E1zuyuW5ibidXnQHsNdkTLhAD2Ht6AEd8unQ15QbNYg=; b=IqmgrjtTTaAdTmxeOZBVy00xMonk/GYTATCLOnDMdsanEXDpl7d1I6OgMUTpVGna7/ OMT5LQfZ0GPfbsgCHZFWk7JYbxEbHsXf8J5UNLBCAKPtYuFDP2Y8vjAdISuzvwIQ8FvU bifnmE68feX11F3/i2LunBglvQzfNRIGoMEUg6RBGZ18tJ+CzduFZAqezNlwAaqAse5u T6ybWVlA8gXVkTc5DLIhL+KLbj4bb57A4Msqhbyr3l12cCkHnpLyvq9yD7zTQXFsEQZQ RjzPFIC/NHFAzwXy8/48bjsU6SNwsTIsHXCOm1YyMXIrm9KNu1qRMCNalVO5BM+Z1JYp Gdtw== X-Forwarded-Encrypted: i=1; AJvYcCXQ7HDZ2krLE4rg8akWccfsZ5f8NNPgz0TNkNQzAappgvoQBCmr0DdSiLBtSwX7IGKWm8v/bGpE88fmTF4=@vger.kernel.org X-Gm-Message-State: AOJu0YwVj+TOUjS56jwgPLlWWS1LP2JA2IAvGhTXOoHPSADyeVOCB37N HNSG0NtPSsBwkjk2nGRWx3LKOSna9iz+EAnmO0khYkL5SNHyYURraNuBGv+j0jtGdlT8KQ== X-Google-Smtp-Source: AGHT+IE+ZSG2eAcaUH4f0r+LrEDrUC08HR0FFobmR0CDvCZLYCneSrtTQPGZWhGgBEeqiV6j3om+DHA= X-Received: from wmbei18.prod.google.com ([2002:a05:600c:3f12:b0:459:dd4e:4446]) (user=bqe job=prod-delivery.src-stubby-dispatcher) by 2002:a05:600c:35c2:b0:458:bbed:a812 with SMTP id 5b1f17b1804b1-45a19769f4bmr18661845e9.17.1755099354918; Wed, 13 Aug 2025 08:35:54 -0700 (PDT) Date: Wed, 13 Aug 2025 15:35:42 +0000 In-Reply-To: <20250813153548.1650533-1-bqe@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20250813153548.1650533-1-bqe@google.com> X-Mailer: git-send-email 2.51.0.rc0.205.g4a044479a3-goog Message-ID: <20250813153548.1650533-2-bqe@google.com> Subject: [PATCH v14 1/5] rust: add bindings for bitmap.h From: Burak Emir To: Yury Norov , Kees Cook Cc: Burak Emir , Rasmus Villemoes , Viresh Kumar , Miguel Ojeda , Alex Gaynor , Boqun Feng , Gary Guo , "=?UTF-8?q?Bj=C3=B6rn=20Roy=20Baron?=" , Benno Lossin , Andreas Hindborg , Alice Ryhl , Trevor Gross , "Gustavo A . R . Silva" , Carlos LLama , Pekka Ristola , rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Makes the bitmap_copy_and_extend inline function available to Rust. Adds F: to existing MAINTAINERS section BITMAP API BINDINGS [RUST]. Suggested-by: Alice Ryhl Suggested-by: Yury Norov Signed-off-by: Burak Emir Reviewed-by: Alice Ryhl Acked-by: Yury Norov [NVIDIA] - Tested-by: Alice Ryhl --- MAINTAINERS | 1 + rust/bindings/bindings_helper.h | 1 + rust/helpers/bitmap.c | 9 +++++++++ rust/helpers/helpers.c | 1 + 4 files changed, 12 insertions(+) create mode 100644 rust/helpers/bitmap.c diff --git a/MAINTAINERS b/MAINTAINERS index fe168477caa4..3950f605dedb 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -4298,6 +4298,7 @@ F: tools/lib/find_bit.c BITMAP API BINDINGS [RUST] M: Yury Norov S: Maintained +F: rust/helpers/bitmap.c F: rust/helpers/cpumask.c =20 BITOPS API diff --git a/rust/bindings/bindings_helper.h b/rust/bindings/bindings_helpe= r.h index 84d60635e8a9..7bb575043c86 100644 --- a/rust/bindings/bindings_helper.h +++ b/rust/bindings/bindings_helper.h @@ -36,6 +36,7 @@ #include #include #include +#include #include #include #include diff --git a/rust/helpers/bitmap.c b/rust/helpers/bitmap.c new file mode 100644 index 000000000000..a50e2f082e47 --- /dev/null +++ b/rust/helpers/bitmap.c @@ -0,0 +1,9 @@ +// SPDX-License-Identifier: GPL-2.0 + +#include + +void rust_helper_bitmap_copy_and_extend(unsigned long *to, const unsigned = long *from, + unsigned int count, unsigned int size) +{ + bitmap_copy_and_extend(to, from, count, size); +} diff --git a/rust/helpers/helpers.c b/rust/helpers/helpers.c index 7cf7fe95e41d..8437736fdf28 100644 --- a/rust/helpers/helpers.c +++ b/rust/helpers/helpers.c @@ -8,6 +8,7 @@ */ =20 #include "auxiliary.c" +#include "bitmap.c" #include "blk.c" #include "bug.c" #include "build_assert.c" --=20 2.51.0.rc0.205.g4a044479a3-goog From nobody Sat Oct 4 19:18:47 2025 Received: from mail-wm1-f74.google.com (mail-wm1-f74.google.com [209.85.128.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7790D24887E for ; Wed, 13 Aug 2025 15:35:57 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.74 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1755099359; cv=none; b=mNl6GwrMMfQoO3L3qv6peAiyPJcdY/6NDQzd0y34rHwBPPpqgozQFRrEajffG7SjXaG2Cqcro7EWtvjwzMABJqY56SPIC+HUEET9MHKvMuONpOvEWhB253Qznu8ZiorTbqASJRoZay3wjldWOl2lJNNfaUTi89OjtmzDOc48XVE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1755099359; c=relaxed/simple; bh=I77vfuLlWBPCt14LYZ8NtrBQVu12DONLwfRtZcKx0sw=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=MSFRyu3pesiTkabWKAsTlvARAXJJneHw3l6DovuYqt5d07VsTNrsaCApNWZ3TTzMn/J/4Z2x2Cdeg6zGQ395kSZBz/Cl+hb7DQpqFGoGB/nSj+p+xu3QpkCR3Ow4to5IFSu4GostrdEhL6gxLtxGidaqFjZ2O6ywuhOOGaEr8ZM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--bqe.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=OYeG69vv; arc=none smtp.client-ip=209.85.128.74 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--bqe.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="OYeG69vv" Received: by mail-wm1-f74.google.com with SMTP id 5b1f17b1804b1-45a15f10f31so5872495e9.0 for ; Wed, 13 Aug 2025 08:35:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1755099356; x=1755704156; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=L4WS8GvYue7559uQTybXRBqpjFVSzlkpZmS/XMzMhb4=; b=OYeG69vvFXZObry69u0edLqOk7l9IECTg4QSEUosZ6VsJeE3a7adcqFdep0Ae8U30z 08RPzT+eEG3c86Qlhb3t5X/OXUt0cKOUj6+KyBmF4bXgsifVunwJ/Nub9oGgE2moD10d AYznJ0lqyM1JQbpGmSBjR/WSY05R2wRgXrdpedOKFDRnZ3dCMVRGjUjaP9PPVfKhllOk DnvSR+tKCW+Sdh69QLjXW7adAPfQDN1PhqQjxnKb1JQdANbHGIg/615h66VhA3/fxOWP Y+UUO69O9iVBjRwdVuoQDLAdX2QFBIzFYx1dwRbcrcMzVR8NR0LOm/81EO4lrsFCZ0cV MM7g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1755099356; x=1755704156; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=L4WS8GvYue7559uQTybXRBqpjFVSzlkpZmS/XMzMhb4=; b=VGS1eNq1fEHJeeXguAOPgYCIFPhuFTdZTwDyUaQftnwkFux1lYbr2NitKmbt8N25do hEhuGFCkNirD7psu9QxRzxFB1Ziyna5vrcUbJK8YZYzNhyGlH48gsbPJLes/8cDWy+It gVCuwyQeU6As3MHbQxAvmpj3lymLWeZqnPhpj9/mcn35oRToVYb4JijaPKqaHDaM5UBD rcYf2zVEFeX0pKxgwtFo+8lgLUDRTrFwDpxijDwjJCOhcWsisURflvzt6l7Pounc5Bzm V/YwUgDgtsgLGxIcyHFwDQ1yd2bAFYOWw7EZHK+cP/Vq0hnDRl6VoZj//kJtnn+5nIWe ldAg== X-Forwarded-Encrypted: i=1; AJvYcCVtcYauoGkOGxNSfGiRaVIMh0ZlcJ+/gj7yQMqdayV3vWWQUcIacyC+TUnuluTgUsW2PhF8ywVxlFFgiEs=@vger.kernel.org X-Gm-Message-State: AOJu0YwC7QlwtNtm1prgL3+FV8UBIx1qRB/W24E6v/WaYnKUpy6ONsYC i+napZY6ETMnRiHSULXF+/f9jtNtate8S1QxAEQYj2DgRNc2g06T+NSDPhbv9ukbJG5DuA== X-Google-Smtp-Source: AGHT+IEe3dz6q96KeNmchrPq1cz+rF22A1Bsx6DhEle2xVBOzYq6ivW8h+sNse0JlVP+6oJyR4izDtk= X-Received: from wmbep10.prod.google.com ([2002:a05:600c:840a:b0:459:d8e5:aea6]) (user=bqe job=prod-delivery.src-stubby-dispatcher) by 2002:a05:600c:1d1f:b0:439:4b23:9e8e with SMTP id 5b1f17b1804b1-45a1acf4a5amr167855e9.3.1755099355884; Wed, 13 Aug 2025 08:35:55 -0700 (PDT) Date: Wed, 13 Aug 2025 15:35:43 +0000 In-Reply-To: <20250813153548.1650533-1-bqe@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20250813153548.1650533-1-bqe@google.com> X-Mailer: git-send-email 2.51.0.rc0.205.g4a044479a3-goog Message-ID: <20250813153548.1650533-3-bqe@google.com> Subject: [PATCH v14 2/5] rust: add bindings for bitops.h From: Burak Emir To: Yury Norov , Kees Cook Cc: Burak Emir , Rasmus Villemoes , Viresh Kumar , Miguel Ojeda , Alex Gaynor , Boqun Feng , Gary Guo , "=?UTF-8?q?Bj=C3=B6rn=20Roy=20Baron?