There is no `mod flags` in this case, unlike others. Instead, they are
associated constants for the `Flags` type.
Thus reword the sentence to fix the broken intra-doc link, providing
an example of constant and linking to it to clarify which ones we are
referring to.
Fixes: 493fc33ec2 ("rust: io: add resource abstraction")
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Link: https://lore.kernel.org/r/20250722085500.1360401-1-ojeda@kernel.org
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
When introduced, the IoRequest doc-tests did depend on infrastructure
added in subsequent patches, hence they temporarily had to be disabled.
Now that we have the corresponding platform device infrastructure,
enable them.
Link: https://lore.kernel.org/r/DBG39YMN2TX6.1VR4PEQSI8PSG@kernel.org
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
The previous patches have added the abstractions for Resources and the
ability to map them and therefore read and write the underlying memory .
The only thing missing to make this accessible for platform devices is
to provide accessors that return instances of IoRequest<'a>. These
ensure that the resource are valid only for the lifetime of the platform
device, and that the platform device is in the Bound state.
Therefore, add these accessors. Also make it possible to retrieve
resources from platform devices in Rust using either a name or an index.
Acked-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Daniel Almeida <daniel.almeida@collabora.com>
Link: https://lore.kernel.org/r/20250717-topics-tyr-platform_iomem-v15-3-beca780b77e3@collabora.com
[ Remove #[expect(dead_code)] from IoRequest::new() and move SAFETY
comments right on top of unsafe blocks to avoid clippy warnings for
some (older) clippy versions. - Danilo ]
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Add a generic iomem abstraction to safely read and write ioremapped
regions. This abstraction requires a previously acquired IoRequest
instance. This makes it so that both the resource and the device match,
or, in other words, that the resource is indeed a valid resource for a
given bound device.
A subsequent patch will add the ability to retrieve IoRequest instances
from platform devices.
The reads and writes are done through IoRaw, and are thus checked either
at compile-time, if the size of the region is known at that point, or at
runtime otherwise.
Non-exclusive access to the underlying memory region is made possible to
cater to cases where overlapped regions are unavoidable.
Acked-by: Miguel Ojeda <ojeda@kernel.org>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Signed-off-by: Daniel Almeida <daniel.almeida@collabora.com>
Link: https://lore.kernel.org/r/20250717-topics-tyr-platform_iomem-v15-2-beca780b77e3@collabora.com
[ Add #[expect(dead_code)] to avoid a temporary warning, remove
unnecessary OF_ID_TABLE constants in doc-tests and ignore doc-tests
for now to avoid a temporary build failure. - Danilo ]
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Introduce a new trait `RawDeviceIdIndex`, which extends `RawDeviceId`
to provide support for device ID types that include an index or
context field (e.g., `driver_data`). This separates the concerns of
layout compatibility and index-based data embedding, and allows
`RawDeviceId` to be implemented for types that do not contain a
`driver_data` field. Several such structures are defined in
include/linux/mod_devicetable.h.
Refactor `IdArray::new()` into a generic `build()` function, which
takes an optional offset. Based on the presence of `RawDeviceIdIndex`,
index writing is conditionally enabled. A new `new_without_index()`
constructor is also provided for use cases where no index should be
written.
This refactoring is a preparation for enabling the PHY abstractions to
use the RawDeviceId trait.
The changes to acpi.rs and driver.rs were made by Danilo.
Reviewed-by: Trevor Gross <tmgross@umich.edu>
Signed-off-by: FUJITA Tomonori <fujita.tomonori@gmail.com>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://lore.kernel.org/r/20250711040947.1252162-2-fujita.tomonori@gmail.com
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Provide an unsafe functions for abstractions to convert a regular
&Device to a &Device<Bound>.
This is useful for registrations that provide certain guarantees for the
scope of their callbacks, such as IRQs or certain class device
registrations (e.g. PWM, miscdevice).
Reviewed-by: Benno Lossin <lossin@kernel.org>
Link: https://lore.kernel.org/r/20250713182737.64448-2-dakr@kernel.org
[ Remove unnecessary cast(). - Danilo ]
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Currently, there's really only one core callback for drivers, which is
probe().
Now, this isn't entirely true, since there is also the drop() callback of
the driver type (serving as the driver's private data), which is returned
by probe() and is dropped in remove().
On the C side remove() mainly serves two purposes:
(1) Tear down the device that is operated by the driver, e.g. call bus
specific functions, write I/O memory to reset the device, etc.
(2) Free the resources that have been allocated by a driver for a
specific device.
The drop() callback mentioned above is intended to cover (2) as the Rust
idiomatic way.
However, it is partially insufficient and inefficient to cover (1)
properly, since drop() can't be called with additional arguments, such as
the reference to the corresponding device that has the correct device
context, i.e. the Core device context.
