- Jul 08, 2024
-
-
Alice Ryhl authored
Add safe methods for reading and writing Rust values to and from userspace pointers. The C methods for copying to/from userspace use a function called `check_object_size` to verify that the kernel pointer is not dangling. However, this check is skipped when the length is a compile-time constant, with the assumption that such cases trivially have a correct kernel pointer. In this patch, we apply the same optimization to the typed accessors. For both methods, the size of the operation is known at compile time to be size_of of the type being read or written. Since the C side doesn't provide a variant that skips only this check, we create custom helpers for this purpose. The majority of reads and writes to userspace pointers in the Rust Binder driver uses these accessor methods. Benchmarking has found that skipping the `check_object_size` check makes a big difference for the cases being skipped here. (And that the check doesn't make a difference for...
-
Wedson Almeida Filho authored
A pointer to an area in userspace memory, which can be either read-only or read-write. All methods on this struct are safe: attempting to read or write on bad addresses (either out of the bound of the slice or unmapped addresses) will return `EFAULT`. Concurrent access, *including data races to/from userspace memory*, is permitted, because fundamentally another userspace thread/process could always be modifying memory at the same time (in the same way that userspace Rust's `std::io` permits data races with the contents of files on disk). In the presence of a race, the exact byte values read/written are unspecified but the operation is well-defined. Kernelspace code should validate its copy of data after completing a read, and not expect that multiple reads of the same address will return the same value. These APIs are designed to make it difficult to accidentally write TOCTOU bugs. Every time you read from a memory location, the pointer is advanced by the length so ...
-
Alice Ryhl authored
Make it possible to allocate memory that doesn't need to mapped into the kernel's address space. This flag is useful together with Page::alloc_page [1]. Rust Binder needs this for the memory that holds incoming transactions for each process. Each process will have a few megabytes of memory allocated with this flag, which is mapped into the process using vm_insert_page. When the kernel copies data for an incoming transaction into a process's memory region, it will use kmap_local_page to temporarily map pages that are being modified. There is no need for them to take up address space in the kernel when the kernel is not writing an incoming transaction into the page. Link: https://lore.kernel.org/all/20240528-alice-mm-v7-4-78222c31b8f4@google.com/ [1] Signed-off-by:
Alice Ryhl <aliceryhl@google.com> Link: https://lore.kernel.org/r/20240607-highmem-v1-1-d18c5ca4072f@google.com Signed-off-by:
Miguel Ojeda <ojeda@kernel.org>
-
Alice Ryhl authored
Fix a typo in alloc.rs by replacing Ror with For. Signed-off-by:
Vincenzo Palazzo <vincenzopalazzodev@gmail.com> Link: https://lore.kernel.org/r/20240529083452.779865-1-aliceryhl@google.com Signed-off-by:
-
Miguel Ojeda authored
