[v3,4/9] rust: workqueue: add low-level workqueue bindings

Message ID 20230711093303.1433770-5-aliceryhl@google.com
State New
Series rust: workqueue: add bindings for the workqueue

Commit Message

Alice Ryhl July 11, 2023, 9:32 a.m. UTC
  Define basic low-level bindings to a kernel workqueue. The API defined
here can only be used unsafely. Later commits will provide safe
wrappers.

Co-developed-by: Gary Guo <gary@garyguo.net>
Signed-off-by: Gary Guo <gary@garyguo.net>
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Reviewed-by: Martin Rodriguez Reboredo <yakoyoku@gmail.com>
Reviewed-by: Andreas Hindborg (Samsung) <nmi@metaspace.dk>
Reviewed-by: Benno Lossin <benno.lossin@proton.me>
---
v2 -> v3:
 * Update documentation to say "guarantees section".
 * Add Reviewed-by from Martin, Andreas, Benno.

 rust/bindings/bindings_helper.h |   1 +
 rust/kernel/lib.rs              |   1 +
 rust/kernel/workqueue.rs        | 108 ++++++++++++++++++++++++++++++++
 3 files changed, 110 insertions(+)
 create mode 100644 rust/kernel/workqueue.rs
  

Comments

Boqun Feng July 11, 2023, 10:23 p.m. UTC | #1
On Tue, Jul 11, 2023 at 09:32:58AM +0000, Alice Ryhl wrote:
> Define basic low-level bindings to a kernel workqueue. The API defined
> here can only be used unsafely. Later commits will provide safe
> wrappers.
> 
> Co-developed-by: Gary Guo <gary@garyguo.net>
> Signed-off-by: Gary Guo <gary@garyguo.net>
> Signed-off-by: Alice Ryhl <aliceryhl@google.com>
> Reviewed-by: Martin Rodriguez Reboredo <yakoyoku@gmail.com>
> Reviewed-by: Andreas Hindborg (Samsung) <nmi@metaspace.dk>
> Reviewed-by: Benno Lossin <benno.lossin@proton.me>
> ---
> v2 -> v3:
>  * Update documentation to say "guarantees section".
>  * Add Reviewed-by from Martin, Andreas, Benno.
> 
>  rust/bindings/bindings_helper.h |   1 +
>  rust/kernel/lib.rs              |   1 +
>  rust/kernel/workqueue.rs        | 108 ++++++++++++++++++++++++++++++++
>  3 files changed, 110 insertions(+)
>  create mode 100644 rust/kernel/workqueue.rs
> 
> diff --git a/rust/bindings/bindings_helper.h b/rust/bindings/bindings_helper.h
> index 3e601ce2548d..4e1c0938c8cb 100644
> --- a/rust/bindings/bindings_helper.h
> +++ b/rust/bindings/bindings_helper.h
> @@ -11,6 +11,7 @@
>  #include <linux/refcount.h>
>  #include <linux/wait.h>
>  #include <linux/sched.h>
> +#include <linux/workqueue.h>
>  
>  /* `bindgen` gets confused at certain things. */
>  const gfp_t BINDINGS_GFP_KERNEL = GFP_KERNEL;
> diff --git a/rust/kernel/lib.rs b/rust/kernel/lib.rs
> index 6963d11092c4..6d63f4f6bb8a 100644
> --- a/rust/kernel/lib.rs
> +++ b/rust/kernel/lib.rs
> @@ -45,6 +45,7 @@
>  pub mod sync;
>  pub mod task;
>  pub mod types;
> +pub mod workqueue;
>  
>  #[doc(hidden)]
>  pub use bindings;
> diff --git a/rust/kernel/workqueue.rs b/rust/kernel/workqueue.rs
> new file mode 100644
> index 000000000000..060d26dfcc7d
> --- /dev/null
> +++ b/rust/kernel/workqueue.rs
> @@ -0,0 +1,108 @@
> +// SPDX-License-Identifier: GPL-2.0
> +
> +//! Work queues.
> +//!
> +//! C header: [`include/linux/workqueue.h`](../../../../include/linux/workqueue.h)
> +
> +use crate::{bindings, types::Opaque};
> +
> +/// A kernel work queue.
> +///
> +/// Wraps the kernel's C `struct workqueue_struct`.
> +///
> +/// It allows work items to be queued to run on thread pools managed by the kernel. Several are
> +/// always available, for example, `system`, `system_highpri`, `system_long`, etc.
> +#[repr(transparent)]
> +pub struct Queue(Opaque<bindings::workqueue_struct>);
> +
> +// SAFETY: Kernel workqueues are usable from any thread.
> +unsafe impl Send for Queue {}
> +unsafe impl Sync for Queue {}

I don't think "usable from any thread" is the accurate wording here, it
sounds to me that there are types that cannot be used for a particular
type of threads ;-)

Maybe

	// SAFETY: Accesses to workqueues used by [`Queue`] are
	// thread-safe.

?

Rest of this patch looks good to me.

Reviewed-by: Boqun Feng <boqun.feng@gmail.com>

Regards,
Boqun

> +
> +impl Queue {
> +    /// Use the provided `struct workqueue_struct` with Rust.
> +    ///
> +    /// # Safety
> +    ///
> +    /// The caller must ensure that the provided raw pointer is not dangling, that it points at a
> +    /// valid workqueue, and that it remains valid until the end of 'a.
> +    pub unsafe fn from_raw<'a>(ptr: *const bindings::workqueue_struct) -> &'a Queue {
> +        // SAFETY: The `Queue` type is `#[repr(transparent)]`, so the pointer cast is valid. The
> +        // caller promises that the pointer is not dangling.
> +        unsafe { &*(ptr as *const Queue) }
> +    }
> +
> +    /// Enqueues a work item.
> +    ///
> +    /// This may fail if the work item is already enqueued in a workqueue.
> +    ///
> +    /// The work item will be submitted using `WORK_CPU_UNBOUND`.
> +    pub fn enqueue<W, const ID: u64>(&self, w: W) -> W::EnqueueOutput
> +    where
> +        W: RawWorkItem<ID> + Send + 'static,
> +    {
> +        let queue_ptr = self.0.get();
> +
> +        // SAFETY: We only return `false` if the `work_struct` is already in a workqueue. The other
> +        // `__enqueue` requirements are not relevant since `W` is `Send` and static.
> +        //
> +        // The call to `bindings::queue_work_on` will dereference the provided raw pointer, which
> +        // is ok because `__enqueue` guarantees that the pointer is valid for the duration of this
> +        // closure.
> +        //
> +        // Furthermore, if the C workqueue code accesses the pointer after this call to
> +        // `__enqueue`, then the work item was successfully enqueued, and `bindings::queue_work_on`
> +        // will have returned true. In this case, `__enqueue` promises that the raw pointer will
> +        // stay valid until we call the function pointer in the `work_struct`, so the access is ok.
> +        unsafe {
> +            w.__enqueue(move |work_ptr| {
> +                bindings::queue_work_on(bindings::WORK_CPU_UNBOUND as _, queue_ptr, work_ptr)
> +            })
> +        }
> +    }
> +}
> +
> +/// A raw work item.
> +///
> +/// This is the low-level trait that is designed for being as general as possible.
> +///
> +/// The `ID` parameter to this trait exists so that a single type can provide multiple
> +/// implementations of this trait. For example, if a struct has multiple `work_struct` fields, then
> +/// you will implement this trait once for each field, using a different id for each field. The
> +/// actual value of the id is not important as long as you use different ids for different fields
> +/// of the same struct. (Fields of different structs need not use different ids.)
> +///
> +/// Note that the id is used only to select the right method to call during compilation. It wont be
> +/// part of the final executable.
> +///
> +/// # Safety
> +///
> +/// Implementers must ensure that any pointers passed to a `queue_work_on` closure by `__enqueue`
> +/// remain valid for the duration specified in the guarantees section of the documentation for
> +/// `__enqueue`.
> +pub unsafe trait RawWorkItem<const ID: u64> {
> +    /// The return type of [`Queue::enqueue`].
> +    type EnqueueOutput;
> +
> +    /// Enqueues this work item on a queue using the provided `queue_work_on` method.
> +    ///
> +    /// # Guarantees
> +    ///
> +    /// If this method calls the provided closure, then the raw pointer is guaranteed to point at a
> +    /// valid `work_struct` for the duration of the call to the closure. If the closure returns
> +    /// true, then it is further guaranteed that the pointer remains valid until someone calls the
> +    /// function pointer stored in the `work_struct`.
> +    ///
> +    /// # Safety
> +    ///
> +    /// The provided closure may only return `false` if the `work_struct` is already in a workqueue.
> +    ///
> +    /// If the work item type is annotated with any lifetimes, then you must not call the function
> +    /// pointer after any such lifetime expires. (Never calling the function pointer is okay.)
> +    ///
> +    /// If the work item type is not [`Send`], then the function pointer must be called on the same
> +    /// thread as the call to `__enqueue`.
> +    unsafe fn __enqueue<F>(self, queue_work_on: F) -> Self::EnqueueOutput
> +    where
> +        F: FnOnce(*mut bindings::work_struct) -> bool;
> +}
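Review bot: In `from_raw`, the `// SAFETY:` comment justifies the `#[repr(transparent)]` cast and cites that the pointer is not dangling, but the function returns `&'a Queue` and the comment never cites the third caller obligation from the `# Safety` section, that the workqueue remains valid until the end of `'a`. That lifetime promise is what keeps the returned reference from outliving the C object, so the comment should say so, for example "The caller promises that the pointer is valid for the duration of `'a`." The doc line itself writes 'a without backticks, which is worth fixing in the same pass.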
> -- 
> 2.41.0.255.g8b1d071c50-goog
>
  
Alice Ryhl July 17, 2023, 1:53 p.m. UTC | #2
Boqun Feng <boqun.feng@gmail.com> writes:
>> +// SAFETY: Kernel workqueues are usable from any thread.
>> +unsafe impl Send for Queue {}
>> +unsafe impl Sync for Queue {}
> 
> I don't think "usable from any thread" is the accurate wording here, it
> sounds to me that there are types that cannot be used for a particular
> type of threads ;-)
> 
> Maybe
> 
> 	// SAFETY: Accesses to workqueues used by [`Queue`] are
> 	// thread-safe.
> 
> ?

Sure, I'll make that change in the next version.

Alice
  

Patch

diff --git a/rust/bindings/bindings_helper.h b/rust/bindings/bindings_helper.h
index 3e601ce2548d..4e1c0938c8cb 100644
--- a/rust/bindings/bindings_helper.h
+++ b/rust/bindings/bindings_helper.h
@@ -11,6 +11,7 @@ 
 #include <linux/refcount.h>
 #include <linux/wait.h>
 #include <linux/sched.h>
+#include <linux/workqueue.h>
 
 /* `bindgen` gets confused at certain things. */
 const gfp_t BINDINGS_GFP_KERNEL = GFP_KERNEL;
diff --git a/rust/kernel/lib.rs b/rust/kernel/lib.rs
index 6963d11092c4..6d63f4f6bb8a 100644
--- a/rust/kernel/lib.rs
+++ b/rust/kernel/lib.rs
@@ -45,6 +45,7 @@ 
 pub mod sync;
 pub mod task;
 pub mod types;
+pub mod workqueue;
 
 #[doc(hidden)]
 pub use bindings;
diff --git a/rust/kernel/workqueue.rs b/rust/kernel/workqueue.rs
new file mode 100644
index 000000000000..060d26dfcc7d
--- /dev/null
+++ b/rust/kernel/workqueue.rs
@@ -0,0 +1,108 @@ 
+// SPDX-License-Identifier: GPL-2.0
+
+//! Work queues.
+//!
+//! C header: [`include/linux/workqueue.h`](../../../../include/linux/workqueue.h)
+
+use crate::{bindings, types::Opaque};
+
+/// A kernel work queue.
+///
+/// Wraps the kernel's C `struct workqueue_struct`.
+///
+/// It allows work items to be queued to run on thread pools managed by the kernel. Several are
+/// always available, for example, `system`, `system_highpri`, `system_long`, etc.
+#[repr(transparent)]
+pub struct Queue(Opaque<bindings::workqueue_struct>);
+
+// SAFETY: Kernel workqueues are usable from any thread.
+unsafe impl Send for Queue {}
+unsafe impl Sync for Queue {}
+
+impl Queue {
+    /// Use the provided `struct workqueue_struct` with Rust.
+    ///
+    /// # Safety
+    ///
+    /// The caller must ensure that the provided raw pointer is not dangling, that it points at a
+    /// valid workqueue, and that it remains valid until the end of 'a.
+    pub unsafe fn from_raw<'a>(ptr: *const bindings::workqueue_struct) -> &'a Queue {
+        // SAFETY: The `Queue` type is `#[repr(transparent)]`, so the pointer cast is valid. The
+        // caller promises that the pointer is not dangling.
+        unsafe { &*(ptr as *const Queue) }
+    }
+
+    /// Enqueues a work item.
+    ///
+    /// This may fail if the work item is already enqueued in a workqueue.
+    ///
+    /// The work item will be submitted using `WORK_CPU_UNBOUND`.
+    pub fn enqueue<W, const ID: u64>(&self, w: W) -> W::EnqueueOutput
+    where
+        W: RawWorkItem<ID> + Send + 'static,
+    {
+        let queue_ptr = self.0.get();
+
+        // SAFETY: We only return `false` if the `work_struct` is already in a workqueue. The other
+        // `__enqueue` requirements are not relevant since `W` is `Send` and static.
+        //
+        // The call to `bindings::queue_work_on` will dereference the provided raw pointer, which
+        // is ok because `__enqueue` guarantees that the pointer is valid for the duration of this
+        // closure.
+        //
+        // Furthermore, if the C workqueue code accesses the pointer after this call to
+        // `__enqueue`, then the work item was successfully enqueued, and `bindings::queue_work_on`
+        // will have returned true. In this case, `__enqueue` promises that the raw pointer will
+        // stay valid until we call the function pointer in the `work_struct`, so the access is ok.
+        unsafe {
+            w.__enqueue(move |work_ptr| {
+                bindings::queue_work_on(bindings::WORK_CPU_UNBOUND as _, queue_ptr, work_ptr)
+            })
+        }
+    }
+}
+
+/// A raw work item.
+///
+/// This is the low-level trait that is designed for being as general as possible.
+///
+/// The `ID` parameter to this trait exists so that a single type can provide multiple
+/// implementations of this trait. For example, if a struct has multiple `work_struct` fields, then
+/// you will implement this trait once for each field, using a different id for each field. The
+/// actual value of the id is not important as long as you use different ids for different fields
+/// of the same struct. (Fields of different structs need not use different ids.)
+///
+/// Note that the id is used only to select the right method to call during compilation. It wont be
+/// part of the final executable.
+///
+/// # Safety
+///
+/// Implementers must ensure that any pointers passed to a `queue_work_on` closure by `__enqueue`
+/// remain valid for the duration specified in the guarantees section of the documentation for
+/// `__enqueue`.
+pub unsafe trait RawWorkItem<const ID: u64> {
+    /// The return type of [`Queue::enqueue`].
+    type EnqueueOutput;
+
+    /// Enqueues this work item on a queue using the provided `queue_work_on` method.
+    ///
+    /// # Guarantees
+    ///
+    /// If this method calls the provided closure, then the raw pointer is guaranteed to point at a
+    /// valid `work_struct` for the duration of the call to the closure. If the closure returns
+    /// true, then it is further guaranteed that the pointer remains valid until someone calls the
+    /// function pointer stored in the `work_struct`.
+    ///
+    /// # Safety
+    ///
+    /// The provided closure may only return `false` if the `work_struct` is already in a workqueue.
+    ///
+    /// If the work item type is annotated with any lifetimes, then you must not call the function
+    /// pointer after any such lifetime expires. (Never calling the function pointer is okay.)
+    ///
+    /// If the work item type is not [`Send`], then the function pointer must be called on the same
+    /// thread as the call to `__enqueue`.
+    unsafe fn __enqueue<F>(self, queue_work_on: F) -> Self::EnqueueOutput
+    where
+        F: FnOnce(*mut bindings::work_struct) -> bool;
+}
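Review bot: `Queue::enqueue` is documented with "This may fail if the work item is already enqueued in a workqueue", yet it returns `W::EnqueueOutput`, whose only documentation is "The return type of [`Queue::enqueue`]", so nothing in this file tells a caller or an implementer how that failure is reported. Please state in the `RawWorkItem` docs what `EnqueueOutput` must convey when the closure returns `false`. Two smaller points in the same hunk: `unsafe impl Sync for Queue {}` has no `// SAFETY:` comment of its own (the single comment sits above the `Send` impl), and "It wont be" in the `RawWorkItem` docs should read "It won't be".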