106cb58b3SAlice Ryhl // SPDX-License-Identifier: GPL-2.0 206cb58b3SAlice Ryhl 306cb58b3SAlice Ryhl // Copyright (C) 2025 Google LLC. 406cb58b3SAlice Ryhl 506cb58b3SAlice Ryhl //! IO vectors. 606cb58b3SAlice Ryhl //! 706cb58b3SAlice Ryhl //! C headers: [`include/linux/iov_iter.h`](srctree/include/linux/iov_iter.h), 806cb58b3SAlice Ryhl //! [`include/linux/uio.h`](srctree/include/linux/uio.h) 906cb58b3SAlice Ryhl 1006cb58b3SAlice Ryhl use crate::{ 1106cb58b3SAlice Ryhl alloc::{Allocator, Flags}, 1206cb58b3SAlice Ryhl bindings, 1306cb58b3SAlice Ryhl prelude::*, 1406cb58b3SAlice Ryhl types::Opaque, 1506cb58b3SAlice Ryhl }; 1606cb58b3SAlice Ryhl use core::{marker::PhantomData, mem::MaybeUninit, ptr, slice}; 1706cb58b3SAlice Ryhl 1806cb58b3SAlice Ryhl const ITER_SOURCE: bool = bindings::ITER_SOURCE != 0; 19*ce2e0829SAlice Ryhl const ITER_DEST: bool = bindings::ITER_DEST != 0; 20*ce2e0829SAlice Ryhl 21*ce2e0829SAlice Ryhl // Compile-time assertion for the above constants. 22*ce2e0829SAlice Ryhl const _: () = { 23*ce2e0829SAlice Ryhl build_assert!( 24*ce2e0829SAlice Ryhl ITER_SOURCE != ITER_DEST, 25*ce2e0829SAlice Ryhl "ITER_DEST and ITER_SOURCE should be different." 26*ce2e0829SAlice Ryhl ); 27*ce2e0829SAlice Ryhl }; 2806cb58b3SAlice Ryhl 2906cb58b3SAlice Ryhl /// An IO vector that acts as a source of data. 3006cb58b3SAlice Ryhl /// 3106cb58b3SAlice Ryhl /// The data may come from many different sources. This includes both things in kernel-space and 3206cb58b3SAlice Ryhl /// reading from userspace. It's not necessarily the case that the data source is immutable, so 3306cb58b3SAlice Ryhl /// rewinding the IO vector to read the same data twice is not guaranteed to result in the same 3406cb58b3SAlice Ryhl /// bytes. It's also possible that the data source is mapped in a thread-local manner using e.g. 3506cb58b3SAlice Ryhl /// `kmap_local_page()`, so this type is not `Send` to ensure that the mapping is read from the 3606cb58b3SAlice Ryhl /// right context in that scenario. 3706cb58b3SAlice Ryhl /// 3806cb58b3SAlice Ryhl /// # Invariants 3906cb58b3SAlice Ryhl /// 4006cb58b3SAlice Ryhl /// Must hold a valid `struct iov_iter` with `data_source` set to `ITER_SOURCE`. For the duration 4106cb58b3SAlice Ryhl /// of `'data`, it must be safe to read from this IO vector using the standard C methods for this 4206cb58b3SAlice Ryhl /// purpose. 4306cb58b3SAlice Ryhl #[repr(transparent)] 4406cb58b3SAlice Ryhl pub struct IovIterSource<'data> { 4506cb58b3SAlice Ryhl iov: Opaque<bindings::iov_iter>, 4606cb58b3SAlice Ryhl /// Represent to the type system that this value contains a pointer to readable data it does 4706cb58b3SAlice Ryhl /// not own. 4806cb58b3SAlice Ryhl _source: PhantomData<&'data [u8]>, 4906cb58b3SAlice Ryhl } 5006cb58b3SAlice Ryhl 5106cb58b3SAlice Ryhl impl<'data> IovIterSource<'data> { 5206cb58b3SAlice Ryhl /// Obtain an `IovIterSource` from a raw pointer. 5306cb58b3SAlice Ryhl /// 5406cb58b3SAlice Ryhl /// # Safety 5506cb58b3SAlice Ryhl /// 5606cb58b3SAlice Ryhl /// * The referenced `struct iov_iter` must be valid and must only be accessed through the 5706cb58b3SAlice Ryhl /// returned reference for the duration of `'iov`. 