In particular:
- Add missing Markdown code spans.
- Improve title for `DeviceId`, adding a link to the struct in the
C side, rather than referring to `bindings::`.
- Convert `TODO` from documentation to a normal comment, and put code
in block.
This was found using the Clippy `doc_markdown` lint, which we may want
to enable.
Fixes: 1bd8b6b2c5d3 ("rust: pci: add basic PCI device / driver abstractions")
Reviewed-by: Benno Lossin <benno.lossin@proton.me>
Acked-by: Danilo Krummrich <dakr@kernel.org>
Link: https://lore.kernel.org/r/20250324210359.1199574-8-ojeda@kernel.org
[ Prefixed link text with `struct`. - Miguel ]
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Add missing Markdown code span.
This was found using the Clippy `doc_markdown` lint, which we may want
to enable.
Fixes: dd09538fb409 ("rust: alloc: implement `Cmalloc` in module allocator_test")
Reviewed-by: Benno Lossin <benno.lossin@proton.me>
Acked-by: Danilo Krummrich <dakr@kernel.org>
Link: https://lore.kernel.org/r/20250324210359.1199574-5-ojeda@kernel.org
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Add missing Markdown code spans.
This was found using the Clippy `doc_markdown` lint, which we may want
to enable.
Fixes: b6a006e21b82 ("rust: alloc: introduce allocation flags")
Reviewed-by: Benno Lossin <benno.lossin@proton.me>
Acked-by: Danilo Krummrich <dakr@kernel.org>
Link: https://lore.kernel.org/r/20250324210359.1199574-4-ojeda@kernel.org
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Convert `TODO` from documentation to a normal comment, and put code in
block.
This was found using the Clippy `doc_markdown` lint, which we may want
to enable.
Fixes: 683a63befc73 ("rust: platform: add basic platform device / driver abstractions")
Reviewed-by: Benno Lossin <benno.lossin@proton.me>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://lore.kernel.org/r/20250324210359.1199574-9-ojeda@kernel.org
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Rust kernel code is supposed to use the custom mapping of C FFI types,
i.e. those from the `ffi` crate, rather than the ones coming from `core`.
Thus, to minimize mistakes and to simplify the code everywhere, just
provide them in the `kernel` prelude and ask in the Coding Guidelines
to use them directly, i.e. as a single segment path.
After this lands, we can start cleaning up the existing users.
Ideally, we would use something like Clippy's `disallowed-types` to
prevent the use of the `core` ones, but that one sees through aliases.
Link: https://lore.kernel.org/rust-for-linux/CANiq72kc4gzfieD-FjuWfELRDXXD2vLgPv4wqk3nt4pjdPQ=qg@mail.gmail.com/
Reviewed-by: Danilo Krummrich <dakr@kernel.org>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Link: https://lore.kernel.org/r/20250413005650.1745894-1-ojeda@kernel.org
[ Reworded content of the documentation to focus on how to use the
aliases first. - Miguel ]
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Macros and auto-generated code should use absolute paths, `::core::...`
and `::kernel::...`, for core and kernel references.
This prevents issues where user-defined modules named `core` or `kernel`
could be picked up instead of the `core` or `kernel` crates.
Thus clean some references up.
Suggested-by: Benno Lossin <benno.lossin@proton.me>
Closes: https://github.com/Rust-for-Linux/linux/issues/1150
Signed-off-by: Igor Korotin <igor.korotin.linux@gmail.com>
Reviewed-by: Benno Lossin <lossin@kernel.org>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://lore.kernel.org/r/20250519164615.3310844-1-igor.korotin.linux@gmail.com
[ Applied `rustfmt`. Reworded slightly. - Miguel ]
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Currently rust on arm fails to compile due to '-mno-fdpic'. This flag
disables a GCC feature that we don't want for kernel builds, so let's
skip it as it doesn't apply to Clang.
UPD include/generated/asm-offsets.h
CALL scripts/checksyscalls.sh
RUSTC L rust/core.o
BINDGEN rust/bindings/bindings_generated.rs
BINDGEN rust/bindings/bindings_helpers_generated.rs
CC rust/helpers/helpers.o
Unable to generate bindings: clang diagnosed error: error: unknown argument: '-mno-fdpic'
make[2]: *** [rust/Makefile:369: rust/bindings/bindings_helpers_generated.rs] Error 1
make[2]: *** Deleting file 'rust/bindings/bindings_helpers_generated.rs'
make[2]: *** Waiting for unfinished jobs....
Unable to generate bindings: clang diagnosed error: error: unknown argument: '-mno-fdpic'
make[2]: *** [rust/Makefile:349: rust/bindings/bindings_generated.rs] Error 1
make[2]: *** Deleting file 'rust/bindings/bindings_generated.rs'
make[1]: *** [/home/pmos/build/src/linux-next-next-20250521/Makefile:1285: prepare] Error 2
make: *** [Makefile:248: __sub-make] Error 2
[ Naresh provided the draft diff [1].
Ben explained [2]:
FDPIC is only relevant with no-MMU targets, and then only for userspace.
When configured for the arm-*-uclinuxfdpiceabi target, GCC enables FDPIC
by default to facilitate compiling userspace programs. FDPIC is never
used for the kernel, and we pass -mno-fdpic when building the kernel to
override the default and make sure FDPIC is disabled.
and [3]:
-mno-fdpic disables a GCC feature that we don't want for kernel builds.
clang does not support this feature, so it always behaves as though
-mno-fdpic is passed. Therefore, it should be fine to mix the two, at
least as far as FDPIC is concerned.
[1] https://lore.kernel.org/rust-for-linux/CA+G9fYt4otQK4pHv8pJBW9e28yHSGCDncKquwuJiJ_1ou0pq0w@mail.gmail.com/
[2] https://lore.kernel.org/rust-for-linux/aAKrq2InExQk7f_k@dell-precision-5540/
[3] https://lore.kernel.org/rust-for-linux/aAo_F_UP1Gd4jHlZ@dell-precision-5540/
- Miguel ]
Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
Closes: https://lore.kernel.org/all/CA+G9fYvOanQBYXKSg7C6EU30k8sTRC0JRPJXYu7wWK51w38QUQ@mail.gmail.com/
Suggested-by: Miguel Ojeda <ojeda@kernel.org>
Acked-by: Naresh Kamboju <naresh.kamboju@linaro.org>
Signed-off-by: Rudraksha Gupta <guptarud@gmail.com>
Link: https://lore.kernel.org/r/20250522-rust-mno-fdpic-arm-fix-v2-1-a6f691d9c198@gmail.com
[ Reworded title. - Miguel ]
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
`bindgen` currently generates the wrong type for an `enum` when there
is a forward reference to it. For instance:
enum E;
enum E { A };
generates:
pub const E_A: E = 0;
pub type E = i32;
instead of the expected:
pub const E_A: E = 0;
pub type E = ffi::c_uint;
The issue was reported to upstream `bindgen` [1].
Now, both GCC and Clang support silently these forward references to
`enum` types, unless `-Wpedantic` is passed, and it turns out that some
headers in the kernel depend on them.
Thus, depending on how the headers are included, which in turn may depend
on the kernel configuration or the architecture, we may get a different
type on the Rust side for a given C `enum`.
That can be quite confusing, to say the least, especially since
developers may only notice issues when building for other architectures
like in [2]. In particular, they may end up forcing a cast and adding
an `#[allow(clippy::unnecessary_cast)]` like it was done in commit
94e05a66ea3e ("rust: hrtimer: allow timer restart from timer handler"),
which isn't great.
Instead, let's have a section at the top of our `bindings_helper.h` that
`#include`s the headers with the affected types -- hopefully there are
not many cases and there is a single ordering that covers all cases.
This allows us to remove the cast and the `#[allow]`, thus keeping the
correct code in the source files. When the issue gets resolved in upstream
`bindgen` (and we update our minimum `bindgen` version), we can easily
remove this section at the top.
Link: https://github.com/rust-lang/rust-bindgen/issues/3179 [1]
Link: https://lore.kernel.org/rust-for-linux/87tt7md1s6.fsf@kernel.org/ [2]
Acked-by: Andreas Hindborg <a.hindborg@kernel.org>
Link: https://lore.kernel.org/r/20250325184309.97170-1-ojeda@kernel.org
[ Added extra paragraph on the comment to clarify that the workaround may
not be possible in some cases. - Miguel ]
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Add basic examples for the structure "List", which also serve as unit
tests for basic list methods. It includes the following manipulations:
* List creation
* List emptiness check
* List insertion through push_front(), push_back()
* List item removal through pop_front(), pop_back()
* Push one list to another through push_all_back()
The method "remove()" doesn't have an example here because insertion
with push_front() or push_back() will take the ownership of the item,
which means we can't keep any valid reference to the node we want to
remove, unless Cursor is used. The "remove" example through Cursor is
already demonstrated with commit 52ae96f5187c ("rust: list: make the
cursor point between elements").
Link: https://github.com/Rust-for-Linux/linux/issues/1121
Signed-off-by: I Hsin Cheng <richard120310@gmail.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Reviewed-by: Benno Lossin <lossin@kernel.org>
Link: https://lore.kernel.org/r/20250311133357.90322-1-richard120310@gmail.com
[ Removed prelude import and spurious newlines. Formatted comments
with the usual style. Reworded slightly. - Miguel ]
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
"List::is_empty()" provides a straight forward convention to check
whether a given "List" is empty or not. There're numerous places in the
current implementation still use "self.first.is_null()" to perform the
equivalent check, replace them with "List::is_empty()".
Signed-off-by: I Hsin Cheng <richard120310@gmail.com>
Link: https://lore.kernel.org/r/20250310073853.427954-1-richard120310@gmail.com
Reviewed-by: Benno Lossin <lossin@kernel.org>
[ Rebased dropping the cases that do not apply anymore. - Miguel ]
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Place cleanup_module() in .exit.text section. Currently,
cleanup_module() is likely placed in the .text section. It's
inconsistent with the layout of C modules, where cleanup_module() is
placed in .exit.text.
