xref: /linux/rust/kernel/interop/list.rs (revision 9e1e9d660255d7216067193d774f338d08d8528d)
1 // SPDX-License-Identifier: GPL-2.0
2 
3 //! Rust interface for C doubly circular intrusive linked lists.
4 //!
5 //! This module provides Rust abstractions for iterating over C `list_head`-based
6 //! linked lists. It should only be used for cases where C and Rust code share
7 //! direct access to the same linked list through a C interop interface.
8 //!
9 //! Note: This *must not* be used by Rust components that just need a linked list
10 //! primitive. Use [`kernel::list::List`] instead.
11 //!
12 //! # Examples
13 //!
14 //! ```
15 //! use kernel::{
16 //!     bindings,
17 //!     interop::list::clist_create,
18 //!     types::Opaque,
19 //! };
20 //! # // Create test list with values (0, 10, 20) - normally done by C code but it is
21 //! # // emulated here for doctests using the C bindings.
22 //! # use core::mem::MaybeUninit;
23 //! #
24 //! # /// C struct with embedded `list_head` (typically will be allocated by C code).
25 //! # #[repr(C)]
26 //! # pub struct SampleItemC {
27 //! #     pub value: i32,
28 //! #     pub link: bindings::list_head,
29 //! # }
30 //! #
31 //! # let mut head = MaybeUninit::<bindings::list_head>::uninit();
32 //! #
33 //! # let head = head.as_mut_ptr();
34 //! # // SAFETY: `head` and all the items are test objects allocated in this scope.
35 //! # unsafe { bindings::INIT_LIST_HEAD(head) };
36 //! #
37 //! # let mut items = [
38 //! #     MaybeUninit::<SampleItemC>::uninit(),
39 //! #     MaybeUninit::<SampleItemC>::uninit(),
40 //! #     MaybeUninit::<SampleItemC>::uninit(),
41 //! # ];
42 //! #
43 //! # for (i, item) in items.iter_mut().enumerate() {
44 //! #     let ptr = item.as_mut_ptr();
45 //! #     // SAFETY: `ptr` points to a valid `MaybeUninit<SampleItemC>`.
46 //! #     unsafe { (*ptr).value = i as i32 * 10 };
47 //! #     // SAFETY: `&raw mut` creates a pointer valid for `INIT_LIST_HEAD`.
48 //! #     unsafe { bindings::INIT_LIST_HEAD(&raw mut (*ptr).link) };
49 //! #     // SAFETY: `link` was just initialized and `head` is a valid list head.
50 //! #     unsafe { bindings::list_add_tail(&mut (*ptr).link, head) };
51 //! # }
52 //!
53 //! /// Rust wrapper for the C struct.
54 //! ///
55 //! /// The list item struct in this example is defined in C code as:
56 //! ///
57 //! /// ```c
58 //! /// struct SampleItemC {
59 //! ///     int value;
60 //! ///     struct list_head link;
61 //! /// };
62 //! /// ```
63 //! #[repr(transparent)]
64 //! pub struct Item(Opaque<SampleItemC>);
65 //!
66 //! impl Item {
67 //!     pub fn value(&self) -> i32 {
68 //!         // SAFETY: `Item` has the same layout as `SampleItemC`.
69 //!         unsafe { (*self.0.get()).value }
70 //!     }
71 //! }
72 //!
73 //! // Create typed [`CList`] from sentinel head.
74 //! // SAFETY: `head` is valid and initialized, items are `SampleItemC` with
75 //! // embedded `link` field, and `Item` is `#[repr(transparent)]` over `SampleItemC`.
76 //! let list = unsafe { clist_create!(head, Item, SampleItemC, link) };
77 //!
78 //! // Iterate directly over typed items.
79 //! let mut found_0 = false;
80 //! let mut found_10 = false;
81 //! let mut found_20 = false;
82 //!
83 //! for item in list.iter() {
84 //!     let val = item.value();
85 //!     if val == 0 { found_0 = true; }
86 //!     if val == 10 { found_10 = true; }
87 //!     if val == 20 { found_20 = true; }
88 //! }
89 //!
90 //! assert!(found_0 && found_10 && found_20);
91 //! ```
92 
93 use core::{
94     iter::FusedIterator,
95     marker::PhantomData, //
96 };
97 
98 use crate::{
99     bindings,
100     types::Opaque, //
101 };
102 
103 use pin_init::{
104     pin_data,
105     pin_init,
106     PinInit, //
107 };
108 
109 /// FFI wrapper for a C `list_head` object used in intrusive linked lists.
110 ///
111 /// # Invariants
112 ///
113 /// - The underlying `list_head` is initialized with valid non-`NULL` `next`/`prev` pointers.