5806cb58b3SAlice Ryhl /// * The referenced `struct iov_iter` must have `data_source` set to `ITER_SOURCE`. 5906cb58b3SAlice Ryhl /// * For the duration of `'data`, it must be safe to read from this IO vector using the 6006cb58b3SAlice Ryhl /// standard C methods for this purpose. 6106cb58b3SAlice Ryhl #[track_caller] 6206cb58b3SAlice Ryhl #[inline] 6306cb58b3SAlice Ryhl pub unsafe fn from_raw<'iov>(ptr: *mut bindings::iov_iter) -> &'iov mut IovIterSource<'data> { 6406cb58b3SAlice Ryhl // SAFETY: The caller ensures that `ptr` is valid. 6506cb58b3SAlice Ryhl let data_source = unsafe { (*ptr).data_source }; 6606cb58b3SAlice Ryhl assert_eq!(data_source, ITER_SOURCE); 6706cb58b3SAlice Ryhl 6806cb58b3SAlice Ryhl // SAFETY: The caller ensures the type invariants for the right durations, and 6906cb58b3SAlice Ryhl // `IovIterSource` is layout compatible with `struct iov_iter`. 7006cb58b3SAlice Ryhl unsafe { &mut *ptr.cast::<IovIterSource<'data>>() } 7106cb58b3SAlice Ryhl } 7206cb58b3SAlice Ryhl 7306cb58b3SAlice Ryhl /// Access this as a raw `struct iov_iter`. 7406cb58b3SAlice Ryhl #[inline] 7506cb58b3SAlice Ryhl pub fn as_raw(&mut self) -> *mut bindings::iov_iter { 7606cb58b3SAlice Ryhl self.iov.get() 7706cb58b3SAlice Ryhl } 7806cb58b3SAlice Ryhl 7906cb58b3SAlice Ryhl /// Returns the number of bytes available in this IO vector. 8006cb58b3SAlice Ryhl /// 8106cb58b3SAlice Ryhl /// Note that this may overestimate the number of bytes. For example, reading from userspace 8206cb58b3SAlice Ryhl /// memory could fail with `EFAULT`, which will be treated as the end of the IO vector. 8306cb58b3SAlice Ryhl #[inline] 8406cb58b3SAlice Ryhl pub fn len(&self) -> usize { 8506cb58b3SAlice Ryhl // SAFETY: We have shared access to this IO vector, so we can read its `count` field. 8606cb58b3SAlice Ryhl unsafe { 8706cb58b3SAlice Ryhl (*self.iov.get()) 8806cb58b3SAlice Ryhl .__bindgen_anon_1 8906cb58b3SAlice Ryhl .__bindgen_anon_1 9006cb58b3SAlice Ryhl .as_ref() 9106cb58b3SAlice Ryhl .count 9206cb58b3SAlice Ryhl } 9306cb58b3SAlice Ryhl } 9406cb58b3SAlice Ryhl 9506cb58b3SAlice Ryhl /// Returns whether there are any bytes left in this IO vector. 9606cb58b3SAlice Ryhl /// 9706cb58b3SAlice Ryhl /// This may return `true` even if there are no more bytes available. For example, reading from 9806cb58b3SAlice Ryhl /// userspace memory could fail with `EFAULT`, which will be treated as the end of the IO vector. 9906cb58b3SAlice Ryhl #[inline] 10006cb58b3SAlice Ryhl pub fn is_empty(&self) -> bool { 10106cb58b3SAlice Ryhl self.len() == 0 10206cb58b3SAlice Ryhl } 10306cb58b3SAlice Ryhl 10406cb58b3SAlice Ryhl /// Advance this IO vector by `bytes` bytes. 10506cb58b3SAlice Ryhl /// 10606cb58b3SAlice Ryhl /// If `bytes` is larger than the size of this IO vector, it is advanced to the end. 10706cb58b3SAlice Ryhl #[inline] 10806cb58b3SAlice Ryhl pub fn advance(&mut self, bytes: usize) { 10906cb58b3SAlice Ryhl // SAFETY: By the type invariants, `self.iov` is a valid IO vector. 