[ Boqun asked for an example of how the section changed to be
put in the log. Tomonori provided the following examples:
C module:
$ objdump -t ~/build/x86/drivers/block/loop.o|grep clean
0000000000000000 l O .exit.data 0000000000000008 __UNIQUE_ID___addressable_cleanup_module412
0000000000000000 g F .exit.text 000000000000009c cleanup_module
Rust module without this patch:
$ objdump -t ~/build/x86/samples/rust/rust_minimal.o|grep clean
00000000000002b0 g F .text 00000000000000c6 cleanup_module
0000000000000000 g O .exit.data 0000000000000008 _R...___UNIQUE_ID___addressable_cleanup_module
Rust module with this patch:
$ objdump -t ~/build/x86/samples/rust/rust_minimal.o|grep clean
0000000000000000 g F .exit.text 00000000000000c6 cleanup_module
0000000000000000 g O .exit.data 0000000000000008 _R...___UNIQUE_ID___addressable_cleanup_module
- Miguel ]
Signed-off-by: FUJITA Tomonori <fujita.tomonori@gmail.com>
Acked-by: Jarkko Sakkinen <jarkko@kernel.org>
Link: https://lore.kernel.org/r/20250308044506.14458-1-fujita.tomonori@gmail.com
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
For the Rust 1.87.0 release, Clippy was expected to warn with:
error: use `core::ptr::eq` when comparing raw pointers
--> rust/kernel/list.rs:438:12
|
438 | if self.first == item {
| ^^^^^^^^^^^^^^^^^^ help: try: `core::ptr::eq(self.first, item)`
|
= help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#ptr_eq
= note: `-D clippy::ptr-eq` implied by `-D warnings`
= help: to override `-D warnings` add `#[allow(clippy::ptr_eq)]`
However, a backport to relax a bit the `clippy::ptr_eq` finally landed,
and thus Clippy did not warn by the time the release happened.
Thus remove the `allow`s added back then, which were added just in case
the backport did not land in time.
See commit a39f30870927 ("rust: allow Rust 1.87.0's `clippy::ptr_eq`
lint") for details.
Link: https://github.com/rust-lang/rust/pull/140859 [1]
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Link: https://lore.kernel.org/r/20250520182125.806758-1-ojeda@kernel.org
[ Reworded for clarity. - Miguel ]
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Pass PHY driver pointer to .match_phy_device OP in addition to phydev.
Having access to the PHY driver struct might be useful to check the
PHY ID of the driver is being matched for in case the PHY ID scanned in
the phydev is not consistent.
A scenario for this is a PHY that change PHY ID after a firmware is
loaded, in such case, the PHY ID stored in PHY device struct is not
valid anymore and PHY will manually scan the ID in the match_phy_device
function.
Having the PHY driver info is also useful for those PHY driver that
implement multiple simple .match_phy_device OP to match specific MMD PHY
ID. With this extra info if the parsing logic is the same, the matching
function can be generalized by using the phy_id in the PHY driver
instead of hardcoding.
Rust wrapper callback is updated to align to the new match_phy_device
arguments.
Suggested-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Reviewed-by: Benno Lossin <lossin@kernel.org> # for Rust
Reviewed-by: FUJITA Tomonori <fujita.tomonori@gmail.com>
Link: https://patch.msgid.link/20250517201353.5137-2-ansuelsmth@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
- Rust abstractions for CPUFreq framework (Viresh Kumar).
- Rust abstractions for OPP framework (Viresh Kumar).
- Basic Rust abstractions for Clk and Cpumask frameworks (Viresh Kumar).
- Minor cleanup to the SCMI cpufreq driver (Mike Tipton).
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEx73Crsp7f6M6scA70rkcPK6BEhwFAmgsHJEACgkQ0rkcPK6B
EhwzURAAp1T46sM970xrUKAbm542LYw2Rff6nYzNl9khU+tMo60ypdjtSh/RVQAZ
fcEKyaaXOEgHE6ahWOLaOIaMHYiah0DqIf8eVbZsJa3jTZ4nVNTd4Em1TQprWYer
0KfDT9UXqiz5sE6h3RvFRid0T8t93XOHZ0y48CDLnVnIzIMogB4dkWYM3O/KoAmh
MSVKYOvJXhj97AjHrFnJ6JzYlwX6gqq5UvRi6tzgm6B3kxHZG9dxCB25fCkRU+gP
0oVL1JHixYE36Os3oC0BnjXpAyvJa3gjv7XCNilVHnoqWpIccspBp/7uUI3eex/4
4uamldNalTA1bmP84JJzYt5qc9rBHME2nDvDlD6VbnmjjT/WFAF9/RAMeaE443Eo
0v/XiLcQuM+xDUGqUh6HheAfguIvfYASLM2Nkzi6yq13xYO2jK1NC+Ijwim2RJnC
lvYHrQTuvAbPyH2oFqPWvXM6/2HbDva6wxD3LI879Bpf7cJi/FfLDIGisDkx80WU
q8Ys2q8wXm0BkzWpaEbl2tZW43pMAS9TaYVUjoU3WZKbLsIWfmL/BofPS6Yjd6X7
dKCzREn3lw10Rk23SKUvJP6TYqBHW3ohkyGUtjoMbY0IGFrKv+XEZw7wDmj0GBWt
sA62Kf+s0bFmo0jy+x4uaEdf0ZNG9VqhcB2sYHaJpfk+votl2ic=
=Zx0u
-----END PGP SIGNATURE-----
Merge tag 'cpufreq-arm-updates-6.16' of git://git.kernel.org/pub/scm/linux/kernel/git/vireshk/pm
Merge ARM CPUFreq updates for 6.16 from Viresh Kumar:
"- Rust abstractions for CPUFreq framework (Viresh Kumar).
- Rust abstractions for OPP framework (Viresh Kumar).
- Basic Rust abstractions for Clk and Cpumask frameworks (Viresh Kumar).
- Minor cleanup to the SCMI cpufreq driver (Mike Tipton)."
* tag 'cpufreq-arm-updates-6.16' of git://git.kernel.org/pub/scm/linux/kernel/git/vireshk/pm: (24 commits)
cpufreq: scmi: Skip SCMI devices that aren't used by the CPUs
cpufreq: Add Rust-based cpufreq-dt driver
rust: opp: Extend OPP abstractions with cpufreq support
rust: cpufreq: Extend abstractions for driver registration
rust: cpufreq: Extend abstractions for policy and driver ops
rust: cpufreq: Add initial abstractions for cpufreq framework
rust: opp: Add abstractions for the configuration options
rust: opp: Add abstractions for the OPP table
rust: opp: Add initial abstractions for OPP framework
rust: cpu: Add from_cpu()
rust: macros: enable use of hyphens in module names
rust: clk: Add initial abstractions
rust: clk: Add helpers for Rust code
MAINTAINERS: Add entry for Rust cpumask API
rust: cpumask: Add initial abstractions
rust: cpumask: Add few more helpers
rust: devres: require a bound device
rust: pci: move iomap_region() to impl Device<Bound>
rust: device: implement Bound device context
rust: pci: preserve device context in AsRef
...
Fixes one small typo (`utilties` to `utilities`) in the documentation of
`MiscDevice::ioctl`.
Fixes: f893691e7426 ("rust: miscdevice: add base miscdevice abstraction")
Signed-off-by: Christian Schrefl <chrisi.schrefl@gmail.com>
Reviewed-by: Benno Lossin <lossin@kernel.org>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Link: https://lore.kernel.org/r/20250517-rust_miscdevice_fix_typo-v1-1-8c30a6237ba9@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Extend the OPP abstractions to include support for interacting with the
cpufreq core, including the ability to retrieve frequency tables from
OPP table.
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Extend the cpufreq abstractions to support driver registration from
Rust.
Reviewed-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Introduce initial Rust abstractions for the cpufreq core. This includes
basic representations for cpufreq flags, relation types, and the cpufreq
table.
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Introduce Rust abstractions for the OPP core configuration options,
enabling safe access to various configurable aspects of the OPP
framework.
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Introduce initial Rust abstractions for the Operating Performance Points
(OPP) framework. This includes bindings for `struct dev_pm_opp` and
`struct dev_pm_opp_data`, laying the groundwork for further OPP
integration.
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
This implements cpu::from_cpu(), which returns a reference to
Device for a CPU. The C struct is created at initialization time for
CPUs and is never freed and so ARef isn't returned from this function.
The new helper will be used by Rust based cpufreq drivers.
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Some modules might need naming that contains hyphens "-" to match the
auto-probing by name in the platform devices that comes from the device
tree.
But Rust identifier cannot contain hyphens, so replace them with
underscores.
Signed-off-by: Anisse Astier <anisse@astier.eu>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
[ Viresh: Replace "-" with '-', minor commit log fix, rename variable and
fix line length checkpatch warnings ]
Reviewed-by: Benno Lossin <lossin@kernel.org>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Add initial abstractions for the clk APIs. These provide the minimal
functionality needed for common use cases, making them straightforward
to introduce in the first iteration.
These will be used by Rust based cpufreq / OPP layers to begin with.
Tested-by: Daniel Almeida <daniel.almeida@collabora.com>
Reviewed-by: Daniel Almeida <daniel.almeida@collabora.com>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Non-trivial C macros and inlined C functions cannot be used directly
in the Rust code and are used via functions ("helpers") that wrap
those so that they can be called from Rust.
In order to prepare for adding Rust abstractions for the clock APIs,
add clock helpers required by the Rust implementation.
Reviewed-by: Daniel Almeida <daniel.almeida@collabora.com>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Add initial Rust abstractions for struct cpumask, covering a subset of
its APIs. Additional APIs can be added as needed.
These abstractions will be used in upcoming Rust support for cpufreq and
OPP frameworks.
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Reviewed-by: Yury Norov [NVIDIA] <yury.norov@gmail.com>
Add few more cpumask helpers that are required by the Rust abstraction.
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Acked-by: Yury Norov [NVIDIA] <yury.norov@gmail.com>
Added:
- 'Wrapper<T>' trait for creating pin-initializers for wrapper structs
with a structurally pinned value such as 'UnsafeCell<T>' or
'MaybeUninit<T>'.
- 'MaybeZeroable' derive macro to try to derive 'Zeroable', but not
error if not all fields implement it. This is needed to derive
'Zeroable' for all bindgen-generated structs.
- 'unsafe fn cast_[pin_]init()' functions to unsafely change the
initialized type of an initializer. These are utilized by the
'Wrapper<T>' implementations.
Changed:
- Added support for visibility in 'Zeroable' derive macro.
- Added support for 'union's in 'Zeroable' derive macro.
Upstream dev news:
- The CI has been streamlined & some bugs with it have been fixed. I
also added new workflows to check if the user-space version and the
one in the kernel tree have diverged.
