rust: hide bindings::lock_class_key from drivers

This is in preparation for using lock classes in gpio drivers and
executors. (Which is a requirement imposed by the C implementation, not
something new to Rust.)

This takes us closer to making the `bindings` module private to the
`kernel` crate.

Signed-off-by: Wedson Almeida Filho <[email protected]>

Author: wedsonaf

rust/kernel/device.rs

@@ -11,7 +11,7 @@ use crate::{
     bindings,
     revocable::{Revocable, RevocableGuard},
     str::CStr,
-    sync::{NeedsLockClass, RevocableMutex, RevocableMutexGuard, UniqueRef},
+    sync::{LockClassKey, NeedsLockClass, RevocableMutex, RevocableMutexGuard, UniqueRef},
     Result,
 };
 use core::{
@@ -240,26 +240,13 @@ pub struct Data<T, U, V> {
 #[macro_export]
 macro_rules! new_device_data {
     ($reg:expr, $res:expr, $gen:expr, $name:literal) => {{
-        static mut CLASS1: core::mem::MaybeUninit<$crate::bindings::lock_class_key> =
-            core::mem::MaybeUninit::uninit();
-        static mut CLASS2: core::mem::MaybeUninit<$crate::bindings::lock_class_key> =
-            core::mem::MaybeUninit::uninit();
+        static CLASS1: $crate::sync::LockClassKey = $crate::sync::LockClassKey::new();
+        static CLASS2: $crate::sync::LockClassKey = $crate::sync::LockClassKey::new();
         let regs = $reg;
         let res = $res;
         let gen = $gen;
         let name = $crate::c_str!($name);
-        // SAFETY: `CLASS1` and `CLASS2` are never used by Rust code directly; the C portion of the
-        // kernel may change it though.
-        unsafe {
-            $crate::device::Data::try_new(
-                regs,
-                res,
-                gen,
-                name,
-                CLASS1.as_mut_ptr(),
-                CLASS2.as_mut_ptr(),
-            )
-        }
+        $crate::device::Data::try_new(regs, res, gen, name, &CLASS1, &CLASS2)
     }};
 }
 
@@ -268,18 +255,13 @@ impl<T, U, V> Data<T, U, V> {
     ///
     /// It is recommended that the [`new_device_data`] macro be used as it automatically creates
     /// the lock classes.
-    ///
-    /// # Safety
-    ///
-    /// `key1` and `key2` must point to valid memory locations and remain valid until `self` is
-    /// dropped.
-    pub unsafe fn try_new(
+    pub fn try_new(
         registrations: T,
         resources: U,
         general: V,
         name: &'static CStr,
-        key1: *mut bindings::lock_class_key,
-        key2: *mut bindings::lock_class_key,
+        key1: &'static LockClassKey,
+        key2: &'static LockClassKey,
     ) -> Result<Pin<UniqueRef<Self>>> {
         let mut ret = Pin::from(UniqueRef::try_new(Self {
             // SAFETY: We call `RevocableMutex::init` below.
@@ -290,9 +272,7 @@ impl<T, U, V> Data<T, U, V> {
 
         // SAFETY: `Data::registrations` is pinned when `Data` is.
         let pinned = unsafe { ret.as_mut().map_unchecked_mut(|d| &mut d.registrations) };
-
-        // SAFETY: The safety requirements of this function satisfy those of `RevocableMutex::init`.
-        unsafe { pinned.init(name, key1, key2) };
+        pinned.init(name, key1, key2);
         Ok(ret)
     }
 

rust/kernel/sync.rs

@@ -22,7 +22,7 @@
 //! ```
 
 use crate::{bindings, str::CStr};
-use core::pin::Pin;
+use core::{cell::UnsafeCell, mem::MaybeUninit, pin::Pin};
 
 mod arc;
 mod condvar;
@@ -48,25 +48,37 @@ pub use rwsem::{RevocableRwSemaphore, RevocableRwSemaphoreGuard, RwSemaphore};
 pub use seqlock::{SeqLock, SeqLockReadGuard};
 pub use spinlock::{RawSpinLock, SpinLock};
 
