1 // SPDX-License-Identifier: GPL-2.0
2
3 //! Devres abstraction
4 //!
5 //! [`Devres`] represents an abstraction for the kernel devres (device resource management)
6 //! implementation.
7
8 use crate::{
9 alloc::Flags,
10 bindings,
11 device::{Bound, Device},
12 error::{to_result, Error, Result},
13 ffi::c_void,
14 prelude::*,
15 revocable::{Revocable, RevocableGuard},
16 sync::{rcu, Completion},
17 types::{ARef, ForeignOwnable, Opaque, ScopeGuard},
18 };
19
20 use pin_init::Wrapper;
21
22 /// [`Devres`] inner data accessed from [`Devres::callback`].
23 #[pin_data]
24 struct Inner<T: Send> {
25 #[pin]
26 data: Revocable<T>,
27 /// Tracks whether [`Devres::callback`] has been completed.
28 #[pin]
29 devm: Completion,
30 /// Tracks whether revoking [`Self::data`] has been completed.
31 #[pin]
32 revoke: Completion,
33 }
34
35 /// This abstraction is meant to be used by subsystems to containerize [`Device`] bound resources to
36 /// manage their lifetime.
37 ///
38 /// [`Device`] bound resources should be freed when either the resource goes out of scope or the
39 /// [`Device`] is unbound respectively, depending on what happens first. In any case, it is always
40 /// guaranteed that revoking the device resource is completed before the corresponding [`Device`]
41 /// is unbound.
42 ///
43 /// To achieve that [`Devres`] registers a devres callback on creation, which is called once the
44 /// [`Device`] is unbound, revoking access to the encapsulated resource (see also [`Revocable`]).
45 ///
46 /// After the [`Devres`] has been unbound it is not possible to access the encapsulated resource
47 /// anymore.
48 ///
49 /// [`Devres`] users should make sure to simply free the corresponding backing resource in `T`'s
50 /// [`Drop`] implementation.
51 ///
52 /// # Examples
53 ///
54 /// ```no_run
55 /// # use kernel::{bindings, device::{Bound, Device}, devres::Devres, io::{Io, IoRaw}};
56 /// # use core::ops::Deref;
57 ///
58 /// // See also [`pci::Bar`] for a real example.
59 /// struct IoMem<const SIZE: usize>(IoRaw<SIZE>);
60 ///
61 /// impl<const SIZE: usize> IoMem<SIZE> {
62 /// /// # Safety
63 /// ///
64 /// /// [`paddr`, `paddr` + `SIZE`) must be a valid MMIO region that is mappable into the CPUs
65 /// /// virtual address space.
66 /// unsafe fn new(paddr: usize) -> Result<Self>{
67 /// // SAFETY: By the safety requirements of this function [`paddr`, `paddr` + `SIZE`) is
68 /// // valid for `ioremap`.
69 /// let addr = unsafe { bindings::ioremap(paddr as bindings::phys_addr_t, SIZE) };
70 /// if addr.is_null() {
71 /// return Err(ENOMEM);
72 /// }
73 ///
74 /// Ok(IoMem(IoRaw::new(addr as usize, SIZE)?))
75 /// }
76 /// }
77 ///
78 /// impl<const SIZE: usize> Drop for IoMem<SIZE> {
79 /// fn drop(&mut self) {
80 /// // SAFETY: `self.0.addr()` is guaranteed to be properly mapped by `Self::new`.
81 /// unsafe { bindings::iounmap(self.0.addr() as *mut c_void); };
82 /// }
83 /// }
84 ///
85 /// impl<const SIZE: usize> Deref for IoMem<SIZE> {
86 /// type Target = Io<SIZE>;
87 ///
88 /// fn deref(&self) -> &Self::Target {
89 /// // SAFETY: The memory range stored in `self` has been properly mapped in `Self::new`.
90 /// unsafe { Io::from_raw(&self.0) }
91 /// }
92 /// }
93 /// # fn no_run(dev: &Device<Bound>) -> Result<(), Error> {
94 /// // SAFETY: Invalid usage for example purposes.