11006cb58b3SAlice Ryhl unsafe { bindings::iov_iter_advance(self.as_raw(), bytes) }; 11106cb58b3SAlice Ryhl } 11206cb58b3SAlice Ryhl 11306cb58b3SAlice Ryhl /// Advance this IO vector backwards by `bytes` bytes. 11406cb58b3SAlice Ryhl /// 11506cb58b3SAlice Ryhl /// # Safety 11606cb58b3SAlice Ryhl /// 11706cb58b3SAlice Ryhl /// The IO vector must not be reverted to before its beginning. 11806cb58b3SAlice Ryhl #[inline] 11906cb58b3SAlice Ryhl pub unsafe fn revert(&mut self, bytes: usize) { 12006cb58b3SAlice Ryhl // SAFETY: By the type invariants, `self.iov` is a valid IO vector, and the caller 12106cb58b3SAlice Ryhl // ensures that `bytes` is in bounds. 12206cb58b3SAlice Ryhl unsafe { bindings::iov_iter_revert(self.as_raw(), bytes) }; 12306cb58b3SAlice Ryhl } 12406cb58b3SAlice Ryhl 12506cb58b3SAlice Ryhl /// Read data from this IO vector. 12606cb58b3SAlice Ryhl /// 12706cb58b3SAlice Ryhl /// Returns the number of bytes that have been copied. 12806cb58b3SAlice Ryhl #[inline] 12906cb58b3SAlice Ryhl pub fn copy_from_iter(&mut self, out: &mut [u8]) -> usize { 13006cb58b3SAlice Ryhl // SAFETY: `Self::copy_from_iter_raw` guarantees that it will not write any uninitialized 13106cb58b3SAlice Ryhl // bytes in the provided buffer, so `out` is still a valid `u8` slice after this call. 13206cb58b3SAlice Ryhl let out = unsafe { &mut *(ptr::from_mut(out) as *mut [MaybeUninit<u8>]) }; 13306cb58b3SAlice Ryhl 13406cb58b3SAlice Ryhl self.copy_from_iter_raw(out).len() 13506cb58b3SAlice Ryhl } 13606cb58b3SAlice Ryhl 13706cb58b3SAlice Ryhl /// Read data from this IO vector and append it to a vector. 13806cb58b3SAlice Ryhl /// 13906cb58b3SAlice Ryhl /// Returns the number of bytes that have been copied. 14006cb58b3SAlice Ryhl #[inline] 14106cb58b3SAlice Ryhl pub fn copy_from_iter_vec<A: Allocator>( 14206cb58b3SAlice Ryhl &mut self, 14306cb58b3SAlice Ryhl out: &mut Vec<u8, A>, 14406cb58b3SAlice Ryhl flags: Flags, 14506cb58b3SAlice Ryhl ) -> Result<usize> { 14606cb58b3SAlice Ryhl out.reserve(self.len(), flags)?; 14706cb58b3SAlice Ryhl let len = self.copy_from_iter_raw(out.spare_capacity_mut()).len(); 14806cb58b3SAlice Ryhl // SAFETY: 14906cb58b3SAlice Ryhl // - `len` is the length of a subslice of the spare capacity, so `len` is at most the 15006cb58b3SAlice Ryhl // length of the spare capacity. 15106cb58b3SAlice Ryhl // - `Self::copy_from_iter_raw` guarantees that the first `len` bytes of the spare capacity 15206cb58b3SAlice Ryhl // have been initialized. 15306cb58b3SAlice Ryhl unsafe { out.inc_len(len) }; 15406cb58b3SAlice Ryhl Ok(len) 15506cb58b3SAlice Ryhl } 15606cb58b3SAlice Ryhl 15706cb58b3SAlice Ryhl /// Read data from this IO vector into potentially uninitialized memory. 15806cb58b3SAlice Ryhl /// 15906cb58b3SAlice Ryhl /// Returns the sub-slice of the output that has been initialized. If the returned slice is 16006cb58b3SAlice Ryhl /// shorter than the input buffer, then the entire IO vector has been read. 16106cb58b3SAlice Ryhl /// 16206cb58b3SAlice Ryhl /// This will never write uninitialized bytes to the provided buffer. 