=" , Benno Lossin , Andreas Hindborg , Alice Ryhl , Trevor Gross , "Gustavo A . R . Silva" , Carlos LLama , Pekka Ristola , rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Makes atomic set_bit and clear_bit inline functions as well as the non-atomic variants __set_bit and __clear_bit available to Rust. Adds a new MAINTAINERS section BITOPS API BINDINGS [RUST]. Suggested-by: Alice Ryhl Suggested-by: Yury Norov Signed-off-by: Burak Emir Reviewed-by: Alice Ryhl Acked-by: Yury Norov [NVIDIA] Tested-by: Alice Ryhl --- MAINTAINERS | 5 +++++ rust/helpers/bitops.c | 23 +++++++++++++++++++++++ rust/helpers/helpers.c | 1 + 3 files changed, 29 insertions(+) create mode 100644 rust/helpers/bitops.c diff --git a/MAINTAINERS b/MAINTAINERS index 3950f605dedb..a9ebb2d49dea 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -4315,6 +4315,11 @@ F: include/linux/bitops.h F: lib/test_bitops.c F: tools/*/bitops* =20 +BITOPS API BINDINGS [RUST] +M: Yury Norov +S: Maintained +F: rust/helpers/bitops.c + BLINKM RGB LED DRIVER M: Jan-Simon Moeller S: Maintained diff --git a/rust/helpers/bitops.c b/rust/helpers/bitops.c new file mode 100644 index 000000000000..5d0861d29d3f --- /dev/null +++ b/rust/helpers/bitops.c @@ -0,0 +1,23 @@ +// SPDX-License-Identifier: GPL-2.0 + +#include + +void rust_helper___set_bit(unsigned long nr, unsigned long *addr) +{ + __set_bit(nr, addr); +} + +void rust_helper___clear_bit(unsigned long nr, unsigned long *addr) +{ + __clear_bit(nr, addr); +} + +void rust_helper_set_bit(unsigned long nr, volatile unsigned long *addr) +{ + set_bit(nr, addr); +} + +void rust_helper_clear_bit(unsigned long nr, volatile unsigned long *addr) +{ + clear_bit(nr, addr); +} diff --git a/rust/helpers/helpers.c b/rust/helpers/helpers.c index 8437736fdf28..abff1ef14d81 100644 --- a/rust/helpers/helpers.c +++ b/rust/helpers/helpers.c @@ -9,6 +9,7 @@ =20 #include "auxiliary.c" #include "bitmap.c" +#include "bitops.c" #include "blk.c" #include "bug.c" #include "build_assert.c" --=20 2.51.0.rc0.205.g4a044479a3-goog From nobody Sat Oct 4 19:18:47 2025 Received: from mail-wm1-f74.google.com (mail-wm1-f74.google.com [209.85.128.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CF8A227144E for ; Wed, 13 Aug 2025 15:35:58 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.74 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1755099362; cv=none; b=dmYvVdW5TGHg8HvqcgRa4bqhpvv2Sshulgap1L06KrLV6FrHPAyfN1u6R30Su7COvZWsCfT2sAahWe7qLVR6ECLpXWXi7iKDP4MmWmkotVKDZPIaFqR03DXLbdqcQ/upd/fyEBe14QnCAEEdZs8ZkQ6Tcxl44M2iHQXY8SzW3UY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1755099362; c=relaxed/simple; bh=oBQWuyUla02vxPxwEh+dqEBdG/AYlZTNzcRwVBvd/ac=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=YJvsX9zDn3zCvakFJr3SZkGE26pl6kBf+8fEshp4FUrbdsaBFhT1loz8jpD1aVjYCHcnY2NCnKQUmrfXyDwpJk/Qy0bLZmcdZmWv6YCqPDxQjVCii1cNopU/gxATfD9KJ18K2mWUP/Y3bGQ+jvsj1RLr5RSwlz59CfoQswwmWuY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--bqe.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=3niFRutz; arc=none smtp.client-ip=209.85.128.74 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--bqe.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="3niFRutz" Received: by mail-wm1-f74.google.com with SMTP id 5b1f17b1804b1-458b9ded499so44499105e9.1 for ; Wed, 13 Aug 2025 08:35:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1755099357; x=1755704157; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=w+NNOJskszKCuDmOfNFzFwwz87hAJT4N8AGvoWM1j6o=; b=3niFRutzwFDl6/ivDvmbP6mP3l36DfYftUF2AolqhW26gSYNLQgOXWKCJ7kHlF6Sgh 6gYbaJ/dsG5ltmrpuquxkEA5gFNB+TBBaD0YxuE7O8qP9FS7y2a/987JCHJiM7QdiVTj WpRsPs+ljE4D0Ppzh1fZau0QoFSpsmFChTsdKPOHr1skR8lBn8OqdaLsF0GHB/cSaREQ VFMwBNRpqemMxF+nq0SmIOuo/HO1C2ztmSDKJ3NeaWY1Rp32upiUhj0/iof04FC6eLT/ JgRWmiwEcksCd7TXmxLqBZIAVyktoCOqwDnjg5wQf238/U6hpdyNV3Yed4XIe9IMPXi3 YOow== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1755099357; x=1755704157; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=w+NNOJskszKCuDmOfNFzFwwz87hAJT4N8AGvoWM1j6o=; b=qHutGSky3dK1IjrZPl+Iso8UczAYTNvxG0DswjeycyoJoDTnGZhlnA8vcWPhhrJWSS Lm6k+gF9/BT9pC2TaVw4vITlU9I2rH4bMpAhCSPZinJIIlY8XtTTBLYexFCOVeTF69pI IOX97dLgh+48abRGaEJtu9tvUxk0PiKWxICdmr3MTeFhrxQ58qI6svhb1450MrSxHjHf z2rbTePeLVbUyLiEecldSzHPpApf7MkdHh5Rr7rPioKN3GK1xGIDti98jThJ4mF97GgZ h/hWNEX68Whao7ct0qI1q6fpXJEa3qCv++WOoHI4rTj/hDJSLA+Y+2cZhDcWeDVGPhxf FnTA== X-Forwarded-Encrypted: i=1; AJvYcCUeZ6sAcxevCNTbAuDeHAWszu+VG/piXFJOUg/rbQE4Dl8R2twoRihUgH9Q2dMt0f48qbmftdhQAspT8+k=@vger.kernel.org X-Gm-Message-State: AOJu0YwYlj4kKPe+i+TQqNmlVBKobe1N5U6jsOuOODalRtMd/iySDj56 L7Yc7miaicYT16eU9bbhOu8A5QlNGZg8KDdzjVoVj1iOMj4luheF+2QkUGBMVzzdGWiEZg== X-Google-Smtp-Source: AGHT+IEfP27gkvOtNXolpUBFjN1uFRYFZl9gfVPk2u0jSDgwXek8jO1enUTabGcawriKG/u4CaxrO5A= X-Received: from wmsd12.prod.google.com ([2002:a05:600c:3acc:b0:459:dc02:4cf2]) (user=bqe job=prod-delivery.src-stubby-dispatcher) by 2002:a05:600c:35cb:b0:456:25e7:bed with SMTP id 5b1f17b1804b1-45a165adbadmr33129315e9.14.1755099356995; Wed, 13 Aug 2025 08:35:56 -0700 (PDT) Date: Wed, 13 Aug 2025 15:35:44 +0000 In-Reply-To: <20250813153548.1650533-1-bqe@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20250813153548.1650533-1-bqe@google.com> X-Mailer: git-send-email 2.51.0.rc0.205.g4a044479a3-goog Message-ID: <20250813153548.1650533-4-bqe@google.com> Subject: [PATCH v14 3/5] rust: add bitmap API. From: Burak Emir To: Yury Norov , Kees Cook Cc: Burak Emir , Rasmus Villemoes , Viresh Kumar , Miguel Ojeda , Alex Gaynor , Boqun Feng , Gary Guo , "=?UTF-8?q?Bj=C3=B6rn=20Roy=20Baron?=" , Benno Lossin , Andreas Hindborg , Alice Ryhl , Trevor Gross , "Gustavo A . R . Silva" , Carlos LLama , Pekka Ristola , rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Provides an abstraction for C bitmap API and bitops operations. This commit enables a Rust implementation of an Android Binder data structure from commit 15d9da3f818c ("binder: use bitmap for faster descriptor lookup"), which can be found in drivers/android/dbitmap.h. It is a step towards upstreaming the Rust port of Android Binder driver. We follow the C Bitmap API closely in naming and semantics, with a few differences that take advantage of Rust language facilities and idioms. The main types are `BitmapVec` for owned bitmaps and `Bitmap` for references to C bitmaps. * We leverage Rust type system guarantees as follows: * all (non-atomic) mutating operations require a &mut reference which amounts to exclusive access. * the `BitmapVec` type implements Send. This enables transferring ownership between threads and is needed for Binder. * the `BitmapVec` type implements Sync, which enables passing shared references &Bitmap between threads. Atomic operations can be used to safely modify from multiple threads (interior mutability), though without ordering guarantees. * The Rust API uses `{set,clear}_bit` vs `{set,clear}_bit_atomic` as names for clarity, which differs from the C naming convention `set_bit` for atomic vs `__set_bit` for non-atomic. * we include enough operations for the API to be useful. Not all operations are exposed yet in order to avoid dead code. The missing ones can be added later. * We take a fine-grained approach to safety: * Low-level bit-ops get a safe API with bounds checks. Calling with an out-of-bounds arguments to {set,clear}_bit becomes a no-op and get logged as errors. * We also introduce a RUST_BITMAP_HARDENED config, which causes invocations with out-of-bounds arguments to panic. * methods correspond to find_* C methods tolerate out-of-bounds since the C implementation does. Also here, out-of-bounds arguments are logged as errors, or panic in RUST_BITMAP_HARDENED mode. * We add a way to "borrow" bitmaps from C in Rust, to make C bitmaps that were allocated in C directly usable in Rust code (`Bitmap`). * the Rust API is optimized to represent the bitmap inline if it would fit into a pointer. This saves allocations which is relevant in the Binder use case. The underlying C bitmap is *not* exposed for raw access in Rust. Doing so would permit bypassing the Rust