114 #[pin_data]
115 #[repr(transparent)]
116 pub struct CListHead {
117     #[pin]
118     inner: Opaque<bindings::list_head>,
119 }
120 
121 impl CListHead {
122     /// Create a `&CListHead` reference from a raw `list_head` pointer.
123     ///
124     /// # Safety
125     ///
126     /// - `ptr` must be a valid pointer to an initialized `list_head` (e.g. via
127     ///   `INIT_LIST_HEAD()`), with valid non-`NULL` `next`/`prev` pointers.
128     /// - `ptr` must remain valid for the lifetime `'a`.
129     /// - The list and all linked `list_head` nodes must not be modified from
130     ///   anywhere for the lifetime `'a`, unless done so via any [`CListHead`] APIs.
131     #[inline]
132     pub unsafe fn from_raw<'a>(ptr: *mut bindings::list_head) -> &'a Self {
133         // SAFETY:
134         // - `CListHead` has the same layout as `list_head`.
135         // - `ptr` is valid and unmodified for `'a` per caller guarantees.
136         unsafe { &*ptr.cast() }
137     }
138 
139     /// Get the raw `list_head` pointer.
140     #[inline]
141     pub fn as_raw(&self) -> *mut bindings::list_head {
142         self.inner.get()
143     }
144 
145     /// Get the next [`CListHead`] in the list.
146     #[inline]
147     pub fn next(&self) -> &Self {
148         let raw = self.as_raw();
149         // SAFETY:
150         // - `self.as_raw()` is valid and initialized per type invariants.
151         // - The `next` pointer is valid and non-`NULL` per type invariants
152         //   (initialized via `INIT_LIST_HEAD()` or equivalent).
153         unsafe { Self::from_raw((*raw).next) }
154     }
155 
156     /// Check if this node is linked in a list (not isolated).
157     #[inline]
158     pub fn is_linked(&self) -> bool {
159         let raw = self.as_raw();
160         // SAFETY: `self.as_raw()` is valid per type invariants.
161         unsafe { (*raw).next != raw && (*raw).prev != raw }
162     }
163 
164     /// Returns a pin-initializer for the list head.
165     pub fn new() -> impl PinInit<Self> {
166         pin_init!(Self {
167             // SAFETY: `INIT_LIST_HEAD` initializes `slot` to a valid empty list.
168             inner <- Opaque::ffi_init(|slot| unsafe { bindings::INIT_LIST_HEAD(slot) }),
169         })
170     }
171 }
172 
173 // SAFETY: `list_head` contains no thread-bound state; it only holds
174 // `next`/`prev` pointers.
175 unsafe impl Send for CListHead {}
176 
177 // SAFETY: `CListHead` can be shared among threads as modifications are
178 // not allowed at the moment.
179 unsafe impl Sync for CListHead {}
180 
181 impl PartialEq for CListHead {
182     #[inline]
183     fn eq(&self, other: &Self) -> bool {
184         core::ptr::eq(self, other)
185     }
186 }
187 
188 impl Eq for CListHead {}
189 
190 /// Low-level iterator over `list_head` nodes.
191 ///
192 /// An iterator used to iterate over a C intrusive linked list (`list_head`). The caller has to
193 /// perform conversion of returned [`CListHead`] to an item (using [`container_of`] or similar).
194 ///
195 /// # Invariants
196 ///
197 /// `current` and `sentinel` are valid references into an initialized linked list.
198 struct CListHeadIter<'a> {
199     /// Current position in the list.
200     current: &'a CListHead,
201     /// The sentinel head (used to detect end of iteration).
202     sentinel: &'a CListHead,
203 }
204 
205 impl<'a> Iterator for CListHeadIter<'a> {
206     type Item = &'a CListHead;
207 
208     #[inline]
209     fn next(&mut self) -> Option<Self::Item> {
210         // Check if we've reached the sentinel (end of list).
211         if self.current == self.sentinel {
212             return None;
213         }
214 
215         let item = self.current;
216         self.current = item.next();
217         Some(item)
218     }
219 }
220 
221 impl<'a> FusedIterator for CListHeadIter<'a> {}
222 
223 /// A typed C linked list with a sentinel head intended for FFI use-cases where
224 /// a C subsystem manages a linked list that Rust code needs to read. Generally
225 /// required only for special cases.
226 ///
227 /// A sentinel head [`CListHead`] represents the entire linked list and can be used
228 /// for iteration over items of type `T`; it is not associated with a specific item.
229 ///
230 /// The const generic `OFFSET` specifies the byte offset of the `list_head` field within
231 /// the struct that `T` wraps.
232 ///
233 /// # Invariants
234 ///
235 /// - The sentinel [`CListHead`] has valid non-`NULL` `next`/`prev` pointers.
236 /// - `OFFSET` is the byte offset of the `list_head` field within the struct that `T` wraps.
