Linux/rust/kernel/list/impl_list_item

Version: ~ [ linux-6.12-rc7 ] ~ [ linux-6.11.7 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.60 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.116 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.171 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.229 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.285 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.323 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.12 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

1 // SPDX-License-Identifier: GPL-2.0 2 3 // Copyright (C) 2024 Google LLC. 4 5 //! Helpers for implementing list traits safely. 6 7 use crate::list::ListLinks; 8 9 /// Declares that this type has a `ListLinks<ID>` field at a fixed offset. 10 /// 11 /// This trait is only used to help implement `ListItem` safely. If `ListItem` is implemented 12 /// manually, then this trait is not needed. Use the [`impl_has_list_links!`] macro to implement 13 /// this trait. 14 /// 15 /// # Safety 16 /// 17 /// All values of this type must have a `ListLinks<ID>` field at the given offset. 18 /// 19 /// The behavior of `raw_get_list_links` must not be changed. 20 pub unsafe trait HasListLinks<const ID: u64 = 0> { 21 /// The offset of the `ListLinks` field. 22 const OFFSET: usize; 23 24 /// Returns a pointer to the [`ListLinks<T, ID>`] field. 25 /// 26 /// # Safety 27 /// 28 /// The provided pointer must point at a valid struct of type `Self`. 29 /// 30 /// [`ListLinks<T, ID>`]: ListLinks 31 // We don't really need this method, but it's necessary for the implementation of 32 // `impl_has_list_links!` to be correct. 33 #[inline] 34 unsafe fn raw_get_list_links(ptr: *mut Self) -> *mut ListLinks<ID> { 35 // SAFETY: The caller promises that the pointer is valid. The implementer promises that the 36 // `OFFSET` constant is correct. 37 unsafe { (ptr as *mut u8).add(Self::OFFSET) as *mut ListLinks<ID> } 38 } 39 } 40 41 /// Implements the [`HasListLinks`] trait for the given type. 42 #[macro_export] 43 macro_rules! impl_has_list_links { 44 ($(impl$(<$($implarg:ident),*>)? 45 HasListLinks$(<$id:tt>)? 46 for $self:ident $(<$($selfarg:ty),*>)? 47 { self$(.$field:ident)* } 48 )*) => {$( 49 // SAFETY: The implementation of `raw_get_list_links` only compiles if the field has the 50 // right type. 51 // 52 // The behavior of `raw_get_list_links` is not changed since the `addr_of_mut!` macro is 53 // equivalent to the pointer offset operation in the trait definition. 54 unsafe impl$(<$($implarg),*>)? $crate::list::HasListLinks$(<$id>)? for 55 $self $(<$($selfarg),*>)? 56 { 57 const OFFSET: usize = ::core::mem::offset_of!(Self, $($field).*) as usize; 58 59 #[inline] 60 unsafe fn raw_get_list_links(ptr: *mut Self) -> *mut $crate::list::ListLinks$(<$id>)? { 61 // SAFETY: The caller promises that the pointer is not dangling. We know that this 62 // expression doesn't follow any pointers, as the `offset_of!` invocation above 63 // would otherwise not compile. 64 unsafe { ::core::ptr::addr_of_mut!((*ptr)$(.$field)*) } 65 } 66 } 67 )*}; 68 } 69 pub use impl_has_list_links; 70 71 /// Declares that the `ListLinks<ID>` field in this struct is inside a `ListLinksSelfPtr<T, ID>`. 72 /// 73 /// # Safety 74 /// 75 /// The `ListLinks<ID>` field of this struct at the offset `HasListLinks<ID>::OFFSET` must be 76 /// inside a `ListLinksSelfPtr<T, ID>`. 77 pub unsafe trait HasSelfPtr<T: ?Sized, const ID: u64 = 0> 78 where 79 Self: HasListLinks<ID>, 80 { 81 } 82 83 /// Implements the [`HasListLinks`] and [`HasSelfPtr`] traits for the given type. 84 #[macro_export] 85 macro_rules! impl_has_list_links_self_ptr { 86 ($(impl$({$($implarg:tt)*})? 87 HasSelfPtr<$item_type:ty $(, $id:tt)?> 88 for $self:ident $(<$($selfarg:ty),*>)? 89 { self.$field:ident } 90 )*) => {$( 91 // SAFETY: The implementation of `raw_get_list_links` only compiles if the field has the 92 // right type. 93 unsafe impl$(<$($implarg)*>)? $crate::list::HasSelfPtr<$item_type $(, $id)?> for 94 $self $(<$($selfarg),*>)? 95 {} 96 97 unsafe impl$(<$($implarg)*>)? $crate::list::HasListLinks$(<$id>)? for 98 $self $(<$($selfarg),*>)? 99 { 100 const OFFSET: usize = ::core::mem::offset_of!(Self, $field) as usize; 101 102 #[inline] 103 unsafe fn raw_get_list_links(ptr: *mut Self) -> *mut $crate::list::ListLinks$(<$id>)? { 104 // SAFETY: The caller promises that the pointer is not dangling. 105 let ptr: *mut $crate::list::ListLinksSelfPtr<$item_type $(, $id)?