API and lose static guarantees. An alternative route of vendoring an existing Rust bitmap package was considered but suboptimal overall. Reusing the C implementation is preferable for a basic data structure like bitmaps. It enables Rust code to be a lot more similar and predictable with respect to C code that uses the same data structures and enables the use of code that has been tried-and-tested in the kernel, with the same performance characteristics whenever possible. We use the `usize` type for sizes and indices into the bitmap, because Rust generally always uses that type for indices and lengths and it will be more convenient if the API accepts that type. This means that we need to perform some casts to/from u32 and usize, since the C headers use unsigned int instead of size_t/unsigned long for these numbers in some places. Adds new MAINTAINERS section BITMAP API [RUST]. Suggested-by: Alice Ryhl Suggested-by: Yury Norov Signed-off-by: Burak Emir Reviewed-by: Alice Ryhl Tested-by: Alice Ryhl --- MAINTAINERS | 7 + rust/kernel/bitmap.rs | 582 +++++++++++++++++++++++++++++++++++++ rust/kernel/lib.rs | 1 + security/Kconfig.hardening | 10 + 4 files changed, 600 insertions(+) create mode 100644 rust/kernel/bitmap.rs diff --git a/MAINTAINERS b/MAINTAINERS index a9ebb2d49dea..1760df683cd2 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -4301,6 +4301,13 @@ S: Maintained F: rust/helpers/bitmap.c F: rust/helpers/cpumask.c =20 +BITMAP API [RUST] +M: Alice Ryhl +M: Burak Emir +R: Yury Norov +S: Maintained +F: rust/kernel/bitmap.rs + BITOPS API M: Yury Norov R: Rasmus Villemoes diff --git a/rust/kernel/bitmap.rs b/rust/kernel/bitmap.rs new file mode 100644 index 000000000000..9235808dc03c --- /dev/null +++ b/rust/kernel/bitmap.rs @@ -0,0 +1,582 @@ +// SPDX-License-Identifier: GPL-2.0 + +// Copyright (C) 2025 Google LLC. + +//! Rust API for bitmap. +//! +//! C headers: [`include/linux/bitmap.h`](srctree/include/linux/bitmap.h). + +use crate::alloc::{AllocError, Flags}; +use crate::bindings; +#[cfg(not(CONFIG_RUST_BITMAP_HARDENED))] +use crate::pr_err; +use core::ptr::NonNull; + +const BITS_PER_LONG: usize =3D bindings::BITS_PER_LONG as usize; + +/// Represents a C bitmap. Wraps underlying C bitmap API. +/// +/// # Invariants +/// +/// Must reference a `[c_ulong]` long enough to fit `data.len()` bits. +#[cfg_attr(CONFIG_64BIT, repr(align(8)))] +#[cfg_attr(not(CONFIG_64BIT), repr(align(4)))] +pub struct Bitmap { + data: [()], +} + +impl Bitmap { + /// Borrows a C bitmap. + /// + /// # Safety + /// + /// * `ptr` holds a non-null address of an initialized array of `unsig= ned long` + /// that is large enough to hold `nbits` bits. + /// * the array must not be freed for the lifetime of this [`Bitmap`] + /// * concurrent access only happens through atomic operations + pub unsafe fn from_raw<'a>(ptr: *const usize, nbits: usize) -> &'a Bit= map { + let data: *const [()] =3D core::ptr::slice_from_raw_parts(ptr.cast= (), nbits); + // INVARIANT: `data` references an initialized array that can hold= `nbits` bits. + // SAFETY: + // The caller guarantees that `data` (derived from `ptr` and `nbit= s`) + // points to a valid, initialized, and appropriately sized memory = region + // that will not be freed for the lifetime 'a. + // We are casting `*const [()]` to `*const Bitmap`. The `Bitmap` + // struct is a ZST with a `data: [()]` field. This means its layout + // is compatible with a slice of `()`, and effectively it's a "thi= n pointer" + // (its size is 0 and alignment is 1). The `slice_from_raw_parts` + // function correctly encodes the length (number of bits, not elem= ents) + // into the metadata of the fat pointer. Therefore, dereferencing = this + // pointer as `&Bitmap` is safe given the caller's guarantees. + unsafe { &*(data as *const Bitmap) } + } + + /// Borrows a C bitmap exclusively. + /// + /// # Safety + /// + /// * `ptr` holds a non-null address of an initialized array of `unsig= ned long` + /// that is large enough to hold `nbits` bits. + /// * the array must not be freed for the lifetime of this [`Bitmap`] + /// * no concurrent access may happen. + pub unsafe fn from_raw_mut<'a>(ptr: *mut usize, nbits: usize) -> &'a m= ut Bitmap { + let data: *mut [()] =3D core::ptr::slice_from_raw_parts_mut(ptr.ca= st(), nbits); + // INVARIANT: `data` references an initialized array that can hold= `nbits` bits. + // SAFETY: + // The caller guarantees that `data` (derived from `ptr` and `nbit= s`) + // points to a valid, initialized, and appropriately sized memory = region + // that will not be freed for the lifetime 'a. + // Furthermore, the caller guarantees no concurrent access will ha= ppen, + // which upholds the exclusivity requirement for a mutable referen= ce. + // Similar to `from_raw`, casting `*mut [()]` to `*mut Bitmap` is + // safe because `Bitmap` is a ZST with a `data: [()]` field, + // making its layout compatible with a slice of `()`. + unsafe { &mut *(data as *mut Bitmap) } + } + + /// Returns a raw pointer to the backing [`Bitmap`]. + pub fn as_ptr(&self) -> *const usize { + core::ptr::from_ref::(self).cast::() + } + + /// Returns a mutable raw pointer to the backing [`Bitmap`]. + pub fn as_mut_ptr(&mut self) -> *mut usize { + core::ptr::from_mut::(self).cast::() + } + + /// Returns length of this [`Bitmap`]. + #[expect(clippy::len_without_is_empty)] + pub fn len(&self) -> usize { + self.data.len() + } +} + +/// Holds either a pointer to array of `unsigned long` or a small bitmap. +#[repr(C)] +union BitmapRepr { + bitmap: usize, + ptr: NonNull, +} + +macro_rules! bitmap_assert { + ($cond:expr, $($arg:tt)+) =3D> { + #[cfg(CONFIG_RUST_BITMAP_HARDENED)] + assert!($cond, $($arg)*); + } +} + +macro_rules! bitmap_assert_return { + ($cond:expr, $($arg:tt)+) =3D> { + #[cfg(CONFIG_RUST_BITMAP_HARDENED)] + assert!($cond, $($arg)*); + + #[cfg(not(CONFIG_RUST_BITMAP_HARDENED))] + if !($cond) { + pr_err!($($arg)*); + return + } + } +} + +/// Represents an owned bitmap. +/// +/// Wraps underlying C bitmap API. See [`Bitmap`] for available +/// methods. +/// +/// # Examples +/// +/// Basic usage +/// +/// ``` +/// use kernel::alloc::flags::GFP_KERNEL; +/// use kernel::bitmap::BitmapVec; +/// +/// let mut b =3D BitmapVec::new(16, GFP_KERNEL)?; +/// +/// assert_eq!(16, b.len()); +/// for i in 0..16 { +/// if i % 4 =3D=3D 0 { +/// b.set_bit(i); +/// } +/// } +/// assert_eq!(Some(0), b.next_bit(0)); +/// assert_eq!(Some(1), b.next_zero_bit(0)); +/// assert_eq!(Some(4), b.next_bit(1)); +/// assert_eq!(Some(5), b.next_zero_bit(4)); +/// assert_eq!(Some(12), b.last_bit()); +/// # Ok::<(), Error>(()) +/// ``` +/// +/// # Invariants +/// +/// * `nbits` is `<=3D i32::MAX` and never changes. +/// * if `nbits <=3D bindings::BITS_PER_LONG`, then `repr` is a `usize`. +/// * otherwise, `repr` holds a non-null pointer to an initialized +/// array of `unsigned long` that is large enough to hold `nbits` bits. +pub struct BitmapVec { + /// Representation of bitmap. + repr: BitmapRepr, + /// Length of this bitmap. Must be `<=3D i32::MAX`. + nbits: usize, +} + +impl core::ops::Deref for BitmapVec { + type Target =3D Bitmap; + + fn deref(&self) -> &Bitmap { + let ptr =3D if self.nbits <=3D BITS_PER_LONG { + // SAFETY: Bitmap is represented inline. + unsafe { core::ptr::addr_of!(self.repr.bitmap) } + } else { + // SAFETY: Bitmap is represented as array of `unsigned long`. + unsafe { self.repr.ptr.as_ptr() } + }; + + // SAFETY: We got the right pointer and invariants of [`Bitmap`] h= old. + // An inline bitmap is treated like an array with single element. + unsafe { Bitmap::from_raw(ptr, self.nbits) } + } +} + +impl core::ops::DerefMut for BitmapVec { + fn deref_mut(&mut self) -> &mut Bitmap { + let ptr =3D if self.nbits <=3D BITS_PER_LONG { + // SAFETY: Bitmap is represented inline. + unsafe { core::ptr::addr_of_mut!