This makes it inefficient (but not impossible) to access device
resources, e.g. to write device registers, and impossible to call device
methods, which are only accessible under the Core device context.
In order to solve this, add an additional callback for (1), which we
call unbind().
The reason for calling it unbind() is that, unlike remove(), it is *only*
meant to be used to perform teardown operations on the device (1), but
*not* to release resources (2).
Link: https://lore.kernel.org/r/20250621195118.124245-8-dakr@kernel.org
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Currently, there's really only one core callback for drivers, which is
probe().
Now, this isn't entirely true, since there is also the drop() callback of
the driver type (serving as the driver's private data), which is returned
by probe() and is dropped in remove().
On the C side remove() mainly serves two purposes:
(1) Tear down the device that is operated by the driver, e.g. call bus
specific functions, write I/O memory to reset the device, etc.
(2) Free the resources that have been allocated by a driver for a
specific device.
The drop() callback mentioned above is intended to cover (2) as the Rust
idiomatic way.
However, it is partially insufficient and inefficient to cover (1)
properly, since drop() can't be called with additional arguments, such as
the reference to the corresponding device that has the correct device
context, i.e. the Core device context.
This makes it inefficient (but not impossible) to access device
resources, e.g. to write device registers, and impossible to call device
methods, which are only accessible under the Core device context.
In order to solve this, add an additional callback for (1), which we
call unbind().
The reason for calling it unbind() is that, unlike remove(), it is *only*
meant to be used to perform teardown operations on the device (1), but
*not* to release resources (2).
Link: https://lore.kernel.org/r/20250621195118.124245-7-dakr@kernel.org
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Implement generic accessors for the private data of a driver bound to a
device.
Those accessors should be used by bus abstractions from their
corresponding core callbacks, such as probe(), remove(), etc.
Implementing them for device::CoreInternal guarantees that driver's can't
interfere with the logic implemented by the bus abstraction.
Acked-by: Benno Lossin <lossin@kernel.org>
Link: https://lore.kernel.org/r/20250621195118.124245-3-dakr@kernel.org
[ Improve safety comment as proposed by Benno. - Danilo ]
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Introduce an internal device context, which is semantically equivalent
to the Core device context, but reserved for bus abstractions.
This allows implementing methods for the Device type, which are limited
to be used within the core context of bus abstractions, i.e. restrict
the availability for drivers.
Link: https://lore.kernel.org/r/20250621195118.124245-2-dakr@kernel.org
[ Rename device::Internal to device::CoreInternal. - Danilo ]
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
A future Clippy warning, `clippy::as_underscore`, is getting enabled in
parallel in the rust-next tree:
error: using `as _` conversion
--> rust/kernel/acpi.rs:25:9
|
25 | self.0.driver_data as _
| ^^^^^^^^^^^^^^^^^^^^^^-
| |
| help: consider giving the type explicitly: `usize`
The type is already `ulong`, which nowadays is always `usize`, so the
cast is unneeded. Thus remove it, which in turn will avoid the warning
in the future.
Other abstractions of device tables do not use a cast here either.
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Reviewed-by: Trevor Gross <tmgross@umich.edu>
Link: https://lore.kernel.org/r/20250701174656.62205-1-ojeda@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
So far Devres uses an inner memory allocation and reference count, i.e.
an inner Arc, in order to ensure that the devres callback can't run into
a use-after-free in case where the Devres object is dropped while the
devres callback runs concurrently.
Instead, use a completion in order to avoid a potential UAF: In
Devres::drop(), if we detect that we can't remove the devres action
anymore, we wait for the completion that is completed from the devres
callback. If, in turn, we were able to successfully remove the devres
action, we can just go ahead.
This, again, allows us to get rid of the internal Arc, and instead let
Devres consume an `impl PinInit<T, E>` in order to return an
`impl PinInit<Devres<T>, E>`, which enables us to get away with less
memory allocations.
Additionally, having the resulting explicit synchronization in
Devres::drop() prevents potential subtle undesired side effects of the
devres callback dropping the final Arc reference asynchronously within
the devres callback.
Reviewed-by: Benno Lossin <lossin@kernel.org>
Reviewed-by: Boqun Feng <boqun.feng@gmail.com>
Link: https://lore.kernel.org/r/20250626200054.243480-4-dakr@kernel.org
[ Move '# Invariants' below '# Examples'. - Danilo ]
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Replace Devres::new_foreign_owned() with devres::register().
The current implementation of Devres::new_foreign_owned() creates a full
Devres container instance, including the internal Revocable and
completion.
However, none of that is necessary for the intended use of giving full
ownership of an object to devres and getting it dropped once the given
device is unbound.
Hence, implement devres::register(), which is limited to consume the
given data, wrap it in a KBox and drop the KBox once the given device is
unbound, without any other synchronization.
