rust: CStr overhaul

`CStr` is overhauled to make using it more similar to use a `str`.
`c_str` macro can now check if the literal supplied have any internal
NUL (which would violate CStr contract).

Signed-off-by: Gary Guo <[email protected]>

Author: nbdd0121

drivers/android/rust_binder.rs

@@ -10,7 +10,7 @@
 use alloc::{boxed::Box, sync::Arc};
 use core::pin::Pin;
 use kernel::{
-    cstr,
+    c_str,
     io_buffer::IoBufferWriter,
     linked_list::{GetLinks, GetLinksWrapped, Links},
     miscdev::Registration,
@@ -119,7 +119,7 @@ impl KernelModule for BinderModule {
         let pinned_ctx = Context::new()?;
         let ctx = unsafe { Pin::into_inner_unchecked(pinned_ctx) };
         let reg = Registration::<Arc<Context>>::new_pinned::<process::Process>(
-            cstr!("rust_binder"),
+            c_str!("rust_binder"),
             None,
             ctx,
         )?;

rust/kernel/chrdev.rs

@@ -15,7 +15,6 @@ use core::mem::MaybeUninit;
 use core::pin::Pin;
 
 use crate::bindings;
-use crate::c_types;
 use crate::error::{Error, KernelResult};
 use crate::file_operations;
 use crate::types::CStr;
@@ -31,7 +30,7 @@ struct RegistrationInner<const N: usize> {
 ///
 /// May contain up to a fixed number (`N`) of devices. Must be pinned.
 pub struct Registration<const N: usize> {
-    name: CStr<'static>,
+    name: &'static CStr,
     minors_start: u16,
     this_module: &'static crate::ThisModule,
     inner: Option<RegistrationInner<N>>,
@@ -48,7 +47,7 @@ impl<const N: usize> Registration<{ N }> {
     /// are going to pin the registration right away, call
     /// [`Self::new_pinned()`] instead.
     pub fn new(
-        name: CStr<'static>,
+        name: &'static CStr,
         minors_start: u16,
         this_module: &'static crate::ThisModule,
     ) -> Self {
@@ -64,7 +63,7 @@ impl<const N: usize> Registration<{ N }> {
     ///
     /// This does *not* register the device: see [`Self::register()`].
     pub fn new_pinned(
-        name: CStr<'static>,
+        name: &'static CStr,
         minors_start: u16,
         this_module: &'static crate::ThisModule,
     ) -> KernelResult<Pin<Box<Self>>> {
@@ -90,7 +89,7 @@ impl<const N: usize> Registration<{ N }> {
                     &mut dev,
                     this.minors_start.into(),
                     N.try_into()?,
-                    this.name.as_ptr() as *const c_types::c_char,
+                    this.name.as_ptr(),
                 )
             };
             if res != 0 {

rust/kernel/lib.rs

@@ -19,6 +19,7 @@
     const_fn,
     const_mut_refs,
     const_panic,
+    const_raw_ptr_deref,
     try_reserve
 )]
 #![deny(clippy::complexity)]
@@ -65,6 +66,9 @@ pub mod iov_iter;
 mod types;
 pub mod user_ptr;
 
+#[doc(hidden)]
+pub use macros;
+
 pub use crate::error::{Error, KernelResult};
 pub use crate::types::{CStr, Mode};
 

rust/kernel/miscdev.rs

@@ -8,7 +8,7 @@
 
 use crate::error::{Error, KernelResult};
 use crate::file_operations::{FileOpenAdapter, FileOpener, FileOperationsVtable};
-use crate::{bindings, c_types, CStr};
+use crate::{bindings, CStr};
 use alloc::boxed::Box;
 use core::marker::PhantomPinned;
 use core::pin::Pin;
@@ -41,7 +41,7 @@ impl<T: Sync> Registration<T> {
     ///
     /// Returns a pinned heap-allocated representation of the registration.
     pub fn new_pinned<F: FileOpener<T>>(
-        name: CStr<'static>,
+        name: &'static CStr,
         minor: Option<i32>,
         context: T,
     ) -> KernelResult<Pin<Box<Self>>> {
@@ -56,7 +56,7 @@ impl<T: Sync> Registration<T> {
     /// self-referential. If a minor is not given, the kernel allocates a new one if possible.
     pub fn register<F: FileOpener<T>>(
         self: Pin<&mut Self>,
-        name: CStr<'static>,
+        name: &'static CStr,
         minor: Option<i32>,
     ) -> KernelResult {
         // SAFETY: We must ensure that we never move out of `this`.
@@ -68,7 +68,7 @@ impl<T: Sync> Registration<T> {
 