16306cb58b3SAlice Ryhl #[inline] 16406cb58b3SAlice Ryhl pub fn copy_from_iter_raw(&mut self, out: &mut [MaybeUninit<u8>]) -> &mut [u8] { 16506cb58b3SAlice Ryhl let capacity = out.len(); 16606cb58b3SAlice Ryhl let out = out.as_mut_ptr().cast::<u8>(); 16706cb58b3SAlice Ryhl 16806cb58b3SAlice Ryhl // GUARANTEES: The C API guarantees that it does not write uninitialized bytes to the 16906cb58b3SAlice Ryhl // provided buffer. 17006cb58b3SAlice Ryhl // SAFETY: 17106cb58b3SAlice Ryhl // * By the type invariants, it is still valid to read from this IO vector. 17206cb58b3SAlice Ryhl // * `out` is valid for writing for `capacity` bytes because it comes from a slice of 17306cb58b3SAlice Ryhl // that length. 17406cb58b3SAlice Ryhl let len = unsafe { bindings::_copy_from_iter(out.cast(), capacity, self.as_raw()) }; 17506cb58b3SAlice Ryhl 17606cb58b3SAlice Ryhl // SAFETY: The underlying C api guarantees that initialized bytes have been written to the 17706cb58b3SAlice Ryhl // first `len` bytes of the spare capacity. 17806cb58b3SAlice Ryhl unsafe { slice::from_raw_parts_mut(out, len) } 17906cb58b3SAlice Ryhl } 18006cb58b3SAlice Ryhl } 181*ce2e0829SAlice Ryhl 182*ce2e0829SAlice Ryhl /// An IO vector that acts as a destination for data. 183*ce2e0829SAlice Ryhl /// 184*ce2e0829SAlice Ryhl /// IO vectors support many different types of destinations. This includes both buffers in 185*ce2e0829SAlice Ryhl /// kernel-space and writing to userspace. It's possible that the destination buffer is mapped in a 186*ce2e0829SAlice Ryhl /// thread-local manner using e.g. `kmap_local_page()`, so this type is not `Send` to ensure that 187*ce2e0829SAlice Ryhl /// the mapping is written to the right context in that scenario. 188*ce2e0829SAlice Ryhl /// 189*ce2e0829SAlice Ryhl /// # Invariants 190*ce2e0829SAlice Ryhl /// 191*ce2e0829SAlice Ryhl /// Must hold a valid `struct iov_iter` with `data_source` set to `ITER_DEST`. For the duration of 192*ce2e0829SAlice Ryhl /// `'data`, it must be safe to write to this IO vector using the standard C methods for this 193*ce2e0829SAlice Ryhl /// purpose. 194*ce2e0829SAlice Ryhl #[repr(transparent)] 195*ce2e0829SAlice Ryhl pub struct IovIterDest<'data> { 196*ce2e0829SAlice Ryhl iov: Opaque<bindings::iov_iter>, 197*ce2e0829SAlice Ryhl /// Represent to the type system that this value contains a pointer to writable data it does 198*ce2e0829SAlice Ryhl /// not own. 199*ce2e0829SAlice Ryhl _source: PhantomData<&'data mut [u8]>, 200*ce2e0829SAlice Ryhl } 201*ce2e0829SAlice Ryhl 202*ce2e0829SAlice Ryhl impl<'data> IovIterDest<'data> { 203*ce2e0829SAlice Ryhl /// Obtain an `IovIterDest` from a raw pointer. 204*ce2e0829SAlice Ryhl /// 205*ce2e0829SAlice Ryhl /// # Safety 206*ce2e0829SAlice Ryhl /// 207*ce2e0829SAlice Ryhl /// * The referenced `struct iov_iter` must be valid and must only be accessed through the 208*ce2e0829SAlice Ryhl /// returned reference for the duration of `'iov`. 