From: Linus Torvalds Date: Sun, 3 Aug 2025 20:49:10 +0000 (-0700) Subject: Merge tag 'rust-6.17' of git://git.kernel.org/pub/scm/linux/kernel/git/ojeda/linux X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=352af6a011d586ff042db4b2d1f7421875eb8a14;p=thirdparty%2Fkernel%2Flinux.git Merge tag 'rust-6.17' of git://git.kernel.org/pub/scm/linux/kernel/git/ojeda/linux Pull Rust updates from Miguel Ojeda: "Toolchain and infrastructure: - Enable a set of Clippy lints: 'ptr_as_ptr', 'ptr_cast_constness', 'as_ptr_cast_mut', 'as_underscore', 'cast_lossless' and 'ref_as_ptr' These are intended to avoid type casts with the 'as' operator, which are quite powerful, into restricted variants that are less powerful and thus should help to avoid mistakes - Remove the 'author' key now that most instances were moved to the plural one in the previous cycle 'kernel' crate: - New 'bug' module: add 'warn_on!' macro which reuses the existing 'BUG'/'WARN' infrastructure, i.e. it respects the usual sysctls and kernel parameters: warn_on!(value == 42); To avoid duplicating the assembly code, the same strategy is followed as for the static branch code in order to share the assembly between both C and Rust This required a few rearrangements on C arch headers -- the existing C macros should still generate the same outputs, thus no functional change expected there - 'workqueue' module: add delayed work items, including a 'DelayedWork' struct, a 'impl_has_delayed_work!' macro and an 'enqueue_delayed' method, e.g.: /// Enqueue the struct for execution on the system workqueue, /// where its value will be printed 42 jiffies later. fn print_later(value: Arc) { let _ = workqueue::system().enqueue_delayed(value, 42); } - New 'bits' module: add support for 'bit' and 'genmask' functions, with runtime- and compile-time variants, e.g.: static_assert!(0b00010000 == bit_u8(4)); static_assert!(0b00011110 == genmask_u8(1..=4)); assert!(checked_bit_u32(u32::BITS).is_none()); - 'uaccess' module: add 'UserSliceReader::strcpy_into_buf', which reads NUL-terminated strings from userspace into a '&CStr' Introduce 'UserPtr' newtype, similar in purpose to '__user' in C, to minimize mistakes handling userspace pointers, including mixing them up with integers and leaking them via the 'Debug' trait. Add it to the prelude, too - Start preparations for the replacement of our custom 'CStr' type with the analogous type in the 'core' standard library. This will take place across several cycles to make it easier. For this one, it includes a new 'fmt' module, using upstream method names and some other cleanups Replace 'fmt!' with a re-export, which helps Clippy lint properly, and clean up the found 'uninlined-format-args' instances - 'dma' module: - Clarify wording and be consistent in 'coherent' nomenclature - Convert the 'read!()' and 'write!()' macros to return a 'Result' - Add 'as_slice()', 'write()' methods in 'CoherentAllocation' - Expose 'count()' and 'size()' in 'CoherentAllocation' and add the corresponding type invariants - Implement 'CoherentAllocation::dma_handle_with_offset()' - 'time' module: - Make 'Instant' generic over clock source. This allows the compiler to assert that arithmetic expressions involving the 'Instant' use 'Instants' based on the same clock source - Make 'HrTimer' generic over the timer mode. 'HrTimer' timers take a 'Duration' or an 'Instant' when setting the expiry time, depending on the timer mode. With this change, the compiler can check the type matches the timer mode - Add an abstraction for 'fsleep'. 