1 // SPDX-License-Identifier: GPL-2.0 2 3 //! This module provides a wrapper for the C `struct request` type. 4 //! 5 //! C header: [`include/linux/blk-mq.h`](srctree/include/linux/blk-mq.h) 6 7 use crate::{ 8 bindings, 9 block::mq::Operations, 10 error::Result, 11 sync::{atomic::Relaxed, Refcount}, 12 types::{ARef, AlwaysRefCounted, Opaque}, 13 }; 14 use core::{marker::PhantomData, ptr::NonNull}; 15 16 /// A wrapper around a blk-mq [`struct request`]. This represents an IO request. 17 /// 18 /// # Implementation details 19 /// 20 /// There are four states for a request that the Rust bindings care about: 21 /// 22 /// 1. Request is owned by block layer (refcount 0). 23 /// 2. Request is owned by driver but with zero [`ARef`]s in existence 24 /// (refcount 1). 25 /// 3. Request is owned by driver with exactly one [`ARef`] in existence 26 /// (refcount 2). 27 /// 4. Request is owned by driver with more than one [`ARef`] in existence 28 /// (refcount > 2). 29 /// 30 /// 31 /// We need to track 1 and 2 to ensure we fail tag to request conversions for 32 /// requests that are not owned by the driver. 33 /// 34 /// We need to track 3 and 4 to ensure that it is safe to end the request and hand 35 /// back ownership to the block layer. 36 /// 37 /// Note that the driver can still obtain new `ARef` even if there is no `ARef`s in existence by 38 /// using `tag_to_rq`, hence the need to distinguish B and C. 39 /// 40 /// The states are tracked through the private `refcount` field of 41 /// `RequestDataWrapper`. This structure lives in the private data area of the C 42 /// [`struct request`]. 43 /// 44 /// # Invariants 45 /// 46 /// * `self.0` is a valid [`struct request`] created by the C portion of the 47 /// kernel. 48 /// * The private data area associated with this request must be an initialized 49 /// and valid `RequestDataWrapper<T>`. 50 /// * `self` is reference counted by atomic modification of 51 /// `self.wrapper_ref().refcount()`. 52 /// 53 /// [`struct request`]: srctree/include/linux/blk-mq.h 54 /// 55 #[repr(transparent)] 56 pub struct Request<T: Operations>(Opaque<bindings::request>, PhantomData<T>); 57 58 impl<T: Operations> Request<T> { 59 /// Create an [`ARef<Request>`] from a [`struct request`] pointer. 60 /// 61 /// # Safety 62 /// 63 /// * The caller must own a refcount on `ptr` that is transferred to the 64 /// returned [`ARef`]. 65 /// * The type invariants for [`Request`] must hold for the pointee of `ptr`. 66 /// 67 /// [`struct request`]: srctree/include/linux/blk-mq.h 68 pub(crate) unsafe fn aref_from_raw(ptr: *mut bindings::request) -> ARef<Self> { 69 // INVARIANT: By the safety requirements of this function, invariants are upheld. 70 // SAFETY: By the safety requirement of this function, we own a 71 // reference count that we can pass to `ARef`. 72 unsafe { ARef::from_raw(NonNull::new_unchecked(ptr.cast())) } 73 } 74 75 /// Notify the block layer that a request is going to be processed now. 76 /// 77 /// The block layer uses this hook to do proper initializations such as 78 /// starting the timeout timer. It is a requirement that block device 79 /// drivers call this function when starting to process a request. 80 /// 81 /// # Safety 82 /// 83 /// The caller must have exclusive ownership of `self`, that is 84 /// `self.wrapper_ref().refcount() == 2`. 85 pub(crate) unsafe fn start_unchecked(this: &ARef<Self>) { 86 // SAFETY: By type invariant, `self.0` is a valid `struct request` and 87 // we have exclusive access. 88 unsafe { bindings::blk_mq_start_request(this.0.get()) }; 89 } 90 91 /// Try to take exclusive ownership of `this` by dropping the refcount to 0. 92 /// This fails if `this` is not the only [`ARef`] pointing to the underlying 93 /// [`Request`]. 94 /// 95 /// If the operation is successful, [`Ok`] is returned with a pointer to the 96 /// C [`struct request`]. If the operation fails, `this` is returned in the 97 /// [`Err`] variant. 98 /// 99 /// [`struct request`]: srctree/include/linux/blk-mq.h 100 fn try_set_end(this: ARef<Self>) -> Result<*mut bindings::request, ARef<Self>> { 101 // To hand back the ownership, we need the current refcount to be 2. 102 // Since we can race with `TagSet::tag_to_rq`, this needs to atomically reduce 103 // refcount to 0. `Refcount` does not provide a way to do this, so use the underlying 104 // atomics directly. 105 if let Err(_old) = this 106 .wrapper_ref() 107 .refcount() 108 .as_atomic() 109 .cmpxchg(2, 0, Relaxed) 110 { 111 return Err(this); 112 } 113 114 let request_ptr = this.0.get(); 115 core::mem::forget(this); 116 117 Ok(request_ptr) 118 } 119 120 /// Notify the block layer that the request has been completed without errors. 