95 /// let iomem = unsafe { IoMem::<{ core::mem::size_of::<u32>() }>::new(0xBAAAAAAD)? };
96 /// let devres = KBox::pin_init(Devres::new(dev, iomem), GFP_KERNEL)?;
97 ///
98 /// let res = devres.try_access().ok_or(ENXIO)?;
99 /// res.write8(0x42, 0x0);
100 /// # Ok(())
101 /// # }
102 /// ```
103 ///
104 /// # Invariants
105 ///
106 /// [`Self::inner`] is guaranteed to be initialized and is always accessed read-only.
107 #[pin_data(PinnedDrop)]
108 pub struct Devres<T: Send> {
109 dev: ARef<Device>,
110 /// Pointer to [`Self::devres_callback`].
111 ///
112 /// Has to be stored, since Rust does not guarantee to always return the same address for a
113 /// function. However, the C API uses the address as a key.
114 callback: unsafe extern "C" fn(*mut c_void),
115 /// Contains all the fields shared with [`Self::callback`].
116 // TODO: Replace with `UnsafePinned`, once available.
117 //
118 // Subsequently, the `drop_in_place()` in `Devres::drop` and `Devres::new` as well as the
119 // explicit `Send` and `Sync' impls can be removed.
120 #[pin]
121 inner: Opaque<Inner<T>>,
122 _add_action: (),
123 }
124
125 impl<T: Send> Devres<T> {
126 /// Creates a new [`Devres`] instance of the given `data`.
127 ///
128 /// The `data` encapsulated within the returned `Devres` instance' `data` will be
129 /// (revoked)[`Revocable`] once the device is detached.
new<'a, E>( dev: &'a Device<Bound>, data: impl PinInit<T, E> + 'a, ) -> impl PinInit<Self, Error> + 'a where T: 'a, Error: From<E>,130 pub fn new<'a, E>(
131 dev: &'a Device<Bound>,
132 data: impl PinInit<T, E> + 'a,
133 ) -> impl PinInit<Self, Error> + 'a
134 where
135 T: 'a,
136 Error: From<E>,
137 {
138 let callback = Self::devres_callback;
139
140 try_pin_init!(&this in Self {
141 dev: dev.into(),
142 callback,
143 // INVARIANT: `inner` is properly initialized.
144 inner <- Opaque::pin_init(try_pin_init!(Inner {
145 devm <- Completion::new(),
146 revoke <- Completion::new(),
147 data <- Revocable::new(data),
148 })),
149 // TODO: Replace with "initializer code blocks" [1] once available.
150 //
151 // [1] https://github.com/Rust-for-Linux/pin-init/pull/69
152 _add_action: {
153 // SAFETY: `this` is a valid pointer to uninitialized memory.
154 let inner = unsafe { &raw mut (*this.as_ptr()).inner };
155
156 // SAFETY:
157 // - `dev.as_raw()` is a pointer to a valid bound device.
158 // - `inner` is guaranteed to be a valid for the duration of the lifetime of `Self`.
159 // - `devm_add_action()` is guaranteed not to call `callback` until `this` has been
160 // properly initialized, because we require `dev` (i.e. the *bound* device) to
161 // live at least as long as the returned `impl PinInit<Self, Error>`.
162 to_result(unsafe {
163 bindings::devm_add_action(dev.as_raw(), Some(callback), inner.cast())
164 }).inspect_err(|_| {
165 let inner = Opaque::cast_into(inner);
166
167 // SAFETY: `inner` is a valid pointer to an `Inner<T>` and valid for both reads
168 // and writes.
169 unsafe { core::ptr::drop_in_place(inner) };
170 })?;
171 },
172 })
173 }
174
inner(&self) -> &Inner<T>175 fn inner(&self) -> &Inner<T> {
176 // SAFETY: By the type invairants of `Self`, `inner` is properly initialized and always
177 // accessed read-only.
178 unsafe { &*self.inner.get() }
179 }
180
data(&self) -> &Revocable<T>181 fn data(&self) -> &Revocable<T> {
182 &self.inner().data
183 }
184
185 #[allow(clippy::missing_safety_doc)]
devres_callback(ptr: *mut kernel::ffi::c_void)186 unsafe extern "C" fn devres_callback(ptr: *mut kernel::ffi::c_void) {
187 // SAFETY: In `Self::new` we've passed a valid pointer to `Inner` to `devm_add_action()`,
188 // hence `ptr` must be a valid pointer to `Inner`.
