mirror of
https://github.com/torvalds/linux.git
synced 2025-08-17 23:22:18 +02:00
4e82c87058
Toolchain and infrastructure:
- Extract the 'pin-init' API from the 'kernel' crate and make it into
a standalone crate.
In order to do this, the contents are rearranged so that they can
easily be kept in sync with the version maintained out-of-tree that
other projects have started to use too (or plan to, like QEMU).
This will reduce the maintenance burden for Benno, who will now have
his own sub-tree, and will simplify future expected changes like the
move to use 'syn' to simplify the implementation.
- Add '#[test]'-like support based on KUnit.
We already had doctests support based on KUnit, which takes the
examples in our Rust documentation and runs them under KUnit.
Now, we are adding the beginning of the support for "normal" tests,
similar to those the '#[test]' tests in userspace Rust. For instance:
#[kunit_tests(my_suite)]
mod tests {
#[test]
fn my_test() {
assert_eq!(1 + 1, 2);
}
}
Unlike with doctests, the 'assert*!'s do not map to the KUnit
assertion APIs yet.
- Check Rust signatures at compile time for functions called from C by
name.
In particular, introduce a new '#[export]' macro that can be placed
in the Rust function definition. It will ensure that the function
declaration on the C side matches the signature on the Rust function:
#[export]
pub unsafe extern "C" fn my_function(a: u8, b: i32) -> usize {
// ...
}
The macro essentially forces the compiler to compare the types of
the actual Rust function and the 'bindgen'-processed C signature.
These cases are rare so far. In the future, we may consider
introducing another tool, 'cbindgen', to generate C headers
automatically. Even then, having these functions explicitly marked
may be a good idea anyway.
- Enable the 'raw_ref_op' Rust feature: it is already stable, and
allows us to use the new '&raw' syntax, avoiding a couple macros.
After everyone has migrated, we will disallow the macros.
- Pass the correct target to 'bindgen' on Usermode Linux.
- Fix 'rusttest' build in macOS.
'kernel' crate:
- New 'hrtimer' module: add support for setting up intrusive timers
without allocating when starting the timer. Add support for
'Pin<Box<_>>', 'Arc<_>', 'Pin<&_>' and 'Pin<&mut _>' as pointer types
for use with timer callbacks. Add support for setting clock source
and timer mode.
- New 'dma' module: add a simple DMA coherent allocator abstraction and
a test sample driver.
- 'list' module: make the linked list 'Cursor' point between elements,
rather than at an element, which is more convenient to us and allows
for cursors to empty lists; and document it with examples of how to
perform common operations with the provided methods.
- 'str' module: implement a few traits for 'BStr' as well as the
'strip_prefix()' method.
- 'sync' module: add 'Arc::as_ptr'.
- 'alloc' module: add 'Box::into_pin'.
- 'error' module: extend the 'Result' documentation, including a few
examples on different ways of handling errors, a warning about using
methods that may panic, and links to external documentation.
'macros' crate:
- 'module' macro: add the 'authors' key to support multiple authors.
The original key will be kept until everyone has migrated.
Documentation:
- Add error handling sections.
MAINTAINERS:
- Add Danilo Krummrich as reviewer of the Rust "subsystem".
- Add 'RUST [PIN-INIT]' entry with Benno Lossin as maintainer. It has
its own sub-tree.
- Add sub-tree for 'RUST [ALLOC]'.
- Add 'DMA MAPPING HELPERS DEVICE DRIVER API [RUST]' entry with Abdiel
Janulgue as primary maintainer. It will go through the sub-tree of
the 'RUST [ALLOC]' entry.
- Add 'HIGH-RESOLUTION TIMERS [RUST]' entry with Andreas Hindborg as
maintainer. It has its own sub-tree.
And a few other cleanups and improvements.