+/// Represents a lockdep class. It's a wrapper around C's `lock_class_key`.
+#[repr(transparent)]
+pub struct LockClassKey(UnsafeCell<MaybeUninit<bindings::lock_class_key>>);
+
+// SAFETY: This is a wrapper around a lock class key, so it is safe to use references to it from
+// any thread.
+unsafe impl Sync for LockClassKey {}
+
+impl LockClassKey {
+    /// Creates a new lock class key.
+    pub const fn new() -> Self {
+        Self(UnsafeCell::new(MaybeUninit::uninit()))
+    }
+
+    fn get(&self) -> *mut bindings::lock_class_key {
+        self.0.get().cast()
+    }
+}
+
 /// Safely initialises an object that has an `init` function that takes a name and a lock class as
 /// arguments, examples of these are [`Mutex`] and [`SpinLock`]. Each of them also provides a more
 /// specialised name that uses this macro.
 #[doc(hidden)]
 #[macro_export]
 macro_rules! init_with_lockdep {
     ($obj:expr, $name:expr) => {{
-        static mut CLASS1: core::mem::MaybeUninit<$crate::bindings::lock_class_key> =
-            core::mem::MaybeUninit::uninit();
-        static mut CLASS2: core::mem::MaybeUninit<$crate::bindings::lock_class_key> =
-            core::mem::MaybeUninit::uninit();
+        static CLASS1: $crate::sync::LockClassKey = $crate::sync::LockClassKey::new();
+        static CLASS2: $crate::sync::LockClassKey = $crate::sync::LockClassKey::new();
         let obj = $obj;
         let name = $crate::c_str!($name);
-        // SAFETY: `CLASS1` and `CLASS2` are never used by Rust code directly; the C portion of the
-        // kernel may change it though.
-        #[allow(unused_unsafe)]
-        unsafe {
-            $crate::sync::NeedsLockClass::init(obj, name, CLASS1.as_mut_ptr(), CLASS2.as_mut_ptr())
-        };
+        $crate::sync::NeedsLockClass::init(obj, name, &CLASS1, &CLASS2)
     }};
 }
 
@@ -79,16 +91,11 @@ pub trait NeedsLockClass {
     ///
     /// Callers are encouraged to use the [`init_with_lockdep`] macro as it automatically creates a
     /// new lock class on each usage.
-    ///
-    /// # Safety
-    ///
-    /// `key1` and `key2` must point to valid memory locations and remain valid until `self` is
-    /// dropped.
-    unsafe fn init(
+    fn init(
         self: Pin<&mut Self>,
         name: &'static CStr,
-        key1: *mut bindings::lock_class_key,
-        key2: *mut bindings::lock_class_key,
+        key1: &'static LockClassKey,
+        key2: &'static LockClassKey,
     );
 }
 

rust/kernel/sync/condvar.rs

@@ -5,7 +5,7 @@
 //! This module allows Rust code to use the kernel's [`struct wait_queue_head`] as a condition
 //! variable.
 
-use super::{Guard, Lock, LockInfo, NeedsLockClass};
+use super::{Guard, Lock, LockClassKey, LockInfo, NeedsLockClass};
 use crate::{bindings, str::CStr, task::Task, Opaque};
 use core::{marker::PhantomPinned, pin::Pin};
 
@@ -127,12 +127,14 @@ impl CondVar {
 }
 
 impl NeedsLockClass for CondVar {
-    unsafe fn init(
+    fn init(
         self: Pin<&mut Self>,
         name: &'static CStr,
-        key: *mut bindings::lock_class_key,
-        _: *mut bindings::lock_class_key,
+        key: &'static LockClassKey,
+        _: &'static LockClassKey,
     ) {
-        unsafe { bindings::__init_waitqueue_head(self.wait_list.get(), name.as_char_ptr(), key) };
+        unsafe {
+            bindings::__init_waitqueue_head(self.wait_list.get(), name.as_char_ptr(), key.get())
+        };
     }
 }

rust/kernel/sync/guard.rs

@@ -6,8 +6,8 @@
 //! the ([`Lock`]) trait. It also contains the definition of the trait, which can be leveraged by
 //! other constructs to work on generic locking primitives.
 