- I also started to use the issues [1] tab to keep track of any problems
or unexpected/unwanted things. This should help folks report and
diagnose issues w.r.t. 'pin-init' better.
[1]: https://github.com/rust-for-linux/pin-init/issues
-----BEGIN PGP SIGNATURE-----
iIgEABYKADAWIQQjEG/HT3UeYLJybLTomd21rZaLygUCaBkpnxIcbG9zc2luQGtl
cm5lbC5vcmcACgkQ6Jndta2Wi8rvGAEAlmQercahKos8nEIvsP53vckky2OI7NWi
/1IjnFqIx0ABAJ4Wm08BDTU3tVOI7hNWIlZbWm0U81+Alk5fgR+Ou30F
=ZfOJ
-----END PGP SIGNATURE-----
Merge tag 'pin-init-v6.16' of https://github.com/Rust-for-Linux/linux into rust-next
Pull pin-init updates from Benno Lossin:
"Added:
- 'Wrapper<T>' trait for creating pin-initializers for wrapper
structs with a structurally pinned value such as 'UnsafeCell<T>' or
'MaybeUninit<T>'.
- 'MaybeZeroable' derive macro to try to derive 'Zeroable', but not
error if not all fields implement it. This is needed to derive
'Zeroable' for all bindgen-generated structs.
- 'unsafe fn cast_[pin_]init()' functions to unsafely change the
initialized type of an initializer. These are utilized by the
'Wrapper<T>' implementations.
Changed:
- Added support for visibility in 'Zeroable' derive macro.
- Added support for 'union's in 'Zeroable' derive macro.
Upstream dev news:
- The CI has been streamlined & some bugs with it have been fixed. I
also added new workflows to check if the user-space version and the
one in the kernel tree have diverged.
- I also started to use the issues [1] tab to keep track of any
problems or unexpected/unwanted things. This should help folks
report and diagnose issues w.r.t. 'pin-init' better.
[1] https://github.com/rust-for-linux/pin-init/issues"
* tag 'pin-init-v6.16' of https://github.com/Rust-for-Linux/linux:
rust: pin-init: improve documentation for `Zeroable` derive macros
rust: pin-init: fix typos
rust: pin-init: add `MaybeZeroable` derive macro
rust: pin-init: allow `Zeroable` derive macro to also be applied to unions
rust: pin-init: allow `pub` fields in `derive(Zeroable)`
rust: pin-init: Update the structural pinning link in readme.
rust: pin-init: Update Changelog and Readme
rust: pin-init: Implement `Wrapper` for `UnsafePinned` behind feature flag.
rust: pin-init: Add the `Wrapper` trait.
rust: pin-init: add `cast_[pin_]init` functions to change the initialized type
rust: pin-init: examples: use `allow` instead of `expect`
rust: pin-init: examples: conditionally enable `feature(lint_reasons)`
rust: pin-init: internal: skip rustfmt formatting of kernel-only module
rust: pin-init: synchronize README.md
Introduce Rust support for the `xarray` data structure:
- Add a rust abstraction for the `xarray` data structure. This abstraction
allows rust code to leverage the `xarray` to store types that implement
`ForeignOwnable`. This support is a dependency for memory backing feature of
the rust null block driver, which is waiting to be merged.
- Set up an entry in MAINTAINERS for the xarray rust support. Patches will go
to the new rust xarray tree and then via the rust subsystem tree for now.
`kernel` crate:
- Allow `ForeignOwnable` to carry information about the pointed-to type. This
helps asserting alignment requirements for the pointer passed to the foreign
language.
-----BEGIN PGP SIGNATURE-----
iQJKBAABCAA0FiEEEsH5R1a/fCoV1sAS4bgaPnkoY3cFAmgZ6fgWHGEuaGluZGJv
cmdAa2VybmVsLm9yZwAKCRDhuBo+eShjdxXVD/44Pko7d9oVLhLGG0nndMbWFjkk
/pCTdtw0+0NkulbJ8hKoIC5vYg47P2lE/nx6MsKJSbFdwts2fWd3nKHbxAQq8ox/
cWVLlzPESe719YmAUhLZhRPIOzRVyShWfbAIjyRDQZ0pc3txYbmiRHcBv9teu4In
bKCaV+OTqZFZSwZomyqFCz41uDPHdQxxb1O4vV8Kwh2vwD2x5/bcYvG2veU/Bzil
w1sSjhGvLAa0M3r/lP+72S4y5IbnA8HOsT9eBJMBVkdgWdw7avS9UfkuYeR1FcHg
7/osUZK4qvGKs9WDU2jkzt7imj0Zegis2/etlwblpzhR+GtSsTr0TZRGuuFL0HSr
bWb/2qbSDwKR28J3k4yfM7ksg3+PIztBA5MfTcffpMI4yjqaVQXkIzWGlFOoiGrx
tF+sZYqTqFBOgsKgir1pTAcK2/IZh7Y39HXYG7Wr4EO6GCXGkNxM68uzVR4WEbeT
PoxoxMzkjHaZe/sNyNYhhOfTjuhkikd9MazM+Ss8cpA8cFsWIcyDj/T5uyIuhE0+
BxzN/NTTwIM37ixAbtb9ZWT5F4hV9iwzXtvp+OqC0HUKcZH8vpXn/VFr0jKh4NKT
HpG3mwSYZt/eTSxvrGooVLYt36yvAKuP47jqqE8UaPzLtYEULwHuVDGJTfXNnErk
lV7grpE36dgXaSaErg==
=Ig1t
-----END PGP SIGNATURE-----
Merge tag 'rust-xarray-for-v6.16' of https://github.com/Rust-for-Linux/linux into rust-next
Pull XArray updates from Andreas Hindborg:
"Introduce Rust support for the 'xarray' data structure:
- Add a Rust abstraction for the 'xarray' data structure. This
abstraction allows Rust code to leverage the 'xarray' to store
types that implement 'ForeignOwnable'. This support is a dependency
for memory backing feature of the Rust null block driver, which is
waiting to be merged.
- Set up an entry in MAINTAINERS for the XArray Rust support. Patches
will go to the new Rust XArray tree and then via the Rust subsystem
tree for now.
'kernel' crate:
- Allow 'ForeignOwnable' to carry information about the pointed-to
type. This helps asserting alignment requirements for the pointer
passed to the foreign language."
* tag 'rust-xarray-for-v6.16' of https://github.com/Rust-for-Linux/linux:
MAINTAINERS: add entry for Rust XArray API
rust: xarray: Add an abstraction for XArray
rust: types: add `ForeignOwnable::PointedTo`
- Morph the rust hrtimer subsystem into the rust timekeeping subsystem,
covering delay, sleep, timekeeping, timers. This new subsystem has all the
relevant timekeeping C maintainers listed in the entry.
- Replace `Ktime` with `Delta` and `Instant` types to represent a duration of
time and a point in time.
- Temporarily add `Ktime` to `hrtimer` module to allow `hrtimer` to delay
converting to `Instant` and `Delta`.
-----BEGIN PGP SIGNATURE-----
iQJKBAABCAA0FiEEEsH5R1a/fCoV1sAS4bgaPnkoY3cFAmgZ1+8WHGEuaGluZGJv
cmdAa2VybmVsLm9yZwAKCRDhuBo+eShjd8MTD/9di4KXLhRpWaqVcNDbmNIPDaCL
e241wbiOkganrrel2ZtNg5ZVnxvHv7sNXcq1QrARNQE+/hb0LuXK/NHXINaovN2Y
bL29UyZGeL8rVW7sw4EKR/q8WE4dxUqCGBL6cF0/8aRQHGPteUuWm3Le5T4p4fej
tM0++NT9JzbNe0RFDYK5S5stl1S8VJiFeVLniTB85WhtpBdSvBGJ4P4d0GMUOwnZ
4Nbis56CXFtR32G2B6N+ztiBpMHidqCJ3LkavnXkff/tD6ja5bScsbgeZerwLOrR
Rkxz6n1IDFkx+tYLS7U54XWFnWGM0TeGtyGsxdHwPVn3g8O3sak5UN6mT+imeLXY
3KAsMqXEMMYoONnYtxS3k2Th9KtWs79SCi5lMou6YekqMZBDQxvQmBP0M7vnNGeL
wtGQ1ZUz3OsNwepjtH0Pjg13MmAK5Do+e+SEWGDwXiftDhnOmvRFFChqDO7kE/Jp
sqq6y0IZBBoZEiNsfvF22NunGXvx0MePUq8bppEtf3v8j8KCK3pW9jXMa/9eECTO
IBbIqG+uPvIGiTR6FnlEMBn8TUc1RBGSKuQ6qOKX/4YQ0uayTTQjO0ugNiMpODvB
2w9HiPymq7Mk5iZ3Dmeeo1Je5AJEN1VsWiOAs5URABXAYeSopOdrsaBLG1vgK+yW
0+xkDsf6VNiGcWdhbg==
=M1o/
-----END PGP SIGNATURE-----
Merge tag 'rust-timekeeping-for-v6.16-v2' of https://github.com/Rust-for-Linux/linux into rust-next
Pull timekeeping updates from Andreas Hindborg:
- Morph the Rust hrtimer subsystem into the Rust timekeeping subsystem,
covering delay, sleep, timekeeping, timers. This new subsystem has
all the relevant timekeeping C maintainers listed in the entry.
- Replace 'Ktime' with 'Delta' and 'Instant' types to represent a
duration of time and a point in time.
- Temporarily add 'Ktime' to 'hrtimer' module to allow 'hrtimer' to
delay converting to 'Instant' and 'Delta'.
* tag 'rust-timekeeping-for-v6.16-v2' of https://github.com/Rust-for-Linux/linux:
MAINTAINERS: rust: Add a new section for all of the time stuff
rust: time: Introduce Instant type
rust: time: Introduce Delta type
rust: time: Add PartialEq/Eq/PartialOrd/Ord trait to Ktime
rust: hrtimer: Add Ktime temporarily
Currently the implementation of "Guard" methods are basically wrappers
around rcu's function within kernel. Building the kernel with llvm
18.1.8 on x86_64 machine will generate the following symbols:
$ nm vmlinux | grep ' _R'.*Guard | rustfilt
ffffffff817b6c90 T <kernel::sync::rcu::Guard>::new
ffffffff817b6cb0 T <kernel::sync::rcu::Guard>::unlock
ffffffff817b6cd0 T <kernel::sync::rcu::Guard as core::ops::drop::Drop>::drop
ffffffff817b6c90 T <kernel::sync::rcu::Guard as core::default::Default>::default
These Rust symbols are basically wrappers around functions
"rcu_read_lock" and "rcu_read_unlock". Marking them as inline can
reduce the generation of these symbols, and saves the size of code
generation for 132 bytes.