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEPjU5OPd5QIZ9jqqOGXyLc2htIW0FAmfpQgAACgkQGXyLc2ht
IW35CQ//VOIFKtG6qgHVMIxrmpT7YFsrAU41h+cHT2lzy5KiTqSYlCgd18SJ+Iyy
vi1ylfdyqOpH5EoO+opPN2H4E+VUlRJg7BkZrT4p1lgGDEKg1mtR/825TxquLNFM
A653f3FvK/scMb6X43kWNKGK/jnxlfxBGmUwIY4/p7+adIuZzXnNbPkV9XYGLx3r
8KIBKJ9gM52eXoCoF8XJpg6Vg/0rYWIet32OzYF0PvzSAOqUlH4keu15jeUo+59V
tgCzAkc2yV3oSo721KYlpPeCPKI5iVCzIcwT0n8fqraXtgGnaFPe5XF16U9Qvrjv
vRp5/dePAHwsOcj5ErzOgLMqGa1sqY76lxDI05PNcBJ8fBAhNEV/rpCTXs/wRagQ
xUZOdsQyEn0V/BOtV+dnwu410dElEeJdOAeojSYFm1gUay43a0e6yIboxn3Ylnfx
8jONSokZ/UFHX3wOFNqHeXsY+REB8Qq8OZXjNBZVFpKHNsICWA0G3BcCRnB1815k
0v7seSdrST78EJ/A5nM0a9gghuLzYgAN04SDx0FzKjb2mHs3PiVfXDvrNMCJ0pBW
zbF9RlvszKZStY5tpxdZ5Zh+f7rfYcnJHYhNpoP7DJr136iWP+NnHbk1lK6+o4WY
lPVdMMgUSUlEXIHgK2ebcb/I1KBrDYiPktmvKAFLrH3qVzhkLAU=
=PCxf
-----END PGP SIGNATURE-----
Merge tag 'rust-6.15' of git://git.kernel.org/pub/scm/linux/kernel/git/ojeda/linux
Pull Rust updates from Miguel Ojeda:
"Toolchain and infrastructure:
- Extract the 'pin-init' API from the 'kernel' crate and make it into
a standalone crate.
In order to do this, the contents are rearranged so that they can
easily be kept in sync with the version maintained out-of-tree that
other projects have started to use too (or plan to, like QEMU).
This will reduce the maintenance burden for Benno, who will now
have his own sub-tree, and will simplify future expected changes
like the move to use 'syn' to simplify the implementation.
- Add '#[test]'-like support based on KUnit.
We already had doctests support based on KUnit, which takes the
examples in our Rust documentation and runs them under KUnit.
Now, we are adding the beginning of the support for "normal" tests,
similar to those the '#[test]' tests in userspace Rust. For
instance:
#[kunit_tests(my_suite)]
mod tests {
#[test]
fn my_test() {
assert_eq!(1 + 1, 2);
}
}
Unlike with doctests, the 'assert*!'s do not map to the KUnit
assertion APIs yet.
- Check Rust signatures at compile time for functions called from C
by name.
In particular, introduce a new '#[export]' macro that can be placed
in the Rust function definition. It will ensure that the function
declaration on the C side matches the signature on the Rust
function:
#[export]
pub unsafe extern "C" fn my_function(a: u8, b: i32) -> usize {
// ...
}
The macro essentially forces the compiler to compare the types of
the actual Rust function and the 'bindgen'-processed C signature.
These cases are rare so far. In the future, we may consider
introducing another tool, 'cbindgen', to generate C headers
automatically. Even then, having these functions explicitly marked
may be a good idea anyway.
- Enable the 'raw_ref_op' Rust feature: it is already stable, and
allows us to use the new '&raw' syntax, avoiding a couple macros.
After everyone has migrated, we will disallow the macros.
- Pass the correct target to 'bindgen' on Usermode Linux.
- Fix 'rusttest' build in macOS.
'kernel' crate:
- New 'hrtimer' module: add support for setting up intrusive timers
without allocating when starting the timer. Add support for
'Pin<Box<_>>', 'Arc<_>', 'Pin<&_>' and 'Pin<&mut _>' as pointer
types for use with timer callbacks. Add support for setting clock
source and timer mode.
