rust: CStr overhaul

`CStr` is overhauled to make using it more similar to use a `str`.

Signed-off-by: Gary Guo <[email protected]>

Author: nbdd0121

drivers/android/rust_binder.rs

@@ -10,7 +10,7 @@
 use alloc::{boxed::Box, sync::Arc};
 use core::pin::Pin;
 use kernel::{
-    cstr,
+    c_str,
     io_buffer::IoBufferWriter,
     linked_list::{GetLinks, GetLinksWrapped, Links},
     miscdev::Registration,
@@ -111,7 +111,7 @@ impl KernelModule for BinderModule {
         let pinned_ctx = Context::new()?;
         let ctx = unsafe { Pin::into_inner_unchecked(pinned_ctx) };
         let reg = Registration::<Arc<Context>>::new_pinned::<process::Process>(
-            cstr!("rust_binder"),
+            c_str!("rust_binder"),
             None,
             ctx,
         )?;

rust/kernel/c_types.rs

@@ -117,18 +117,3 @@ mod c {
 }
 
 pub use c::*;
-
-/// Reads string until null byte is reached and returns slice excluding the
-/// terminating null.
-///
-/// # Safety
-///
-/// The data from the pointer until the null terminator must be valid for reads
-/// and not mutated for all of `'a`. The length of the string must also be less
-/// than `isize::MAX`. See the documentation on
-/// [`core::slice::from_raw_parts()`] for further details on safety of
-/// converting a pointer to a slice.
-pub unsafe fn c_string_bytes<'a>(ptr: *const crate::c_types::c_char) -> &'a [u8] {
-    let length = crate::bindings::strlen(ptr) as usize;
-    &core::slice::from_raw_parts(ptr as *const u8, length)
-}

rust/kernel/chrdev.rs

@@ -17,7 +17,7 @@ use crate::bindings;
 use crate::c_types;
 use crate::error::{Error, Result};
 use crate::file_operations;
-use crate::types::CStr;
+use crate::str::CStr;
 
 /// Character device.
 ///
@@ -87,7 +87,7 @@ struct RegistrationInner<const N: usize> {
 ///
 /// May contain up to a fixed number (`N`) of devices. Must be pinned.
 pub struct Registration<const N: usize> {
-    name: CStr<'static>,
+    name: &'static CStr,
     minors_start: u16,
     this_module: &'static crate::ThisModule,
     inner: Option<RegistrationInner<N>>,
@@ -104,7 +104,7 @@ impl<const N: usize> Registration<{ N }> {
     /// are going to pin the registration right away, call
     /// [`Self::new_pinned()`] instead.
     pub fn new(
-        name: CStr<'static>,
+        name: &'static CStr,
         minors_start: u16,
         this_module: &'static crate::ThisModule,
     ) -> Self {
@@ -120,7 +120,7 @@ impl<const N: usize> Registration<{ N }> {
     ///
     /// This does *not* register the device: see [`Self::register()`].
     pub fn new_pinned(
-        name: CStr<'static>,
+        name: &'static CStr,
         minors_start: u16,
         this_module: &'static crate::ThisModule,
     ) -> Result<Pin<Box<Self>>> {
@@ -146,7 +146,7 @@ impl<const N: usize> Registration<{ N }> {
                     &mut dev,
                     this.minors_start.into(),
                     N.try_into()?,
-                    this.name.as_ptr() as *const c_types::c_char,
+                    this.name.as_char_ptr(),
                 )
             };
             if res != 0 {

rust/kernel/lib.rs

@@ -19,6 +19,7 @@
     const_fn,
     const_mut_refs,
     const_panic,
+    const_raw_ptr_deref,
     try_reserve
 )]
 #![deny(clippy::complexity)]
@@ -44,6 +45,7 @@ pub mod file;
 pub mod file_operations;
 pub mod miscdev;
 pub mod pages;
+pub mod str;
 
 pub mod linked_list;
 mod raw_list;
@@ -66,7 +68,7 @@ mod types;
 pub mod user_ptr;
 
 pub use crate::error::{Error, Result};
-pub use crate::types::{CStr, Mode};
+pub use crate::types::Mode;
 
 /// Page size defined in terms of the `PAGE_SHIFT` macro from C.
 ///

rust/kernel/miscdev.rs

@@ -6,9 +6,10 @@
 //!
 //! Reference: <https://www.kernel.org/doc/html/latest/driver-api/misc_devices.html>
 