209*ce2e0829SAlice Ryhl /// * The referenced `struct iov_iter` must have `data_source` set to `ITER_DEST`. 210*ce2e0829SAlice Ryhl /// * For the duration of `'data`, it must be safe to write to this IO vector using the 211*ce2e0829SAlice Ryhl /// standard C methods for this purpose. 212*ce2e0829SAlice Ryhl #[track_caller] 213*ce2e0829SAlice Ryhl #[inline] 214*ce2e0829SAlice Ryhl pub unsafe fn from_raw<'iov>(ptr: *mut bindings::iov_iter) -> &'iov mut IovIterDest<'data> { 215*ce2e0829SAlice Ryhl // SAFETY: The caller ensures that `ptr` is valid. 216*ce2e0829SAlice Ryhl let data_source = unsafe { (*ptr).data_source }; 217*ce2e0829SAlice Ryhl assert_eq!(data_source, ITER_DEST); 218*ce2e0829SAlice Ryhl 219*ce2e0829SAlice Ryhl // SAFETY: The caller ensures the type invariants for the right durations, and 220*ce2e0829SAlice Ryhl // `IovIterSource` is layout compatible with `struct iov_iter`. 221*ce2e0829SAlice Ryhl unsafe { &mut *ptr.cast::<IovIterDest<'data>>() } 222*ce2e0829SAlice Ryhl } 223*ce2e0829SAlice Ryhl 224*ce2e0829SAlice Ryhl /// Access this as a raw `struct iov_iter`. 225*ce2e0829SAlice Ryhl #[inline] 226*ce2e0829SAlice Ryhl pub fn as_raw(&mut self) -> *mut bindings::iov_iter { 227*ce2e0829SAlice Ryhl self.iov.get() 228*ce2e0829SAlice Ryhl } 229*ce2e0829SAlice Ryhl 230*ce2e0829SAlice Ryhl /// Returns the number of bytes available in this IO vector. 231*ce2e0829SAlice Ryhl /// 232*ce2e0829SAlice Ryhl /// Note that this may overestimate the number of bytes. For example, reading from userspace 233*ce2e0829SAlice Ryhl /// memory could fail with EFAULT, which will be treated as the end of the IO vector. 234*ce2e0829SAlice Ryhl #[inline] 235*ce2e0829SAlice Ryhl pub fn len(&self) -> usize { 236*ce2e0829SAlice Ryhl // SAFETY: We have shared access to this IO vector, so we can read its `count` field. 237*ce2e0829SAlice Ryhl unsafe { 238*ce2e0829SAlice Ryhl (*self.iov.get()) 239*ce2e0829SAlice Ryhl .__bindgen_anon_1 240*ce2e0829SAlice Ryhl .__bindgen_anon_1 241*ce2e0829SAlice Ryhl .as_ref() 242*ce2e0829SAlice Ryhl .count 243*ce2e0829SAlice Ryhl } 244*ce2e0829SAlice Ryhl } 245*ce2e0829SAlice Ryhl 246*ce2e0829SAlice Ryhl /// Returns whether there are any bytes left in this IO vector. 247*ce2e0829SAlice Ryhl /// 248*ce2e0829SAlice Ryhl /// This may return `true` even if there are no more bytes available. For example, reading from 249*ce2e0829SAlice Ryhl /// userspace memory could fail with EFAULT, which will be treated as the end of the IO vector. 250*ce2e0829SAlice Ryhl #[inline] 251*ce2e0829SAlice Ryhl pub fn is_empty(&self) -> bool { 252*ce2e0829SAlice Ryhl self.len() == 0 253*ce2e0829SAlice Ryhl } 254*ce2e0829SAlice Ryhl 255*ce2e0829SAlice Ryhl /// Advance this IO vector by `bytes` bytes. 256*ce2e0829SAlice Ryhl /// 257*ce2e0829SAlice Ryhl /// If `bytes` is larger than the size of this IO vector, it is advanced to the end. 258*ce2e0829SAlice Ryhl #[inline] 259*ce2e0829SAlice Ryhl pub fn advance(&mut self, bytes: usize) { 260*ce2e0829SAlice Ryhl // SAFETY: By the type invariants, `self.iov` is a valid IO vector. 