189 let inner = unsafe { &*ptr.cast::<Inner<T>>() };
190
191 // Ensure that `inner` can't be used anymore after we signal completion of this callback.
192 let inner = ScopeGuard::new_with_data(inner, |inner| inner.devm.complete_all());
193
194 if !inner.data.revoke() {
195 // If `revoke()` returns false, it means that `Devres::drop` already started revoking
196 // `data` for us. Hence we have to wait until `Devres::drop` signals that it
197 // completed revoking `data`.
198 inner.revoke.wait_for_completion();
199 }
200 }
201
remove_action(&self) -> bool202 fn remove_action(&self) -> bool {
203 // SAFETY:
204 // - `self.dev` is a valid `Device`,
205 // - the `action` and `data` pointers are the exact same ones as given to
206 // `devm_add_action()` previously,
207 (unsafe {
208 bindings::devm_remove_action_nowarn(
209 self.dev.as_raw(),
210 Some(self.callback),
211 core::ptr::from_ref(self.inner()).cast_mut().cast(),
212 )
213 } == 0)
214 }
215
216 /// Return a reference of the [`Device`] this [`Devres`] instance has been created with.
device(&self) -> &Device217 pub fn device(&self) -> &Device {
218 &self.dev
219 }
220
221 /// Obtain `&'a T`, bypassing the [`Revocable`].
222 ///
223 /// This method allows to directly obtain a `&'a T`, bypassing the [`Revocable`], by presenting
224 /// a `&'a Device<Bound>` of the same [`Device`] this [`Devres`] instance has been created with.
225 ///
226 /// # Errors
227 ///
228 /// An error is returned if `dev` does not match the same [`Device`] this [`Devres`] instance
229 /// has been created with.
230 ///
231 /// # Examples
232 ///
233 /// ```no_run
234 /// # #![cfg(CONFIG_PCI)]
235 /// # use kernel::{device::Core, devres::Devres, pci};
236 ///
237 /// fn from_core(dev: &pci::Device<Core>, devres: Devres<pci::Bar<0x4>>) -> Result {
238 /// let bar = devres.access(dev.as_ref())?;
239 ///
240 /// let _ = bar.read32(0x0);
241 ///
242 /// // might_sleep()
243 ///
244 /// bar.write32(0x42, 0x0);
245 ///
246 /// Ok(())
247 /// }
248 /// ```
access<'a>(&'a self, dev: &'a Device<Bound>) -> Result<&'a T>249 pub fn access<'a>(&'a self, dev: &'a Device<Bound>) -> Result<&'a T> {
250 if self.dev.as_raw() != dev.as_raw() {
251 return Err(EINVAL);
252 }
253
254 // SAFETY: `dev` being the same device as the device this `Devres` has been created for
255 // proves that `self.data` hasn't been revoked and is guaranteed to not be revoked as long
256 // as `dev` lives; `dev` lives at least as long as `self`.
257 Ok(unsafe { self.data().access() })
258 }
259
260 /// [`Devres`] accessor for [`Revocable::try_access`].
try_access(&self) -> Option<RevocableGuard<'_, T>>261 pub fn try_access(&self) -> Option<RevocableGuard<'_, T>> {
262 self.data().try_access()
263 }
264
265 /// [`Devres`] accessor for [`Revocable::try_access_with`].
try_access_with<R, F: FnOnce(&T) -> R>(&self, f: F) -> Option<R>266 pub fn try_access_with<R, F: FnOnce(&T) -> R>(&self, f: F) -> Option<R> {
267 self.data().try_access_with(f)
268 }
269
270 /// [`Devres`] accessor for [`Revocable::try_access_with_guard`].
try_access_with_guard<'a>(&'a self, guard: &'a rcu::Guard) -> Option<&'a T>271 pub fn try_access_with_guard<'a>(&'a self, guard: &'a rcu::Guard) -> Option<&'a T> {
272 self.data().try_access_with_guard(guard)
273 }
274 }
275
276 // SAFETY: `Devres` can be send to any task, if `T: Send`.