- New 'dma' module: add a simple DMA coherent allocator abstraction
and a test sample driver.
- 'list' module: make the linked list 'Cursor' point between
elements, rather than at an element, which is more convenient to us
and allows for cursors to empty lists; and document it with
examples of how to perform common operations with the provided
methods.
- 'str' module: implement a few traits for 'BStr' as well as the
'strip_prefix()' method.
- 'sync' module: add 'Arc::as_ptr'.
- 'alloc' module: add 'Box::into_pin'.
- 'error' module: extend the 'Result' documentation, including a few
examples on different ways of handling errors, a warning about
using methods that may panic, and links to external documentation.
'macros' crate:
- 'module' macro: add the 'authors' key to support multiple authors.
The original key will be kept until everyone has migrated.
Documentation:
- Add error handling sections.
MAINTAINERS:
- Add Danilo Krummrich as reviewer of the Rust "subsystem".
- Add 'RUST [PIN-INIT]' entry with Benno Lossin as maintainer. It has
its own sub-tree.
- Add sub-tree for 'RUST [ALLOC]'.
- Add 'DMA MAPPING HELPERS DEVICE DRIVER API [RUST]' entry with
Abdiel Janulgue as primary maintainer. It will go through the
sub-tree of the 'RUST [ALLOC]' entry.
- Add 'HIGH-RESOLUTION TIMERS [RUST]' entry with Andreas Hindborg as
maintainer. It has its own sub-tree.
And a few other cleanups and improvements"
* tag 'rust-6.15' of git://git.kernel.org/pub/scm/linux/kernel/git/ojeda/linux: (71 commits)
rust: dma: add `Send` implementation for `CoherentAllocation`
rust: macros: fix `make rusttest` build on macOS
rust: block: refactor to use `&raw mut`
rust: enable `raw_ref_op` feature
rust: uaccess: name the correct function
rust: rbtree: fix comments referring to Box instead of KBox
rust: hrtimer: add maintainer entry
rust: hrtimer: add clocksource selection through `ClockId`
rust: hrtimer: add `HrTimerMode`
rust: hrtimer: implement `HrTimerPointer` for `Pin<Box<T>>`
rust: alloc: add `Box::into_pin`
rust: hrtimer: implement `UnsafeHrTimerPointer` for `Pin<&mut T>`
rust: hrtimer: implement `UnsafeHrTimerPointer` for `Pin<&T>`
rust: hrtimer: add `hrtimer::ScopedHrTimerPointer`
rust: hrtimer: add `UnsafeHrTimerPointer`
rust: hrtimer: allow timer restart from timer handler
rust: str: implement `strip_prefix` for `BStr`
rust: str: implement `AsRef<BStr>` for `[u8]` and `BStr`
rust: str: implement `Index` for `BStr`
rust: str: implement `PartialEq` for `BStr`
...
282 lines
9.6 KiB
Rust
282 lines
9.6 KiB
Rust
// SPDX-License-Identifier: GPL-2.0
|
|
|
|
//! Generic kernel lock and guard.
|
|
//!
|
|
//! It contains a generic Rust lock and guard that allow for different backends (e.g., mutexes,
|
|
//! spinlocks, raw spinlocks) to be provided with minimal effort.
|
|
|
|
use super::LockClassKey;
|
|
use crate::{
|
|
str::CStr,
|
|
types::{NotThreadSafe, Opaque, ScopeGuard},
|
|
};
|
|
use core::{cell::UnsafeCell, marker::PhantomPinned, pin::Pin};
|
|
use pin_init::{pin_data, pin_init, PinInit};
|
|
|
|
pub mod mutex;
|
|
pub mod spinlock;
|
|
|
|
pub(super) mod global;
|
|
pub use global::{GlobalGuard, GlobalLock, GlobalLockBackend, GlobalLockedBy};
|
|
|
|
/// The "backend" of a lock.