'fsleep' is a flexible sleep function that will select an appropriate sleep method depending on the requested sleep time - Avoid 64-bit divisions on 32-bit hardware when calculating timestamps - Seal the 'HrTimerMode' trait. This prevents users of the 'HrTimerMode' from implementing the trait on their own types - Pass the correct timer mode ID to 'hrtimer_start_range_ns()' - 'list' module: remove 'OFFSET' constants, allowing to remove pointer arithmetic; now 'impl_list_item!' invokes 'impl_has_list_links!' or 'impl_has_list_links_self_ptr!'. Other simplifications too - 'types' module: remove 'ForeignOwnable::PointedTo' in favor of a constant, which avoids exposing the type of the opaque pointer, and require 'into_foreign' to return non-null Remove the 'Either' type as well. It is unused, and we want to encourage the use of custom enums for concrete use cases - 'sync' module: implement 'Borrow' and 'BorrowMut' for 'Arc' types to allow them to be used in generic APIs - 'alloc' module: implement 'Borrow' and 'BorrowMut' for 'Box'; and 'Borrow', 'BorrowMut' and 'Default' for 'Vec' - 'Opaque' type: add 'cast_from' method to perform a restricted cast that cannot change the inner type and use it in callers of 'container_of!'. Rename 'raw_get' to 'cast_into' to match it - 'rbtree' module: add 'is_empty' method - 'sync' module: new 'aref' submodule to hold 'AlwaysRefCounted' and 'ARef', which are moved from the too general 'types' module which we want to reduce or eventually remove. Also fix a safety comment in 'static_lock_class' 'pin-init' crate: - Add 'impl [Pin]Init for Result', so results are now (pin-)initializers - Add 'Zeroable::init_zeroed()' that delegates to 'init_zeroed()' - New 'zeroed()', a safe version of 'mem::zeroed()' and also provide it via 'Zeroable::zeroed()' - Implement 'Zeroable' for 'Option<&T>', 'Option<&mut T>' and for 'Option<[unsafe] [extern "abi"] fn(...args...) -> ret>' for '"Rust"' and '"C"' ABIs and up to 20 arguments - Changed blanket impls of 'Init' and 'PinInit' from 'impl [Pin]Init for T' to 'impl [Pin]Init for T' - Renamed 'zeroed()' to 'init_zeroed()' - Upstream dev news: improve CI more to deny warnings, use '--all-targets'. Check the synchronization status of the two '-next' branches in upstream and the kernel MAINTAINERS: - Add Vlastimil Babka, Liam R. Howlett, Uladzislau Rezki and Lorenzo Stoakes as reviewers (thanks everyone) And a few other cleanups and improvements" * tag 'rust-6.17' of git://git.kernel.org/pub/scm/linux/kernel/git/ojeda/linux: (76 commits) rust: Add warn_on macro arm64/bug: Add ARCH_WARN_ASM macro for BUG/WARN asm code sharing with Rust riscv/bug: Add ARCH_WARN_ASM macro for BUG/WARN asm code sharing with Rust x86/bug: Add ARCH_WARN_ASM macro for BUG/WARN asm code sharing with Rust rust: kernel: move ARef and AlwaysRefCounted to sync::aref rust: sync: fix safety comment for `static_lock_class` rust: types: remove `Either` rust: kernel: use `core::ffi::CStr` method names rust: str: add `CStr` methods matching `core::ffi::CStr` rust: str: remove unnecessary qualification rust: use `kernel::{fmt,prelude::fmt!}` rust: kernel: add `fmt` module rust: kernel: remove `fmt!`, fix clippy::uninlined-format-args scripts: rust: emit path candidates in panic message scripts: rust: replace length checks with match rust: list: remove nonexistent generic parameter in link rust: bits: add support for bits/genmask macros rust: list: remove OFFSET constants rust: list: add `impl_list_item!