(self.repr.bitmap) } + } else { + // SAFETY: Bitmap is represented as array of `unsigned long`. + unsafe { self.repr.ptr.as_ptr() } + }; + + // SAFETY: We got the right pointer and invariants of [`BitmapVec`= ] hold. + // An inline bitmap is treated like an array with single element. + unsafe { Bitmap::from_raw_mut(ptr, self.nbits) } + } +} + +/// Enable ownership transfer to other threads. +/// +/// SAFETY: We own the underlying bitmap representation. +unsafe impl Send for BitmapVec {} + +/// Enable unsynchronized concurrent access to [`BitmapVec`] through share= d references. +/// +/// SAFETY: `deref()` will return a reference to a [`Bitmap`]. Its methods +/// take immutable references are either atomic or read-only. +unsafe impl Sync for BitmapVec {} + +impl Drop for BitmapVec { + fn drop(&mut self) { + if self.nbits <=3D BITS_PER_LONG { + return; + } + // SAFETY: `self.ptr` was returned by the C `bitmap_zalloc`. + // + // INVARIANT: there is no other use of the `self.ptr` after this + // call and the value is being dropped so the broken invariant is + // not observable on function exit. + unsafe { bindings::bitmap_free(self.repr.ptr.as_ptr()) }; + } +} + +impl BitmapVec { + /// Constructs a new [`BitmapVec`]. + /// + /// Fails with [`AllocError`] when the [`BitmapVec`] could not be allo= cated. This + /// includes the case when `nbits` is greater than `i32::MAX`. + #[inline] + pub fn new(nbits: usize, flags: Flags) -> Result { + if nbits <=3D BITS_PER_LONG { + return Ok(BitmapVec { + repr: BitmapRepr { bitmap: 0 }, + nbits, + }); + } + if nbits > i32::MAX.try_into().unwrap() { + return Err(AllocError); + } + let nbits_u32 =3D u32::try_from(nbits).unwrap(); + // SAFETY: `BITS_PER_LONG < nbits` and `nbits <=3D i32::MAX`. + let ptr =3D unsafe { bindings::bitmap_zalloc(nbits_u32, flags.as_r= aw()) }; + let ptr =3D NonNull::new(ptr).ok_or(AllocError)?; + // INVARIANT: `ptr` returned by C `bitmap_zalloc` and `nbits` chec= ked. + Ok(BitmapVec { + repr: BitmapRepr { ptr }, + nbits, + }) + } + + /// Returns length of this [`Bitmap`]. + #[allow(clippy::len_without_is_empty)] + #[inline] + pub fn len(&self) -> usize { + self.nbits + } +} + +impl Bitmap { + /// Set bit with index `index`. + /// + /// ATTENTION: `set_bit` is non-atomic, which differs from the naming + /// convention in C code. The corresponding C function is `__set_bit`. + /// + /// If CONFIG_RUST_BITMAP_HARDENED is not enabled and `index` is great= er than + /// or equal to `self.nbits`, does nothing. + /// + /// # Panics + /// + /// Panics if CONFIG_RUST_BITMAP_HARDENED is enabled and `index` is gr= eater than + /// or equal to `self.nbits`. + #[inline] + pub fn set_bit(&mut self, index: usize) { + bitmap_assert_return!( + index < self.len(), + "Bit `index` must be < {}, was {}", + self.len(), + index + ); + // SAFETY: Bit `index` is within bounds. + unsafe { bindings::__set_bit(index, self.as_mut_ptr()) }; + } + + /// Set bit with index `index`, atomically. + /// + /// This is a relaxed atomic operation (no implied memory barriers). + /// + /// ATTENTION: The naming convention differs from C, where the corresp= onding + /// function is called `set_bit`. + /// + /// If CONFIG_RUST_BITMAP_HARDENED is not enabled and `index` is great= er than + /// or equal to `self.len()`, does nothing. + /// + /// # Panics + /// + /// Panics if CONFIG_RUST_BITMAP_HARDENED is enabled and `index` is gr= eater than + /// or equal to `self.len()`. + #[inline] + pub fn set_bit_atomic(&self, index: usize) { + bitmap_assert_return!( + index < self.len(), + "Bit `index` must be < {}, was {}", + self.len(), + index + ); + // SAFETY: `index` is within bounds and the caller has ensured that + // there is no mix of non-atomic and atomic operations. + unsafe { bindings::set_bit(index, self.as_ptr().cast_mut()) }; + } + + /// Clear `index` bit. + /// + /// ATTENTION: `clear_bit` is non-atomic, which differs from the naming + /// convention in C code. The corresponding C function is `__clear_bit= `. + /// + /// If CONFIG_RUST_BITMAP_HARDENED is not enabled and `index` is great= er than + /// or equal to `self.len()`, does nothing. + /// + /// # Panics + /// + /// Panics if CONFIG_RUST_BITMAP_HARDENED is enabled and `index` is gr= eater than + /// or equal to `self.len()`. + #[inline] + pub fn clear_bit(&mut self, index: usize) { + bitmap_assert_return!( + index < self.len(), + "Bit `index` must be < {}, was {}", + self.len(), + index + ); + // SAFETY: `index` is within bounds. + unsafe { bindings::__clear_bit(index, self.as_mut_ptr()) }; + } + + /// Clear `index` bit, atomically. + /// + /// This is a relaxed atomic operation (no implied memory barriers). + /// + /// ATTENTION: The naming convention differs from C, where the corresp= onding + /// function is called `clear_bit`. + /// + /// If CONFIG_RUST_BITMAP_HARDENED is not enabled and `index` is great= er than + /// or equal to `self.len()`, does nothing. + /// + /// # Panics + /// + /// Panics if CONFIG_RUST_BITMAP_HARDENED is enabled and `index` is gr= eater than + /// or equal to `self.len()`. + #[inline] + pub fn clear_bit_atomic(&self, index: usize) { + bitmap_assert_return!( + index < self.len(), + "Bit `index` must be < {}, was {}", + self.len(), + index + ); + // SAFETY: `index` is within bounds and the caller has ensured that + // there is no mix of non-atomic and atomic operations. + unsafe { bindings::clear_bit(index, self.as_ptr().cast_mut()) }; + } + + /// Copy `src` into this [`Bitmap`] and set any remaining bits to zero. + /// + /// # Examples + /// + /// ``` + /// use kernel::alloc::{AllocError, flags::GFP_KERNEL}; + /// use kernel::bitmap::BitmapVec; + /// + /// let mut long_bitmap =3D BitmapVec::new(256, GFP_KERNEL)?; + /// + /// assert_eq!(None, long_bitmap.last_bit()); + /// + /// let mut short_bitmap =3D BitmapVec::new(16, GFP_KERNEL)?; + /// + /// short_bitmap.set_bit(7); + /// long_bitmap.copy_and_extend(&short_bitmap); + /// assert_eq!(Some(7), long_bitmap.last_bit()); + /// + /// # Ok::<(), AllocError>(()) + /// ``` + #[inline] + pub fn copy_and_extend(&mut self, src: &Bitmap) { + let len =3D core::cmp::min(src.len(), self.len()); + // SAFETY: access to `self` and `src` is within bounds. + unsafe { + bindings::bitmap_copy_and_extend( + self.as_mut_ptr(), + src.as_ptr(), + len as u32, + self.len() as u32, + ) + }; + } + + /// Finds last set bit. + /// + /// # Examples + /// + /// ``` + /// use kernel::alloc::{AllocError, flags::GFP_KERNEL}; + /// use kernel::bitmap::BitmapVec; + /// + /// let bitmap =3D BitmapVec::new(64, GFP_KERNEL)?; + /// + /// match bitmap.last_bit() { + /// Some(idx) =3D> { + /// pr_info!("The last bit has index {idx}.\n"); + /// } + /// None =3D> { + /// pr_info!("All bits in this bitmap are 0.\n"); + /// } + /// } + /// # Ok::<(), AllocError>(()) + /// ``` + #[inline] + pub fn last_bit(&self) -> Option { + // SAFETY: `_find_next_bit` access is within bounds due to invaria= nt. + let index =3D unsafe { bindings::_find_last_bit(self.as_ptr(), sel= f.len()) }; + if index >=3D self.len() { + None + } else { + Some(index) + } + } + + /// Finds next set bit, starting from `start`. + /// + /// Returns `None` if `start` is greater or equal to `self.nbits`. + #[inline] + pub fn next_bit(&self, start: usize) -> Option { + bitmap_assert!