$ ./scripts/bloat-o-meter vmlinux_old vmlinux_new
(Output is demangled for readability)
add/remove: 0/10 grow/shrink: 0/1 up/down: 0/-132 (-132)
Function old new delta
rust_driver_pci::SampleDriver::probe 1041 1034 -7
kernel::sync::rcu::Guard::default 9 - -9
kernel::sync::rcu::Guard::drop 9 - -9
kernel::sync::rcu::read_lock 9 - -9
kernel::sync::rcu::Guard::unlock 9 - -9
kernel::sync::rcu::Guard::new 9 - -9
__pfx__kernel::sync::rcu::Guard::default 16 - -16
__pfx__kernel::sync::rcu::Guard::drop 16 - -16
__pfx__kernel::sync::rcu::read_lock 16 - -16
__pfx__kernel::sync::rcu::Guard::unlock 16 - -16
__pfx__kernel::sync::rcu::Guard::new 16 - -16
Total: Before=23365955, After=23365823, chg -0.00%
Link: https://github.com/Rust-for-Linux/linux/issues/1145
Signed-off-by: I Hsin Cheng <richard120310@gmail.com>
Reviewed-by: Joel Fernandes <joelagnelf@nvidia.com>
Reviewed-by: Benno Lossin <benno.lossin@proton.me>
Reviewed-by: Charalampos Mitrodimas <charmitro@posteo.net>
Acked-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Joel Fernandes <joelagnelf@nvidia.com>
Currently we are requiring AlwaysRefCounted in most trait bounds for gem
objects, and implementing it by hand for our only current type of gem
object. However, all gem objects use the same functions for reference
counting - and all gem objects support reference counting.
We're planning on adding support for shmem gem objects, let's move this
around a bit by instead making IntoGEMObject require AlwaysRefCounted as a
trait bound, and then provide a blanket AlwaysRefCounted implementation for
any object that implements IntoGEMObject so all gem object types can use
the same AlwaysRefCounted implementation. This also makes things less
verbose by making the AlwaysRefCounted trait bound implicit for any
IntoGEMObject bound.
Signed-off-by: Lyude Paul <lyude@redhat.com>
Reviewed-by: Daniel Almeida <daniel.almeida@collabora.com>
Link: https://lore.kernel.org/r/20250513221046.903358-5-lyude@redhat.com
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
There's a few changes here:
* The rename, of course (this should also let us drop the clippy annotation
here)
* Return *mut bindings::drm_gem_object instead of
&Opaque<bindings::drm_gem_object> - the latter doesn't really have any
benefit and just results in conversion from the rust type to the C type
having to be more verbose than necessary.
Signed-off-by: Lyude Paul <lyude@redhat.com>
Reviewed-by: Daniel Almeida <daniel.almeida@collabora.com>
Link: https://lore.kernel.org/r/20250513221046.903358-4-lyude@redhat.com
[ Fixup s/into_gem_obj()/as_raw()/ in safety comment. - Danilo ]
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
There's a few issues with this function, mainly:
* This function -probably- should have been unsafe from the start. Pointers
are not always necessarily valid, but you want a function that does
field-projection for a pointer that can travel outside of the original
struct to be unsafe, at least if I understand properly.
* *mut Self is not terribly useful in this context, the majority of uses of
from_gem_obj() grab a *mut Self and then immediately convert it into a
&'a Self. It also goes against the ffi conventions we've set in the rest
of the kernel thus far.
* from_gem_obj() also doesn't follow the naming conventions in the rest of
the DRM bindings at the moment, as_ref() would be a better name.
So, let's:
* Make from_gem_obj() unsafe
* Convert it to return &'a Self
* Rename it to as_ref()
* Update all call locations
Signed-off-by: Lyude Paul <lyude@redhat.com>
Reviewed-by: Daniel Almeida <daniel.almeida@collabora.com>
Link: https://lore.kernel.org/r/20250513221046.903358-3-lyude@redhat.com
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
There is usually not much of a reason to use a raw pointer in a data
struct, so move this to NonNull instead.
Signed-off-by: Lyude Paul <lyude@redhat.com>
Reviewed-by: Daniel Almeida <daniel.almeida@collabora.com>
Link: https://lore.kernel.org/r/20250513221046.903358-2-lyude@redhat.com
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Add the initial nova-drm driver skeleton.
nova-drm is connected to nova-core through the auxiliary bus and
implements the DRM parts of the nova driver stack.
For now, it implements the fundamental DRM abstractions, i.e. creates a
DRM device and registers it, exposing a three sample IOCTLs.
DRM_IOCTL_NOVA_GETPARAM
- provides the PCI bar size from the bar that maps the GPUs VRAM
from nova-core
DRM_IOCTL_NOVA_GEM_CREATE
- creates a new dummy DRM GEM object and returns a handle
DRM_IOCTL_NOVA_GEM_INFO
- provides metadata for the DRM GEM object behind a given handle
I implemented a small userspace test suite [1] that utilizes this
interface.
Link: https://gitlab.freedesktop.org/dakr/drm-test [1]
Reviewed-by: Maxime Ripard <mripard@kernel.org>
Acked-by: Dave Airlie <airlied@redhat.com>
Link: https://lore.kernel.org/r/20250424160452.8070-3-dakr@kernel.org
[ Kconfig: depend on DRM=y rather than just DRM. - Danilo ]
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Add a Rust API for configfs, thus allowing Rust modules to use configfs for
configuration. Make the implementation a shim on top of the C configfs
implementation, allowing safe use of the C infrastructure from Rust.
Link: https://lore.kernel.org/r/20250508-configfs-v8-1-8ebde6180edc@kernel.org
Signed-off-by: Andreas Hindborg <a.hindborg@kernel.org>
The doctest requires `CONFIG_PCI`:
error[E0432]: unresolved import `kernel::pci`
--> rust/doctests_kernel_generated.rs:2689:44
|
2689 | use kernel::{device::Core, devres::Devres, pci};
| ^^^ no `pci` in the root
|
note: found an item that was configured out
--> rust/kernel/lib.rs:96:9
note: the item is gated here
--> rust/kernel/lib.rs:95:1
Thus conditionally compile it (which still checks the syntax).
Fixes: f301cb978c06 ("rust: devres: implement Devres::access()")
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Link: https://lore.kernel.org/r/20250511182533.1016163-1-ojeda@kernel.org
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Introduce a new type called `CurrentTask` that lets you perform various
operations that are only safe on the `current` task. Use the new type to
provide a way to access the current mm without incrementing its refcount.
With this change, you can write stuff such as
let vma = current!().mm().lock_vma_under_rcu(addr);
without incrementing any refcounts.
This replaces the existing abstractions for accessing the current pid
namespace. With the old approach, every field access to current involves
both a macro and a unsafe helper function. The new approach simplifies
that to a single safe function on the `CurrentTask` type. This makes it
less heavy-weight to add additional current accessors in the future.
That said, creating a `CurrentTask` type like the one in this patch
requires that we are careful to ensure that it cannot escape the current
task or otherwise access things after they are freed. To do this, I
declared that it cannot escape the current "task context" where I defined
a "task context" as essentially the region in which `current` remains
unchanged. So e.g., release_task() or begin_new_exec() would leave the
task context.
If a userspace thread returns to userspace and later makes another
syscall, then I consider the two syscalls to be different task contexts.
This allows values stored in that task to be modified between syscalls,
even if they're guaranteed to be immutable during a syscall.
Ensuring correctness of `CurrentTask` is slightly tricky if we also want
the ability to have a safe `kthread_use_mm()` implementation in Rust. To
support that safely, there are two patterns we need to ensure are safe:
// Case 1: current!() called inside the scope.
let mm;
kthread_use_mm(some_mm, || {
mm = current!().mm();
});
drop(some_mm);
mm.do_something(); // UAF
and:
// Case 2: current!() called before the scope.
let mm;
let task = current!();
kthread_use_mm(some_mm, || {
mm = task.mm();
});
drop(some_mm);
mm.do_something(); // UAF
The existing `current!()` abstraction already natively prevents the first
case: The `&CurrentTask` would be tied to the inner scope, so the
borrow-checker ensures that no reference derived from it can escape the
scope.
Fixing the second case is a bit more tricky. The solution is to
essentially pretend that the contents of the scope execute on an different
thread, which means that only thread-safe types can cross the boundary.
Since `CurrentTask` is marked `NotThreadSafe`, attempts to move it to
another thread will fail, and this includes our fake pretend thread
boundary.
This has the disadvantage that other types that aren't thread-safe for
reasons unrelated to `current` also cannot be moved across the
`kthread_use_mm()` boundary. I consider this an acceptable tradeoff.
Link: https://lkml.kernel.org/r/20250408-vma-v16-8-d8b446e885d9@google.com
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Acked-by: Liam R. Howlett <Liam.Howlett@Oracle.com>
Reviewed-by: Boqun Feng <boqun.feng@gmail.com>
Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>
Reviewed-by: Gary Guo <gary@garyguo.net>
Cc: Alex Gaynor <alex.gaynor@gmail.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Balbir Singh <balbirs@nvidia.com>
Cc: Benno Lossin <benno.lossin@proton.me>
Cc: Björn Roy Baron <bjorn3_gh@protonmail.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Jann Horn <jannh@google.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Trevor Gross <tmgross@umich.edu>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Add the ability to write a file_operations->mmap hook in Rust when using
the miscdevice abstraction. The `vma` argument to the `mmap` hook uses
the `VmaNew` type from the previous commit; this type provides the correct
set of operations for a file_operations->mmap hook.
Link: https://lkml.kernel.org/r/20250408-vma-v16-7-d8b446e885d9@google.com
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Acked-by: Liam R. Howlett <Liam.Howlett@Oracle.com>
Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>
Reviewed-by: Gary Guo <gary@garyguo.net>
Cc: Alex Gaynor <alex.gaynor@gmail.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Balbir Singh <balbirs@nvidia.com>
Cc: Benno Lossin <benno.lossin@proton.me>
Cc: Björn Roy Baron <bjorn3_gh@protonmail.com>
Cc: Boqun Feng <boqun.feng@gmail.com>
Cc: Jann Horn <jannh@google.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Trevor Gross <tmgross@umich.edu>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
This type will be used when setting up a new vma in an f_ops->mmap() hook.
