userspace: update k_object API to support immutable objects

The k_object API associates mutable state structures with known kernel
objects to support userspace.  The kernel objects themselves are not
modified by the API, and in some cases (e.g. device structures) may be
const-qualified.  Update the API so that pointers to these const
kernel objects can be passed without casting away the const qualifier.

Fixes #27399

Signed-off-by: Peter Bigot <[email protected]>

Author: pabigot

include/kernel.h

@@ -227,24 +227,24 @@ struct z_object_assignment {
  *
  * @param obj Address of the kernel object
  */
-void z_object_init(void *obj);
+void z_object_init(const void *obj);
 #else
 /* LCOV_EXCL_START */
 #define K_THREAD_ACCESS_GRANT(thread, ...)
 
 /**
  * @internal
  */
-static inline void z_object_init(void *obj)
+static inline void z_object_init(const void *obj)
 {
 	ARG_UNUSED(obj);
 }
 
 /**
  * @internal
  */
-static inline void z_impl_k_object_access_grant(void *object,
-					       struct k_thread *thread)
+static inline void z_impl_k_object_access_grant(const void *object,
+						struct k_thread *thread)
 {
 	ARG_UNUSED(object);
 	ARG_UNUSED(thread);
@@ -253,7 +253,7 @@ static inline void z_impl_k_object_access_grant(void *object,
 /**
  * @internal
  */
-static inline void k_object_access_revoke(void *object,
+static inline void k_object_access_revoke(const void *object,
 					  struct k_thread *thread)
 {
 	ARG_UNUSED(object);
@@ -263,12 +263,12 @@ static inline void k_object_access_revoke(void *object,
 /**
  * @internal
  */
-static inline void z_impl_k_object_release(void *object)
+static inline void z_impl_k_object_release(const void *object)
 {
 	ARG_UNUSED(object);
 }
 
-static inline void k_object_access_all_grant(void *object)
+static inline void k_object_access_all_grant(const void *object)
 {
 	ARG_UNUSED(object);
 }
@@ -285,7 +285,8 @@ static inline void k_object_access_all_grant(void *object)
  * @param object Address of kernel object
  * @param thread Thread to grant access to the object
  */
-__syscall void k_object_access_grant(void *object, struct k_thread *thread);
+__syscall void k_object_access_grant(const void *object,
+				     struct k_thread *thread);
 
 /**
  * Revoke a thread's access to a kernel object
@@ -297,7 +298,7 @@ __syscall void k_object_access_grant(void *object, struct k_thread *thread);
  * @param object Address of kernel object
  * @param thread Thread to remove access to the object
  */
-void k_object_access_revoke(void *object, struct k_thread *thread);
+void k_object_access_revoke(const void *object, struct k_thread *thread);
 
 /**
  * @brief Release an object
@@ -308,7 +309,7 @@ void k_object_access_revoke(void *object, struct k_thread *thread);
  * @param object The object to be released
  *
  */
-__syscall void k_object_release(void *object);
+__syscall void k_object_release(const void *object);
 
 /**
  * Grant all present and future threads access to an object
@@ -327,7 +328,7 @@ __syscall void k_object_release(void *object);
  *
  * @param object Address of kernel object
  */
-void k_object_access_all_grant(void *object);
+void k_object_access_all_grant(const void *object);
 
 /**
  * Allocate a kernel object of a designated type

include/syscall_handler.h

@@ -89,8 +89,8 @@ int z_object_validate(struct z_object *ko, enum k_objects otype,
  * @param ko If retval=-EPERM, struct z_object * that was looked up, or NULL
  * @param otype Expected type of the kernel object
  */
-extern void z_dump_object_error(int retval, void *obj, struct z_object *ko,
-				enum k_objects otype);
+extern void z_dump_object_error(int retval, const void *obj,
+				struct z_object *ko, enum k_objects otype);
 
 /**
  * Kernel object validation function
@@ -102,7 +102,7 @@ extern void z_dump_object_error(int retval, void *obj, struct z_object *ko,
  * @return Kernel object's metadata, or NULL if the parameter wasn't the
  * memory address of a kernel object
  */
-extern struct z_object *z_object_find(void *obj);
+extern struct z_object *z_object_find(const void *obj);
 
 typedef void (*_wordlist_cb_func_t)(struct z_object *ko, void *context);
 
@@ -157,7 +157,7 @@ extern void z_thread_perms_all_clear(struct k_thread *thread);
  *
  * @param object Address of the kernel object
  */
-void z_object_uninit(void *obj);
+void z_object_uninit(const void *obj);
 
 /**
  * Initialize and reset permissions to only access by the caller
@@ -176,7 +176,7 @@ void z_object_uninit(void *obj);
  *
  * @param object Address of the kernel object
  */
-void z_object_recycle(void *obj);
+void z_object_recycle(const void *obj);
 
 /**
  * @brief Obtain the size of a C string passed from user mode
@@ -426,7 +426,7 @@ extern int z_user_string_copy(char *dst, const char *src, size_t maxlen);
 	Z_SYSCALL_MEMORY_ARRAY(ptr, nmemb, size, 1)
 
 static inline int z_obj_validation_check(struct z_object *ko,
-					 void *obj,
+					 const void *obj,
 					 enum k_objects otype,
 					 enum _obj_init_check init)
 {
@@ -446,8 +446,10 @@ static inline int z_obj_validation_check(struct z_object *ko,
 }
 
 #define Z_SYSCALL_IS_OBJ(ptr, type, init) \
-	Z_SYSCALL_VERIFY_MSG(z_obj_validation_check(z_object_find((void *)ptr), (void *)ptr, \
-				   type, init) == 0, "access denied")
+	Z_SYSCALL_VERIFY_MSG(z_obj_validation_check(			\
+				     z_object_find((const void *)ptr),	\
+				     (const void *)ptr,			\
+				     type, init) == 0, "access denied")
 