|
|
///
|
|
/// It is the actual implementation of the lock, without the need to repeat patterns used in all
|
|
/// locks.
|
|
///
|
|
/// # Safety
|
|
///
|
|
/// - Implementers must ensure that only one thread/CPU may access the protected data once the lock
|
|
/// is owned, that is, between calls to [`lock`] and [`unlock`].
|
|
/// - Implementers must also ensure that [`relock`] uses the same locking method as the original
|
|
/// lock operation.
|
|
///
|
|
/// [`lock`]: Backend::lock
|
|
/// [`unlock`]: Backend::unlock
|
|
/// [`relock`]: Backend::relock
|
|
pub unsafe trait Backend {
|
|
/// The state required by the lock.
|
|
type State;
|
|
|
|
/// The state required to be kept between [`lock`] and [`unlock`].
|
|
///
|
|
/// [`lock`]: Backend::lock
|
|
/// [`unlock`]: Backend::unlock
|
|
type GuardState;
|
|
|
|
/// Initialises the lock.
|
|
///
|
|
/// # Safety
|
|
///
|
|
/// `ptr` must be valid for write for the duration of the call, while `name` and `key` must
|
|
/// remain valid for read indefinitely.
|
|
unsafe fn init(
|
|
ptr: *mut Self::State,
|
|
name: *const crate::ffi::c_char,
|
|
key: *mut bindings::lock_class_key,
|
|
);
|
|
|
|
/// Acquires the lock, making the caller its owner.
|
|
///
|
|
/// # Safety
|
|
///
|
|
/// Callers must ensure that [`Backend::init`] has been previously called.
|
|
#[must_use]
|
|
unsafe fn lock(ptr: *mut Self::State) -> Self::GuardState;
|
|
|
|
/// Tries to acquire the lock.
|
|
///
|
|
/// # Safety
|
|
///
|
|
/// Callers must ensure that [`Backend::init`] has been previously called.
|
|
unsafe fn try_lock(ptr: *mut Self::State) -> Option<Self::GuardState>;
|
|
|
|
/// Releases the lock, giving up its ownership.
|
|
///
|
|
/// # Safety
|
|
///
|
|
/// It must only be called by the current owner of the lock.
|
|
unsafe fn unlock(ptr: *mut Self::State, guard_state: &Self::GuardState);
|
|
|
|
/// Reacquires the lock, making the caller its owner.
|
|
///
|
|
/// # Safety
|
|
///
|
|
/// Callers must ensure that `guard_state` comes from a previous call to [`Backend::lock`] (or
|
|
/// variant) that has been unlocked with [`Backend::unlock`] and will be relocked now.
|
|
unsafe fn relock(ptr: *mut Self::State, guard_state: &mut Self::GuardState) {
|
|
// SAFETY: The safety requirements ensure that the lock is initialised.
|
|
*guard_state = unsafe { Self::lock(ptr) };
|
|
}
|
|
|
|
/// Asserts that the lock is held using lockdep.
|
|
///
|
|
/// # Safety
|
|
///
|
|
/// Callers must ensure that [`Backend::init`] has been previously called.
|
|
unsafe fn assert_is_held(ptr: *mut Self::State);
|
|
}
|
|
|
|
/// A mutual exclusion primitive.
|
|
///
|
|
/// Exposes one of the kernel locking primitives. Which one is exposed depends on the lock
|
|
/// [`Backend`] specified as the generic parameter `B`.
|
|
#[repr(C)]
|
|
#[pin_data]
|
|
pub struct Lock<T: ?Sized, B: Backend> {
|
|
/// The kernel lock object.
|
|
#[pin]
|
|
state: Opaque<B::State>,
|
|
|
|
/// Some locks are known to be self-referential (e.g., mutexes), while others are architecture
|
|
/// or config defined (e.g., spinlocks). So we conservatively require them to be pinned in case
|
|
/// some architecture uses self-references now or in the future.
|
|
#[pin]
|
|
_pin: PhantomPinned,
|
|
|
|
/// The data protected by the lock.