Using a separate type from VmaRef allows us to have a separate set of
operations that you are only able to use during the mmap() hook. For
example, the VM_MIXEDMAP flag must not be changed after the initial setup
that happens during the f_ops->mmap() hook.
To avoid setting invalid flag values, the methods for clearing VM_MAYWRITE
and similar involve a check of VM_WRITE, and return an error if VM_WRITE
is set. Trying to use `try_clear_maywrite` without checking the return
value results in a compilation error because the `Result` type is marked
#[must_use].
For now, there's only a method for VM_MIXEDMAP and not VM_PFNMAP. When we
add a VM_PFNMAP method, we will need some way to prevent you from setting
both VM_MIXEDMAP and VM_PFNMAP on the same vma.
Link: https://lkml.kernel.org/r/20250408-vma-v16-6-d8b446e885d9@google.com
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Acked-by: Liam R. Howlett <Liam.Howlett@Oracle.com>
Reviewed-by: Jann Horn <jannh@google.com>
Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>
Cc: Alex Gaynor <alex.gaynor@gmail.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Balbir Singh <balbirs@nvidia.com>
Cc: Benno Lossin <benno.lossin@proton.me>
Cc: Björn Roy Baron <bjorn3_gh@protonmail.com>
Cc: Boqun Feng <boqun.feng@gmail.com>
Cc: Gary Guo <gary@garyguo.net>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Trevor Gross <tmgross@umich.edu>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Adds an MmWithUserAsync type that uses mmput_async when dropped but is
otherwise identical to MmWithUser. This has to be done using a separate
type because the thing we are changing is the destructor.
Rust Binder needs this to avoid a certain deadlock. See commit
9a9ab0d96362 ("binder: fix race between mmput() and do_exit()") for
details. It's also needed in the shrinker to avoid cleaning up the mm in
the shrinker's context.
Link: https://lkml.kernel.org/r/20250408-vma-v16-5-d8b446e885d9@google.com
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Acked-by: Liam R. Howlett <Liam.Howlett@Oracle.com>
Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>
Reviewed-by: Gary Guo <gary@garyguo.net>
Cc: Alex Gaynor <alex.gaynor@gmail.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Balbir Singh <balbirs@nvidia.com>
Cc: Benno Lossin <benno.lossin@proton.me>
Cc: Björn Roy Baron <bjorn3_gh@protonmail.com>
Cc: Boqun Feng <boqun.feng@gmail.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Jann Horn <jannh@google.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Trevor Gross <tmgross@umich.edu>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Currently, the binder driver always uses the mmap lock to make changes to
its vma. Because the mmap lock is global to the process, this can involve
significant contention. However, the kernel has a feature called per-vma
locks, which can significantly reduce contention. For example, you can
take a vma lock in parallel with an mmap write lock. This is important
because contention on the mmap lock has been a long-term recurring
challenge for the Binder driver.
This patch introduces support for using `lock_vma_under_rcu` from Rust.
The Rust Binder driver will be able to use this to reduce contention on
the mmap lock.
Link: https://lkml.kernel.org/r/20250408-vma-v16-4-d8b446e885d9@google.com
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Acked-by: Liam R. Howlett <Liam.Howlett@Oracle.com>
Reviewed-by: Jann Horn <jannh@google.com>
Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>
Reviewed-by: Gary Guo <gary@garyguo.net>
Cc: Alex Gaynor <alex.gaynor@gmail.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Balbir Singh <balbirs@nvidia.com>
Cc: Benno Lossin <benno.lossin@proton.me>
Cc: Björn Roy Baron <bjorn3_gh@protonmail.com>
Cc: Boqun Feng <boqun.feng@gmail.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Trevor Gross <tmgross@umich.edu>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
The vm_insert_page method is only usable on vmas with the VM_MIXEDMAP
flag, so we introduce a new type to keep track of such vmas.
The approach used in this patch assumes that we will not need to encode
many flag combinations in the type. I don't think we need to encode more
than VM_MIXEDMAP and VM_PFNMAP as things are now. However, if that
becomes necessary, using generic parameters in a single type would scale
better as the number of flags increases.
Link: https://lkml.kernel.org/r/20250408-vma-v16-3-d8b446e885d9@google.com
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Acked-by: Liam R. Howlett <Liam.Howlett@Oracle.com>
Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>
Reviewed-by: Gary Guo <gary@garyguo.net>
Cc: Alex Gaynor <alex.gaynor@gmail.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Balbir Singh <balbirs@nvidia.com>
Cc: Benno Lossin <benno.lossin@proton.me>
Cc: Björn Roy Baron <bjorn3_gh@protonmail.com>
Cc: Boqun Feng <boqun.feng@gmail.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Jann Horn <jannh@google.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Trevor Gross <tmgross@umich.edu>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
This adds a type called VmaRef which is used when referencing a vma that
you have read access to. Here, read access means that you hold either the
mmap read lock or the vma read lock (or stronger).
Additionally, a vma_lookup method is added to the mmap read guard, which
enables you to obtain a &VmaRef in safe Rust code.
This patch only provides a way to lock the mmap read lock, but a follow-up
patch also provides a way to just lock the vma read lock.
Link: https://lkml.kernel.org/r/20250408-vma-v16-2-d8b446e885d9@google.com
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Acked-by: Liam R. Howlett <Liam.Howlett@Oracle.com>
Reviewed-by: Jann Horn <jannh@google.com>
Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>
Reviewed-by: Gary Guo <gary@garyguo.net>
Cc: Alex Gaynor <alex.gaynor@gmail.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Balbir Singh <balbirs@nvidia.com>
Cc: Benno Lossin <benno.lossin@proton.me>
Cc: Björn Roy Baron <bjorn3_gh@protonmail.com>
Cc: Boqun Feng <boqun.feng@gmail.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Trevor Gross <tmgross@umich.edu>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Patch series "Rust support for mm_struct, vm_area_struct, and mmap", v16.
This updates the vm_area_struct support to use the approach we discussed
at LPC where there are several different Rust wrappers for vm_area_struct
depending on the kind of access you have to the vma. Each case allows a
different set of operations on the vma.
This includes an MM MAINTAINERS entry as proposed by Lorenzo:
https://lore.kernel.org/all/33e64b12-aa07-4e78-933a-b07c37ff1d84@lucifer.local/
This patch (of 9):
These abstractions allow you to reference a `struct mm_struct` using both
mmgrab and mmget refcounts. This is done using two Rust types:
* Mm - represents an mm_struct where you don't know anything about the
value of mm_users.
* MmWithUser - represents an mm_struct where you know at compile time
that mm_users is non-zero.
This allows us to encode in the type system whether a method requires that
mm_users is non-zero or not. For instance, you can always call
`mmget_not_zero` but you can only call `mmap_read_lock` when mm_users is
non-zero.
The struct is called Mm to keep consistency with the C side.
The ability to obtain `current->mm` is added later in this series.
The mm module is defined to only exist when CONFIG_MMU is set. This
avoids various errors due to missing types and functions when CONFIG_MMU
is disabled. More fine-grained cfgs can be considered in the future. See
the thread at [1] for more info.
Link: https://lkml.kernel.org/r/20250408-vma-v16-9-d8b446e885d9@google.com
Link: https://lkml.kernel.org/r/20250408-vma-v16-1-d8b446e885d9@google.com
Link: https://lore.kernel.org/all/202503091916.QousmtcY-lkp@intel.com/
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Acked-by: Liam R. Howlett <Liam.Howlett@Oracle.com>
Acked-by: Balbir Singh <balbirs@nvidia.com>
Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>
Reviewed-by: Gary Guo <gary@garyguo.net>
Cc: Alex Gaynor <alex.gaynor@gmail.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Benno Lossin <benno.lossin@proton.me>
Cc: Björn Roy Baron <bjorn3_gh@protonmail.com>
Cc: Boqun Feng <boqun.feng@gmail.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Jann Horn <jannh@google.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Trevor Gross <tmgross@umich.edu>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Some comments in Rust files use raw URLs (http://example.com) rather
than Markdown autolinks <URL>. This inconsistency makes the
documentation less uniform and harder to maintain.
This patch converts all remaining raw URLs in Rust code comments to use
the Markdown autolink format, maintaining consistency with the rest of
the codebase which already uses this style.
Suggested-by: Miguel Ojeda <ojeda@kernel.org>
Link: https://github.com/Rust-for-Linux/linux/issues/1153
Signed-off-by: Xizhe Yin <xizheyin@smail.nju.edu.cn>
Link: https://lore.kernel.org/r/509F0B66E3C1575D+20250407033441.5567-1-xizheyin@smail.nju.edu.cn
[ Used From form for Signed-off-by. Sorted tags. - Miguel ]
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
We track the details of which Rust features we use at our usual "live
list" [1] (and its sub-lists), but in light of a discussion in the LWN
article [2], it would help to clarify it in the source code.
In particular, we are very close to rely only on stable Rust language-wise
-- essentially only two language features remain (including the `kernel`
crate).
Thus add some details in both the feature list of the `kernel` crate as
well as the list of allowed features.
This does not over every single feature, and there are quite a few
non-language features that we use too. To have the full picture, please
refer to [1].
Link: https://github.com/Rust-for-Linux/linux/issues/2 [1]
Link: https://lwn.net/Articles/1015409/ [2]
Suggested-by: Andreas Hindborg <a.hindborg@kernel.org>
Reviewed-by: Benno Lossin <benno.lossin@proton.me>
Link: https://lore.kernel.org/r/20250327211302.286313-1-ojeda@kernel.org
[ Improved comments with suggestions from the list. - Miguel ]
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
The `kernel` prelude brings `Result` and the error codes; and the prelude
itself is already available in the examples automatically.
In addition, `Result` already defaults to `T = ()`.
Thus simplify.
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Link: https://lore.kernel.org/r/20250429151445.438977-1-ojeda@kernel.org
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Add an optional panic message to the `static_assert!` macro.
The panic message doesn't support argument formatting, because the
`assert!` macro only supports formatting in non-const contexts.