( + start < self.len(), + "`start` must be < {} was {}", + self.len(), + start + ); + // SAFETY: `_find_next_bit` tolerates out-of-bounds arguments and = returns a + // value larger than or equal to `self.len()` in that case. + let index =3D unsafe { bindings::_find_next_bit(self.as_ptr(), sel= f.len(), start) }; + if index >=3D self.len() { + None + } else { + Some(index) + } + } + + /// Finds next zero bit, starting from `start`. + /// Returns `None` if `start` is greater than or equal to `self.len()`. + #[inline] + pub fn next_zero_bit(&self, start: usize) -> Option { + bitmap_assert!( + start < self.len(), + "`start` must be < {} was {}", + self.len(), + start + ); + // SAFETY: `_find_next_zero_bit` tolerates out-of-bounds arguments= and returns a + // value larger than or equal to `self.len()` in that case. + let index =3D unsafe { bindings::_find_next_zero_bit(self.as_ptr()= , self.len(), start) }; + if index >=3D self.len() { + None + } else { + Some(index) + } + } +} + +use macros::kunit_tests; + +#[kunit_tests(rust_kernel_bitmap)] +mod tests { + use super::*; + use kernel::alloc::flags::GFP_KERNEL; + + #[test] + fn bitmap_borrow() { + let fake_bitmap: [usize; 2] =3D [0, 0]; + // SAFETY: `fake_c_bitmap` is an array of expected length. + let b =3D unsafe { Bitmap::from_raw(fake_bitmap.as_ptr(), 2 * BITS= _PER_LONG) }; + assert_eq!(2 * BITS_PER_LONG, b.len()); + assert_eq!(None, b.next_bit(0)); + } + + #[test] + fn bitmap_copy() { + let fake_bitmap: usize =3D 0xFF; + // SAFETY: `fake_c_bitmap` can be used as one-element array of exp= ected length. + let b =3D unsafe { Bitmap::from_raw(core::ptr::addr_of!(fake_bitma= p), 8) }; + assert_eq!(8, b.len()); + assert_eq!(None, b.next_zero_bit(0)); + } + + #[test] + fn bitmap_vec_new() -> Result<(), AllocError> { + let b =3D BitmapVec::new(0, GFP_KERNEL)?; + assert_eq!(0, b.len()); + + let b =3D BitmapVec::new(3, GFP_KERNEL)?; + assert_eq!(3, b.len()); + + let b =3D BitmapVec::new(1024, GFP_KERNEL)?; + assert_eq!(1024, b.len()); + + // Requesting too large values results in [`AllocError`]. + let res =3D BitmapVec::new(1 << 31, GFP_KERNEL); + assert!(res.is_err()); + Ok(()) + } + + #[test] + fn bitmap_set_clear_find() -> Result<(), AllocError> { + let mut b =3D BitmapVec::new(128, GFP_KERNEL)?; + + // Zero-initialized + assert_eq!(None, b.next_bit(0)); + assert_eq!(Some(0), b.next_zero_bit(0)); + assert_eq!(None, b.last_bit()); + + b.set_bit(17); + + assert_eq!(Some(17), b.next_bit(0)); + assert_eq!(Some(17), b.next_bit(17)); + assert_eq!(None, b.next_bit(18)); + assert_eq!(Some(17), b.last_bit()); + + b.set_bit(107); + + assert_eq!(Some(17), b.next_bit(0)); + assert_eq!(Some(17), b.next_bit(17)); + assert_eq!(Some(107), b.next_bit(18)); + assert_eq!(Some(107), b.last_bit()); + + b.clear_bit(17); + + assert_eq!(Some(107), b.next_bit(0)); + assert_eq!(Some(107), b.last_bit()); + Ok(()) + } + + #[cfg(not(CONFIG_RUST_BITMAP_HARDENED))] + #[test] + fn owned_bitmap_out_of_bounds() -> Result<(), AllocError> { + let mut b =3D BitmapVec::new(128, GFP_KERNEL)?; + + b.set_bit(2048); + b.set_bit_atomic(2048); + b.clear_bit(2048); + b.clear_bit_atomic(2048); + assert_eq!(None, b.next_bit(2048)); + assert_eq!(None, b.next_zero_bit(2048)); + assert_eq!(None, b.last_bit()); + Ok(()) + } + + // TODO: uncomment once kunit supports [should_panic]. + // #[cfg(CONFIG_RUST_BITMAP_HARDENED)] + // #[test] + // #[should_panic] + // fn owned_bitmap_out_of_bounds() -> Result<(), AllocError> { + // let mut b =3D BitmapVec::new(128, GFP_KERNEL)?; + // + // b.set_bit(2048); + // } + + #[test] + fn bitmap_copy_and_extend() -> Result<(), AllocError> { + let mut long_bitmap =3D BitmapVec::new(256, GFP_KERNEL)?; + + long_bitmap.set_bit(3); + long_bitmap.set_bit(200); + + let mut short_bitmap =3D BitmapVec::new(32, GFP_KERNEL)?; + + short_bitmap.set_bit(17); + + long_bitmap.copy_and_extend(&short_bitmap); + + // Previous bits have been cleared. + assert_eq!(Some(17), long_bitmap.next_bit(0)); + assert_eq!(Some(17), long_bitmap.last_bit()); + Ok(()) + } +} diff --git a/rust/kernel/lib.rs b/rust/kernel/lib.rs index ed53169e795c..586be7f246eb 100644 --- a/rust/kernel/lib.rs +++ b/rust/kernel/lib.rs @@ -62,6 +62,7 @@ pub mod alloc; #[cfg(CONFIG_AUXILIARY_BUS)] pub mod auxiliary; +pub mod bitmap; pub mod bits; #[cfg(CONFIG_BLOCK)] pub mod block; diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening index b9a5bc3430aa..86f8768c63d4 100644 --- a/security/Kconfig.hardening +++ b/security/Kconfig.hardening @@ -255,6 +255,16 @@ config LIST_HARDENED =20 If unsure, say N. =20 +config RUST_BITMAP_HARDENED + bool "Check integrity of bitmap Rust API" + depends on RUST + help + Enables additional assertions in the Rust Bitmap API to catch + arguments that are not guaranteed to result in an immediate access + fault. + + If unsure, say N. + config BUG_ON_DATA_CORRUPTION bool "Trigger a BUG when data corruption is detected" select LIST_HARDENED --=20 2.51.0.rc0.205.g4a044479a3-goog From nobody Sat Oct 4 19:18:47 2025 Received: from mail-wm1-f73.google.com (mail-wm1-f73.google.com [209.85.128.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8DE131E570B for ; Wed, 13 Aug 2025 15:35:59 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.73 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1755099364; cv=none; b=Xwx3Pl3Fb+/aHkLlpisPc9m55qbxxYZQ05e2GUPbfo9WCL19gtn/Hf+63tKGkv56FKzW0DUbTVkB8nAuCkQUJSHxbNZLpTJFR0cVFHEu9/NgoF+U+JI1Hs1BomNKZsPYvlmyd2TPxee4m76A42jyjpyis5hNyaJE1n1mxivouLc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1755099364; c=relaxed/simple; bh=pYSqyLbGEOkp9MiVPkD6d88z2+rXjpa+i2Cy2Tbm1WU=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=lLKv1m8wgvuLUcnRyYK1vbDLxXM8nyOVcR/kKHVZgqZFcvAlvsPweYpwYWq3ksPfnjGWazcThiB/kJyeWoe5mBgW1ZDN/CmtokHTh0vF4cBCKnQiCC562hT2TMNk3x1FFyYuqqwSAyEcWBnWxsQQ/zE82R1hze17suFdjc/ICGg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--bqe.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=Jqong9Ns; arc=none smtp.client-ip=209.85.128.73 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--bqe.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="Jqong9Ns" Received: by mail-wm1-f73.google.com with SMTP id 5b1f17b1804b1-4538f375e86so50836765e9.3 for ; Wed, 13 Aug 2025 08:35:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1755099358; x=1755704158; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=0wAb9+mVefgM/g0S0IITXMqNjygEyOxwctOAsMxRGu8=; b=Jqong9NsIwAXxI6yy84qAT4zB7xusndulUfj0r4sC8bFTIt0KscbanfJOOFHTcQ3gz 9xZ2Z37ScVqTt3VU4pr+mqMlknu0KiUAvijApHfjVf4LGFZUk/8LteRi/d0mXQKtkhT7 iSHFFE5p4kwg8txOjiMzR1syEQ+0mYB4Ex6hFb9VsA+FOTKqkkQQJ8rcTpv4U+aXJrhQ E0r5reu4FOUaTWS5zWD68JIiMGDPh8YMLwfqcUpKMQbo2bu7JQvuSct/1UhX/EtaihvK QwNsFApQ58eU3IAWSwnfawZm2LwKD0C+AFuL6sJlapabn+oxIZv7BAdb4Kj2TtgOa5ri 5YPg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1755099358; x=1755704158; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=0wAb9+mVefgM/g0S0IITXMqNjygEyOxwctOAsMxRGu8=; b=ER+j2X+xHJsajDa5/wrkqqJHwTsy67sOe91z6gltMv9A4FCtxG7/HSuYU3yjXTbk/W GNQb6xf34AQGJpHD1otSN2w4dIsBkbNV6jT5rA/TGRwgT3+v+0wooAKunqii45ygYRV3 8HzciteY4MvqKSs13brxf8ftCpnESRvO7qmVWhJCMoNkLuDa0ZExbNo2mCWQAESymrO8 g3vfd3RqOwFvdeWSh9q5NM8Y/F9yRU0PIKiyazQ7skbyvDUxdCqEJ7wESInDDr9Bpyca GX0bzZbgTGGU86xRhd1GuFN70JKj0BxGHPXGimdbGfle0V/0qjWPzs+edc4r/PPN46vF ZrLQ== X-Forwarded-Encrypted: i=1; AJvYcCV/9OyTUZdLqi9mXd9g/vAMe5pVyGx9Y8LeClEjXT/pc0GpduCJdc2h3UTJjEi8miS2ryyWVbJQT79Rozs=@vger.kernel.org X-Gm-Message-State: AOJu0YzAYrusxBtFu47gddPDi5iCilsLi0Ts4RgDL7lBSxc9+/pQYI8D k6WdEPcqY6hZdA3SqXbjUDuM95Gt71Dv96L/m/e3+mJ+KNjsc21LEkYZSkT41QJsmtSPzw== X-Google-Smtp-Source: AGHT+IFz51RtwEjUOWxOiNS5p9bPIxjtuQN8w5lwpgxOq2+IaeC15Xn2UgM8jyxrEnCM5dEe0dtfbJY= X-Received: from wmcn17-n2.prod.google.com ([2002:a05:600c:c0d1:20b0:458:c02c:3ccd]) (user=bqe job=prod-delivery.src-stubby-dispatcher) by 2002:a05:600c:3ba0:b0:459:f90e:4f5a with SMTP id 5b1f17b1804b1-45a1a91d646mr3652385e9.15.1755099357866; Wed, 13 Aug 2025 08:35:57 -0700 (PDT) Date: Wed, 13 Aug 2025 15:35:45 +0000 In-Reply-To: <20250813153548.1650533-1-bqe@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20250813153548.1650533-1-bqe@google.com> X-Mailer: git-send-email 2.51.0.rc0.205.g4a044479a3-goog Message-ID: <20250813153548.1650533-5-bqe@google.com> Subject: [PATCH v14 4/5] rust: add find_bit_benchmark_rust module. From: Burak Emir To: Yury Norov , Kees Cook Cc: Burak Emir , Rasmus Villemoes , Viresh Kumar , Miguel Ojeda , Alex Gaynor , Boqun Feng , Gary Guo , "=?UTF-8?q?Bj=C3=B6rn=20Roy=20Baron?