         // SAFETY: The adapter is compatible with `misc_register`.
         this.mdev.fops = unsafe { FileOperationsVtable::<Self, F>::build() };
-        this.mdev.name = name.as_ptr() as *const c_types::c_char;
+        this.mdev.name = name.as_ptr();
         this.mdev.minor = minor.unwrap_or(bindings::MISC_DYNAMIC_MINOR as i32);
 
         let ret = unsafe { bindings::misc_register(&mut this.mdev) };

rust/kernel/sync/condvar.rs

@@ -130,7 +130,7 @@ impl CondVar {
 }
 
 impl NeedsLockClass for CondVar {
-    unsafe fn init(self: Pin<&Self>, name: CStr<'static>, key: *mut bindings::lock_class_key) {
-        bindings::__init_waitqueue_head(self.wait_list.get(), name.as_ptr() as _, key);
+    unsafe fn init(self: Pin<&Self>, name: &'static CStr, key: *mut bindings::lock_class_key) {
+        bindings::__init_waitqueue_head(self.wait_list.get(), name.as_ptr(), key);
     }
 }

rust/kernel/sync/mod.rs

@@ -51,7 +51,7 @@ macro_rules! init_with_lockdep {
         // SAFETY: `CLASS` is never used by Rust code directly; the kernel may change it though.
         #[allow(unused_unsafe)]
         unsafe {
-            $crate::sync::NeedsLockClass::init($obj, $crate::cstr!($name), CLASS.as_mut_ptr())
+            $crate::sync::NeedsLockClass::init($obj, $crate::c_str!($name), CLASS.as_mut_ptr())
         };
     }};
 }
@@ -69,7 +69,7 @@ pub trait NeedsLockClass {
     /// # Safety
     ///
     /// `key` must point to a valid memory location as it will be used by the kernel.
-    unsafe fn init(self: Pin<&Self>, name: CStr<'static>, key: *mut bindings::lock_class_key);
+    unsafe fn init(self: Pin<&Self>, name: &'static CStr, key: *mut bindings::lock_class_key);
 }
 
 /// Determines if a signal is pending on the current process.

rust/kernel/sync/mutex.rs

@@ -71,8 +71,8 @@ impl<T: ?Sized> Mutex<T> {
 }
 
 impl<T: ?Sized> NeedsLockClass for Mutex<T> {
-    unsafe fn init(self: Pin<&Self>, name: CStr<'static>, key: *mut bindings::lock_class_key) {
-        bindings::__mutex_init(self.mutex.get(), name.as_ptr() as _, key);
+    unsafe fn init(self: Pin<&Self>, name: &'static CStr, key: *mut bindings::lock_class_key) {
+        bindings::__mutex_init(self.mutex.get(), name.as_ptr(), key);
     }
 }
 

rust/kernel/sync/spinlock.rs

@@ -85,8 +85,8 @@ impl<T: ?Sized> SpinLock<T> {
 }
 
 impl<T: ?Sized> NeedsLockClass for SpinLock<T> {
-    unsafe fn init(self: Pin<&Self>, name: CStr<'static>, key: *mut bindings::lock_class_key) {
-        rust_helper_spin_lock_init(self.spin_lock.get(), name.as_ptr() as _, key);
+    unsafe fn init(self: Pin<&Self>, name: &'static CStr, key: *mut bindings::lock_class_key) {
+        rust_helper_spin_lock_init(self.spin_lock.get(), name.as_ptr(), key);
     }
 }
 

rust/kernel/sysctl.rs

@@ -16,6 +16,7 @@ use crate::{
     bindings, c_types, error,
     io_buffer::IoBufferWriter,
     types,
+    types::CStr,
     user_ptr::{UserSlicePtr, UserSlicePtrWriter},
 };
 