+use crate::bindings;
 use crate::error::{Error, Result};
 use crate::file_operations::{FileOpenAdapter, FileOpener, FileOperationsVtable};
-use crate::{bindings, c_types, CStr};
+use crate::str::CStr;
 use alloc::boxed::Box;
 use core::marker::PhantomPinned;
 use core::pin::Pin;
@@ -41,7 +42,7 @@ impl<T: Sync> Registration<T> {
     ///
     /// Returns a pinned heap-allocated representation of the registration.
     pub fn new_pinned<F: FileOpener<T>>(
-        name: CStr<'static>,
+        name: &'static CStr,
         minor: Option<i32>,
         context: T,
     ) -> Result<Pin<Box<Self>>> {
@@ -56,7 +57,7 @@ impl<T: Sync> Registration<T> {
     /// self-referential. If a minor is not given, the kernel allocates a new one if possible.
     pub fn register<F: FileOpener<T>>(
         self: Pin<&mut Self>,
-        name: CStr<'static>,
+        name: &'static CStr,
         minor: Option<i32>,
     ) -> Result {
         // SAFETY: We must ensure that we never move out of `this`.
@@ -68,7 +69,7 @@ impl<T: Sync> Registration<T> {
 
         // SAFETY: The adapter is compatible with `misc_register`.
         this.mdev.fops = unsafe { FileOperationsVtable::<Self, F>::build() };
-        this.mdev.name = name.as_ptr() as *const c_types::c_char;
+        this.mdev.name = name.as_char_ptr();
         this.mdev.minor = minor.unwrap_or(bindings::MISC_DYNAMIC_MINOR as i32);
 
         let ret = unsafe { bindings::misc_register(&mut this.mdev) };

rust/kernel/module_param.rs

@@ -4,6 +4,7 @@
 //!
 //! C header: [`include/linux/moduleparam.h`](../../../include/linux/moduleparam.h)
 
+use crate::str::CStr;
 use core::fmt::Write;
 
 /// Types that can be used for module parameters.
@@ -70,7 +71,7 @@ pub trait ModuleParam: core::fmt::Display + core::marker::Sized {
         let arg = if val.is_null() {
             None
         } else {
-            Some(crate::c_types::c_string_bytes(val))
+            Some(CStr::from_char_ptr(val).as_bytes())
         };
         match Self::try_from_param_arg(arg) {
             Some(new_value) => {