> = 106 unsafe { ::core::ptr::addr_of_mut!((*ptr).$field) }; 107 ptr.cast() 108 } 109 } 110 )*}; 111 } 112 pub use impl_has_list_links_self_ptr; 113 114 /// Implements the [`ListItem`] trait for the given type. 115 /// 116 /// Requires that the type implements [`HasListLinks`]. Use the [`impl_has_list_links!`] macro to 117 /// implement that trait. 118 /// 119 /// [`ListItem`]: crate::list::ListItem 120 #[macro_export] 121 macro_rules! impl_list_item { 122 ( 123 $(impl$({$($generics:tt)*})? ListItem<$num:tt> for $t:ty { 124 using ListLinks; 125 })* 126 ) => {$( 127 // SAFETY: See GUARANTEES comment on each method. 128 unsafe impl$(<$($generics)*>)? $crate::list::ListItem<$num> for $t { 129 // GUARANTEES: 130 // * This returns the same pointer as `prepare_to_insert` because `prepare_to_insert` 131 // is implemented in terms of `view_links`. 132 // * By the type invariants of `ListLinks`, the `ListLinks` has two null pointers when 133 // this value is not in a list. 134 unsafe fn view_links(me: *const Self) -> *mut $crate::list::ListLinks<$num> { 135 // SAFETY: The caller guarantees that `me` points at a valid value of type `Self`. 136 unsafe { 137 <Self as $crate::list::HasListLinks<$num>>::raw_get_list_links(me.cast_mut()) 138 } 139 } 140 141 // GUARANTEES: 142 // * `me` originates from the most recent call to `prepare_to_insert`, which just added 143 // `offset` to the pointer passed to `prepare_to_insert`. This method subtracts 144 // `offset` from `me` so it returns the pointer originally passed to 145 // `prepare_to_insert`. 146 // * The pointer remains valid until the next call to `post_remove` because the caller 147 // of the most recent call to `prepare_to_insert` promised to retain ownership of the 148 // `ListArc` containing `Self` until the next call to `post_remove`. The value cannot 149 // be destroyed while a `ListArc` reference exists. 150 unsafe fn view_value(me: *mut $crate::list::ListLinks<$num>) -> *const Self { 151 let offset = <Self as $crate::list::HasListLinks<$num>>::OFFSET; 152 // SAFETY: `me` originates from the most recent call to `prepare_to_insert`, so it 153 // points at the field at offset `offset` in a value of type `Self`. Thus, 154 // subtracting `offset` from `me` is still in-bounds of the allocation. 155 unsafe { (me as *const u8).sub(offset) as *const Self } 156 } 157 158 // GUARANTEES: 159 // This implementation of `ListItem` will not give out exclusive access to the same 160 // `ListLinks` several times because calls to `prepare_to_insert` and `post_remove` 161 // must alternate and exclusive access is given up when `post_remove` is called. 162 // 163 // Other invocations of `impl_list_item!` also cannot give out exclusive access to the 164 // same `ListLinks` because you can only implement `ListItem` once for each value of 165 // `ID`, and the `ListLinks` fields only work with the specified `ID`. 166 unsafe fn prepare_to_insert(me: *const Self) -> *mut $crate::list::ListLinks<$num> { 167 // SAFETY: The caller promises that `me` points at a valid value. 168 unsafe { <Self as $crate::list::ListItem<$num>>::view_links(me) } 169 } 170 171 // GUARANTEES: 172 // * `me` originates from the most recent call to `prepare_to_insert`, which just added 173 // `offset` to the pointer passed to `prepare_to_insert`. This method subtracts 174 // `offset` from `me` so it returns the pointer originally passed to 175 // `prepare_to_insert`. 176 unsafe fn post_remove(me: *mut $crate::list::ListLinks<$num>) -> *const Self { 177 let offset = <Self as $crate::list::HasListLinks<$num>>::OFFSET; 178 // SAFETY: `me` originates from the most recent call to `prepare_to_insert`, so it 179 // points at the field at offset `offset` in a value of type `Self`. Thus, 180 // subtracting `offset` from `me` is still in-bounds of the allocation. 181 unsafe { (me as *const u8).sub(offset) as *const Self } 182 } 183 } 184 )*}; 185 186 ( 187 $(impl$({$($generics:tt)*})? ListItem<$num:tt> for $t:ty { 188 using ListLinksSelfPtr; 189 })* 190 ) => {$( 191 // SAFETY: See GUARANTEES comment on each method. 192 unsafe impl$(<$($generics)*>)? $crate::list::ListItem<$num> for $t { 193 // GUARANTEES: 194 // This implementation of `ListItem` will not give out exclusive access to the same 195 // `ListLinks` several times because calls to `prepare_to_insert` and `post_remove` 196 // must alternate and exclusive access is given up when `post_remove` is called. 