Suggested-by: Miguel Ojeda <ojeda@kernel.org>
Link: https://github.com/Rust-for-Linux/linux/issues/1149
Signed-off-by: Altan Ozlu <altan@ozlu.eu>
Reviewed-by: Benno Lossin <benno.lossin@proton.me>
Reviewed-by: Trevor Gross <tmgross@umich.edu>
Link: https://lore.kernel.org/r/20250326202520.1176162-2-altan@ozlu.eu
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
When build the kernel using the llvm-18.1.3-rust-1.85.0-x86_64
with ARCH=arm64, the following symbols are generated:
$nm vmlinux | grep ' _R'.*Page | rustfilt
ffff8000805b6f98 T <kernel::page::Page>::alloc_page
ffff8000805b715c T <kernel::page::Page>::fill_zero_raw
ffff8000805b720c T <kernel::page::Page>::copy_from_user_slice_raw
ffff8000805b6fb4 T <kernel::page::Page>::read_raw
ffff8000805b7088 T <kernel::page::Page>::write_raw
ffff8000805b72fc T <kernel::page::Page as core::ops::drop::Drop>::drop
These Rust symbols(alloc_page and drop) are trivial wrappers around the C
functions alloc_pages and __free_pages. It doesn't make sense to go
through a trivial wrapper for these functions, so mark them inline.
Link: https://github.com/Rust-for-Linux/linux/issues/1145
Suggested-by: Alice Ryhl <aliceryhl@google.com>
Co-developed-by: Grace Deng <Grace.Deng006@Gmail.com>
Signed-off-by: Grace Deng <Grace.Deng006@Gmail.com>
Signed-off-by: Kunwu Chan <kunwu.chan@hotmail.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Link: https://lore.kernel.org/r/20250321080124.484647-1-kunwu.chan@linux.dev
[ Removed spurious colon in title. - Miguel ]
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
This adds a variant of Vec::insert that does not allocate memory. This
makes it safe to use this function while holding a spinlock. Rust Binder
uses it for the range allocator fast path.
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Benno Lossin <lossin@kernel.org>
Link: https://lore.kernel.org/r/20250502-vec-methods-v5-7-06d20ad9366f@google.com
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
This is needed by Rust Binder in the range allocator, and by upcoming
GPU drivers during firmware initialization.
Panics in the kernel are best avoided when possible, so an error is
returned if the index is out of bounds. An error type is used rather
than just returning Option<T> to let callers handle errors with ?.
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Benno Lossin <lossin@kernel.org>
Link: https://lore.kernel.org/r/20250502-vec-methods-v5-6-06d20ad9366f@google.com
[ Remove `# Panics` section; `Vec::remove() handles the error properly.`
- Danilo ]
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
This adds a common Vec method called `retain` that removes all elements
that don't match a certain condition. Rust Binder uses it to find all
processes that match a given pid.
The stdlib retain method takes &T rather than &mut T and has a separate
retain_mut for the &mut T case. However, this is considered an API
mistake that can't be fixed now due to backwards compatibility. There's
no reason for us to repeat that mistake.
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Benno Lossin <lossin@kernel.org>
Link: https://lore.kernel.org/r/20250502-vec-methods-v5-5-06d20ad9366f@google.com
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
This is like the stdlib method drain, except that it's hard-coded to use
the entire vector's range. Rust Binder uses it in the range allocator to
take ownership of everything in a vector in a case where reusing the
vector is desirable.
Implementing `DrainAll` in terms of `slice::IterMut` lets us reuse some
nice optimizations in core for the case where T is a ZST.
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Benno Lossin <lossin@kernel.org>
Link: https://lore.kernel.org/r/20250502-vec-methods-v5-4-06d20ad9366f@google.com
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
This introduces a new method called `push_within_capacity` for appending
to a vector without attempting to allocate if the capacity is full. Rust
Binder will use this in various places to safely push to a vector while
holding a spinlock.
The implementation is moved to a push_within_capacity_unchecked method.
This is preferred over having push() call push_within_capacity()
followed by an unwrap_unchecked() for simpler unsafe.
Panics in the kernel are best avoided when possible, so an error is
returned if the vector does not have sufficient capacity. An error type
is used rather than just returning Result<(),T> to make it more
convenient for callers (i.e. they can use ? or unwrap).
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Benno Lossin <lossin@kernel.org>
Link: https://lore.kernel.org/r/20250502-vec-methods-v5-3-06d20ad9366f@google.com
[ Remove public visibility from `Vec::push_within_capacity_unchecked()`.
- Danilo ]
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
This introduces a basic method that our custom Vec is missing. I expect
that it will be used in many places, but at the time of writing, Rust
Binder has six calls to Vec::pop.
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Benno Lossin <lossin@kernel.org>
Link: https://lore.kernel.org/r/20250502-vec-methods-v5-2-06d20ad9366f@google.com
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Our custom Vec type is missing the stdlib method `clear`, thus add it.
It will be used in the miscdevice sample.
Reviewed-by: Benno Lossin <benno.lossin@proton.me>
Reviewed-by: Tamir Duberstein <tamird@gmail.com>
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://lore.kernel.org/r/20250502-vec-methods-v5-1-06d20ad9366f@google.com
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Starting with Rust 1.88.0 (expected 2025-06-26) [1], `rustc` may move
back the `uninlined_format_args` to `style` from `pedantic` (it was
there waiting for rust-analyzer suppotr), and thus we will start to see
lints like:
warning: variables can be used directly in the `format!` string
--> rust/macros/kunit.rs:105:37
|
105 | let kunit_wrapper_fn_name = format!("kunit_rust_wrapper_{}", test);
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#uninlined_format_args
help: change this to
|
105 - let kunit_wrapper_fn_name = format!("kunit_rust_wrapper_{}", test);
105 + let kunit_wrapper_fn_name = format!("kunit_rust_wrapper_{test}");
There is even a case that is a pure removal:
warning: variables can be used directly in the `format!` string
--> rust/macros/module.rs:51:13
|
51 | format!("{field}={content}\0", field = field, content = content)
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#uninlined_format_args
help: change this to
|
51 - format!("{field}={content}\0", field = field, content = content)
51 + format!("{field}={content}\0")
The lints all seem like nice cleanups, thus just apply them.
We may want to disable `allow-mixed-uninlined-format-args` in the future.
Cc: stable@vger.kernel.org # Needed in 6.12.y and later (Rust is pinned in older LTSs).
Link: https://github.com/rust-lang/rust-clippy/pull/14160 [1]
Acked-by: Benno Lossin <lossin@kernel.org>
Reviewed-by: Tamir Duberstein <tamird@gmail.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Link: https://lore.kernel.org/r/20250502140237.1659624-6-ojeda@kernel.org
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Starting with Rust 1.88.0 (expected 2025-06-26) [1][2], `rustc` may
introduce a new lint that catches unnecessary transmutes, e.g.:
error: unnecessary transmute
--> rust/uapi/uapi_generated.rs:23242:18
|
23242 | unsafe { ::core::mem::transmute(self._bitfield_1.get(0usize, 1u8) as u8) }
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ help: replace this with: `(self._bitfield_1.get(0usize, 1u8) as u8 == 1)`
|
= note: `-D unnecessary-transmutes` implied by `-D warnings`
= help: to override `-D warnings` add `#[allow(unnecessary_transmutes)]`
There are a lot of them (at least 300), but luckily they are all in
`bindgen`-generated code.
Thus clean all up by allowing it there.
Since unknown lints trigger a lint itself in older compilers, do it
conditionally so that we can keep the `unknown_lints` lint enabled.
Cc: stable@vger.kernel.org # Needed in 6.12.y and later (Rust is pinned in older LTSs).
Link: https://github.com/rust-lang/rust/pull/136083 [1]
Link: https://github.com/rust-lang/rust/issues/136067 [2]
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Link: https://lore.kernel.org/r/20250502140237.1659624-4-ojeda@kernel.org
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Implement a direct accessor for the data stored within the Devres for
cases where we can prove that we own a reference to a Device<Bound>
(i.e. a bound device) of the same device that was used to create the
corresponding Devres container.
Usually, when accessing the data stored within a Devres container, it is
not clear whether the data has been revoked already due to the device
being unbound and, hence, we have to try whether the access is possible
and subsequently keep holding the RCU read lock for the duration of the
access.
However, when we can prove that we hold a reference to Device<Bound>
matching the device the Devres container has been created with, we can
guarantee that the device is not unbound for the duration of the
lifetime of the Device<Bound> reference and, hence, it is not possible
for the data within the Devres container to be revoked.
Therefore, in this case, we can bypass the atomic check and the RCU read
lock, which is a great optimization and simplification for drivers.
Reviewed-by: Christian Schrefl <chrisi.schrefl@gmail.com>
Reviewed-by: Alexandre Courbot <acourbot@nvidia.com>
Acked-by: Boqun Feng <boqun.feng@gmail.com>
Reviewed-by: Joel Fernandes <joelagnelf@nvidia.com>
Link: https://lore.kernel.org/r/20250428140137.468709-3-dakr@kernel.org
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Implement an unsafe direct accessor for the data stored within the
Revocable.
This is useful for cases where we can prove that the data stored within
the Revocable is not and cannot be revoked for the duration of the
lifetime of the returned reference.
Reviewed-by: Christian Schrefl <chrisi.schrefl@gmail.com>
Reviewed-by: Benno Lossin <benno.lossin@proton.me>
Acked-by: Miguel Ojeda <ojeda@kernel.org>
Reviewed-by: Alexandre Courbot <acourbot@nvidia.com>
Acked-by: Boqun Feng <boqun.feng@gmail.com>
Reviewed-by: Joel Fernandes <joelagnelf@nvidia.com>
Link: https://lore.kernel.org/r/20250428140137.468709-2-dakr@kernel.org
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Specify that both `MaybeZeroable` and `Zeroable` work on `union`s. Add a
doc example for a union. Also include an example with visibility on the
field.
Link: ab0985a0e0
Reviewed-by: Christian Schrefl <chrisi.schrefl@gmail.com>
Signed-off-by: Benno Lossin <benno.lossin@proton.me>
Correct two typos in the `Wrapper::pin_init` documentation.
Link: fd0bf5e244
Reviewed-by: Christian Schrefl <chrisi.schrefl@gmail.com>
Signed-off-by: Benno Lossin <benno.lossin@proton.me>
This derive macro implements `Zeroable` for structs & unions precisely
if all fields also implement `Zeroable` and does nothing otherwise. The
plain `Zeroable` derive macro instead errors when it cannot derive
`Zeroable` safely. The `MaybeZeroable` derive macro is useful in cases
where manual checking is infeasible such as with the bindings crate.