Cc: Dave Airlie <airlied@redhat.com>
Cc: Simona Vetter <simona.vetter@ffwll.ch>
Cc: Viresh Kumar <viresh.kumar@linaro.org>
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Reviewed-by: Benno Lossin <lossin@kernel.org>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Link: https://lore.kernel.org/r/20250626200054.243480-3-dakr@kernel.org
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Currently, Revocable::new() only supports infallible PinInit
implementations, i.e. impl PinInit<T, Infallible>.
This has been sufficient so far, since users such as Devres do not
support fallibility.
Since this is about to change, make Revocable::new() generic over the
error type E.
Reviewed-by: Benno Lossin <lossin@kernel.org>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Miguel Ojeda <ojeda@kernel.org>
Link: https://lore.kernel.org/r/20250626200054.243480-2-dakr@kernel.org
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
pin-init blanket implementation changes for v6.17
Remove the error from the blanket implementations for `[Pin]Init` and
add implementations for `Result`.
(Subsequent Devres improvements depend on those pin-init features.)
Extend the `platform::Driver` trait to support ACPI device matching by
adding the `ACPI_ID_TABLE` constant.
This allows Rust platform drivers to define ACPI match tables alongside
their existing OF match tables. These changes mirror the existing OF
support and allow Rust platform drivers to match devices based on ACPI
identifiers.
Signed-off-by: Igor Korotin <igor.korotin.linux@gmail.com>
Link: https://lore.kernel.org/r/20250620154334.298320-1-igor.korotin.linux@gmail.com
[ Use 'LNUXBEEF' as ACPI ID. - Danilo ]
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Provide a default value of `None` for `Driver::OF_ID_TABLE` to simplify
driver implementations.
Drivers that do not require OpenFirmware matching no longer need to
import the `of` module or define the constant explicitly.
This reduces unnecessary boilerplate and avoids pulling in unused
dependencies.
Signed-off-by: Igor Korotin <igor.korotin.linux@gmail.com>
Link: https://lore.kernel.org/r/20250620154124.297158-1-igor.korotin.linux@gmail.com
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Extend the `Adapter` trait to support ACPI device identification.
This mirrors the existing Open Firmware (OF) support (`of_id_table`) and
enables Rust drivers to match and retrieve ACPI-specific device data
when `CONFIG_ACPI` is enabled.
To avoid breaking compilation, a stub implementation of `acpi_id_table()`
is added to the Platform adapter; the full implementation will be provided
in a subsequent patch.
Signed-off-by: Igor Korotin <igor.korotin.linux@gmail.com>
Link: https://lore.kernel.org/r/20250620153914.295679-1-igor.korotin.linux@gmail.com
[ Fix clippy warning if #[cfg(not(CONFIG_OF))]; fix checkpatch.pl line
length warnings. - Danilo ]
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Refactor the `of_id_info` methods in the `Adapter` trait to reduce
duplication. Previously, the method had two versions selected
via `#[cfg(...)]` and `#[cfg(not(...))]`. This change merges them into a
single method by using `#[cfg]` blocks within the method body.
Suggested-by: Benno Lossin <lossin@kernel.org>
Signed-off-by: Igor Korotin <igor.korotin.linux@gmail.com>
Link: https://lore.kernel.org/r/20250620153656.294468-1-igor.korotin.linux@gmail.com
[ Fix clippy warning if #[cfg(not(CONFIG_OF))]; fix checkpatch.pl line
length warnings. - Danilo ]
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Allow Rust code to read reference args from device properties. The
wrapper type `FwNodeReferenceArgs` allows callers to access the buffer
of read args safely.
Signed-off-by: Remo Senekowitsch <remo@buenzli.dev>
Link: https://lore.kernel.org/r/20250616154511.1862909-3-remo@buenzli.dev
[ Move up NArgs; refer to FwNodeReferenceArgs in NArgs doc-comment.
- Danilo ]
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Allow Rust drivers to access children of a fwnode either by name or by
iterating over all of them.
In C, there is the function `fwnode_get_next_child_node` for iteration
and the macro `fwnode_for_each_child_node` that helps with handling the
pointers. Instead of a macro, a native iterator is used in Rust such
that regular for-loops can be used.