121 /// 122 /// This function will return [`Err`] if `this` is not the only [`ARef`] 123 /// referencing the request. 124 pub fn end_ok(this: ARef<Self>) -> Result<(), ARef<Self>> { 125 let request_ptr = Self::try_set_end(this)?; 126 127 // SAFETY: By type invariant, `this.0` was a valid `struct request`. The 128 // success of the call to `try_set_end` guarantees that there are no 129 // `ARef`s pointing to this request. Therefore it is safe to hand it 130 // back to the block layer. 131 unsafe { 132 bindings::blk_mq_end_request( 133 request_ptr, 134 bindings::BLK_STS_OK as bindings::blk_status_t, 135 ) 136 }; 137 138 Ok(()) 139 } 140 141 /// Return a pointer to the [`RequestDataWrapper`] stored in the private area 142 /// of the request structure. 143 /// 144 /// # Safety 145 /// 146 /// - `this` must point to a valid allocation of size at least size of 147 /// [`Self`] plus size of [`RequestDataWrapper`]. 148 pub(crate) unsafe fn wrapper_ptr(this: *mut Self) -> NonNull<RequestDataWrapper> { 149 let request_ptr = this.cast::<bindings::request>(); 150 // SAFETY: By safety requirements for this function, `this` is a 151 // valid allocation. 152 let wrapper_ptr = 153 unsafe { bindings::blk_mq_rq_to_pdu(request_ptr).cast::<RequestDataWrapper>() }; 154 // SAFETY: By C API contract, wrapper_ptr points to a valid allocation 155 // and is not null. 156 unsafe { NonNull::new_unchecked(wrapper_ptr) } 157 } 158 159 /// Return a reference to the [`RequestDataWrapper`] stored in the private 160 /// area of the request structure. 161 pub(crate) fn wrapper_ref(&self) -> &RequestDataWrapper { 162 // SAFETY: By type invariant, `self.0` is a valid allocation. Further, 163 // the private data associated with this request is initialized and 164 // valid. The existence of `&self` guarantees that the private data is 165 // valid as a shared reference. 166 unsafe { Self::wrapper_ptr(core::ptr::from_ref(self).cast_mut()).as_ref() } 167 } 168 } 169 170 /// A wrapper around data stored in the private area of the C [`struct request`]. 171 /// 172 /// [`struct request`]: srctree/include/linux/blk-mq.h 173 pub(crate) struct RequestDataWrapper { 174 /// The Rust request refcount has the following states: 175 /// 176 /// - 0: The request is owned by C block layer. 177 /// - 1: The request is owned by Rust abstractions but there are no [`ARef`] references to it. 178 /// - 2+: There are [`ARef`] references to the request. 179 refcount: Refcount, 180 } 181 182 impl RequestDataWrapper { 183 /// Return a reference to the refcount of the request that is embedding 184 /// `self`. 185 pub(crate) fn refcount(&self) -> &Refcount { 186 &self.refcount 187 } 188 189 /// Return a pointer to the refcount of the request that is embedding the 190 /// pointee of `this`. 191 /// 192 /// # Safety 193 /// 194 /// - `this` must point to a live allocation of at least the size of `Self`. 195 pub(crate) unsafe fn refcount_ptr(this: *mut Self) -> *mut Refcount { 196 // SAFETY: Because of the safety requirements of this function, the 197 // field projection is safe. 198 unsafe { &raw mut (*this).refcount } 199 } 200 } 201 202 // SAFETY: Exclusive access is thread-safe for `Request`. `Request` has no `&mut 203 // self` methods and `&self` methods that mutate `self` are internally 204 // synchronized. 205 unsafe impl<T: Operations> Send for Request<T> {} 206 207 // SAFETY: Shared access is thread-safe for `Request`. `&self` methods that 208 // mutate `self` are internally synchronized` 209 unsafe impl<T: Operations> Sync for Request<T> {} 210 211 // SAFETY: All instances of `Request<T>` are reference counted. This 212 // implementation of `AlwaysRefCounted` ensure that increments to the ref count 213 // keeps the object alive in memory at least until a matching reference count 214 // decrement is executed. 215 unsafe impl<T: Operations> AlwaysRefCounted for Request<T> { 216 fn inc_ref(&self) { 217 self.wrapper_ref().refcount().inc(); 218 } 219 220 unsafe fn dec_ref(obj: core::ptr::NonNull<Self>) { 221 // SAFETY: The type invariants of `ARef` guarantee that `obj` is valid 222 // for read. 223 let wrapper_ptr = unsafe { Self::wrapper_ptr(obj.as_ptr()).as_ptr() }; 224 // SAFETY: The type invariant of `Request` guarantees that the private 225 // data area is initialized and valid. 226 let refcount = unsafe { &*RequestDataWrapper::refcount_ptr(wrapper_ptr) }; 227 228 #[cfg_attr(not(CONFIG_DEBUG_MISC), allow(unused_variables))] 229 let is_zero = refcount.dec_and_test(); 230 231 #[cfg(CONFIG_DEBUG_MISC)] 232 if is_zero { 233 panic!("Request reached refcount zero in Rust abstractions"); 234 } 235 } 236 } 237