Move the zeroable generics parsing into a standalone function in order
to avoid code duplication between the two derive macros.
Link: 1165cdad1a
Signed-off-by: Benno Lossin <benno.lossin@proton.me>
Enabling the same behavior for unions as for structs is correct, but
could be relaxed: the valid bit patterns for unions are the union of all
valid bit patterns of their fields. So for a union to implement
`Zeroable`, only a single field needs to implement `Zeroable`. This can
be a future improvement, as it is currently only needed for unions where
all fields implement `Zeroable`.
There is no danger for mis-parsing with the two optional tokens (ie
neither one or both tokens are parsed), as the compiler will already
have rejected that before giving it as the input to the derive macro.
Link: 5927b497ce
Signed-off-by: Benno Lossin <benno.lossin@proton.me>
Add support for parsing `pub`, `pub(crate)` and `pub(super)` to the
derive macro `Zeroable`.
Link: e8311e52ca
Signed-off-by: Benno Lossin <benno.lossin@proton.me>
The previous link anchor was broken in rust 1.77, because the
documentation was refactored in upstream rust.
Change the link to refer to the new section in the rust documentation.
Signed-off-by: Christian Schrefl <chrisi.schrefl@gmail.com>
Link: a146142fe1
[ Fixed commit authorship. - Benno ]
Signed-off-by: Benno Lossin <benno.lossin@proton.me>
Add Changelog entry for the `Wrapper` trait and document the
`unsafe-pinned` feature in the Readme.
Signed-off-by: Christian Schrefl <chrisi.schrefl@gmail.com>
Link: 986555f564
[ Fixed commit authorship. - Benno ]
Signed-off-by: Benno Lossin <benno.lossin@proton.me>
Add the `unsafe-pinned` feature which gates the `Wrapper`
implementation of the `core::pin::UnsafePinned` struct.
For now this is just a cargo feature, but once `core::pin::UnsafePinned`
is stable a config flag can be added to allow the usage of this
implementation in the linux kernel.
Signed-off-by: Christian Schrefl <chrisi.schrefl@gmail.com>
Link: 99cb193442
[ Fixed commit authorship. - Benno ]
Signed-off-by: Benno Lossin <benno.lossin@proton.me>
This trait allows creating `PinInitializers` for wrapper or new-type
structs with the inner value structurally pinned, when given the
initializer for the inner value.
Implement this trait for `UnsafeCell` and `MaybeUninit`.
Signed-off-by: Christian Schrefl <chrisi.schrefl@gmail.com>
Link: 3ab4db083b
[ Reworded commit message into imperative mode, fixed typo and fixed
commit authorship. - Benno ]
Signed-off-by: Benno Lossin <benno.lossin@proton.me>
These functions cast the given pointer from one type to another. They
are particularly useful when initializing transparent wrapper types.
Link: 80c03ddee4
Reviewed-by: Christian Schrefl <chrisi.schrefl@gmail.com>
Signed-off-by: Benno Lossin <benno.lossin@proton.me>
`XArray` is an efficient sparse array of pointers. Add a Rust
abstraction for this type.
This implementation bounds the element type on `ForeignOwnable` and
requires explicit locking for all operations. Future work may leverage
RCU to enable lockless operation.
Inspired-by: Maíra Canal <mcanal@igalia.com>
Inspired-by: Asahi Lina <lina@asahilina.net>
Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Signed-off-by: Tamir Duberstein <tamird@gmail.com>
Link: https://lore.kernel.org/r/20250423-rust-xarray-bindings-v19-2-83cdcf11c114@gmail.com
Signed-off-by: Andreas Hindborg <a.hindborg@kernel.org>
Allow implementors to specify the foreign pointer type; this exposes
information about the pointed-to type such as its alignment.
This requires the trait to be `unsafe` since it is now possible for
implementors to break soundness by returning a misaligned pointer.
Encoding the pointer type in the trait (and avoiding pointer casts)
allows the compiler to check that implementors return the correct
pointer type. This is preferable to directly encoding the alignment in
the trait using a constant as the compiler would be unable to check it.
Acked-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Tamir Duberstein <tamird@gmail.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Link: https://lore.kernel.org/r/20250423-rust-xarray-bindings-v19-1-83cdcf11c114@gmail.com
Signed-off-by: Andreas Hindborg <a.hindborg@kernel.org>
When `CONFIG_AUXILIARY_BUS` is disabled, `parent()` is still dead code:
error: method `parent` is never used
--> rust/kernel/device.rs:71:19
|
64 | impl<Ctx: DeviceContext> Device<Ctx> {
| ------------------------------------ method in this implementation
...
71 | pub(crate) fn parent(&self) -> Option<&Self> {
| ^^^^^^
|
= note: `-D dead-code` implied by `-D warnings`
= help: to override `-D warnings` add `#[allow(dead_code)]`
Thus reintroduce the `expect`, but now as a conditional one. Do so as
`dead_code` since that is narrower.
An `allow` would also be possible, but Danilo wants to catch new users
in the future [1].
Link: https://lore.kernel.org/rust-for-linux/aBE8qQrpXOfru_K3@pollux/ [1]
Fixes: ce735e73dd59 ("rust: auxiliary: add auxiliary device / driver abstractions")
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Link: https://lore.kernel.org/r/20250429210629.513521-1-ojeda@kernel.org
[ Adjust commit subject to "rust: device: conditionally expect
`dead_code` for `parent()`". - Danilo ]
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Introduce a type representing a specific point in time. We could use
the Ktime type but C's ktime_t is used for both timestamp and
timedelta. To avoid confusion, introduce a new Instant type for
timestamp.
Rename Ktime to Instant and modify their methods for timestamp.
Implement the subtraction operator for Instant:
Delta = Instant A - Instant B
Reviewed-by: Boqun Feng <boqun.feng@gmail.com>
Reviewed-by: Gary Guo <gary@garyguo.net>
Reviewed-by: Fiona Behrens <me@kloenk.dev>
Tested-by: Daniel Almeida <daniel.almeida@collabora.com>
Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>
Signed-off-by: FUJITA Tomonori <fujita.tomonori@gmail.com>
Link: https://lore.kernel.org/r/20250423192857.199712-5-fujita.tomonori@gmail.com
Signed-off-by: Andreas Hindborg <a.hindborg@kernel.org>
Introduce a type representing a span of time. Define our own type
because `core::time::Duration` is large and could panic during
creation.
time::Ktime could be also used for time duration but timestamp and
timedelta are different so better to use a new type.
i64 is used instead of u64 to represent a span of time; some C drivers
uses negative Deltas and i64 is more compatible with Ktime using i64
too (e.g., ktime_[us|ms]_delta() APIs return i64 so we create Delta
object without type conversion.
i64 is used instead of bindings::ktime_t because when the ktime_t
type is used as timestamp, it represents values from 0 to
KTIME_MAX, which is different from Delta.
as_millis() method isn't used in this patchset. It's planned to be
used in Binder driver.
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Reviewed-by: Gary Guo <gary@garyguo.net>
Reviewed-by: Fiona Behrens <me@kloenk.dev>
Tested-by: Daniel Almeida <daniel.almeida@collabora.com>
Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>
Signed-off-by: FUJITA Tomonori <fujita.tomonori@gmail.com>
Link: https://lore.kernel.org/r/20250423192857.199712-4-fujita.tomonori@gmail.com
Signed-off-by: Andreas Hindborg <a.hindborg@kernel.org>
Add PartialEq/Eq/PartialOrd/Ord trait to Ktime so two Ktime instances
can be compared to determine whether a timeout is met or not.
Use the derive implements; we directly touch C's ktime_t rather than
using the C's accessors because it is more efficient and we already do
in the existing code (Ktime::sub).
Reviewed-by: Trevor Gross <tmgross@umich.edu>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Reviewed-by: Gary Guo <gary@garyguo.net>
Reviewed-by: Fiona Behrens <me@kloenk.dev>
Tested-by: Daniel Almeida <daniel.almeida@collabora.com>
Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>
Signed-off-by: FUJITA Tomonori <fujita.tomonori@gmail.com>
Link: https://lore.kernel.org/r/20250423192857.199712-3-fujita.tomonori@gmail.com
Signed-off-by: Andreas Hindborg <a.hindborg@kernel.org>
Add Ktime temporarily until hrtimer is refactored to use Instant and
Delta types.
Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>
Reviewed-by: Boqun Feng <boqun.feng@gmail.com>
Signed-off-by: FUJITA Tomonori <fujita.tomonori@gmail.com>
Link: https://lore.kernel.org/r/20250423192857.199712-2-fujita.tomonori@gmail.com
Signed-off-by: Andreas Hindborg <a.hindborg@kernel.org>
DRM GEM is the DRM memory management subsystem used by most modern
drivers; add a Rust abstraction for DRM GEM.
This includes the BaseObject trait, which contains operations shared by
all GEM object classes.
Signed-off-by: Asahi Lina <lina@asahilina.net>
Reviewed-by: Alyssa Rosenzweig <alyssa@rosenzweig.io>
Reviewed-by: Lyude Paul <lyude@redhat.com>
Link: https://lore.kernel.org/r/20250410235546.43736-8-dakr@kernel.org
[ Rework of GEM object abstractions
* switch to the Opaque<T> type
* fix (mutable) references to struct drm_gem_object (which in this
context is UB)
* drop all custom reference types in favor of AlwaysRefCounted
* bunch of minor changes and simplifications (e.g. IntoGEMObject
trait)
* write and fix safety and invariant comments
* remove necessity for and convert 'as' casts
* original source archive: https://archive.is/dD5SL
- Danilo ]
[ Fix missing CONFIG_DRM guards in rust/helpers/drm.c. - Danilo ]
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Here are some small driver core fixes to resolve a number of reported
problems. Included in here are:
- driver core sync fix revert to resolve a much reported problem,
hopefully this is finally resolved
- MAINTAINERS file update, documenting that the driver-core tree is
now under a "shared" maintainership model, thanks to Rafael and
Danilo for offering to do this!