` examples rust: list: use fully qualified path ... --- 352af6a011d586ff042db4b2d1f7421875eb8a14 diff --cc drivers/cpufreq/rcpufreq_dt.rs index 9ad85fe6fd054,4608d2286fa19..7e1fbf9a091f7 --- a/drivers/cpufreq/rcpufreq_dt.rs +++ b/drivers/cpufreq/rcpufreq_dt.rs @@@ -19,9 -18,8 +18,9 @@@ use kernel:: /// Finds exact supply name from the OF node. fn find_supply_name_exact(dev: &Device, name: &str) -> Option { - let prop_name = CString::try_from_fmt(fmt!("{}-supply", name)).ok()?; + let prop_name = CString::try_from_fmt(fmt!("{name}-supply")).ok()?; - dev.property_present(&prop_name) + dev.fwnode()? + .property_present(&prop_name) .then(|| CString::try_from_fmt(fmt!("{name}")).ok()) .flatten() } diff --cc drivers/gpu/nova-core/util.rs index 64fb137607643,332a64cfc6a9d..76cedf3710d7b --- a/drivers/gpu/nova-core/util.rs +++ b/drivers/gpu/nova-core/util.rs @@@ -1,8 -1,5 +1,8 @@@ // SPDX-License-Identifier: GPL-2.0 +use kernel::prelude::*; - use kernel::time::{Delta, Instant}; ++use kernel::time::{Delta, Instant, Monotonic}; + pub(crate) const fn to_lowercase_bytes(s: &str) -> [u8; N] { let src = s.as_bytes(); let mut dst = [0; N]; @@@ -22,26 -19,3 +22,26 @@@ pub(crate) const fn const_bytes_to_str( Err(_) => kernel::build_error!("Bytes are not valid UTF-8."), } } + +/// Wait until `cond` is true or `timeout` elapsed. +/// +/// When `cond` evaluates to `Some`, its return value is returned. +/// +/// `Err(ETIMEDOUT)` is returned if `timeout` has been reached without `cond` evaluating to +/// `Some`. +/// +/// TODO[DLAY]: replace with `read_poll_timeout` once it is available. +/// (https://lore.kernel.org/lkml/20250220070611.214262-8-fujita.tomonori@gmail.com/) +pub(crate) fn wait_on Option>(timeout: Delta, cond: F) -> Result { - let start_time = Instant::now(); ++ let start_time = Instant::::now(); + + loop { + if let Some(ret) = cond() { + return Ok(ret); + } + + if start_time.elapsed().as_nanos() > timeout.as_nanos() { + return Err(ETIMEDOUT); + } + } +} diff --cc rust/helpers/helpers.c index 2bb13285825b7,0683fffdbde25..7cf7fe95e41dd --- a/rust/helpers/helpers.c +++ b/rust/helpers/helpers.c @@@ -28,17 -28,13 +28,17 @@@ #include "kunit.c" #include "mm.c" #include "mutex.c" +#include "of.c" #include "page.c" - #include "platform.c" #include "pci.c" #include "pid_namespace.c" + #include "platform.c" +#include "poll.c" +#include "property.c" #include "rbtree.c" - #include "regulator.c" #include "rcu.c" #include "refcount.c" ++#include "regulator.c" #include "security.c" #include "signal.c" #include "slab.c" diff --cc rust/kernel/device_id.rs index 8ed2c946144c3,3dc72ca8cfc26..70d57814ff79b --- a/rust/kernel/device_id.rs +++ b/rust/kernel/device_id.rs @@@ -94,16 -77,14 +94,16 @@@ impl() - .write(i); + if let Some(data_offset) = data_offset { + // SAFETY: by the safety requirement of this function, this would be effectively + // `raw_ids[i].driver_data = i;`. + unsafe { + raw_ids[i] + .as_mut_ptr() - .byte_offset(data_offset as _) ++ .byte_add(data_offset) + .cast::() + .write(i); + } } // SAFETY: this is effectively a move: `infos[i] = ids[i].1`. We make a copy here but diff --cc rust/kernel/devres.rs index 152a89b789438,d0e6c6e162c28..da18091143a67 --- a/rust/kernel/devres.rs +++ b/rust/kernel/devres.rs @@@ -49,10 -44,10 +49,10 @@@ struct Inner /// [`Devres`] users should make sure to simply free the corresponding backing resource in `T`'s /// [`Drop`] implementation. /// - /// # Example + /// # Examples /// /// ```no_run -/// # use kernel::{bindings, c_str, device::{Bound, Device}, devres::Devres, io::{Io, IoRaw}}; +/// # use