rust/kernel/str.rs

@@ -0,0 +1,225 @@
+// SPDX-License-Identifier: GPL-2.0
+
+//! String representations.
+
+use core::ops::{self, Deref, Index};
+
+use crate::bindings;
+use crate::c_types;
+
+/// Byte string without UTF-8 validity guarantee.
+///
+/// `BStr` is simply an alias to `[u8]`, but has a more evident semantical meaning.
+pub type BStr = [u8];
+
+/// Creates a new [`BStr`] from a string literal.
+///
+/// `b_str!` converts the supplied string literal to byte string, so non-ASCII
+/// characters can be included.
+///
+/// # Examples
+///
+/// ```rust,no_run
+/// const MY_BSTR: &'static BStr = b_str!("My awesome BStr!");
+/// ```
+#[macro_export]
+macro_rules! b_str {
+    ($str:literal) => {{
+        const S: &'static str = $str;
+        const C: &'static $crate::str::BStr = S.as_bytes();
+        C
+    }};
+}
+
+/// Possible errors when using conversion functions in [`CStr`].
+#[derive(Debug, Clone, Copy)]
+pub enum CStrConvertError {
+    /// Supplied bytes contain an interior `NUL`.
+    InteriorNul,
+
+    /// Supplied bytes are not terminated by `NUL`.
+    NotNulTerminated,
+}
+
+impl From<CStrConvertError> for crate::Error {
+    #[inline]
+    fn from(_: CStrConvertError) -> crate::Error {
+        crate::Error::EINVAL
+    }
+}
+
+/// A string that is guaranteed to have exactly one `NUL` byte, which is at the
+/// end.
+///
+/// Used for interoperability with kernel APIs that take C strings.
+#[repr(transparent)]
+pub struct CStr([u8]);
+
+impl CStr {
+    /// Returns the length of this string excluding `NUL`.
+    #[inline]
+    pub const fn len(&self) -> usize {
+        self.0.len() - 1
+    }
+
+    /// Returns the length of this string with `NUL`.
+    #[inline]
+    pub const fn len_with_nul(&self) -> usize {
+        self.0.len()
+    }
+
+    /// Returns `true` if the string only includes `NUL`.
+    #[inline]
+    pub const fn is_empty(&self) -> bool {
+        self.len() == 0
+    }
+
+    /// Wraps a raw C string pointer.
+    ///
+    /// # Safety
+    ///
+    /// `ptr` must be a valid pointer to a `NUL`-terminated C string, and it must
+    /// last at least `'a`. When `CStr` is alive, the memory pointed by `ptr`
+    /// must not be mutated.
+    #[inline]
+    pub unsafe fn from_char_ptr<'a>(ptr: *const c_types::c_char) -> &'a Self {
+        let len = bindings::strlen(ptr) + 1;
+        Self::from_bytes_with_nul_unchecked(core::slice::from_raw_parts(ptr as _, len as _))
+    }
+
+    /// Creates a [`CStr`] from a `[u8]`.
+    ///
+    /// The provided slice must be `NUL`-terminated, does not contain any
+    /// interior `NUL` bytes.
+    pub fn from_bytes_with_nul(bytes: &[u8]) -> Result<&Self, CStrConvertError> {
+        if bytes.is_empty() {
+            return Err(CStrConvertError::NotNulTerminated);
+        }
+        if bytes[bytes.len() - 1] != 0 {
+            return Err(CStrConvertError::NotNulTerminated);
+        }
+        if bytes[..bytes.len()].contains(&0) {
+            return Err(CStrConvertError::InteriorNul);
+        }
+        // SAFETY: We just checked that all properties hold.
+        Ok(unsafe { Self::from_bytes_with_nul_unchecked(bytes) })
+    }
+
+    /// Creates a [`CStr`] from a `[u8]` without performing any additional
+    /// checks.
+    ///
+    /// # Safety
+    ///
+    /// `bytes` *must* end with a `NUL` byte, and should only have a single
+    /// `NUL` byte (or the string will be truncated).
+    #[inline]
+    pub const unsafe fn from_bytes_with_nul_unchecked(bytes: &[u8]) -> &CStr {
+        // Note: This can be done using pointer deref (which requires
+        //       const_raw_ptr_deref to be const) or transmute (which requires
+        //       const_transmute to be const) or ptr::from_raw_parts (which
+        //       requires ptr_metadata).
+        //       While none of them are current stable, it is very likely that
+        //       one of them will eventually be.
+        &*(bytes as *const [u8] as *const Self)
+    }
+
+    /// Returns a C pointer to the string.
+    #[inline]
+    pub const fn as_char_ptr(&self) -> *const c_types::c_char {
+        self.0.as_ptr() as _
+    }
+
+    /// Convert the string to a byte slice without the trailing 0 byte.
+    #[inline]
+    pub fn as_bytes(&self) -> &[u8] {
+        &self.0[..self.0.len() - 1]
+    }
+
+    /// Convert the string to a byte slice containing the trailing 0 byte.
+    #[inline]
+    pub const fn as_bytes_with_nul(&self) -> &[u8] {
+        &self.0
+    }
+}
+
+impl AsRef<BStr> for CStr {
+    #[inline]
+    fn as_ref(&self) -> &BStr {
+        self.as_bytes()
+    }
+}
+
+impl Deref for CStr {
+    type Target = BStr;
+
+    #[inline]
+    fn deref(&self) -> &Self::Target {
+        self.as_bytes()
+    }
+}
+
+impl Index<ops::RangeFrom<usize>> for CStr {
+    type Output = CStr;
+
+    #[inline]
+    fn index(&self, index: ops::RangeFrom<usize>) -> &Self::Output {
+        assert!(
+            index.start <= self.len(),
+            "range start index {} out of range for slice of length {}",
+            index.start,
+            self.len()
+        );
+        // SAFETY: We just checked the length.
+        unsafe { Self::from_bytes_with_nul_unchecked(&self.0[index.start..]) }
+    }
+}
+
+impl Index<ops::RangeFull> for CStr {
+    type Output = CStr;
+
+    #[inline]
+    fn index(&self, _index: ops::RangeFull) -> &Self::Output {
+        self
+    }
+}
+
+#[doc(hidden)]
+pub trait CStrIndex {}
+
+impl CStrIndex for usize {}
+impl CStrIndex for ops::Range<usize> {}
+impl CStrIndex for ops::RangeInclusive<usize> {}
+impl CStrIndex for ops::RangeToInclusive<usize> {}
+
+impl<Idx> Index<Idx> for CStr
+where
+    Idx: CStrIndex,
+    BStr: Index<Idx>,
+{
+    type Output = <BStr as Index<Idx>>::Output;
+
+    #[inline]
+    fn index(&self, index: Idx) -> &Self::Output {
+        &self.0[index]
+    }
+}
+
+/// Creates a new [`CStr`] from a string literal.
+///
+/// The string literal should not contain any `NUL` bytes.
+///
+/// # Examples
+///
+/// ```rust,no_run
+/// const MY_CSTR: &'static CStr = c_str!("My awesome CStr!");
+/// ```
+#[macro_export]
+macro_rules! c_str {
+    ($str:literal) => {{
+        // FIXME: Check that `$str` does not contain interior `NUL`.
+        const S: &str = concat!($str, "\0");
+        const C: &$crate::str::CStr =
+            { unsafe { $crate::str::CStr::from_bytes_with_nul_unchecked(S.as_bytes()) } };
+        C
+    }};
+}