@@ -130,19 +131,19 @@ unsafe extern "C" fn proc_handler<T: SysctlStorage>(
 impl<T: SysctlStorage> Sysctl<T> {
     /// Registers a single entry in `sysctl`.
     pub fn register(
-        path: types::CStr<'static>,
-        name: types::CStr<'static>,
+        path: &'static CStr,
+        name: &'static CStr,
         storage: T,
         mode: types::Mode,
     ) -> error::KernelResult<Sysctl<T>> {
-        if name.contains('/') {
+        if name.as_bytes().contains(&b'/') {
             return Err(error::Error::EINVAL);
         }
 
         let storage = Box::try_new(storage)?;
         let mut table = vec![
             bindings::ctl_table {
-                procname: name.as_ptr() as *const i8,
+                procname: name.as_ptr(),
                 mode: mode.as_int(),
                 data: &*storage as *const T as *mut c_types::c_void,
                 proc_handler: Some(proc_handler::<T>),
@@ -157,8 +158,7 @@ impl<T: SysctlStorage> Sysctl<T> {
         ]
         .into_boxed_slice();
 
-        let result =
-            unsafe { bindings::register_sysctl(path.as_ptr() as *const i8, table.as_mut_ptr()) };
+        let result = unsafe { bindings::register_sysctl(path.as_ptr(), table.as_mut_ptr()) };
         if result.is_null() {
             return Err(error::Error::ENOMEM);
         }

rust/kernel/types.rs

@@ -4,9 +4,8 @@
 //!
 //! C header: [`include/linux/types.h`](../../../../include/linux/types.h)
 
-use core::ops::Deref;
-
 use crate::bindings;
+use crate::c_types;
 
 /// Permissions.
 ///
@@ -27,31 +26,100 @@ impl Mode {
     }
 }
 
+/// Possible errors when using conversion functions in [`CStr`] and [`CBoundedStr`].
+#[derive(Debug, Clone, Copy)]
+pub enum CStrConvertError {
+    BoundExceeded,
+    InteriorNul,
+    NotNulTerminated,
+}
+
 /// A string that is guaranteed to have exactly one `NUL` byte, which is at the
 /// end.
 ///
 /// Used for interoperability with kernel APIs that take C strings.
 #[repr(transparent)]
-pub struct CStr<'a>(&'a str);
+pub struct CStr([u8]);
+
+impl CStr {
+    /// Returns the length of this string excluding NUL.
+    pub const fn len(&self) -> usize {
+        self.0.len() - 1
+    }
+
+    /// Returns the length of this string with NUL.
+    pub const fn len_with_nul(&self) -> usize {
+        self.0.len()
+    }
+
+    /// Returns `true` if the string only includes `NUL`.
+    pub const fn is_empty(&self) -> bool {
+        self.len() == 0
+    }
+
+    /// Wraps a raw C string pointer.
+    ///
+    /// # Safety
+    ///
+    /// `ptr` must be a valid pointer to a NUL-terminated C string, and it must
+    /// last at least `'a`. When `CStr` is alive, the memory pointed by `ptr`
+    /// must not change.
+    pub unsafe fn from_ptr<'a>(ptr: *const c_types::c_char) -> &'a Self {
+        let len = bindings::strlen(ptr);
+        Self::from_bytes_with_nul_unchecked(core::slice::from_raw_parts(ptr as _, len as _))
+    }
+
+    /// Creates a [`CStr`] form a `[u8]`.
+    ///
+    /// The provided slice must be nul-terminated, does not contain any
+    /// interior nul bytes.
+    pub fn from_bytes_with_nul(bytes: &[u8]) -> Result<&Self, CStrConvertError> {
+        if bytes.is_empty() {
+            return Err(CStrConvertError::NotNulTerminated);
+        }
+        if bytes[bytes.len() - 1] != 0 {
+            return Err(CStrConvertError::NotNulTerminated);
+        }
+        if bytes[..bytes.len()].contains(&0) {
+            return Err(CStrConvertError::InteriorNul);
+        }
+        // SAFETY: We just checked that all properties hold.
+        Ok(unsafe { Self::from_bytes_with_nul_unchecked(bytes) })
+    }
 