kernel::{bindings, device::{Bound, Device}, devres::Devres, io::{Io, IoRaw}}; /// # use core::ops::Deref; /// /// // See also [`pci::Bar`] for a real example. diff --cc rust/kernel/drm/gem/mod.rs index a24c9a2fc201b,6f914ae0a5aad..b71821cfb5eaa --- a/rust/kernel/drm/gem/mod.rs +++ b/rust/kernel/drm/gem/mod.rs @@@ -124,12 -124,10 +124,10 @@@ impl IntoGEMObject fo self.obj.get() } - unsafe fn as_ref<'a>(self_ptr: *mut bindings::drm_gem_object) -> &'a Self { + unsafe fn from_raw<'a>(self_ptr: *mut bindings::drm_gem_object) -> &'a Self { - let self_ptr: *mut Opaque = self_ptr.cast(); - // SAFETY: `obj` is guaranteed to be in an `Object` via the safety contract of this // function - unsafe { &*crate::container_of!(self_ptr, Object, obj) } + unsafe { &*crate::container_of!(Opaque::cast_from(self_ptr), Object, obj) } } } diff --cc rust/kernel/io.rs index b7fc759f8b5d3,bd4d720be1653..03b467722b865 --- a/rust/kernel/io.rs +++ b/rust/kernel/io.rs @@@ -5,13 -5,8 +5,13 @@@ //! C header: [`include/asm-generic/io.h`](srctree/include/asm-generic/io.h) use crate::error::{code::EINVAL, Result}; - use crate::{bindings, build_assert}; + use crate::{bindings, build_assert, ffi::c_void}; +pub mod mem; +pub mod resource; + +pub use resource::Resource; + /// Raw representation of an MMIO region. /// /// By itself, the existence of an instance of this structure does not provide any guarantees that diff --cc rust/kernel/platform.rs index b4d3087aff52f,e894790c510cc..8f028c76f9fa6 --- a/rust/kernel/platform.rs +++ b/rust/kernel/platform.rs @@@ -132,10 -122,10 +132,10 @@@ macro_rules! module_platform_driver /// /// Drivers must implement this trait in order to get a platform driver registered. /// - /// # Example + /// # Examples /// ///``` -/// # use kernel::{bindings, c_str, device::Core, of, platform}; +/// # use kernel::{acpi, bindings, c_str, device::Core, of, platform}; /// /// struct MyDriver; /// diff --cc rust/kernel/types.rs index 3958a5f44d567,ec82a163cb0ee..dc0a02f5c3cfc --- a/rust/kernel/types.rs +++ b/rust/kernel/types.rs @@@ -5,12 -6,13 +6,13 @@@ use crate::ffi::c_void use core::{ cell::UnsafeCell, marker::{PhantomData, PhantomPinned}, - mem::{ManuallyDrop, MaybeUninit}, + mem::MaybeUninit, ops::{Deref, DerefMut}, - ptr::NonNull, }; -use pin_init::{PinInit, Zeroable}; +use pin_init::{PinInit, Wrapper, Zeroable}; + pub use crate::sync::aref::{ARef, AlwaysRefCounted}; + /// Used to transfer ownership to and from foreign (non-Rust) languages. /// /// Ownership is transferred from Rust to a foreign language by calling [`Self::into_foreign`] and @@@ -399,191 -411,16 +400,29 @@@ impl Opaque /// /// This function is useful to get access to the value without creating intermediate /// references. - pub const fn raw_get(this: *const Self) -> *mut T { + pub const fn cast_into(this: *const Self) -> *mut T { UnsafeCell::raw_get(this.cast::>>()).cast::() } + + /// The opposite operation of [`Opaque::cast_into`]. + pub const fn cast_from(this: *const T) -> *const Self { + this.cast() + } } +impl Wrapper for Opaque { + /// Create an opaque pin-initializer from the given pin-initializer. + fn pin_init(slot: impl PinInit) -> impl PinInit { + Self::try_ffi_init(|ptr: *mut T| { + // SAFETY: + // - `ptr` is a valid pointer to uninitialized memory, + // - `slot` is not accessed on error, + // - `slot` is pinned in memory. + unsafe { PinInit::::__pinned_init(slot, ptr) } + }) + } +} + - /// Types that are _always_ reference counted. - /// - /// It allows such types to define their own custom ref increment and decrement functions. - /// Additionally, it