lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <fe1386ab-49c0-415d-8bbb-ff14b8197782@dakr.org>
Date: Fri, 5 Jul 2024 13:39:32 +0200
From: Danilo Krummrich <me@...r.org>
To: Viresh Kumar <viresh.kumar@...aro.org>,
 "Rafael J. Wysocki" <rafael@...nel.org>,
 Miguel Ojeda <miguel.ojeda.sandonis@...il.com>,
 Miguel Ojeda <ojeda@...nel.org>, Alex Gaynor <alex.gaynor@...il.com>,
 Wedson Almeida Filho <wedsonaf@...il.com>, Boqun Feng
 <boqun.feng@...il.com>, Gary Guo <gary@...yguo.net>,
 Björn Roy Baron <bjorn3_gh@...tonmail.com>,
 Benno Lossin <benno.lossin@...ton.me>,
 Andreas Hindborg <a.hindborg@...sung.com>, Alice Ryhl <aliceryhl@...gle.com>
Cc: linux-pm@...r.kernel.org, Vincent Guittot <vincent.guittot@...aro.org>,
 Stephen Boyd <sboyd@...nel.org>, Nishanth Menon <nm@...com>,
 rust-for-linux@...r.kernel.org,
 Manos Pitsidianakis <manos.pitsidianakis@...aro.org>,
 Erik Schilling <erik.schilling@...aro.org>,
 Alex Bennée <alex.bennee@...aro.org>,
 Joakim Bech <joakim.bech@...aro.org>, Rob Herring <robh@...nel.org>,
 linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH V3 6/8] rust: Extend cpufreq bindings for driver
 registration

On 7/3/24 09:14, Viresh Kumar wrote:
> This extends the cpufreq bindings with bindings for registering a
> driver.
> 
> Signed-off-by: Viresh Kumar <viresh.kumar@...aro.org>
> ---
>   rust/kernel/cpufreq.rs | 482 ++++++++++++++++++++++++++++++++++++++++-
>   1 file changed, 479 insertions(+), 3 deletions(-)
> 
> diff --git a/rust/kernel/cpufreq.rs b/rust/kernel/cpufreq.rs
> index 6f9d34ebbcb0..66dad18f4ab6 100644
> --- a/rust/kernel/cpufreq.rs
> +++ b/rust/kernel/cpufreq.rs
> @@ -9,14 +9,16 @@
>   use crate::{
>       bindings, clk, cpumask,
>       device::Device,
> -    error::{code::*, from_err_ptr, to_result, Result, VTABLE_DEFAULT_ERROR},
> +    error::{code::*, from_err_ptr, from_result, to_result, Result, VTABLE_DEFAULT_ERROR},
>       prelude::*,
> -    types::{ARef, ForeignOwnable},
> +    types::ForeignOwnable,
>   };
>   
>   use core::{
> +    cell::UnsafeCell,
> +    marker::PhantomData,
>       pin::Pin,
> -    ptr::self,
> +    ptr::{self, addr_of_mut},
>   };
>   
>   use macros::vtable;
> @@ -563,3 +565,477 @@ fn register_em(_policy: &mut Policy) {
>           kernel::build_error(VTABLE_DEFAULT_ERROR)
>       }
>   }
> +
> +/// Registration of a cpufreq driver.
> +pub struct Registration<T: Driver> {
> +    registered: bool,
> +    drv: UnsafeCell<bindings::cpufreq_driver>,
> +    _p: PhantomData<T>,
> +}
> +
> +// SAFETY: `Registration` doesn't offer any methods or access to fields when shared between threads
> +// or CPUs, so it is safe to share it.
> +unsafe impl<T: Driver> Sync for Registration<T> {}
> +
> +// SAFETY: Registration with and unregistration from the cpufreq subsystem can happen from any thread.
> +// Additionally, `T::Data` (which is dropped during unregistration) is `Send`, so it is okay to move
> +// `Registration` to different threads.