=" , Benno Lossin , Andreas Hindborg , Alice Ryhl , Trevor Gross , "Gustavo A . R . Silva" , Carlos LLama , Pekka Ristola , rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Microbenchmark protected by a config FIND_BIT_BENCHMARK_RUST, following `find_bit_benchmark.c` but testing the Rust Bitmap API. We add a fill_random() method protected by the config in order to maintain the abstraction. The sample output from the benchmark, both C and Rust version: find_bit_benchmark.c output: ``` Start testing find_bit() with random-filled bitmap [ 438.101937] find_next_bit: 860188 ns, 163419 iterations [ 438.109471] find_next_zero_bit: 912342 ns, 164262 iterations [ 438.116820] find_last_bit: 726003 ns, 163419 iterations [ 438.130509] find_nth_bit: 7056993 ns, 16269 iterations [ 438.139099] find_first_bit: 1963272 ns, 16270 iterations [ 438.173043] find_first_and_bit: 27314224 ns, 32654 iterations [ 438.180065] find_next_and_bit: 398752 ns, 73705 iterations [ 438.186689] Start testing find_bit() with sparse bitmap [ 438.193375] find_next_bit: 9675 ns, 656 iterations [ 438.201765] find_next_zero_bit: 1766136 ns, 327025 iterations [ 438.208429] find_last_bit: 9017 ns, 656 iterations [ 438.217816] find_nth_bit: 2749742 ns, 655 iterations [ 438.225168] find_first_bit: 721799 ns, 656 iterations [ 438.231797] find_first_and_bit: 2819 ns, 1 iterations [ 438.238441] find_next_and_bit: 3159 ns, 1 iterations ``` find_bit_benchmark_rust.rs output: ``` [ 451.182459] find_bit_benchmark_rust: [ 451.186688] Start testing find_bit() Rust with random-filled bitmap [ 451.194450] next_bit: 777950 ns, 163644 iterations [ 451.201997] next_zero_bit: 918889 ns, 164036 iterations [ 451.208642] Start testing find_bit() Rust with sparse bitmap [ 451.214300] next_bit: 9181 ns, 654 iterations [ 451.222806] next_zero_bit: 1855504 ns, 327026 iterations ``` Here are the results from 32 samples, with 95% confidence interval. The microbenchmark was built with RUST_BITMAP_HARDENED=3Dn and run on a machine that did not execute other processes. Random-filled bitmap: +-----------+-------+-----------+--------------+-----------+-----------+ | Benchmark | Lang | Mean (ms) | Std Dev (ms) | 95% CI Lo | 95% CI Hi | +-----------+-------+-----------+--------------+-----------+-----------+ | find_bit/ | C | 825.07 | 53.89 | 806.40 | 843.74 | | next_bit | Rust | 870.91 | 46.29 | 854.88 | 886.95 | +-----------+-------+-----------+--------------+-----------+-----------+ | find_zero/| C | 933.56 | 56.34 | 914.04 | 953.08 | | next_zero | Rust | 945.85 | 60.44 | 924.91 | 966.79 | +-----------+-------+-----------+--------------+-----------+-----------+ Rust appears 5.5% slower for next_bit, 1.3% slower for next_zero. Sparse bitmap: +-----------+-------+-----------+--------------+-----------+-----------+ | Benchmark | Lang | Mean (ms) | Std Dev (ms) | 95% CI Lo | 95% CI Hi | +-----------+-------+-----------+--------------+-----------+-----------+ | find_bit/ | C | 13.17 | 6.21 | 11.01 | 15.32 | | next_bit | Rust | 14.30 | 8.27 | 11.43 | 17.17 | +-----------+-------+-----------+--------------+-----------+-----------+ | find_zero/| C | 1859.31 | 82.30 | 1830.80 | 1887.83 | | next_zero | Rust | 1908.09 | 139.82 | 1859.65 | 1956.54 | +-----------+-------+-----------+--------------+-----------+-----------+ Rust appears 8.5% slower for next_bit, 2.6% slower for next_zero. In summary, taking the arithmetic mean of all slow-downs, we can say the Rust API has a 4.5% slowdown. Suggested-by: Alice Ryhl Suggested-by: Yury Norov [NVIDIA] Reviewed-by: Yury Norov [NVIDIA] Reviewed-by: Alice Ryhl Signed-off-by: Burak Emir Tested-by: Alice Ryhl --- MAINTAINERS | 1 + lib/Kconfig.debug | 13 ++++ lib/Makefile | 1 + lib/find_bit_benchmark_rust.rs | 104 ++++++++++++++++++++++++++++++++ rust/bindings/bindings_helper.h | 1 + rust/kernel/bitmap.rs | 15 +++++ 6 files changed, 135 insertions(+) create mode 100644 lib/find_bit_benchmark_rust.rs diff --git a/MAINTAINERS b/MAINTAINERS index 1760df683cd2..f99e7f4eb4ca 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -4306,6 +4306,7 @@ M: Alice Ryhl M: Burak Emir R: Yury Norov S: Maintained +F: lib/find_bit_benchmark_rust.rs F: rust/kernel/bitmap.rs =20 BITOPS API diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug index dc0e0c6ed075..386232d81a0e 100644 --- a/lib/Kconfig.debug +++ b/lib/Kconfig.debug @@ -2607,6 +2607,19 @@ config FIND_BIT_BENCHMARK =20 If unsure, say N. =20 +config FIND_BIT_BENCHMARK_RUST + tristate "Test find_bit functions in Rust" + depends on RUST + help + This builds the "find_bit_benchmark_rust" module. It is a micro + benchmark that measures the performance of Rust functions that + correspond to the find_*_bit() operations in C. It follows the + FIND_BIT_BENCHMARK closely but will in general not yield same + numbers due to extra bounds checks and overhead of foreign + function calls. + + If unsure, say N. + config TEST_FIRMWARE tristate "Test firmware loading via userspace interface" depends on FW_LOADER diff --git a/lib/Makefile b/lib/Makefile index 392ff808c9b9..96a83b937a60 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -62,6 +62,7 @@ obj-y +=3D hexdump.o obj-$(CONFIG_TEST_HEXDUMP) +=3D test_hexdump.o obj-y +=3D kstrtox.o obj-$(CONFIG_FIND_BIT_BENCHMARK) +=3D find_bit_benchmark.o +obj-$(CONFIG_FIND_BIT_BENCHMARK_RUST) +=3D find_bit_benchmark_rust.o obj-$(CONFIG_TEST_BPF) +=3D test_bpf.o test_dhry-objs :=3D dhry_1.o dhry_2.o dhry_run.o obj-$(CONFIG_TEST_DHRY) +=3D test_dhry.o diff --git a/lib/find_bit_benchmark_rust.rs b/lib/find_bit_benchmark_rust.rs new file mode 100644 index 000000000000..6bdc51de2f30 --- /dev/null +++ b/lib/find_bit_benchmark_rust.rs @@ -0,0 +1,104 @@ +// SPDX-License-Identifier: GPL-2.0 +//! Benchmark for find_bit-like methods in Bitmap Rust API. + +use kernel::alloc::flags::GFP_KERNEL; +use kernel::bindings; +use kernel::bitmap::BitmapVec; +use kernel::error::{code, Result}; +use kernel::prelude::module; +use kernel::time::{Instant, Monotonic}; +use kernel::ThisModule; +use kernel::{pr_cont, pr_err}; + +const BITMAP_LEN: usize =3D 4096 * 8 * 10; +// Reciprocal of the fraction of bits that are set in sparse bitmap. +const SPARSENESS: usize =3D 500; + +/// Test module that benchmarks performance of traversing bitmaps. +struct Benchmark(); + +fn test_next_bit(bitmap: &BitmapVec) { + let time =3D Instant::::now(); + let mut cnt =3D 0; + let mut i =3D 0; + + while let Some(index) =3D bitmap.next_bit(i) { + cnt +=3D 1; + i =3D index + 1; + // CONFIG_RUST_BITMAP_HARDENED enforces strict bounds. + if i =3D=3D BITMAP_LEN { + break; + } + } + + let delta =3D time.elapsed(); + pr_cont!