allows users to convert from a shared reference `&T` to an owned reference - /// [`ARef`]. - /// - /// This is usually implemented by wrappers to existing structures on the C side of the code. For - /// Rust code, the recommendation is to use [`Arc`](crate::sync::Arc) to create reference-counted - /// instances of a type. - /// - /// # Safety - /// - /// Implementers must ensure that increments to the reference count keep the object alive in memory - /// at least until matching decrements are performed. - /// - /// Implementers must also ensure that all instances are reference-counted. (Otherwise they - /// won't be able to honour the requirement that [`AlwaysRefCounted::inc_ref`] keep the object - /// alive.) - pub unsafe trait AlwaysRefCounted { - /// Increments the reference count on the object. - fn inc_ref(&self); - - /// Decrements the reference count on the object. - /// - /// Frees the object when the count reaches zero. - /// - /// # Safety - /// - /// Callers must ensure that there was a previous matching increment to the reference count, - /// and that the object is no longer used after its reference count is decremented (as it may - /// result in the object being freed), unless the caller owns another increment on the refcount - /// (e.g., it calls [`AlwaysRefCounted::inc_ref`] twice, then calls - /// [`AlwaysRefCounted::dec_ref`] once). - unsafe fn dec_ref(obj: NonNull); - } - - /// An owned reference to an always-reference-counted object. - /// - /// The object's reference count is automatically decremented when an instance of [`ARef`] is - /// dropped. It is also automatically incremented when a new instance is created via - /// [`ARef::clone`]. - /// - /// # Invariants - /// - /// The pointer stored in `ptr` is non-null and valid for the lifetime of the [`ARef`] instance. In - /// particular, the [`ARef`] instance owns an increment on the underlying object's reference count. - pub struct ARef { - ptr: NonNull, - _p: PhantomData, - } - - // SAFETY: It is safe to send `ARef` to another thread when the underlying `T` is `Sync` because - // it effectively means sharing `&T` (which is safe because `T` is `Sync`); additionally, it needs - // `T` to be `Send` because any thread that has an `ARef` may ultimately access `T` using a - // mutable reference, for example, when the reference count reaches zero and `T` is dropped. - unsafe impl Send for ARef {} - - // SAFETY: It is safe to send `&ARef` to another thread when the underlying `T` is `Sync` - // because it effectively means sharing `&T` (which is safe because `T` is `Sync`); additionally, - // it needs `T` to be `Send` because any thread that has a `&ARef` may clone it and get an - // `ARef` on that thread, so the thread may ultimately access `T` using a mutable reference, for - // example, when the reference count reaches zero and `T` is dropped. - unsafe impl Sync for ARef {} - - impl ARef { - /// Creates a new instance of [`ARef`]. - /// - /// It takes over an increment of the reference count on the underlying object. - /// - /// # Safety - /// - /// Callers must ensure that the reference count was incremented at least once, and that they - /// are properly relinquishing one increment. That is, if there is only one increment, callers - /// must not use the underlying object anymore -- it is only safe to do so via the newly - /// created [`ARef`]. - pub unsafe fn from_raw(ptr: NonNull) -> Self { - // INVARIANT: The safety requirements guarantee that the new instance now owns the - // increment on the refcount. - Self { - ptr, - _p: PhantomData, - } - } - - /// Consumes the `ARef`, returning a raw pointer. - /// - /// This function does not change the refcount. After calling this function, the caller is - /// responsible for the refcount previously managed by the `ARef`. - /// - /// # Examples - /// - /// ``` - /// use core::ptr::NonNull; - /// use kernel::types::{ARef, AlwaysRefCounted}; - /// - /// struct Empty {} - /// - /// # // SAFETY: TODO. - /// unsafe impl AlwaysRefCounted for Empty { - /// fn inc_ref(&self) {} - /// unsafe fn dec_ref(_obj: NonNull) {} - /// } - /// - /// let mut data = Empty {}; - /// let ptr = NonNull::::new(&mut data).unwrap(); - /// # // SAFETY: TODO. - /// let data_ref: ARef = unsafe { ARef::from_raw(ptr) }; - /// let raw_ptr: NonNull = ARef::into_raw(data_ref); - /// - /// assert_eq!(ptr, raw_ptr); - /// ``` - pub fn into_raw(me: Self) -> NonNull { - ManuallyDrop::new(me).ptr - } - } - - impl Clone for ARef { - fn clone(&self) -> Self { - self.inc_ref(); - // SAFETY: We just incremented the refcount above. - unsafe { Self::from_raw(self.ptr) } - } - } - - impl Deref for ARef { - type Target = T; - - fn deref(&self) -> &Self::Target { - // SAFETY: The type invariants guarantee that the object is valid. - unsafe { self.ptr.as_ref() } - } - } - - impl From<&T> for ARef { - fn from(b: &T) -> Self { - b.inc_ref(); - // SAFETY: We just incremented the refcount above. - unsafe { Self::from_raw(NonNull::from(b)) } - } - } - - impl Drop for ARef { - fn drop(&mut self) { - // SAFETY: The type invariants guarantee that the `ARef` owns the reference we're about to - // decrement. - unsafe { T::dec_ref(self.ptr) }; - } - } - - /// A sum type that always holds either a value of type `L` or `R`. - /// - /// # Examples - /// - /// ``` - /// use kernel::types::Either; - /// - /// let left_value: Either = Either::Left(7); - /// let right_value: Either = Either::Right("right value"); - /// ``` - pub enum Either { - /// Constructs an instance of [`Either`] containing a value of type `L`. - Left(L), - - /// Constructs an instance of [`Either`] containing a value of type `R`. - Right(R), - } - /// Zero-sized type to mark types not [`Send`]. /// /// Add this type as a field to your struct if your type should not be sent to a different task. diff --cc scripts/Makefile.build index ba71b27aa3634,79c40af6f3992..d0ee33a487be9 --- a/scripts/Makefile.build +++ b/scripts/Makefile.build @@@ -309,14 -309,14 +309,15 @@@ $(obj)/%.lst: $(obj)/%.c FORC # The features in this list are the ones allowed for non-`rust/` code. # # - Stable since Rust 1.81.0: `feature(lint_reasons)`. - # - Stable since Rust 1.82.0: `feature(asm_const)`, `feature(raw_ref_op)`. + # - Stable since Rust 1.82.0: `feature(asm_const)`, + # `feature(offset_of_nested)`, `feature(raw_ref_op)`. # - Stable since Rust 1.87.0: `feature(asm_goto)`. # - Expected to become stable: `feature(arbitrary_self_types)`. +# - To be determined: `feature(used_with_arg)`. # # Please see https://github.com/Rust-for-Linux/linux/issues/2 for details on # the unstable features in use. - rust_allowed_features := asm_const,asm_goto,arbitrary_self_types,lint_reasons,raw_ref_op,used_with_arg -rust_allowed_features := asm_const,asm_goto,arbitrary_self_types,lint_reasons,offset_of_nested,raw_ref_op ++rust_allowed_features := asm_const,asm_goto,arbitrary_self_types,lint_reasons,offset_of_nested,raw_ref_op,used_with_arg # `--out-dir` is required to avoid temporaries being created by `rustc` in the # current working directory, which may be not accessible in the out-of-tree