 /**
  * @brief Runtime check driver object pointer for presence of operation

kernel/userspace.c

@@ -118,7 +118,7 @@ struct dyn_obj {
 	uint8_t data[]; /* The object itself */
 };
 
-extern struct z_object *z_object_gperf_find(void *obj);
+extern struct z_object *z_object_gperf_find(const void *obj);
 extern void z_object_gperf_wordlist_foreach(_wordlist_cb_func_t func,
 					     void *context);
 
@@ -357,7 +357,7 @@ void k_object_free(void *obj)
 	}
 }
 
-struct z_object *z_object_find(void *obj)
+struct z_object *z_object_find(const void *obj)
 {
 	struct z_object *ret;
 
@@ -366,7 +366,11 @@ struct z_object *z_object_find(void *obj)
 	if (ret == NULL) {
 		struct dyn_obj *dynamic_obj;
 
-		dynamic_obj = dyn_object_find(obj);
+		/* The cast to pointer-to-non-const violates MISRA
+		 * 11.8 but is justified since we know dynamic objects
+		 * were not declared with a const qualifier.
+		 */
+		dynamic_obj = dyn_object_find((void *)obj);
 		if (dynamic_obj != NULL) {
 			ret = &dynamic_obj->kobj;
 		}
@@ -533,7 +537,7 @@ static void dump_permission_error(struct z_object *ko)
 	LOG_HEXDUMP_ERR(ko->perms, sizeof(ko->perms), "permission bitmap");
 }
 
-void z_dump_object_error(int retval, void *obj, struct z_object *ko,
+void z_dump_object_error(int retval, const void *obj, struct z_object *ko,
 			enum k_objects otype)
 {
 	switch (retval) {
@@ -561,7 +565,7 @@ void z_dump_object_error(int retval, void *obj, struct z_object *ko,
 	}
 }
 
-void z_impl_k_object_access_grant(void *object, struct k_thread *thread)
+void z_impl_k_object_access_grant(const void *object, struct k_thread *thread)
 {
 	struct z_object *ko = z_object_find(object);
 
@@ -570,7 +574,7 @@ void z_impl_k_object_access_grant(void *object, struct k_thread *thread)
 	}
 }
 
-void k_object_access_revoke(void *object, struct k_thread *thread)
+void k_object_access_revoke(const void *object, struct k_thread *thread)
 {
 	struct z_object *ko = z_object_find(object);
 
@@ -579,12 +583,12 @@ void k_object_access_revoke(void *object, struct k_thread *thread)
 	}
 }
 
-void z_impl_k_object_release(void *object)
+void z_impl_k_object_release(const void *object)
 {
 	k_object_access_revoke(object, _current);
 }
 
-void k_object_access_all_grant(void *object)
+void k_object_access_all_grant(const void *object)
 {
 	struct z_object *ko = z_object_find(object);
 
@@ -626,7 +630,7 @@ int z_object_validate(struct z_object *ko, enum k_objects otype,
 	return 0;
 }
 
-void z_object_init(void *obj)
+void z_object_init(const void *obj)
 {
 	struct z_object *ko;
 
@@ -651,7 +655,7 @@ void z_object_init(void *obj)
 	ko->flags |= K_OBJ_FLAG_INITIALIZED;
 }
 
-void z_object_recycle(void *obj)
+void z_object_recycle(const void *obj)
 {
 	struct z_object *ko = z_object_find(obj);
 
@@ -662,7 +666,7 @@ void z_object_recycle(void *obj)
 	}
 }
 
-void z_object_uninit(void *obj)
+void z_object_uninit(const void *obj)
 {
 	struct z_object *ko;
 

kernel/userspace_handler.c

@@ -8,7 +8,7 @@
 #include <syscall_handler.h>
 #include <kernel_structs.h>
 
-static struct z_object *validate_any_object(void *obj)
+static struct z_object *validate_any_object(const void *obj)
 {
 	struct z_object *ko;
 	int ret;
@@ -36,7 +36,7 @@ static struct z_object *validate_any_object(void *obj)
  * To avoid double z_object_find() lookups, we don't call the implementation
  * function, but call a level deeper.
  */
-static inline void z_vrfy_k_object_access_grant(void *object,
+static inline void z_vrfy_k_object_access_grant(const void *object,
 						struct k_thread *thread)
 {
 	struct z_object *ko;
@@ -49,7 +49,7 @@ static inline void z_vrfy_k_object_access_grant(void *object,
 }
 #include <syscalls/k_object_access_grant_mrsh.c>
 
-static inline void z_vrfy_k_object_release(void *object)
+static inline void z_vrfy_k_object_release(const void *object)
 {
 	struct z_object *ko;
 

scripts/gen_kobject_list.py

@@ -711,7 +711,7 @@ def get_symbols(elf):
 # turned into a string, we told gperf to expect binary strings that are not
 # NULL-terminated.
 footer = """%%
-struct z_object *z_object_gperf_find(void *obj)
+struct z_object *z_object_gperf_find(const void *obj)
 {
     return z_object_lookup((const char *)obj, sizeof(void *));
 }
@@ -728,7 +728,7 @@ def get_symbols(elf):
 }
 
 #ifndef CONFIG_DYNAMIC_OBJECTS
-struct z_object *z_object_find(void *obj)
+struct z_object *z_object_find(const void *obj)
 	ALIAS_OF(z_object_gperf_find);
 
 void z_object_wordlist_foreach(_wordlist_cb_func_t func, void *context)