( + "\nnext_bit: {:18} ns, {:6} iterations", + delta.as_nanos(), + cnt + ); +} + +fn test_next_zero_bit(bitmap: &BitmapVec) { + let time =3D Instant::::now(); + let mut cnt =3D 0; + let mut i =3D 0; + + while let Some(index) =3D bitmap.next_zero_bit(i) { + cnt +=3D 1; + i =3D index + 1; + // CONFIG_RUST_BITMAP_HARDENED enforces strict bounds. + if i =3D=3D BITMAP_LEN { + break; + } + } + + let delta =3D time.elapsed(); + pr_cont!( + "\nnext_zero_bit: {:18} ns, {:6} iterations", + delta.as_nanos(), + cnt + ); +} + +fn find_bit_test() { + pr_err!("Benchmark"); + pr_cont!("\nStart testing find_bit() Rust with random-filled bitmap"); + + let mut bitmap =3D BitmapVec::new(BITMAP_LEN, GFP_KERNEL).expect("allo= c bitmap failed"); + bitmap.fill_random(); + + test_next_bit(&bitmap); + test_next_zero_bit(&bitmap); + + pr_cont!("\nStart testing find_bit() Rust with sparse bitmap"); + + let mut bitmap =3D BitmapVec::new(BITMAP_LEN, GFP_KERNEL).expect("allo= c sparse bitmap failed"); + let nbits =3D BITMAP_LEN / SPARSENESS; + for _i in 0..nbits { + // SAFETY: __get_random_u32_below is safe to call with any u32 arg= ument. + let bit =3D + unsafe { bindings::__get_random_u32_below(BITMAP_LEN.try_into(= ).unwrap()) as usize }; + bitmap.set_bit(bit); + } + + test_next_bit(&bitmap); + test_next_zero_bit(&bitmap); + pr_cont!("\n"); +} + +impl kernel::Module for Benchmark { + fn init(_module: &'static ThisModule) -> Result { + find_bit_test(); + // Return error so test module can be inserted again without rmmod. + Err(code::EINVAL) + } +} + +module! { + type: Benchmark, + name: "find_bit_benchmark_rust", + authors: ["Burak Emir "], + description: "Module with benchmark for bitmap Rust API", + license: "GPL v2", +} diff --git a/rust/bindings/bindings_helper.h b/rust/bindings/bindings_helpe= r.h index 7bb575043c86..5d58316f871e 100644 --- a/rust/bindings/bindings_helper.h +++ b/rust/bindings/bindings_helper.h @@ -67,6 +67,7 @@ #include #include #include +#include #include #include #include diff --git a/rust/kernel/bitmap.rs b/rust/kernel/bitmap.rs index 9235808dc03c..6e0824579781 100644 --- a/rust/kernel/bitmap.rs +++ b/rust/kernel/bitmap.rs @@ -252,6 +252,21 @@ pub fn new(nbits: usize, flags: Flags) -> Result { pub fn len(&self) -> usize { self.nbits } + + /// Fills this `Bitmap` with random bits. + #[cfg(CONFIG_FIND_BIT_BENCHMARK_RUST)] + pub fn fill_random(&mut self) { + // SAFETY: `self.as_mut_ptr` points to either an array of the + // appropriate length or one usize. + unsafe { + bindings::get_random_bytes( + self.as_mut_ptr().cast::(), + usize::div_ceil(self.nbits, bindings::BITS_PER_LONG as usi= ze) + * bindings::BITS_PER_LONG as usize + / 8, + ); + } + } } =20 impl Bitmap { --=20 2.51.0.rc0.205.g4a044479a3-goog From nobody Sat Oct 4 19:18:47 2025 Received: from mail-wr1-f73.google.com (mail-wr1-f73.google.com [209.85.221.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8054027876E for ; Wed, 13 Aug 2025 15:36:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.73 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1755099362; cv=none; b=lP3tvWCLGQXSxxBTtP0Bb6WsgxzM8gi2DpIo7ne5ZBn2bnzHbxT/qMuYQuyo4QpZixxNa/NveEDot2YJymBV9JKyUO4UulnRmh5HKGoDOrZ8OJv1oemt6CSaB72t19rTx8xnEo8gX6HZsT+ICCc1KwO89/8x3PtgTgu/t2YdIIs= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1755099362; c=relaxed/simple; bh=F5kXql9KZ2X4USku+sOKmVRv0Iqmm+ZJUglBQyfyi/Y=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=Bq/ktYZefy2tBObRH0ngNFOGvenRDVTrpEEt1hlIHefNzP1QpGwXmLtdpCjoLBmJfL6B77Xv+n3iC2gvtOI9NZixYR8mzDcu2nQoBWm4mDg7FO9qynRNBU9fNQhj3FkTVGICAhdp3DEJsakTqHvPCjwbHZb2XyhGxUCCqNpvqOk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--bqe.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=uyq5xvXp; arc=none smtp.client-ip=209.85.221.73 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--bqe.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="uyq5xvXp" Received: by mail-wr1-f73.google.com with SMTP id ffacd0b85a97d-3b7961b3c82so3281312f8f.0 for ; Wed, 13 Aug 2025 08:36:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1755099359; x=1755704159; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=WCnniwx/eqVo4rkrzyGEOkcRV4/yTE/g13esoeTQj24=; b=uyq5xvXpXWwkDtMaBMuWp3VF+DNb5nn9mcmeM+ZaFEk6qXXlQOkXmyOMqEcoX9zTfM X73SNN5XXxl2JtW+L4GxdoR7WId3iusYBQ16dgo/fwU9qDUJw+jln64BLP0neK+CDq15 5Vwrb5l6R+p9zFkHEp+151WXK2befE+CXK9EYO3QrrrZw3Z5Wb6lkUv38teXS6cRUrGs iPV4uDDxzV4oaMjnKcidmYqFkZmasGZ0wHN2AhqBjPL9o2LJbviGUWCBIOSlw17L3w2C cBXpDKOimtw2DuIKsbbPOWLO8F5EDpFv5wpM+JYnAnXPMDCAaMKFNPlhVn2vwdyyPEbX 1KBw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1755099359; x=1755704159; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=WCnniwx/eqVo4rkrzyGEOkcRV4/yTE/g13esoeTQj24=; b=m3/M/bScb/6LbtSO9AD1Qp9UUzOudmN23sqm3IeNFMq+UQzssKd1WcNlmfUhdCRM3J ySh0bEgv0uLxSFjitTKa3bHLSfnTrFzJChR34bZx6uPZsRJtjQ1vRA6ssciUA3NAyJDY uUjSTXRhaZiBJ4dkE5X0UGzteIfKFf0L9Rap4308kEu5valSWAFl4VUmvAjeAcmbT83+ K08riGDDkHsN1DZy4MRuak8Z5uX1C2TpQrlx0Gu0bzz5dJxWQRdfzB5p0N4hIwzbsnYL Rw1GTsUjkJ0YW8APUASgJ34vg6tZsuxJTaYsJbZOKUA3D7oBk5zNigdLhlBC6R3JbB4P aT7g== X-Forwarded-Encrypted: i=1; AJvYcCWlG+Y+zjKY7no4bQxG7hlpNGf3U9iXlLNYScMGA1pW7nS//btipbOL2FbB/ECKhtNzuMDyxIZnK5MtJB4=@vger.kernel.org X-Gm-Message-State: AOJu0Yyfdezgn2kRAh+1LrSbwo4kXfoHk8xdgQFkUK/pBo+HmMcDGOWA AljOmn2Hc43bYJvfCiYqC9WJGGPemCV8/HJqlCQm+lediJv3kBhUdCsmgLNHtOSeo7rDNA== X-Google-Smtp-Source: AGHT+IEHPzq6y4J4pJvIHhMiUq2CFDTTFGiDrKu9ZaRgdB2JgJm0ylY+MzAx9WvcsZVuurEQGVFvtT8= X-Received: from wmby25-n1.prod.google.com ([2002:a05:600c:c059:10b0:459:d776:c35d]) (user=bqe job=prod-delivery.src-stubby-dispatcher) by 2002:a05:6000:2501:b0:3a4:df80:7284 with SMTP id ffacd0b85a97d-3b917d2aa74mr2917052f8f.1.1755099358779; Wed, 13 Aug 2025 08:35:58 -0700 (PDT) Date: Wed, 13 Aug 2025 15:35:46 +0000 In-Reply-To: <20250813153548.1650533-1-bqe@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20250813153548.1650533-1-bqe@google.com> X-Mailer: git-send-email 2.51.0.rc0.205.g4a044479a3-goog Message-ID: <20250813153548.1650533-6-bqe@google.com> Subject: [PATCH v14 5/5] rust: add dynamic ID pool abstraction for bitmap From: Burak Emir To: Yury Norov , Kees Cook Cc: Burak Emir , Rasmus Villemoes , Viresh Kumar , Miguel Ojeda , Alex Gaynor , Boqun Feng , Gary Guo , "=?UTF-8?q?Bj=C3=B6rn=20Roy=20Baron?=" , Benno Lossin , Andreas Hindborg , Alice Ryhl , Trevor Gross , "Gustavo A . R . Silva" , Carlos LLama , Pekka Ristola , rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" This is a port of the Binder data structure introduced in commit 15d9da3f818c ("binder: use bitmap for faster descriptor lookup") to Rust. Like drivers/android/dbitmap.h, the ID pool abstraction lets clients acquire and release IDs. The implementation uses a bitmap to know what IDs are in use, and gives clients fine-grained control over the time of allocation. This fine-grained control is needed in the Android Binder. We provide an example that release a spinlock for allocation and unit tests (rustdoc examples). The implementation does not permit shrinking below capacity below BITS_PER_LONG. Suggested-by: Alice Ryhl Suggested-by: Yury Norov Reviewed-by: Alice Ryhl Signed-off-by: Burak Emir Tested-by: Alice Ryhl --- MAINTAINERS | 1 + rust/kernel/id_pool.rs | 226 +++++++++++++++++++++++++++++++++++++++++ rust/kernel/lib.rs | 1 + 3 files changed, 228 insertions(+) create mode 100644 rust/kernel/id_pool.rs diff --git a/MAINTAINERS b/MAINTAINERS index f99e7f4eb4ca..e62bebfffa9c 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -4308,6 +4308,7 @@ R: Yury Norov S: Maintained