-use super::NeedsLockClass;
-use crate::{bindings, str::CStr, Bool, False, True};
+use super::{LockClassKey, NeedsLockClass};
+use crate::{str::CStr, Bool, False, True};
 use core::pin::Pin;
 
 /// Allows mutual exclusion primitives that implement the [`Lock`] trait to automatically unlock
@@ -144,26 +144,16 @@ pub trait LockFactory {
 /// A lock that can be initialised with a single lock class key.
 pub trait LockIniter {
     /// Initialises the lock instance so that it can be safely used.
-    ///
-    /// # Safety
-    ///
-    /// `key` must point to a valid memory location that will remain valid until the lock is
-    /// dropped.
-    unsafe fn init_lock(
-        self: Pin<&mut Self>,
-        name: &'static CStr,
-        key: *mut bindings::lock_class_key,
-    );
+    fn init_lock(self: Pin<&mut Self>, name: &'static CStr, key: &'static LockClassKey);
 }
 
 impl<L: LockIniter> NeedsLockClass for L {
-    unsafe fn init(
+    fn init(
         self: Pin<&mut Self>,
         name: &'static CStr,
-        key: *mut bindings::lock_class_key,
-        _: *mut bindings::lock_class_key,
+        key: &'static LockClassKey,
+        _: &'static LockClassKey,
     ) {
-        // SAFETY: The safety requirements of this function satisfy those of `init_lock`.
-        unsafe { self.init_lock(name, key) };
+        self.init_lock(name, key);
     }
 }

rust/kernel/sync/mutex.rs

@@ -4,7 +4,7 @@
 //!
 //! This module allows Rust code to use the kernel's [`struct mutex`].
 
-use super::{Guard, Lock, LockFactory, LockIniter, WriteLock};
+use super::{Guard, Lock, LockClassKey, LockFactory, LockIniter, WriteLock};
 use crate::{bindings, str::CStr, Opaque};
 use core::{cell::UnsafeCell, marker::PhantomPinned, pin::Pin};
 
@@ -82,12 +82,8 @@ impl<T> LockFactory for Mutex<T> {
 }
 
 impl<T> LockIniter for Mutex<T> {
-    unsafe fn init_lock(
-        self: Pin<&mut Self>,
-        name: &'static CStr,
-        key: *mut bindings::lock_class_key,
-    ) {
-        unsafe { bindings::__mutex_init(self.mutex.get(), name.as_char_ptr(), key) };
+    fn init_lock(self: Pin<&mut Self>, name: &'static CStr, key: &'static LockClassKey) {
+        unsafe { bindings::__mutex_init(self.mutex.get(), name.as_char_ptr(), key.get()) };
     }
 }
 

rust/kernel/sync/revocable.rs

@@ -3,9 +3,8 @@
 //! Synchronisation primitives where access to their contents can be revoked at runtime.
 
 use crate::{
-    bindings,
     str::CStr,
-    sync::{Guard, Lock, LockFactory, LockInfo, NeedsLockClass, ReadLock, WriteLock},
+    sync::{Guard, Lock, LockClassKey, LockFactory, LockInfo, NeedsLockClass, ReadLock, WriteLock},
     True,
 };
 use core::{
@@ -130,18 +129,15 @@ impl<F: LockFactory, T> NeedsLockClass for Revocable<F, T>
 where
     F::LockedType<Inner<T>>: NeedsLockClass,
 {
-    unsafe fn init(
+    fn init(
         self: Pin<&mut Self>,
         name: &'static CStr,
-        key1: *mut bindings::lock_class_key,
-        key2: *mut bindings::lock_class_key,
+        key1: &'static LockClassKey,
+        key2: &'static LockClassKey,
     ) {
         // SAFETY: `inner` is pinned when `self` is.
         let inner = unsafe { self.map_unchecked_mut(|r| &mut r.inner) };
-
-        // SAFETY: The safety requirements of this function satisfy the ones for `inner.init`
-        // (they're the same).
-        unsafe { inner.init(name, key1, key2) };
+        inner.init(name, key1, key2);
     }
 }
 

rust/kernel/sync/rwsem.rs

@@ -6,7 +6,10 @@
 //!
 //! C header: [`include/linux/rwsem.h`](../../../../include/linux/rwsem.h)
 