Since we dropped our custom `alloc` in commit 9d0441ba ("rust: alloc: remove our fork of the `alloc` crate"), there is no need anymore to keep the custom sysroot hack. Thus delete it, which makes the target way simpler and faster too. This also means we are not using Cargo for anything at the moment, and that no download is required anymore, so update the main `Makefile` and the documentation accordingly. Link: https://lore.kernel.org/r/20240528163502.411600-1-ojeda@kernel.org Signed-off-by:
-
Roland Xu authored
Make the impl_has_work macro compatible with more complex generics such as lifetimes and const generic arguments. Signed-off-by:
Roland Xu <mu001999@outlook.com> Link: https://lore.kernel.org/r/ME0P282MB4890A180B99490CC65EF64FDCCEB2@ME0P282MB4890.AUSP282.PROD.OUTLOOK.COM Suggested-by:
Benno Lossin <benno.lossin@proton.me> Link: https://github.com/Rust-for-Linux/linux/issues/1077 [ Wrapped message to 72 columns. - Miguel ] Signed-off-by:
-
FUJITA Tomonori authored
This adds 'firmware' field support to module! macro, corresponds to MODULE_FIRMWARE macro. You can specify the file names of binary firmware that the kernel module requires. The information is embedded in the modinfo section of the kernel module. For example, a tool to build an initramfs uses this information to put the firmware files into the initramfs image. Signed-off-by:
FUJITA Tomonori <fujita.tomonori@gmail.com> Reviewed-by:
-
Aswin Unnikrishnan authored
Remove the mention of byte array as datatype for `module` macro arguments since the arguments are defined as string, and `alias` is a string array. Signed-off-by:
Aswin Unnikrishnan <aswinunni01@gmail.com> Reviewed-by:
-
Aswin Unnikrishnan authored
Add example for `alias` argument supported by `module` macro. `alias` accepts an array of alternate names for the module as string. Reviewed-by:
-
- Jun 11, 2024
-
-
Miguel Ojeda authored
When compiling for the `rusttest` target, the `core::ptr` import is unused since its only use happens in the `reserve()` method which is not compiled in that target: warning: unused import: `core::ptr` --> rust/kernel/alloc/vec_ext.rs:7:5 | 7 | use core::ptr; | ^^^^^^^^^ | = note: `#[warn(unused_imports)]` on by default Thus clean it. Fixes: 97ab3e8e ("rust: alloc: fix dangling pointer in VecExt<T>::reserve()") Reviewed-by:Danilo Krummrich <dakr@redhat.com> Link: https://lore.kernel.org/r/20240519210735.587323-1-ojeda@kernel.org Signed-off-by:
-
- May 14, 2024
-
-
WANG Rui authored
This commit switches to use the LoongArch's built-in rustc target 'loongarch64-unknown-none-softfloat'. The Rust samples have been tested. Acked-by:
WANG Rui <wangrui@loongson.cn> Signed-off-by:
Huacai Chen <chenhuacai@loongson.cn>
-
- May 09, 2024
-
-
Masahiro Yamada authored
Kbuild conventionally uses $(obj)/ for generated files, and $(src)/ for checked-in source files. It is merely a convention without any functional difference. In fact, $(obj) and $(src) are exactly the same, as defined in scripts/Makefile.build: src := $(obj) When the kernel is built in a separate output directory, $(src) does not accurately reflect the source directory location. While Kbuild resolves this discrepancy by specifying VPATH=$(srctree) to search for source files, it does not cover all cases. For example, when adding a header search path for local headers, -I$(srctree)/$(src) is typically passed to the compiler. This introduces inconsistency between upstream and downstream Makefiles because $(src) is used instead of $(srctree)/$(src) for the latter. To address this inconsistency, this commit changes the semantics of $(src) so that it always points to the directory in the source tree. Going forward, the variables used ...