> +#[allow(clippy::non_send_fields_in_send_ty)]
> +unsafe impl<T: Driver> Send for Registration<T> {}
> +
> +impl<T: Driver> Registration<T> {
> +    /// Creates new [`Registration`] but does not register it yet.
> +    ///
> +    /// It is allowed to move.
> +    fn new() -> Result<Box<Self>> {
> +        Ok(Box::new(
> +            Self {
> +                registered: false,
> +                drv: UnsafeCell::new(bindings::cpufreq_driver::default()),
> +                _p: PhantomData,
> +            },
> +            GFP_KERNEL,
> +        )?)
> +    }
> +
> +    /// Registers a cpufreq driver with the rest of the kernel.
> +    pub fn register(
> +        name: &'static CStr,
> +        data: T::Data,
> +        flags: u16,
> +        boost: bool,
> +    ) -> Result<Box<Self>> {

If you directly call `register` from `new` you can avoid having `Self::registered`.
It's also a bit cleaner, once you got an instance of `Registration` it means something
is registered, once it's dropped, it's unregistered.

> +        let mut reg = Self::new()?;
> +        let drv = reg.drv.get_mut();
> +
> +        // Account for the trailing null character.
> +        let len = name.len() + 1;
> +        if len > drv.name.len() {
> +            return Err(EINVAL);
> +        };
> +
> +        // SAFETY: `name` is a valid Cstr, and we are copying it to an array of equal or larger
> +        // size.
> +        let name = unsafe { &*(name.as_bytes_with_nul() as *const [u8] as *const [i8]) };
> +        drv.name[..len].copy_from_slice(name);
> +
> +        drv.boost_enabled = boost;
> +        drv.flags = flags;
> +
> +        // Allocate an array of 3 pointers to be passed to the C code.
> +        let mut attr = Box::new([ptr::null_mut(); 3], GFP_KERNEL)?;
> +        let mut next = 0;
> +
> +        // SAFETY: The C code returns a valid pointer here, which is again passed to the C code in
> +        // an array.
> +        attr[next] =
> +            unsafe { addr_of_mut!(bindings::cpufreq_freq_attr_scaling_available_freqs) as *mut _ };
> +        next += 1;
> +
> +        if boost {
> +            // SAFETY: The C code returns a valid pointer here, which is again passed to the C code
> +            // in an array.
> +            attr[next] =
> +                unsafe { addr_of_mut!(bindings::cpufreq_freq_attr_scaling_boost_freqs) as *mut _ };
> +            next += 1;
> +        }
> +        attr[next] = ptr::null_mut();
> +
> +        // Pass the ownership of the memory block to the C code. This will be freed when
> +        // the [`Registration`] object goes out of scope.
> +        drv.attr = Box::leak(attr) as *mut _;
> +
> +        // Initialize mandatory callbacks.
> +        drv.init = Some(Self::init_callback);
> +        drv.verify = Some(Self::verify_callback);
> +
> +        // Initialize optional callbacks.