Tested-by: Dirk Behme <dirk.behme@de.bosch.com>
Signed-off-by: Remo Senekowitsch <remo@buenzli.dev>
Link: https://lore.kernel.org/r/20250616154511.1862909-2-remo@buenzli.dev
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
We need the driver-core fixes that are in 6.16-rc3 into here as well
to build on top of.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Pull driver core fixes from Danilo Krummrich:
- Fix a race condition in Devres::drop(). This depends on two other
patches:
- (Minimal) Rust abstractions for struct completion
- Let Revocable indicate whether its data is already being revoked
- Fix Devres to avoid exposing the internal Revocable
- Add .mailmap entry for Danilo Krummrich
- Add Madhavan Srinivasan to embargoed-hardware-issues.rst
* tag 'driver-core-6.16-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/driver-core/driver-core:
Documentation: embargoed-hardware-issues.rst: Add myself for Power
mailmap: add entry for Danilo Krummrich
rust: devres: do not dereference to the internal Revocable
rust: devres: fix race in Devres::drop()
rust: revocable: indicate whether `data` has been revoked already
rust: completion: implement initial abstraction
Pull Rust fix from Miguel Ojeda:
- 'hrtimer': fix future compile error when the 'impl_has_hr_timer!'
macro starts to get called
* tag 'rust-fixes-6.16' of git://git.kernel.org/pub/scm/linux/kernel/git/ojeda/linux:
rust: time: Fix compile error in impl_has_hr_timer macro
We can't expose direct access to the internal Revocable, since this
allows users to directly revoke the internal Revocable without Devres
having the chance to synchronize with the devres callback -- we have to
guarantee that the internal Revocable has been fully revoked before
the device is fully unbound.
Hence, remove the corresponding Deref implementation and, instead,
provide indirect accessors for the internal Revocable.
Note that we can still support Devres::revoke() by implementing the
required synchronization (which would be almost identical to the
synchronization in Devres::drop()).
Fixes: 76c01ded72 ("rust: add devres abstraction")
Reviewed-by: Benno Lossin <lossin@kernel.org>
Link: https://lore.kernel.org/r/20250611174827.380555-1-dakr@kernel.org
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
In Devres::drop() we first remove the devres action and then drop the
wrapped device resource.
The design goal is to give the owner of a Devres object control over when
the device resource is dropped, but limit the overall scope to the
corresponding device being bound to a driver.
However, there's a race that was introduced with commit 8ff656643d
("rust: devres: remove action in `Devres::drop`"), but also has been
(partially) present from the initial version on.
In Devres::drop(), the devres action is removed successfully and
subsequently the destructor of the wrapped device resource runs.
However, there is no guarantee that the destructor of the wrapped device
resource completes before the driver core is done unbinding the
corresponding device.
If in Devres::drop(), the devres action can't be removed, it means that
the devres callback has been executed already, or is still running
concurrently. In case of the latter, either Devres::drop() wins revoking
the Revocable or the devres callback wins revoking the Revocable. If
Devres::drop() wins, we (again) have no guarantee that the destructor of
the wrapped device resource completes before the driver core is done
unbinding the corresponding device.
CPU0 CPU1
------------------------------------------------------------------------
Devres::drop() { Devres::devres_callback() {
self.data.revoke() { this.data.revoke() {
is_available.swap() == true
is_available.swap == false
}
}
// [...]
// device fully unbound
drop_in_place() {
// release device resource
}
}
}
Depending on the specific device resource, this can potentially lead to
user-after-free bugs.
In order to fix this, implement the following logic.
In the devres callback, we're always good when we get to revoke the
device resource ourselves, i.e. Revocable::revoke() returns true.
If Revocable::revoke() returns false, it means that Devres::drop(),
concurrently, already drops the device resource and we have to wait for
Devres::drop() to signal that it finished dropping the device resource.
Note that if we hit the case where we need to wait for the completion of
Devres::drop() in the devres callback, it means that we're actually
racing with a concurrent Devres::drop() call, which already started
revoking the device resource for us. This is rather unlikely and means
that the concurrent Devres::drop() already started doing our work and we
just need to wait for it to complete it for us. Hence, there should not
be any additional overhead from that.
(Actually, for now it's even better if Devres::drop() does the work for
us, since it can bypass the synchronize_rcu() call implied by
Revocable::revoke(), but this goes away anyways once I get to implement
the split devres callback approach, which allows us to first flip the
atomics of all registered Devres objects of a certain device, execute a
single synchronize_rcu() and then drop all revocable objects.)
In Devres::drop() we try to revoke the device resource. If that is *not*
successful, it means that the devres callback already did and we're good.
Otherwise, we try to remove the devres action, which, if successful,
means that we're good, since the device resource has just been revoked
by us *before* we removed the devres action successfully.
If the devres action could not be removed, it means that the devres
callback must be running concurrently, hence we signal that the device
resource has been revoked by us, using the completion.
This makes it safe to drop a Devres object from any task and at any point
of time, which is one of the design goals.
Fixes: 76c01ded72 ("rust: add devres abstraction")
Reported-by: Alice Ryhl <aliceryhl@google.com>
Closes: https://lore.kernel.org/lkml/aD64YNuqbPPZHAa5@google.com/
Reviewed-by: Benno Lossin <lossin@kernel.org>
Link: https://lore.kernel.org/r/20250612121817.1621-4-dakr@kernel.org
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