-impl CStr<'_> {
-    /// Creates a [`CStr`] from a [`str`] without performing any additional
+    /// Creates a [`CStr`] from a `[u8]` without performing any additional
     /// checks.
     ///
     /// # Safety
     ///
-    /// `data` *must* end with a `NUL` byte, and should only have only a single
+    /// `bytes` *must* end with a `NUL` byte, and should only have a single
     /// `NUL` byte (or the string will be truncated).
-    pub const unsafe fn new_unchecked(data: &str) -> CStr {
-        CStr(data)
+    #[inline]
+    pub const unsafe fn from_bytes_with_nul_unchecked(bytes: &[u8]) -> &CStr {
+        // Note: This can be done using pointer deref (which requires
+        //       const_raw_ptr_deref to be const) or transmute (which requires
+        //       const_transmute to be const) or ptr::from_raw_parts (which
+        //       requires ptr_metadata).
+        //       While none of them are current stable, it is very likely that
+        //       one of them will eventually be.
+        &*(bytes as *const [u8] as *const Self)
     }
-}
 
-impl Deref for CStr<'_> {
-    type Target = str;
+    /// Returns a C pointer to the string.
+    pub const fn as_ptr(&self) -> *const c_types::c_char {
+        self.0.as_ptr() as _
+    }
 
-    fn deref(&self) -> &str {
-        self.0
+    /// Convert the string to a byte slice without the trailing 0 byte.
+    #[inline]
+    pub fn as_bytes(&self) -> &[u8] {
+        &self.0[..self.0.len() - 1]
+    }
+
+    /// Convert the string to a byte slice containing the trailing 0 byte.
+    #[inline]
+    pub const fn as_bytes_with_nul(&self) -> &[u8] {
+        &self.0
     }
 }
 
@@ -62,12 +130,15 @@ impl Deref for CStr<'_> {
 /// # Examples
 ///
 /// ```rust,no_run
-/// const MY_CSTR: CStr<'static> = cstr!("My awesome CStr!");
+/// const MY_CSTR: &'static CStr = c_str!("My awesome CStr!");
 /// ```
 #[macro_export]
-macro_rules! cstr {
-    ($str:expr) => {{
-        let s = concat!($str, "\x00");
-        unsafe { $crate::CStr::new_unchecked(s) }
+macro_rules! c_str {
+    ($str:literal) => {{
+        const C: &'static $crate::CStr = {
+            let s = $crate::macros::append_nul!($str);
+            unsafe { $crate::CStr::from_bytes_with_nul_unchecked(s) }
+        };
+        C
     }};
 }

rust/macros/c_str.rs

@@ -0,0 +1,36 @@
+// SPDX-License-Identifier: GPL-2.0
+
+use crate::syn::{
+    buffer::{Cursor, TokenBuffer},
+    Lit,
+};
+use proc_macro::{Literal, TokenStream, TokenTree};
+
+fn try_any_string(cursor: Cursor<'_>) -> Option<(Vec<u8>, Cursor<'_>)> {
+    let (lit, next) = cursor.literal()?;
+    let lit = Lit::new(lit);
+    let (content, suffix) = match &lit {
+        Lit::ByteStr(str) => Some((str.value(), str.suffix())),
+        Lit::Str(str) => Some((str.value().into_bytes(), str.suffix())),
+        _ => None,
+    }?;
+    if !suffix.is_empty() {
+        return None;
+    }
+    Some((content, next))
+}
+
+pub fn append_nul(ts: TokenStream) -> TokenStream {
+    let buffer = TokenBuffer::new(ts);
+    let cursor = buffer.begin();
+
+    let (mut content, cursor) = try_any_string(cursor).expect("Expected string or byte string");
+    assert!(cursor.eof(), "Expected EOF");
+
+    if content.contains(&0) {
+        panic!("String contains interior NUL bytes");
+    }
+
+    content.push(0);
+    TokenTree::Literal(Literal::byte_string(&content)).into()
+}