> +        drv.setpolicy = if T::HAS_SETPOLICY {
> +            Some(Self::setpolicy_callback)
> +        } else {
> +            None
> +        };
> +        drv.target = if T::HAS_TARGET {
> +            Some(Self::target_callback)
> +        } else {
> +            None
> +        };
> +        drv.target_index = if T::HAS_TARGET_INDEX {
> +            Some(Self::target_index_callback)
> +        } else {
> +            None
> +        };
> +        drv.fast_switch = if T::HAS_FAST_SWITCH {
> +            Some(Self::fast_switch_callback)
> +        } else {
> +            None
> +        };
> +        drv.adjust_perf = if T::HAS_ADJUST_PERF {
> +            Some(Self::adjust_perf_callback)
> +        } else {
> +            None
> +        };
> +        drv.get_intermediate = if T::HAS_GET_INTERMEDIATE {
> +            Some(Self::get_intermediate_callback)
> +        } else {
> +            None
> +        };
> +        drv.target_intermediate = if T::HAS_TARGET_INTERMEDIATE {
> +            Some(Self::target_intermediate_callback)
> +        } else {
> +            None
> +        };
> +        drv.get = if T::HAS_GET {
> +            Some(Self::get_callback)
> +        } else {
> +            None
> +        };
> +        drv.update_limits = if T::HAS_UPDATE_LIMITS {
> +            Some(Self::update_limits_callback)
> +        } else {
> +            None
> +        };
> +        drv.bios_limit = if T::HAS_BIOS_LIMIT {
> +            Some(Self::bios_limit_callback)
> +        } else {
> +            None
> +        };
> +        drv.online = if T::HAS_ONLINE {
> +            Some(Self::online_callback)
> +        } else {
> +            None
> +        };
> +        drv.offline = if T::HAS_OFFLINE {
> +            Some(Self::offline_callback)
> +        } else {
> +            None
> +        };
> +        drv.exit = if T::HAS_EXIT {
> +            Some(Self::exit_callback)
> +        } else {
> +            None
> +        };
> +        drv.suspend = if T::HAS_SUSPEND {
> +            Some(Self::suspend_callback)
> +        } else {
> +            None
> +        };
> +        drv.resume = if T::HAS_RESUME {
> +            Some(Self::resume_callback)
> +        } else {
> +            None
> +        };
> +        drv.ready = if T::HAS_READY {
> +            Some(Self::ready_callback)
> +        } else {
> +            None
> +        };
> +        drv.set_boost = if T::HAS_SET_BOOST {
> +            Some(Self::set_boost_callback)
> +        } else {
> +            None
> +        };
> +        drv.register_em = if T::HAS_REGISTER_EM {
> +            Some(Self::register_em_callback)
> +        } else {
> +            None
> +        };
> +
> +        // Set driver data before registering the driver, as the cpufreq core may call few
> +        // callbacks before `cpufreq_register_driver()` returns.
> +        reg.set_data(data)?;
> +
> +        // SAFETY: It is safe to register the driver with the cpufreq core in the C code.
> +        to_result(unsafe { bindings::cpufreq_register_driver(reg.drv.get()) })?;
> +        reg.registered = true;
> +        Ok(reg)
> +    }
> +
> +    /// Returns the previous set data for a cpufreq driver.
> +    pub fn data<D: ForeignOwnable>() -> Option<<D>::Borrowed<'static>> {
> +        // SAFETY: The driver data is earlier set by us from [`set_data()`].
> +        let data = unsafe { bindings::cpufreq_get_driver_data() };
> +        if data.is_null() {
> +            None
> +        } else {
> +            // SAFETY: The driver data is earlier set by us from [`set_data()`].
> +            Some(unsafe { D::borrow(data) })
> +        }
> +    }
> +
> +    // Sets the data for a cpufreq driver.
> +    fn set_data(&mut self, data: T::Data) -> Result<()> {
> +        let drv = self.drv.get_mut();
> +
> +        if drv.driver_data.is_null() {
> +            // Pass the ownership of the data to the foreign interface.
> +            drv.driver_data = <T::Data as ForeignOwnable>::into_foreign(data) as _;
> +            Ok(())
> +        } else {
> +            Err(EBUSY)
> +        }
> +    }
> +
> +    // Clears and returns the data for a cpufreq driver.
> +    fn clear_data(&mut self) -> Option<T::Data> {
> +        let drv = self.drv.get_mut();
> +
> +        if drv.driver_data.is_null() {
> +            None
> +        } else {
> +            // SAFETY: By the type invariants, we know that `self` owns a reference, so it is safe to
> +            // relinquish it now.
> +            let data = Some(unsafe { <T::Data as ForeignOwnable>::from_foreign(drv.driver_data) });
> +            drv.driver_data = ptr::null_mut();
> +            data
> +        }
> +    }
> +}
> +
> +// cpufreq driver callbacks.