261*ce2e0829SAlice Ryhl unsafe { bindings::iov_iter_advance(self.as_raw(), bytes) }; 262*ce2e0829SAlice Ryhl } 263*ce2e0829SAlice Ryhl 264*ce2e0829SAlice Ryhl /// Advance this IO vector backwards by `bytes` bytes. 265*ce2e0829SAlice Ryhl /// 266*ce2e0829SAlice Ryhl /// # Safety 267*ce2e0829SAlice Ryhl /// 268*ce2e0829SAlice Ryhl /// The IO vector must not be reverted to before its beginning. 269*ce2e0829SAlice Ryhl #[inline] 270*ce2e0829SAlice Ryhl pub unsafe fn revert(&mut self, bytes: usize) { 271*ce2e0829SAlice Ryhl // SAFETY: By the type invariants, `self.iov` is a valid IO vector, and the caller 272*ce2e0829SAlice Ryhl // ensures that `bytes` is in bounds. 273*ce2e0829SAlice Ryhl unsafe { bindings::iov_iter_revert(self.as_raw(), bytes) }; 274*ce2e0829SAlice Ryhl } 275*ce2e0829SAlice Ryhl 276*ce2e0829SAlice Ryhl /// Write data to this IO vector. 277*ce2e0829SAlice Ryhl /// 278*ce2e0829SAlice Ryhl /// Returns the number of bytes that were written. If this is shorter than the provided slice, 279*ce2e0829SAlice Ryhl /// then no more bytes can be written. 280*ce2e0829SAlice Ryhl #[inline] 281*ce2e0829SAlice Ryhl pub fn copy_to_iter(&mut self, input: &[u8]) -> usize { 282*ce2e0829SAlice Ryhl // SAFETY: 283*ce2e0829SAlice Ryhl // * By the type invariants, it is still valid to write to this IO vector. 284*ce2e0829SAlice Ryhl // * `input` is valid for `input.len()` bytes. 285*ce2e0829SAlice Ryhl unsafe { bindings::_copy_to_iter(input.as_ptr().cast(), input.len(), self.as_raw()) } 286*ce2e0829SAlice Ryhl } 287*ce2e0829SAlice Ryhl 288*ce2e0829SAlice Ryhl /// Utility for implementing `read_iter` given the full contents of the file. 289*ce2e0829SAlice Ryhl /// 290*ce2e0829SAlice Ryhl /// The full contents of the file being read from is represented by `contents`. This call will 291*ce2e0829SAlice Ryhl /// write the appropriate sub-slice of `contents` and update the file position in `ppos` so 292*ce2e0829SAlice Ryhl /// that the file will appear to contain `contents` even if takes multiple reads to read the 293*ce2e0829SAlice Ryhl /// entire file. 294*ce2e0829SAlice Ryhl #[inline] 295*ce2e0829SAlice Ryhl pub fn simple_read_from_buffer(&mut self, ppos: &mut i64, contents: &[u8]) -> Result<usize> { 296*ce2e0829SAlice Ryhl if *ppos < 0 { 297*ce2e0829SAlice Ryhl return Err(EINVAL); 298*ce2e0829SAlice Ryhl } 299*ce2e0829SAlice Ryhl let Ok(pos) = usize::try_from(*ppos) else { 300*ce2e0829SAlice Ryhl return Ok(0); 301*ce2e0829SAlice Ryhl }; 302*ce2e0829SAlice Ryhl if pos >= contents.len() { 303*ce2e0829SAlice Ryhl return Ok(0); 304*ce2e0829SAlice Ryhl } 305*ce2e0829SAlice Ryhl 306*ce2e0829SAlice Ryhl // BOUNDS: We just checked that `pos < contents.len()` above. 307*ce2e0829SAlice Ryhl let num_written = self.copy_to_iter(&contents[pos..]); 308*ce2e0829SAlice Ryhl 309*ce2e0829SAlice Ryhl // OVERFLOW: `pos+num_written <= contents.len() <= isize::MAX <= i64::MAX`. 310*ce2e0829SAlice Ryhl *ppos = (pos + num_written) as i64; 311*ce2e0829SAlice Ryhl 312*ce2e0829SAlice Ryhl Ok(num_written) 313*ce2e0829SAlice Ryhl } 314*ce2e0829SAlice Ryhl } 315