kernel/transmute.rs
1// SPDX-License-Identifier: GPL-2.0
2
3//! Traits for transmuting types.
4
5use core::mem::size_of;
6
7/// Types for which any bit pattern is valid.
8///
9/// Not all types are valid for all values. For example, a `bool` must be either zero or one, so
10/// reading arbitrary bytes into something that contains a `bool` is not okay.
11///
12/// It's okay for the type to have padding, as initializing those bytes has no effect.
13///
14/// # Examples
15///
16/// ```
17/// use kernel::transmute::FromBytes;
18///
19/// # fn test() -> Option<()> {
20/// let raw = [1, 2, 3, 4];
21///
22/// let result = u32::from_bytes(&raw)?;
23///
24/// #[cfg(target_endian = "little")]
25/// assert_eq!(*result, 0x4030201);
26///
27/// #[cfg(target_endian = "big")]
28/// assert_eq!(*result, 0x1020304);
29///
30/// # Some(()) }
31/// # test().ok_or(EINVAL)?;
32/// # Ok::<(), Error>(())
33/// ```
34///
35/// # Safety
36///
37/// All bit-patterns must be valid for this type. This type must not have interior mutability.
38pub unsafe trait FromBytes {
39 /// Converts a slice of bytes to a reference to `Self`.
40 ///
41 /// Succeeds if the reference is properly aligned, and the size of `bytes` is equal to that of
42 /// `T` and different from zero.
43 ///
44 /// Otherwise, returns [`None`].
45 fn from_bytes(bytes: &[u8]) -> Option<&Self>
46 where
47 Self: Sized,
48 {
49 let slice_ptr = bytes.as_ptr().cast::<Self>();
50 let size = size_of::<Self>();
51
52 #[allow(clippy::incompatible_msrv)]
53 if bytes.len() == size && slice_ptr.is_aligned() {
54 // SAFETY: Size and alignment were just checked.
55 unsafe { Some(&*slice_ptr) }
56 } else {
57 None
58 }
59 }
60
61 /// Converts a mutable slice of bytes to a reference to `Self`.
62 ///
63 /// Succeeds if the reference is properly aligned, and the size of `bytes` is equal to that of
64 /// `T` and different from zero.
65 ///
66 /// Otherwise, returns [`None`].
67 fn from_bytes_mut(bytes: &mut [u8]) -> Option<&mut Self>
68 where
69 Self: AsBytes + Sized,
70 {
71 let slice_ptr = bytes.as_mut_ptr().cast::<Self>();
72 let size = size_of::<Self>();
73
74 #[allow(clippy::incompatible_msrv)]
75 if bytes.len() == size && slice_ptr.is_aligned() {
76 // SAFETY: Size and alignment were just checked.
77 unsafe { Some(&mut *slice_ptr) }
78 } else {
79 None
80 }
81 }
82
83 /// Creates an owned instance of `Self` by copying `bytes`.
84 ///
85 /// Unlike [`FromBytes::from_bytes`], which requires aligned input, this method can be used on
86 /// non-aligned data at the cost of a copy.
87 fn from_bytes_copy(bytes: &[u8]) -> Option<Self>
88 where
89 Self: Sized,
90 {
91 if bytes.len() == size_of::<Self>() {
92 // SAFETY: we just verified that `bytes` has the same size as `Self`, and per the
93 // invariants of `FromBytes`, any byte sequence of the correct length is a valid value
94 // for `Self`.
95 Some(unsafe { core::ptr::read_unaligned(bytes.as_ptr().cast::<Self>()) })
96 } else {
97 None
98 }
99 }
100}
101
102macro_rules! impl_frombytes {
103 ($($({$($generics:tt)*})? $t:ty, )*) => {
104 // SAFETY: Safety comments written in the macro invocation.
105 $(unsafe impl$($($generics)*)? FromBytes for $t {})*
106 };
107}
108
109impl_frombytes! {
110 // SAFETY: All bit patterns are acceptable values of the types below.
111 u8, u16, u32, u64, usize,
112 i8, i16, i32, i64, isize,
113
114 // SAFETY: If all bit patterns are acceptable for individual values in an array, then all bit
115 // patterns are also acceptable for arrays of that type.
116 {<T: FromBytes>} [T],
117 {<T: FromBytes, const N: usize>} [T; N],
118}
119
120/// Types that can be viewed as an immutable slice of initialized bytes.
121///
122/// If a struct implements this trait, then it is okay to copy it byte-for-byte to userspace. This
123/// means that it should not have any padding, as padding bytes are uninitialized. Reading
124/// uninitialized memory is not just undefined behavior, it may even lead to leaking sensitive
125/// information on the stack to userspace.
126///
127/// The struct should also not hold kernel pointers, as kernel pointer addresses are also considered
128/// sensitive. However, leaking kernel pointers is not considered undefined behavior by Rust, so
129/// this is a correctness requirement, but not a safety requirement.
130///
131/// # Safety
132///
133/// Values of this type may not contain any uninitialized bytes. This type must not have interior
134/// mutability.
135pub unsafe trait AsBytes {
136 /// Returns `self` as a slice of bytes.
137 fn as_bytes(&self) -> &[u8] {
138 // CAST: `Self` implements `AsBytes` thus all bytes of `self` are initialized.
139 let data = core::ptr::from_ref(self).cast::<u8>();
140 let len = core::mem::size_of_val(self);
141
142 // SAFETY: `data` is non-null and valid for reads of `len * sizeof::<u8>()` bytes.
143 unsafe { core::slice::from_raw_parts(data, len) }
144 }
145
146 /// Returns `self` as a mutable slice of bytes.
147 fn as_bytes_mut(&mut self) -> &mut [u8]
148 where
149 Self: FromBytes,
150 {
151 // CAST: `Self` implements both `AsBytes` and `FromBytes` thus making `Self`
152 // bi-directionally transmutable to `[u8; size_of_val(self)]`.
153 let data = core::ptr::from_mut(self).cast::<u8>();
154 let len = core::mem::size_of_val(self);
155
156 // SAFETY: `data` is non-null and valid for read and writes of `len * sizeof::<u8>()`
157 // bytes.
158 unsafe { core::slice::from_raw_parts_mut(data, len) }
159 }
160}
161
162macro_rules! impl_asbytes {
163 ($($({$($generics:tt)*})? $t:ty, )*) => {
164 // SAFETY: Safety comments written in the macro invocation.
165 $(unsafe impl$($($generics)*)? AsBytes for $t {})*
166 };
167}
168
169impl_asbytes! {
170 // SAFETY: Instances of the following types have no uninitialized portions.
171 u8, u16, u32, u64, usize,
172 i8, i16, i32, i64, isize,
173 bool,
174 char,
175 str,
176
177 // SAFETY: If individual values in an array have no uninitialized portions, then the array
178 // itself does not have any uninitialized portions either.
179 {<T: AsBytes>} [T],
180 {<T: AsBytes, const N: usize>} [T; N],
181}