> +impl<T: Driver> Registration<T> {
> +    // Policy's init callback.
> +    extern "C" fn init_callback(ptr: *mut bindings::cpufreq_policy) -> core::ffi::c_int {
> +        from_result(|| {
> +            // SAFETY: `ptr` is valid by the contract with the C code. `policy` is alive only for the
> +            // duration of this call, so it is guaranteed to remain alive for the lifetime of
> +            // `ptr`.
> +            let mut policy = unsafe { Policy::from_raw_policy(ptr) };
> +
> +            let data = T::init(&mut policy)?;
> +            policy.set_data(data)?;
> +            Ok(0)
> +        })
> +    }
> +
> +    // Policy's exit callback.
> +    extern "C" fn exit_callback(ptr: *mut bindings::cpufreq_policy) -> core::ffi::c_int {
> +        from_result(|| {
> +            // SAFETY: `ptr` is valid by the contract with the C code. `policy` is alive only for the
> +            // duration of this call, so it is guaranteed to remain alive for the lifetime of
> +            // `ptr`.
> +            let mut policy = unsafe { Policy::from_raw_policy(ptr) };
> +
> +            let data = policy.clear_data();
> +            T::exit(&mut policy, data).map(|_| 0)
> +        })
> +    }
> +
> +    // Policy's online callback.
> +    extern "C" fn online_callback(ptr: *mut bindings::cpufreq_policy) -> core::ffi::c_int {
> +        from_result(|| {
> +            // SAFETY: `ptr` is valid by the contract with the C code. `policy` is alive only for the
> +            // duration of this call, so it is guaranteed to remain alive for the lifetime of
> +            // `ptr`.
> +            let mut policy = unsafe { Policy::from_raw_policy(ptr) };
> +            T::online(&mut policy).map(|_| 0)
> +        })
> +    }
> +
> +    // Policy's offline callback.
> +    extern "C" fn offline_callback(ptr: *mut bindings::cpufreq_policy) -> core::ffi::c_int {
> +        from_result(|| {
> +            // SAFETY: `ptr` is valid by the contract with the C code. `policy` is alive only for the
> +            // duration of this call, so it is guaranteed to remain alive for the lifetime of
> +            // `ptr`.
> +            let mut policy = unsafe { Policy::from_raw_policy(ptr) };
> +            T::offline(&mut policy).map(|_| 0)
> +        })
> +    }
> +
> +    // Policy's suspend callback.
> +    extern "C" fn suspend_callback(ptr: *mut bindings::cpufreq_policy) -> core::ffi::c_int {
> +        from_result(|| {
> +            // SAFETY: `ptr` is valid by the contract with the C code. `policy` is alive only for the
> +            // duration of this call, so it is guaranteed to remain alive for the lifetime of
> +            // `ptr`.
> +            let mut policy = unsafe { Policy::from_raw_policy(ptr) };
> +            T::suspend(&mut policy).map(|_| 0)
> +        })
> +    }
> +
> +    // Policy's resume callback.
> +    extern "C" fn resume_callback(ptr: *mut bindings::cpufreq_policy) -> core::ffi::c_int {
> +        from_result(|| {
> +            // SAFETY: `ptr` is valid by the contract with the C code. `policy` is alive only for the
> +            // duration of this call, so it is guaranteed to remain alive for the lifetime of
> +            // `ptr`.
> +            let mut policy = unsafe { Policy::from_raw_policy(ptr) };
> +            T::resume(&mut policy).map(|_| 0)
> +        })
> +    }
> +
> +    // Policy's ready callback.
> +    extern "C" fn ready_callback(ptr: *mut bindings::cpufreq_policy) {
> +        // SAFETY: `ptr` is valid by the contract with the C code. `policy` is alive only for the
> +        // duration of this call, so it is guaranteed to remain alive for the lifetime of
> +        // `ptr`.