-use super::{mutex::EmptyGuardContext, Guard, Lock, LockFactory, LockIniter, ReadLock, WriteLock};
+use super::{
+    mutex::EmptyGuardContext, Guard, Lock, LockClassKey, LockFactory, LockIniter, ReadLock,
+    WriteLock,
+};
 use crate::{bindings, str::CStr, Opaque};
 use core::{cell::UnsafeCell, marker::PhantomPinned, pin::Pin};
 
@@ -95,12 +98,8 @@ impl<T> LockFactory for RwSemaphore<T> {
 }
 
 impl<T> LockIniter for RwSemaphore<T> {
-    unsafe fn init_lock(
-        self: Pin<&mut Self>,
-        name: &'static CStr,
-        key: *mut bindings::lock_class_key,
-    ) {
-        unsafe { bindings::__init_rwsem(self.rwsem.get(), name.as_char_ptr(), key) };
+    fn init_lock(self: Pin<&mut Self>, name: &'static CStr, key: &'static LockClassKey) {
+        unsafe { bindings::__init_rwsem(self.rwsem.get(), name.as_char_ptr(), key.get()) };
     }
 }
 

rust/kernel/sync/seqlock.rs

@@ -7,7 +7,7 @@
 //!
 //! See <https://www.kernel.org/doc/Documentation/locking/seqlock.rst>.
 
-use super::{Guard, Lock, LockFactory, LockIniter, NeedsLockClass, ReadLock};
+use super::{Guard, Lock, LockClassKey, LockFactory, LockIniter, NeedsLockClass, ReadLock};
 use crate::{bindings, str::CStr, Opaque};
 use core::{cell::UnsafeCell, marker::PhantomPinned, ops::Deref, pin::Pin};
 
@@ -130,18 +130,17 @@ impl<L: Lock + ?Sized> SeqLock<L> {
 }
 
 impl<L: LockIniter + Lock + ?Sized> NeedsLockClass for SeqLock<L> {
-    unsafe fn init(
+    fn init(
         mut self: Pin<&mut Self>,
         name: &'static CStr,
-        key1: *mut bindings::lock_class_key,
-        key2: *mut bindings::lock_class_key,
+        key1: &'static LockClassKey,
+        key2: &'static LockClassKey,
     ) {
         // SAFETY: `write_lock` is pinned when `self` is.
         let pinned = unsafe { self.as_mut().map_unchecked_mut(|s| &mut s.write_lock) };
-        // SAFETY: `key1` is valid by the safety requirements of this function.
-        unsafe { pinned.init_lock(name, key1) };
-        // SAFETY: `key2` is valid by the safety requirements of this function.
-        unsafe { bindings::__seqcount_init(self.count.get(), name.as_char_ptr(), key2) };
+        pinned.init_lock(name, key1);
+        // SAFETY: `key2` is valid as it has a static lifetime.
+        unsafe { bindings::__seqcount_init(self.count.get(), name.as_char_ptr(), key2.get()) };
     }
 }
 

rust/kernel/sync/smutex.rs

@@ -46,7 +46,7 @@
 //! When the waiter queue is non-empty, unlocking the mutex always results in the first waiter being
 //! popped form the queue and awakened.
 
-use super::{mutex::EmptyGuardContext, Guard, Lock, LockFactory, LockIniter};
+use super::{mutex::EmptyGuardContext, Guard, Lock, LockClassKey, LockFactory, LockIniter};
 use crate::{bindings, str::CStr, Opaque};
 use core::sync::atomic::{AtomicUsize, Ordering};
 use core::{cell::UnsafeCell, pin::Pin};
@@ -153,12 +153,7 @@ impl<T> LockFactory for Mutex<T> {
 }
 
 impl<T> LockIniter for Mutex<T> {
-    unsafe fn init_lock(
-        self: Pin<&mut Self>,
-        _name: &'static CStr,
-        _key: *mut bindings::lock_class_key,
-    ) {
-    }
+    fn init_lock(self: Pin<&mut Self>, _name: &'static CStr, _key: &'static LockClassKey) {}
 }
 
 // SAFETY: The mutex implementation ensures mutual exclusion.