237 /// - All the list's `list_head` nodes have valid non-`NULL` `next`/`prev` pointers.
238 #[repr(transparent)]
239 pub struct CList<T, const OFFSET: usize>(CListHead, PhantomData<T>);
240 
241 impl<T, const OFFSET: usize> CList<T, OFFSET> {
242     /// Create a typed [`CList`] reference from a raw sentinel `list_head` pointer.
243     ///
244     /// # Safety
245     ///
246     /// - `ptr` must be a valid pointer to an initialized sentinel `list_head` (e.g. via
247     ///   `INIT_LIST_HEAD()`), with valid non-`NULL` `next`/`prev` pointers.
248     /// - `ptr` must remain valid for the lifetime `'a`.
249     /// - The list and all linked nodes must not be concurrently modified for the lifetime `'a`.
250     /// - The list must contain items where the `list_head` field is at byte offset `OFFSET`.
251     /// - `T` must be `#[repr(transparent)]` over the C struct.
252     #[inline]
253     pub unsafe fn from_raw<'a>(ptr: *mut bindings::list_head) -> &'a Self {
254         // SAFETY:
255         // - `CList` has the same layout as `CListHead` due to `#[repr(transparent)]`.
256         // - Caller guarantees `ptr` is a valid, sentinel `list_head` object.
257         unsafe { &*ptr.cast() }
258     }
259 
260     /// Check if the list is empty.
261     #[inline]
262     pub fn is_empty(&self) -> bool {
263         !self.0.is_linked()
264     }
265 
266     /// Create an iterator over typed items.
267     #[inline]
268     pub fn iter(&self) -> CListIter<'_, T, OFFSET> {
269         let head = &self.0;
270         CListIter {
271             head_iter: CListHeadIter {
272                 current: head.next(),
273                 sentinel: head,
274             },
275             _phantom: PhantomData,
276         }
277     }
278 }
279 
280 /// High-level iterator over typed list items.
281 pub struct CListIter<'a, T, const OFFSET: usize> {
282     head_iter: CListHeadIter<'a>,
283     _phantom: PhantomData<&'a T>,
284 }
285 
286 impl<'a, T, const OFFSET: usize> Iterator for CListIter<'a, T, OFFSET> {
287     type Item = &'a T;
288 
289     #[inline]
290     fn next(&mut self) -> Option<Self::Item> {
291         let head = self.head_iter.next()?;
292 
293         // Convert to item using `OFFSET`.
294         //
295         // SAFETY: The pointer calculation is valid because `OFFSET` is derived
296         // from `offset_of!` per type invariants.
297         Some(unsafe { &*head.as_raw().byte_sub(OFFSET).cast::<T>() })
298     }
299 }
300 
301 impl<'a, T, const OFFSET: usize> FusedIterator for CListIter<'a, T, OFFSET> {}
302 
303 /// Create a C doubly-circular linked list interface [`CList`] from a raw `list_head` pointer.
304 ///
305 /// This macro creates a `CList<T, OFFSET>` that can iterate over items of type `$rust_type`
306 /// linked via the `$field` field in the underlying C struct `$c_type`.
307 ///
308 /// # Arguments
309 ///
310 /// - `$head`: Raw pointer to the sentinel `list_head` object (`*mut bindings::list_head`).
311 /// - `$rust_type`: Each item's Rust wrapper type.
312 /// - `$c_type`: Each item's C struct type that contains the embedded `list_head`.
313 /// - `$field`: The name of the `list_head` field within the C struct.
314 ///
315 /// # Safety
316 ///
317 /// The caller must ensure:
318 ///
319 /// - `$head` is a valid, initialized sentinel `list_head` (e.g. via `INIT_LIST_HEAD()`)
320 ///   pointing to a list that is not concurrently modified for the lifetime of the [`CList`].
321 /// - The list contains items of type `$c_type` linked via an embedded `$field`.
322 /// - `$rust_type` is `#[repr(transparent)]` over `$c_type` or has compatible layout.
323 ///
324 /// # Examples
325 ///
326 /// Refer to the examples in the [`crate::interop::list`] module documentation.
327 #[macro_export]
328 macro_rules! clist_create {
329     ($head:expr, $rust_type:ty, $c_type:ty, $($field:tt).+) => {{
330         // Compile-time check that field path is a `list_head`.
331         let _: fn(*const $c_type) -> *const $crate::bindings::list_head =
332             |p| &raw const (*p).$($field).+;
333 
334         // Calculate offset and create `CList`.
335         const OFFSET: usize = ::core::mem::offset_of!($c_type, $($field).+);
336         $crate::interop::list::CList::<$rust_type, OFFSET>::from_raw($head)
337     }};
338 }
339 pub use clist_create;
340