- auxbus documentation and MAINTAINERS file update
- MAINTAINERS file update for Rust PCI code
- firmware rust binding fixup
- software node link fix
All of these have been in linux-next for over a week with no reported
issues.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iG0EABECAC0WIQT0tgzFv3jCIUoxPcsxR9QN2y37KQUCaAuR4g8cZ3JlZ0Brcm9h
aC5jb20ACgkQMUfUDdst+ynU0wCg2YmcO0R7M4+g5SPHEFN0jy2xcaAAn1rMLbAY
E4U8Wo13hNMRtzMeI814
=YKYd
-----END PGP SIGNATURE-----
Merge tag 'driver-core-6.15-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/driver-core/driver-core
Pull driver core fixes from Greg KH:
"Here are some small driver core fixes to resolve a number of reported
problems. Included in here are:
- driver core sync fix revert to resolve a much reported problem,
hopefully this is finally resolved
- MAINTAINERS file update, documenting that the driver-core tree is
now under a "shared" maintainership model, thanks to Rafael and
Danilo for offering to do this!
- auxbus documentation and MAINTAINERS file update
- MAINTAINERS file update for Rust PCI code
- firmware rust binding fixup
- software node link fix
All of these have been in linux-next for over a week with no reported
issues"
* tag 'driver-core-6.15-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/driver-core/driver-core:
drivers/base/memory: Avoid overhead from for_each_present_section_nr()
software node: Prevent link creation failure from causing kobj reference count imbalance
device property: Add a note to the fwnode.h
drivers/base: Add myself as auxiliary bus reviewer
drivers/base: Extend documentation with preferred way to use auxbus
driver core: fix potential NULL pointer dereference in dev_uevent()
driver core: introduce device_set_driver() helper
Revert "drivers: core: synchronize really_probe() and dev_uevent()"
MAINTAINERS: update the location of the driver-core git tree
rust: firmware: Use `ffi::c_char` type in `FwFunc`
MAINTAINERS: pci: add entry for Rust PCI code
A DRM File is the DRM counterpart to a kernel file structure,
representing an open DRM file descriptor.
Add a Rust abstraction to allow drivers to implement their own File types
that implement the DriverFile trait.
Reviewed-by: Maxime Ripard <mripard@kernel.org>
Signed-off-by: Asahi Lina <lina@asahilina.net>
Reviewed-by: Alyssa Rosenzweig <alyssa@rosenzweig.io>
Reviewed-by: Lyude Paul <lyude@redhat.com>
Link: https://lore.kernel.org/r/20250410235546.43736-7-dakr@kernel.org
[ Rework of drm::File
* switch to the Opaque<T> type
* fix (mutable) references to struct drm_file (which in this context
is UB)
* restructure and rename functions to align with common kernel
schemes
* write and fix safety and invariant comments
* remove necessity for and convert 'as' casts
* original source archive: https://archive.is/GH8oy
- Danilo ]
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Implement the DRM driver `Registration`.
The `Registration` structure is responsible to register and unregister a
DRM driver. It makes use of the `Devres` container in order to allow the
`Registration` to be owned by devres, such that it is automatically
dropped (and the DRM driver unregistered) once the parent device is
unbound.
Signed-off-by: Asahi Lina <lina@asahilina.net>
Reviewed-by: Alyssa Rosenzweig <alyssa@rosenzweig.io>
Reviewed-by: Lyude Paul <lyude@redhat.com>
Link: https://lore.kernel.org/r/20250410235546.43736-6-dakr@kernel.org
[ Rework of drm::Registration
* move VTABLE to drm::Device to prevent use-after-free bugs; VTABLE
needs to be bound to the lifetime of drm::Device, not the
drm::Registration
* combine new() and register() to get rid of the registered boolean
* remove file_operations
* move struct drm_device creation to drm::Device
* introduce Devres
* original source archive: https://archive.is/Pl9ys
- Danilo ]
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Implement the abstraction for a `struct drm_device`.
A `drm::Device` creates a static const `struct drm_driver` filled with
the data from the `drm::Driver` trait implementation of the actual
driver creating the `drm::Device`.
Reviewed-by: Maxime Ripard <mripard@kernel.org>
Signed-off-by: Asahi Lina <lina@asahilina.net>
Reviewed-by: Alyssa Rosenzweig <alyssa@rosenzweig.io>
Reviewed-by: Lyude Paul <lyude@redhat.com>
Link: https://lore.kernel.org/r/20250410235546.43736-5-dakr@kernel.org
[ Rewrite of drm::Device
* full rewrite of the drm::Device abstraction using the subclassing
pattern
* original source archive: http://archive.today/5NxBo
- Danilo ]
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Implement the DRM driver abstractions.
The `Driver` trait provides the interface to the actual driver to fill
in the driver specific data, such as the `DriverInfo`, driver features
and IOCTLs.
Reviewed-by: Maxime Ripard <mripard@kernel.org>
Signed-off-by: Asahi Lina <lina@asahilina.net>
Reviewed-by: Alyssa Rosenzweig <alyssa@rosenzweig.io>
Reviewed-by: Lyude Paul <lyude@redhat.com>
Link: https://lore.kernel.org/r/20250410235546.43736-4-dakr@kernel.org
[ MISC changes
* remove unnecessary DRM features; make remaining ones crate private
* add #[expect(unused)] to avoid warnings
* add sealed trait
* remove shmem::Object references
* original source archive: https://archive.is/Pl9ys
- Danilo ]
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
DRM drivers need to be able to declare which driver-specific ioctls they
support. Add an abstraction implementing the required types and a helper
macro to generate the ioctl definition inside the DRM driver.
Note that this macro is not usable until further bits of the abstraction
are in place (but it will not fail to compile on its own, if not called).
Signed-off-by: Asahi Lina <lina@asahilina.net>
Reviewed-by: Alyssa Rosenzweig <alyssa@rosenzweig.io>
Reviewed-by: Lyude Paul <lyude@redhat.com>
Link: https://lore.kernel.org/r/20250410235546.43736-3-dakr@kernel.org
[ MISC fixes
* wrap raw_data in Opaque to avoid UB when creating a reference
* fix IOCTL sample declaration
* fix safety comment of IOCTL argument
* original source archive: https://archive.is/LqHDQ
- Danilo ]
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Rename `set_len` to `inc_len` and simplify its safety contract.
Note that the usage in `CString::try_from_fmt` remains correct as the
receiver is known to have `len == 0`.
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Signed-off-by: Tamir Duberstein <tamird@gmail.com>
Link: https://lore.kernel.org/r/20250416-vec-set-len-v4-4-112b222604cd@gmail.com
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Use `checked_sub` to satisfy the safety requirements of `dec_len` and
replace nearly the whole body of `truncate` with a call to `dec_len`.
Reviewed-by: Andrew Ballance <andrewjballance@gmail.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Signed-off-by: Tamir Duberstein <tamird@gmail.com>
Link: https://lore.kernel.org/r/20250416-vec-set-len-v4-3-112b222604cd@gmail.com
[ Remove #[expect(unused)] from dec_len(). - Danilo ]
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Add `Vec::dec_len` that reduces the length of the receiver. This method
is intended to be used from methods that remove elements from `Vec` such
as `truncate`, `pop`, `remove`, and others. This method is intentionally
not `pub`.
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Signed-off-by: Tamir Duberstein <tamird@gmail.com>
Link: https://lore.kernel.org/r/20250416-vec-set-len-v4-2-112b222604cd@gmail.com
[ Add #[expect(unused)] to dec_len(). - Danilo ]
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Document the invariant that the vector's length is always less than or
equal to its capacity. This is already implied by these other
invariants:
- `self.len` always represents the exact number of elements stored in
the vector.
- `self.layout` represents the absolute number of elements that can be
stored within the vector without re-allocation.
but it doesn't hurt to spell it out. Note that the language references
`self.capacity` rather than `self.layout.len` as the latter is zero for
a vector of ZSTs.
Update a safety comment touched by this patch to correctly reference
`realloc` rather than `alloc` and replace "leaves" with "leave" to
improve grammar.
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Signed-off-by: Tamir Duberstein <tamird@gmail.com>
Link: https://lore.kernel.org/r/20250416-vec-set-len-v4-1-112b222604cd@gmail.com
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
This enables the creation of trait objects backed by a Box, similarly to
what can be done with the standard library.
Suggested-by: Benno Lossin <benno.lossin@proton.me>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Reviewed-by: Benno Lossin <benno.lossin@proton.me>
Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
Link: https://lore.kernel.org/r/20250412-box_trait_objs-v3-1-f67ced62d520@nvidia.com
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Revocable::try_access() returns a guard through which the wrapped object
can be accessed. Code that can sleep is not allowed while the guard is
held; thus, it is common for the caller to explicitly drop it before
running sleepable code, e.g:
let b = bar.try_access()?;
let reg = b.readl(...);
// Don't forget this or things could go wrong!
drop(b);
something_that_might_sleep();
let b = bar.try_access()?;
let reg2 = b.readl(...);
This is arguably error-prone. try_access_with() provides an arguably
safer alternative, by taking a closure that is run while the guard is
held, and by dropping the guard automatically after the closure
completes. This way, code can be organized more clearly around the
critical sections and the risk of forgetting to release the guard when
needed is considerably reduced:
let reg = bar.try_access_with(|b| b.readl(...))?;
something_that_might_sleep();
let reg2 = bar.try_access_with(|b| b.readl(...))?;
The closure can return nothing, or any value including a Result which is
then wrapped inside the Option returned by try_access_with. Error
management is driver-specific, so users are encouraged to create their
own macros that map and flatten the returned values to something
appropriate for the code they are working on.
Suggested-by: Danilo Krummrich <dakr@kernel.org>
Reviewed-by: Benno Lossin <benno.lossin@proton.me>
Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
Reviewed-by: Joel Fernandes <joelagnelf@nvidia.com>
Acked-by: Miguel Ojeda <ojeda@kernel.org>
Link: https://lore.kernel.org/r/20250411-try_with-v4-1-f470ac79e2e2@nvidia.com
[ Link `None`, `Some`, `Option` in doc-comment. - Danilo ]
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Rust 1.78 doesn't emit a `dead_code` error on the annotated element,
resulting in the `unfulfilled_lint_expectations` error. Rust 1.85 does
emit the `dead_code` error, so we still need an `allow`.
Link: 0e28cbb895
Link: https://lore.kernel.org/all/20250414195928.129040-4-benno.lossin@proton.me
Signed-off-by: Benno Lossin <benno.lossin@proton.me>