-
- May 07, 2024
-
-
Danilo Krummrich authored
Currently, a Vec<T>'s ptr value, after calling Vec<T>::new(), is initialized to Unique::dangling(). Hence, in VecExt<T>::reserve(), we're passing a dangling pointer (instead of NULL) to krealloc() whenever a new Vec<T>'s backing storage is allocated through VecExt<T> extension functions. This only works as long as align_of::<T>(), used by Unique::dangling() to derive the dangling pointer, resolves to a value between 0x0 and ZERO_SIZE_PTR (0x10) and krealloc() hence treats it the same as a NULL pointer however. This isn't a case we should rely on, since there may be types whose alignment may exceed the range still covered by krealloc(), plus other kernel allocators are not as tolerant either. Instead, pass a real NULL pointer to krealloc_aligned() if Vec<T>'s capacity is zero. Fixes: 5ab560ce ("rust: alloc: update `VecExt` to take allocation flags") Reviewed-by:
Boqun Feng <boqun.feng@gmail.com>...>
-
- May 05, 2024
-
-
Miguel Ojeda authored
Rust's `unused_imports` lint covers both unused and redundant imports. In the upcoming 1.78.0, the lint detects more cases of redundant imports [1], e.g.: error: the item `bindings` is imported redundantly --> rust/kernel/print.rs:38:9 | 38 | use crate::bindings; | ^^^^^^^^^^^^^^^ the item `bindings` is already defined by prelude Most cases are `use crate::bindings`, plus a few other items like `Box`. Thus clean them up. Note that, in the `bindings` case, the message "defined by prelude" above means the extern prelude, i.e. the `--extern` flags we pass. Link: https://github.com/rust-lang/rust/pull/117772 [1] Reviewed-by: -
Miguel Ojeda authored
In the upcoming Rust 1.78.0, Clippy suggests to implement `Default` even when `new()` is `const`, since `Default::default()` may call `const` functions even if it is not `const` itself [1]: error: you should consider adding a `Default` implementation for `LockClassKey` --> rust/kernel/sync.rs:31:5 | 31 | / pub const fn new() -> Self { 32 | | Self(Opaque::uninit()) 33 | | } | |_____^ Thus implement it. Link: https://github.com/rust-lang/rust-clippy/pull/10903 [1] Reviewed-by:Boqun Feng <boqun.feng@gmail.com> Link: https://lore.kernel.org/r/20240401212303.537355-2-ojeda@kernel.org Signed-off-by:
-
Nell Shamrell-Harrington authored
Rust doctests implicitly include `kernel::prelude::*`. Removes explicit `kernel::prelude` imports from doctests. Suggested-by:
Nell Shamrell-Harrington <nells@linux.microsoft.com> Reviewed-by:
-
Raghav Narang authored
In Rust 1.76.0, the `dbg!()` macro was updated to also format the column number. The reason cited was usage of a few characters worth of horizontal space while allowing direct jumps to the source location. [1] Link: https://github.com/rust-lang/rust/pull/114962 [1] Link: https://github.com/Rust-for-Linux/linux/issues/1065 Signed-off-by:
Raghav Narang <dev@raxyte.com> Reviewed-by:
Trevor Gross <tmgross@umich.edu> Reviewed-by:
Gary Guo <gary@garyguo.net> Link: https://lore.kernel.org/r/eba70259-9b10-4bf7-ac4f-d7accf6b8891@smtp-relay.sendinblue.com [ Fixed commit author name and removed spurious newline in message. - Miguel ] Signed-off-by:
-
Thorsten Blum authored
s/directly the bindings/the bindings directly/ Signed-off-by:
Thorsten Blum <thorsten.blum@toblux.com> Reviewed-by:
-
Benno Lossin authored
The initializers created by the `[try_][pin_]init!` macros utilize the guard pattern to drop already initialized fields, when initialization fails mid-way. These guards are generated to have the same name as the field that they handle. To prevent namespacing issues [1] when the field name is the same as e.g. a constant name, add `__` as a prefix and `_guard` as the suffix. [ Gary says: "Here's the simplified example: ``` macro_rules! f { () => { let a = 1; let _: u32 = a; } } const a: u64 = 1; fn main() { f!(); } ``` The `a` in `f` have a different hygiene so normally it is scoped to the macro expansion and wouldn't escape. Interestingly a constant is still preferred despite the hygiene so constants escaped into the macro, leading to the error." - Miguel ] Signed-off-by: -