197 // 198 // Other invocations of `impl_list_item!` also cannot give out exclusive access to the 199 // same `ListLinks` because you can only implement `ListItem` once for each value of 200 // `ID`, and the `ListLinks` fields only work with the specified `ID`. 201 unsafe fn prepare_to_insert(me: *const Self) -> *mut $crate::list::ListLinks<$num> { 202 // SAFETY: The caller promises that `me` points at a valid value of type `Self`. 203 let links_field = unsafe { <Self as $crate::list::ListItem<$num>>::view_links(me) }; 204 205 let spoff = $crate::list::ListLinksSelfPtr::<Self, $num>::LIST_LINKS_SELF_PTR_OFFSET; 206 // Goes via the offset as the field is private. 207 // 208 // SAFETY: The constant is equal to `offset_of!(ListLinksSelfPtr, self_ptr)`, so 209 // the pointer stays in bounds of the allocation. 210 let self_ptr = unsafe { (links_field as *const u8).add(spoff) } 211 as *const $crate::types::Opaque<*const Self>; 212 let cell_inner = $crate::types::Opaque::raw_get(self_ptr); 213 214 // SAFETY: This value is not accessed in any other places than `prepare_to_insert`, 215 // `post_remove`, or `view_value`. By the safety requirements of those methods, 216 // none of these three methods may be called in parallel with this call to 217 // `prepare_to_insert`, so this write will not race with any other access to the 218 // value. 219 unsafe { ::core::ptr::write(cell_inner, me) }; 220 221 links_field 222 } 223 224 // GUARANTEES: 225 // * This returns the same pointer as `prepare_to_insert` because `prepare_to_insert` 226 // returns the return value of `view_links`. 227 // * By the type invariants of `ListLinks`, the `ListLinks` has two null pointers when 228 // this value is not in a list. 229 unsafe fn view_links(me: *const Self) -> *mut $crate::list::ListLinks<$num> { 230 // SAFETY: The caller promises that `me` points at a valid value of type `Self`. 231 unsafe { <Self as HasListLinks<$num>>::raw_get_list_links(me.cast_mut()) } 232 } 233 234 // This function is also used as the implementation of `post_remove`, so the caller 235 // may choose to satisfy the safety requirements of `post_remove` instead of the safety 236 // requirements for `view_value`. 237 // 238 // GUARANTEES: (always) 239 // * This returns the same pointer as the one passed to the most recent call to 240 // `prepare_to_insert` since that call wrote that pointer to this location. The value 241 // is only modified in `prepare_to_insert`, so it has not been modified since the 242 // most recent call. 243 // 244 // GUARANTEES: (only when using the `view_value` safety requirements) 245 // * The pointer remains valid until the next call to `post_remove` because the caller 246 // of the most recent call to `prepare_to_insert` promised to retain ownership of the 247 // `ListArc` containing `Self` until the next call to `post_remove`. The value cannot 248 // be destroyed while a `ListArc` reference exists. 249 unsafe fn view_value(links_field: *mut $crate::list::ListLinks<$num>) -> *const Self { 250 let spoff = $crate::list::ListLinksSelfPtr::<Self, $num>::LIST_LINKS_SELF_PTR_OFFSET; 251 // SAFETY: The constant is equal to `offset_of!(ListLinksSelfPtr, self_ptr)`, so 252 // the pointer stays in bounds of the allocation. 253 let self_ptr = unsafe { (links_field as *const u8).add(spoff) } 254 as *const ::core::cell::UnsafeCell<*const Self>; 255 let cell_inner = ::core::cell::UnsafeCell::raw_get(self_ptr); 256 // SAFETY: This is not a data race, because the only function that writes to this 257 // value is `prepare_to_insert`, but by the safety requirements the 258 // `prepare_to_insert` method may not be called in parallel with `view_value` or 259 // `post_remove`. 260 unsafe { ::core::ptr::read(cell_inner) } 261 } 262 263 // GUARANTEES: 264 // The first guarantee of `view_value` is exactly what `post_remove` guarantees. 265 unsafe fn post_remove(me: *mut $crate::list::ListLinks<$num>) -> *const Self { 266 // SAFETY: This specific implementation of `view_value` allows the caller to 267 // promise the safety requirements of `post_remove` instead of the safety 268 // requirements for `view_value`. 269 unsafe { <Self as $crate::list::ListItem<$num>>::view_value(me) } 270 } 271 } 272 )*}; 273 } 274 pub use impl_list_item;

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

TOMOYO Linux Cross Reference Linux/rust/kernel/list/impl_list_item_mod.rs

TOMOYO Linux Cross Reference
Linux/rust/kernel/list/impl_list_item_mod.rs