|
|
pub(crate) data: UnsafeCell<T>,
|
|
}
|
|
|
|
// SAFETY: `Lock` can be transferred across thread boundaries iff the data it protects can.
|
|
unsafe impl<T: ?Sized + Send, B: Backend> Send for Lock<T, B> {}
|
|
|
|
// SAFETY: `Lock` serialises the interior mutability it provides, so it is `Sync` as long as the
|
|
// data it protects is `Send`.
|
|
unsafe impl<T: ?Sized + Send, B: Backend> Sync for Lock<T, B> {}
|
|
|
|
impl<T, B: Backend> Lock<T, B> {
|
|
/// Constructs a new lock initialiser.
|
|
pub fn new(t: T, name: &'static CStr, key: Pin<&'static LockClassKey>) -> impl PinInit<Self> {
|
|
pin_init!(Self {
|
|
data: UnsafeCell::new(t),
|
|
_pin: PhantomPinned,
|
|
// SAFETY: `slot` is valid while the closure is called and both `name` and `key` have
|
|
// static lifetimes so they live indefinitely.
|
|
state <- Opaque::ffi_init(|slot| unsafe {
|
|
B::init(slot, name.as_char_ptr(), key.as_ptr())
|
|
}),
|
|
})
|
|
}
|
|
}
|
|
|
|
impl<B: Backend> Lock<(), B> {
|
|
/// Constructs a [`Lock`] from a raw pointer.
|
|
///
|
|
/// This can be useful for interacting with a lock which was initialised outside of Rust.
|
|
///
|
|
/// # Safety
|
|
///
|
|
/// The caller promises that `ptr` points to a valid initialised instance of [`State`] during
|
|
/// the whole lifetime of `'a`.
|
|
///
|
|
/// [`State`]: Backend::State
|
|
pub unsafe fn from_raw<'a>(ptr: *mut B::State) -> &'a Self {
|
|
// SAFETY:
|
|
// - By the safety contract `ptr` must point to a valid initialised instance of `B::State`
|
|
// - Since the lock data type is `()` which is a ZST, `state` is the only non-ZST member of
|
|
// the struct
|
|
// - Combined with `#[repr(C)]`, this guarantees `Self` has an equivalent data layout to
|
|
// `B::State`.
|
|
unsafe { &*ptr.cast() }
|
|
}
|
|
}
|
|
|
|
impl<T: ?Sized, B: Backend> Lock<T, B> {
|
|
/// Acquires the lock and gives the caller access to the data protected by it.
|
|
pub fn lock(&self) -> Guard<'_, T, B> {
|
|
// SAFETY: The constructor of the type calls `init`, so the existence of the object proves
|
|
// that `init` was called.
|
|
let state = unsafe { B::lock(self.state.get()) };
|
|
// SAFETY: The lock was just acquired.
|
|
unsafe { Guard::new(self, state) }
|
|
}
|
|
|
|
/// Tries to acquire the lock.
|
|
///
|
|
/// Returns a guard that can be used to access the data protected by the lock if successful.
|
|
pub fn try_lock(&self) -> Option<Guard<'_, T, B>> {
|
|
// SAFETY: The constructor of the type calls `init`, so the existence of the object proves
|
|
// that `init` was called.
|
|
unsafe { B::try_lock(self.state.get()).map(|state| Guard::new(self, state)) }
|
|
}
|
|
}
|
|
|
|
/// A lock guard.
|
|
///
|
|
/// Allows mutual exclusion primitives that implement the [`Backend`] trait to automatically unlock
|
|
/// when a guard goes out of scope. It also provides a safe and convenient way to access the data
|
|
/// protected by the lock.
|
|
#[must_use = "the lock unlocks immediately when the guard is unused"]
|
|
pub struct Guard<'a, T: ?Sized, B: Backend> {
|
|
pub(crate) lock: &'a Lock<T, B>,
|
|
pub(crate) state: B::GuardState,
|
|
_not_send: NotThreadSafe,
|
|
}
|
|
|
|
// SAFETY: `Guard` is sync when the data protected by the lock is also sync.