Alice Ryhl authored
Decrement the refcount of an `Arc`, but handle the case where it hits zero by taking ownership of the now-unique `Arc`, instead of destroying and deallocating it. This is a dependency of the linked list that Rust Binder uses. The linked list uses this method as part of its `ListArc` abstraction [1]. Boqun Feng has authored the examples. Reviewed-by:
-
Alice Ryhl authored
Allows access to a value in an `Arc` that is currently held as a raw pointer due to use of `Arc::into_raw`, without destroying or otherwise consuming that raw pointer. This is a dependency of the linked list that Rust Binder uses. The linked list uses this method when iterating over the linked list [1]. Reviewed-by:
-
Boqun Feng authored
To support a potential usage: static foo: Opaque<Foo> = ..; // Or defined in an extern block. ... fn bar() { let ptr = foo.get(); } `Opaque::get` need to be `const`, otherwise compiler will complain because calls on statics are limited to const functions. Also `Opaque::get` should be naturally `const` since it's a composition of two `const` functions: `UnsafeCell::get` and `ptr::cast`. Signed-off-by:Wedson Almeida Filho <walmeida@microsoft.com> Reviewed-by:
-
- Apr 30, 2024
-
-
Boqun Feng authored
The definitions related to jiffies are at linux/jiffies.h, and the definitions related to ktime_t are at linux/ktime.h, since `kernel::time` provides the functionality dealing with jiffies and ktime_t, it makes sense to add links to them from Rust's time module. Signed-off-by:
Thomas Gleixner <tglx@linutronix.de> Reviewed-by:
-
- Apr 25, 2024
-
-
Kent Overstreet authored
Memory allocation profiling is turning krealloc() into a nontrivial macro - so for now, we need a helper for it. Until we have proper support on the rust side for memory allocation profiling this does mean that all Rust allocations will be accounted to the helper. Link: https://lkml.kernel.org/r/20240321163705.3067592-25-surenb@google.com Signed-off-by:
Kent Overstreet <kent.overstreet@linux.dev> Signed-off-by:
Suren Baghdasaryan <surenb@google.com> Reviewed-by:
Kees Cook <keescook@chromium.org> Cc: Alex Gaynor <alex.gaynor@gmail.com> Cc: Wedson Almeida Filho <wedsonaf@gmail.com> Cc: Boqun Feng <boqun.feng@gmail.com> Cc: Gary Guo <gary@garyguo.net> Cc: "Björn Roy Baron" <bjorn3_gh@protonmail.com> Cc: Benno Lossin <benno.lossin@proton.me> Cc: Andreas Hindborg <a.hindborg@samsung.com> Cc: Alexander Viro <viro@zeniv.linux.org.uk> Cc: Christoph Lameter <cl@linux.com> Cc: Dennis Zhou <dennis@kernel.org> Cc: Pasha Tatashin <pasha.tatashin@soleen.com> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Tejun Heo <tj@kernel.org> Cc: Vlastimil Babka <vbabka@suse.cz> Signed-off-by:
Andrew Morton <akpm@linux-foundation.org>
-
Aswin Unnikrishnan authored
Remove argument `params` from the `module` macro example, because the macro does not currently support module parameters since it was not sent with the initial merge. Signed-off-by:
-
- Apr 22, 2024
-
-
Miguel Ojeda authored
When KUnit tests are enabled, under very big kernel configurations (e.g. `allyesconfig`), we can trigger a `rustdoc` ICE [1]: RUSTDOC TK rust/kernel/lib.rs error: the compiler unexpectedly panicked. this is a bug. The reason is that this build step has a duplicated `@rustc_cfg` argument, which contains the kernel configuration, and thus a lot of arguments. The factor 2 happens to be enough to reach the ICE. Thus remove the unneeded `@rustc_cfg`. By doing so, we clean up the command and workaround the ICE. The ICE has been fixed in the upcoming Rust 1.79 [2]. Cc: stable@vger.kernel.org Fixes: a66d733d ("rust: support running Rust documentation tests as KUnit ones") Link: https://github.com/rust-lang/rust/issues/122722 [1] Link: https://github.com/rust-lang/rust/pull/122840 [2] Reviewed-by: -
Wedson Almeida Filho authored
The thread that calls the module initialisation code when a module is loaded is not guaranteed [in fact, it is unlikely] to be the same one that calls the module cleanup code on module unload, therefore, `Module` implementations must be `Send` to account for them moving from one thread to another implicitly. Signed-off-by:
-
Wedson Almeida Filho authored
In preparation for requiring `Send` for `Module` implementations in the next patch. Cc: FUJITA Tomonori <fujita.tomonori@gmail.com> Cc: Trevor Gross <tmgross@umich.edu> Cc: netdev@vger.kernel.org Signed-off-by:
-
- Apr 16, 2024
-
-
Wedson Almeida Filho authored
With the adoption of `BoxExt` and `VecExt`, we don't need the functions provided by this feature (namely the methods prefixed with `try_` and different allocator per collection instance). We do need `AllocError`, but we define our own as it is a trivial empty struct. Reviewed-by:
-
Wedson Almeida Filho authored
This is the last component in the conversion for allocators to take allocation flags as parameters. Reviewed-by:
-
Wedson Almeida Filho authored
We also remove the `try_` prefix to align with how `Box` and `Vec` are providing methods now. `init` is temporarily updated with uses of GFP_KERNEL. These will be updated in a subsequent patch to take flags as well. Reviewed-by:
-
Wedson Almeida Filho authored
We also rename the methods by removing the `try_` prefix since the names are available due to our usage of the `no_global_oom_handling` config when building the `alloc` crate. Reviewed-by:
-
Wedson Almeida Filho authored
Make fallible versions of `new` and `new_uninit` methods available in `Box` even though it doesn't implement them because we build `alloc` with the `no_global_oom_handling` config. They also have an extra `flags` parameter that allows callers to pass flags to the allocator. Signed-off-by:
-
Wedson Almeida Filho authored
We'll use them when allocating `Box`, `Arc`, and `UniqueArc` instances, as well as when allocating memory for `Vec` elements. These changes will come in subsequent patches. Reviewed-by:
-
Wedson Almeida Filho authored
It is not used anymore as `VecExt` now provides the functionality we depend on. Reviewed-by:
-
Wedson Almeida Filho authored
Switch away from our fork of the `alloc` crate. We remove it altogether in the next commit. Signed-off-by:
-
Wedson Almeida Filho authored
Make `try_with_capacity`, `try_push`, and `try_extend_from_slice` methods available in `Vec` even though it doesn't implement them. It is implemented with `try_reserve` and `push_within_capacity`. This is in preparation for switching to the upstream `alloc` crate. Reviewed-by:
-
Wedson Almeida Filho authored
We will add more to the `alloc` module in subsequent patches (e.g., allocation flags and extension traits). Reviewed-by:
-
Benno Lossin authored
The `module!` macro creates glue code that are called by C to initialize the Rust modules using the `Module::init` function. Part of this glue code are the local functions `__init` and `__exit` that are used to initialize/destroy the Rust module. These functions are safe and also visible to the Rust mod in which the `module!` macro is invoked. This means that they can be called by other safe Rust code. But since they contain `unsafe` blocks that rely on only being called at the right time, this is a soundness issue. Wrap these generated functions inside of two private modules, this guarantees that the public functions cannot be called from the outside. Make the safe functions `unsafe` and add SAFETY comments. Cc: stable@vger.kernel.org Reported-by:
Björn Roy Baron <bjorn3_gh@protonmail.com> Closes: https://github.com/Rust-for-Linux/linux/issues/629 Fixes: 1fbde52b ("rust: add `macros` crate") Signed-off-by:
-
- Apr 11, 2024
-
-
Alice Ryhl authored
Introduce a wrapper around `ktime_t` with a few different useful methods. Rust Binder will use these bindings to compute how many milliseconds a transaction has been active for when dumping the current state of the Binder driver. This replicates the logic in C Binder [1]. For a usage example in Rust Binder, see [2]. ktime_get() cannot be safely called in NMI context. This requirement is not checked by these abstractions, but it is intended that klint [3] or a similar tool will be used to check it in the future. Signed-off-by:
-