> +        let mut policy = unsafe { Policy::from_raw_policy(ptr) };
> +        T::ready(&mut policy);
> +    }
> +
> +    // Policy's verify callback.
> +    extern "C" fn verify_callback(ptr: *mut bindings::cpufreq_policy_data) -> core::ffi::c_int {
> +        from_result(|| {
> +            // SAFETY: `ptr` is valid by the contract with the C code. `policy` is alive only for the
> +            // duration of this call, so it is guaranteed to remain alive for the lifetime of
> +            // `ptr`.
> +            let mut data = unsafe { PolicyData::from_raw_policy_data(ptr) };
> +            T::verify(&mut data).map(|_| 0)
> +        })
> +    }
> +
> +    // Policy's setpolicy callback.
> +    extern "C" fn setpolicy_callback(ptr: *mut bindings::cpufreq_policy) -> core::ffi::c_int {
> +        from_result(|| {
> +            // SAFETY: `ptr` is valid by the contract with the C code. `policy` is alive only for the
> +            // duration of this call, so it is guaranteed to remain alive for the lifetime of
> +            // `ptr`.
> +            let mut policy = unsafe { Policy::from_raw_policy(ptr) };
> +            T::setpolicy(&mut policy).map(|_| 0)
> +        })
> +    }
> +
> +    // Policy's target callback.
> +    extern "C" fn target_callback(
> +        ptr: *mut bindings::cpufreq_policy,
> +        target_freq: u32,
> +        relation: u32,
> +    ) -> core::ffi::c_int {
> +        from_result(|| {
> +            // SAFETY: `ptr` is valid by the contract with the C code. `policy` is alive only for the
> +            // duration of this call, so it is guaranteed to remain alive for the lifetime of
> +            // `ptr`.
> +            let mut policy = unsafe { Policy::from_raw_policy(ptr) };
> +            T::target(&mut policy, target_freq, Relation::new(relation)?).map(|_| 0)
> +        })
> +    }
> +
> +    // Policy's target_index callback.
> +    extern "C" fn target_index_callback(
> +        ptr: *mut bindings::cpufreq_policy,
> +        index: u32,
> +    ) -> core::ffi::c_int {
> +        from_result(|| {
> +            // SAFETY: `ptr` is valid by the contract with the C code. `policy` is alive only for the
> +            // duration of this call, so it is guaranteed to remain alive for the lifetime of
> +            // `ptr`.
> +            let mut policy = unsafe { Policy::from_raw_policy(ptr) };
> +            T::target_index(&mut policy, index).map(|_| 0)
> +        })
> +    }
> +
> +    // Policy's fast_switch callback.
> +    extern "C" fn fast_switch_callback(
> +        ptr: *mut bindings::cpufreq_policy,
> +        target_freq: u32,
> +    ) -> core::ffi::c_uint {
> +        // SAFETY: `ptr` is valid by the contract with the C code. `policy` is alive only for the
> +        // duration of this call, so it is guaranteed to remain alive for the lifetime of
> +        // `ptr`.
> +        let mut policy = unsafe { Policy::from_raw_policy(ptr) };
> +        T::fast_switch(&mut policy, target_freq)
> +    }
> +
> +    // Policy's adjust_perf callback.
> +    extern "C" fn adjust_perf_callback(cpu: u32, min_perf: u64, target_perf: u64, capacity: u64) {
> +        if let Ok(mut policy) = Policy::from_cpu(cpu) {
> +            T::adjust_perf(&mut policy, min_perf, target_perf, capacity);
> +        }
> +    }
> +
> +    // Policy's get_intermediate callback.
> +    extern "C" fn get_intermediate_callback(
> +        ptr: *mut bindings::cpufreq_policy,
> +        index: u32,
> +    ) -> core::ffi::c_uint {
> +        // SAFETY: `ptr` is valid by the contract with the C code. `policy` is alive only for the
> +        // duration of this call, so it is guaranteed to remain alive for the lifetime of
> +        // `ptr`.