|
|
unsafe impl<T: Sync + ?Sized, B: Backend> Sync for Guard<'_, T, B> {}
|
|
|
|
impl<'a, T: ?Sized, B: Backend> Guard<'a, T, B> {
|
|
/// Returns the lock that this guard originates from.
|
|
///
|
|
/// # Examples
|
|
///
|
|
/// The following example shows how to use [`Guard::lock_ref()`] to assert the corresponding
|
|
/// lock is held.
|
|
///
|
|
/// ```
|
|
/// # use kernel::{new_spinlock, sync::lock::{Backend, Guard, Lock}};
|
|
/// # use pin_init::stack_pin_init;
|
|
///
|
|
/// fn assert_held<T, B: Backend>(guard: &Guard<'_, T, B>, lock: &Lock<T, B>) {
|
|
/// // Address-equal means the same lock.
|
|
/// assert!(core::ptr::eq(guard.lock_ref(), lock));
|
|
/// }
|
|
///
|
|
/// // Creates a new lock on the stack.
|
|
/// stack_pin_init!{
|
|
/// let l = new_spinlock!(42)
|
|
/// }
|
|
///
|
|
/// let g = l.lock();
|
|
///
|
|
/// // `g` originates from `l`.
|
|
/// assert_held(&g, &l);
|
|
/// ```
|
|
pub fn lock_ref(&self) -> &'a Lock<T, B> {
|
|
self.lock
|
|
}
|
|
|
|
pub(crate) fn do_unlocked<U>(&mut self, cb: impl FnOnce() -> U) -> U {
|
|
// SAFETY: The caller owns the lock, so it is safe to unlock it.
|
|
unsafe { B::unlock(self.lock.state.get(), &self.state) };
|
|
|
|
let _relock = ScopeGuard::new(||
|
|
// SAFETY: The lock was just unlocked above and is being relocked now.
|
|
unsafe { B::relock(self.lock.state.get(), &mut self.state) });
|
|
|
|
cb()
|
|
}
|
|
}
|
|
|
|
impl<T: ?Sized, B: Backend> core::ops::Deref for Guard<'_, T, B> {
|
|
type Target = T;
|
|
|
|
fn deref(&self) -> &Self::Target {
|
|
// SAFETY: The caller owns the lock, so it is safe to deref the protected data.
|
|
unsafe { &*self.lock.data.get() }
|
|
}
|
|
}
|
|
|
|
impl<T: ?Sized, B: Backend> core::ops::DerefMut for Guard<'_, T, B> {
|
|
fn deref_mut(&mut self) -> &mut Self::Target {
|
|
// SAFETY: The caller owns the lock, so it is safe to deref the protected data.
|
|
unsafe { &mut *self.lock.data.get() }
|
|
}
|
|
}
|
|
|
|
impl<T: ?Sized, B: Backend> Drop for Guard<'_, T, B> {
|
|
fn drop(&mut self) {
|
|
// SAFETY: The caller owns the lock, so it is safe to unlock it.
|
|
unsafe { B::unlock(self.lock.state.get(), &self.state) };
|
|
}
|
|
}
|
|
|
|
impl<'a, T: ?Sized, B: Backend> Guard<'a, T, B> {
|
|
/// Constructs a new immutable lock guard.
|
|
///
|
|
/// # Safety
|
|
///
|
|
/// The caller must ensure that it owns the lock.
|
|
pub unsafe fn new(lock: &'a Lock<T, B>, state: B::GuardState) -> Self {
|
|
// SAFETY: The caller can only hold the lock if `Backend::init` has already been called.
|
|
unsafe { B::assert_is_held(lock.state.get()) };
|
|
|
|
Self {
|
|
lock,
|
|
state,
|
|
_not_send: NotThreadSafe,
|
|
}
|
|
}
|
|
}
|