277 unsafe impl<T: Send> Send for Devres<T> {}
278
279 // SAFETY: `Devres` can be shared with any task, if `T: Sync`.
280 unsafe impl<T: Send + Sync> Sync for Devres<T> {}
281
282 #[pinned_drop]
283 impl<T: Send> PinnedDrop for Devres<T> {
drop(self: Pin<&mut Self>)284 fn drop(self: Pin<&mut Self>) {
285 // SAFETY: When `drop` runs, it is guaranteed that nobody is accessing the revocable data
286 // anymore, hence it is safe not to wait for the grace period to finish.
287 if unsafe { self.data().revoke_nosync() } {
288 // We revoked `self.data` before the devres action did, hence try to remove it.
289 if !self.remove_action() {
290 // We could not remove the devres action, which means that it now runs concurrently,
291 // hence signal that `self.data` has been revoked by us successfully.
292 self.inner().revoke.complete_all();
293
294 // Wait for `Self::devres_callback` to be done using this object.
295 self.inner().devm.wait_for_completion();
296 }
297 } else {
298 // `Self::devres_callback` revokes `self.data` for us, hence wait for it to be done
299 // using this object.
300 self.inner().devm.wait_for_completion();
301 }
302
303 // INVARIANT: At this point it is guaranteed that `inner` can't be accessed any more.
304 //
305 // SAFETY: `inner` is valid for dropping.
306 unsafe { core::ptr::drop_in_place(self.inner.get()) };
307 }
308 }
309
310 /// Consume `data` and [`Drop::drop`] `data` once `dev` is unbound.
register_foreign<P>(dev: &Device<Bound>, data: P) -> Result where P: ForeignOwnable + Send + 'static,311 fn register_foreign<P>(dev: &Device<Bound>, data: P) -> Result
312 where
313 P: ForeignOwnable + Send + 'static,
314 {
315 let ptr = data.into_foreign();
316
317 #[allow(clippy::missing_safety_doc)]
318 unsafe extern "C" fn callback<P: ForeignOwnable>(ptr: *mut kernel::ffi::c_void) {
319 // SAFETY: `ptr` is the pointer to the `ForeignOwnable` leaked above and hence valid.
320 drop(unsafe { P::from_foreign(ptr.cast()) });
321 }
322
323 // SAFETY:
324 // - `dev.as_raw()` is a pointer to a valid and bound device.
325 // - `ptr` is a valid pointer the `ForeignOwnable` devres takes ownership of.
326 to_result(unsafe {
327 // `devm_add_action_or_reset()` also calls `callback` on failure, such that the
328 // `ForeignOwnable` is released eventually.
329 bindings::devm_add_action_or_reset(dev.as_raw(), Some(callback::<P>), ptr.cast())
330 })
331 }
332
333 /// Encapsulate `data` in a [`KBox`] and [`Drop::drop`] `data` once `dev` is unbound.
334 ///
335 /// # Examples
336 ///
337 /// ```no_run
338 /// use kernel::{device::{Bound, Device}, devres};
339 ///
340 /// /// Registration of e.g. a class device, IRQ, etc.
341 /// struct Registration;
342 ///
343 /// impl Registration {
344 /// fn new() -> Self {
345 /// // register
346 ///
347 /// Self
348 /// }
349 /// }
350 ///
351 /// impl Drop for Registration {
352 /// fn drop(&mut self) {
353 /// // unregister
354 /// }
355 /// }
356 ///
357 /// fn from_bound_context(dev: &Device<Bound>) -> Result {
358 /// devres::register(dev, Registration::new(), GFP_KERNEL)
359 /// }
360 /// ```
register<T, E>(dev: &Device<Bound>, data: impl PinInit<T, E>, flags: Flags) -> Result where T: Send + 'static, Error: From<E>,361 pub fn register<T, E>(dev: &Device<Bound>, data: impl PinInit<T, E>, flags: Flags) -> Result
362 where
363 T: Send + 'static,
364 Error: From<E>,
365 {
366 let data = KBox::pin_init(data, flags)?;
367
368 register_foreign(dev, data)
369 }
370