> +        let mut policy = unsafe { Policy::from_raw_policy(ptr) };
> +        T::get_intermediate(&mut policy, index)
> +    }
> +
> +    // Policy's target_intermediate callback.
> +    extern "C" fn target_intermediate_callback(
> +        ptr: *mut bindings::cpufreq_policy,
> +        index: u32,
> +    ) -> core::ffi::c_int {
> +        from_result(|| {
> +            // SAFETY: `ptr` is valid by the contract with the C code. `policy` is alive only for the
> +            // duration of this call, so it is guaranteed to remain alive for the lifetime of
> +            // `ptr`.
> +            let mut policy = unsafe { Policy::from_raw_policy(ptr) };
> +            T::target_intermediate(&mut policy, index).map(|_| 0)
> +        })
> +    }
> +
> +    // Policy's get callback.
> +    extern "C" fn get_callback(cpu: u32) -> core::ffi::c_uint {
> +        // SAFETY: Get the policy for a CPU.
> +        Policy::from_cpu(cpu).map_or(0, |mut policy| T::get(&mut policy).map_or(0, |f| f))
> +    }
> +
> +    // Policy's update_limit callback.
> +    extern "C" fn update_limits_callback(cpu: u32) {
> +        // SAFETY: Get the policy for a CPU.
> +        if let Ok(mut policy) = Policy::from_cpu(cpu) {
> +            T::update_limits(&mut policy);
> +        }
> +    }
> +
> +    // Policy's bios_limit callback.
> +    extern "C" fn bios_limit_callback(cpu: i32, limit: *mut u32) -> core::ffi::c_int {
> +        from_result(|| {
> +            let mut policy = Policy::from_cpu(cpu as u32)?;
> +
> +            // SAFETY: The pointer is guaranteed by the C code to be valid.
> +            T::bios_limit(&mut policy, &mut (unsafe { *limit })).map(|_| 0)
> +        })
> +    }
> +
> +    // Policy's set_boost callback.
> +    extern "C" fn set_boost_callback(
> +        ptr: *mut bindings::cpufreq_policy,
> +        state: i32,
> +    ) -> core::ffi::c_int {
> +        from_result(|| {
> +            // SAFETY: `ptr` is valid by the contract with the C code. `policy` is alive only for the
> +            // duration of this call, so it is guaranteed to remain alive for the lifetime of
> +            // `ptr`.
> +            let mut policy = unsafe { Policy::from_raw_policy(ptr) };
> +            T::set_boost(&mut policy, state).map(|_| 0)
> +        })
> +    }
> +
> +    // Policy's register_em callback.
> +    extern "C" fn register_em_callback(ptr: *mut bindings::cpufreq_policy) {
> +        // SAFETY: `ptr` is valid by the contract with the C code. `policy` is alive only for the
> +        // duration of this call, so it is guaranteed to remain alive for the lifetime of
> +        // `ptr`.
> +        let mut policy = unsafe { Policy::from_raw_policy(ptr) };
> +        T::register_em(&mut policy);
> +    }
> +}
> +
> +impl<T: Driver> Drop for Registration<T> {
> +    // Removes the registration from the kernel if it has completed successfully before.
> +    fn drop(&mut self) {
> +        pr_info!("Registration dropped\n");
> +        let drv = self.drv.get_mut();
> +
> +        if self.registered {
> +            // SAFETY: The driver was earlier registered from `register()`.
> +            unsafe { bindings::cpufreq_unregister_driver(drv) };
> +        }
> +
> +        // Free the previously leaked memory to the C code.
> +        if !drv.attr.is_null() {
> +            // SAFETY: The pointer was earlier initialized from the result of `Box::leak`.
> +            unsafe { drop(Box::from_raw(drv.attr)) };
> +        }
> +
> +        // Free data
> +        drop(self.clear_data());
> +    }
> +}

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