F: lib/find_bit_benchmark_rust.rs F: rust/kernel/bitmap.rs +F: rust/kernel/id_pool.rs =20 BITOPS API M: Yury Norov diff --git a/rust/kernel/id_pool.rs b/rust/kernel/id_pool.rs new file mode 100644 index 000000000000..a41a3404213c --- /dev/null +++ b/rust/kernel/id_pool.rs @@ -0,0 +1,226 @@ +// SPDX-License-Identifier: GPL-2.0 + +// Copyright (C) 2025 Google LLC. + +//! Rust API for an ID pool backed by a [`BitmapVec`]. + +use crate::alloc::{AllocError, Flags}; +use crate::bitmap::BitmapVec; + +const BITS_PER_LONG: usize =3D bindings::BITS_PER_LONG as usize; + +/// Represents a dynamic ID pool backed by a [`BitmapVec`]. +/// +/// Clients acquire and release IDs from unset bits in a bitmap. +/// +/// The capacity of the ID pool may be adjusted by users as +/// needed. The API supports the scenario where users need precise control +/// over the time of allocation of a new backing bitmap, which may require +/// release of spinlock. +/// Due to concurrent updates, all operations are re-verified to determine +/// if the grow or shrink is sill valid. +/// +/// # Examples +/// +/// Basic usage +/// +/// ``` +/// use kernel::alloc::{AllocError, flags::GFP_KERNEL}; +/// use kernel::id_pool::IdPool; +/// +/// let mut pool =3D IdPool::new(64, GFP_KERNEL)?; +/// for i in 0..64 { +/// assert_eq!(i, pool.acquire_next_id(i).ok_or(ENOSPC)?); +/// } +/// +/// pool.release_id(23); +/// assert_eq!(23, pool.acquire_next_id(0).ok_or(ENOSPC)?); +/// +/// assert_eq!(None, pool.acquire_next_id(0)); // time to realloc. +/// let resizer =3D pool.grow_request().ok_or(ENOSPC)?.realloc(GFP_KERNEL)= ?; +/// pool.grow(resizer); +/// +/// assert_eq!(pool.acquire_next_id(0), Some(64)); +/// # Ok::<(), Error>(()) +/// ``` +/// +/// Releasing spinlock to grow the pool +/// +/// ```no_run +/// use kernel::alloc::{AllocError, flags::GFP_KERNEL}; +/// use kernel::sync::{new_spinlock, SpinLock}; +/// use kernel::id_pool::IdPool; +/// +/// fn get_id_maybe_realloc(guarded_pool: &SpinLock) -> Result { +/// let mut pool =3D guarded_pool.lock(); +/// loop { +/// match pool.acquire_next_id(0) { +/// Some(index) =3D> return Ok(index), +/// None =3D> { +/// let alloc_request =3D pool.grow_request(); +/// drop(pool); +/// let resizer =3D alloc_request.ok_or(AllocError)?.reall= oc(GFP_KERNEL)?; +/// pool =3D guarded_pool.lock(); +/// pool.grow(resizer) +/// } +/// } +/// } +/// } +/// ``` +pub struct IdPool { + map: BitmapVec, +} + +/// Indicates that an [`IdPool`] should change to a new target size. +pub struct ReallocRequest { + num_ids: usize, +} + +/// Contains a [`BitmapVec`] of a size suitable for reallocating [`IdPool`= ]. +pub struct PoolResizer { + new: BitmapVec, +} + +impl ReallocRequest { + /// Allocates a new backing [`BitmapVec`] for [`IdPool`]. + /// + /// This method only prepares reallocation and does not complete it. + /// Reallocation will complete after passing the [`PoolResizer`] to the + /// [`IdPool::grow`] or [`IdPool::shrink`] operation, which will check + /// that reallocation still makes sense. + pub fn realloc(&self, flags: Flags) -> Result= { + let new =3D BitmapVec::new(self.num_ids, flags)?; + Ok(PoolResizer { new }) + } +} + +impl IdPool { + /// Constructs a new [`IdPool`]. + /// + /// A capacity below [`BITS_PER_LONG`] is adjusted to + /// [`BITS_PER_LONG`]. + /// + /// [`BITS_PER_LONG`]: srctree/include/asm-generic/bitsperlong.h + #[inline] + pub fn new(num_ids: usize, flags: Flags) -> Result { + let num_ids =3D core::cmp::max(num_ids, BITS_PER_LONG); + let map =3D BitmapVec::new(num_ids, flags)?; + Ok(Self { map }) + } + + /// Returns how many IDs this pool can currently have. + #[inline] + pub fn capacity(&self) -> usize { + self.map.len() + } + + /// Returns a [`ReallocRequest`] if the [`IdPool`] can be shrunk, [`No= ne`] otherwise. + /// + /// The capacity of an [`IdPool`] cannot be shrunk below [`BITS_PER_LO= NG`]. + /// + /// [`BITS_PER_LONG`]: srctree/include/asm-generic/bitsperlong.h + /// + /// # Examples + /// + /// ``` + /// use kernel::alloc::{AllocError, flags::GFP_KERNEL}; + /// use kernel::id_pool::{ReallocRequest, IdPool}; + /// + /// let mut pool =3D IdPool::new(1024, GFP_KERNEL)?; + /// let alloc_request =3D pool.shrink_request().ok_or(AllocError)?; + /// let resizer =3D alloc_request.realloc(GFP_KERNEL)?; + /// pool.shrink(resizer); + /// assert_eq!(pool.capacity(), kernel::bindings::BITS_PER_LONG as usi= ze); + /// # Ok::<(), AllocError>(()) + /// ``` + #[inline] + pub fn shrink_request(&self) -> Option { + let cap =3D self.capacity(); + // Shrinking below [`BITS_PER_LONG`] is never possible. + if cap <=3D BITS_PER_LONG { + return None; + } + // Determine if the bitmap can shrink based on the position of + // its last set bit. If the bit is within the first quarter of + // the bitmap then shrinking is possible. In this case, the + // bitmap should shrink to half its current size. + let Some(bit) =3D self.map.last_bit() else { + return Some(ReallocRequest { + num_ids: BITS_PER_LONG, + }); + }; + if bit >=3D (cap / 4) { + return None; + } + let num_ids =3D usize::max(BITS_PER_LONG, cap / 2); + Some(ReallocRequest { num_ids }) + } + + /// Shrinks pool by using a new [`BitmapVec`], if still possible. + #[inline] + pub fn shrink(&mut self, mut resizer: PoolResizer) { + // Between request to shrink that led to allocation of `resizer` a= nd now, + // bits may have changed. + // Verify that shrinking is still possible. In case shrinking to + // the size of `resizer` is no longer possible, do nothing, + // drop `resizer` and move on. + let Some(updated) =3D self.shrink_request() else { + return; + }; + if updated.num_ids > resizer.new.len() { + return; + } + + resizer.new.copy_and_extend(&self.map); + self.map =3D resizer.new; + } + + /// Returns a [`ReallocRequest`] for growing this [`IdPool`], if possi= ble. + /// + /// The capacity of an [`IdPool`] cannot be grown above [`i32::MAX`]. + #[inline] + pub fn grow_request(&self) -> Option { + let num_ids =3D self.capacity() * 2; + if num_ids > i32::MAX.try_into().unwrap() { + return None; + } + Some(ReallocRequest { num_ids }) + } + + /// Grows pool by using a new [`BitmapVec`], if still necessary. + /// + /// The `resizer` arguments has to be obtained by calling [`Self::grow= _request`] + /// on this object and performing a [`ReallocRequest::realloc`]. + #[inline] + pub fn grow(&mut self, mut resizer: PoolResizer) { + // Between request to grow that led to allocation of `resizer` and= now, + // another thread may have already grown the capacity. + // In this case, do nothing, drop `resizer` and move on. + if resizer.new.len() <=3D self.capacity() { + return; + } + + resizer.new.copy_and_extend(&self.map); + self.map =3D resizer.new; + } + + /// Acquires a new ID by finding and setting the next zero bit in the + /// bitmap. + /// + /// Upon success, returns its index. Otherwise, returns [`None`] + /// to indicate that a [`Self::grow_request`] is needed. + #[inline] + pub fn acquire_next_id(&mut self, offset: usize) -> Option { + let next_zero_bit =3D self.map.next_zero_bit(offset); + if let Some(nr) =3D next_zero_bit { + self.map.set_bit(nr); + } + next_zero_bit + } + + /// Releases an ID. + #[inline] + pub fn release_id(&mut self, id: usize) { + self.map.clear_bit(id); + } +} diff --git a/rust/kernel/lib.rs b/rust/kernel/lib.rs index 586be7f246eb..9b8a6c386c52 100644 --- a/rust/kernel/lib.rs +++ b/rust/kernel/lib.rs @@ -90,6 +90,7 @@ pub mod firmware; pub mod fmt; pub mod fs; +pub mod id_pool; pub mod init; pub mod io; pub mod ioctl; --=20 2.51.0.rc0.205.g4a044479a3-goog