// SPDX-License-Identifier: GPL-2.012// Copyright (C) 2025 Google LLC.34//! Rust API for bitmap.5//!6//! C headers: [`include/linux/bitmap.h`](srctree/include/linux/bitmap.h).78use crate::alloc::{AllocError, Flags};9use crate::bindings;10#[cfg(not(CONFIG_RUST_BITMAP_HARDENED))]11use crate::pr_err;12use core::ptr::NonNull;1314/// Represents a C bitmap. Wraps underlying C bitmap API.15///16/// # Invariants17///18/// Must reference a `[c_ulong]` long enough to fit `data.len()` bits.19#[cfg_attr(CONFIG_64BIT, repr(align(8)))]20#[cfg_attr(not(CONFIG_64BIT), repr(align(4)))]21pub struct Bitmap {22data: [()],23}2425impl Bitmap {26/// Borrows a C bitmap.27///28/// # Safety29///30/// * `ptr` holds a non-null address of an initialized array of `unsigned long`31/// that is large enough to hold `nbits` bits.32/// * the array must not be freed for the lifetime of this [`Bitmap`]33/// * concurrent access only happens through atomic operations34pub unsafe fn from_raw<'a>(ptr: *const usize, nbits: usize) -> &'a Bitmap {35let data: *const [()] = core::ptr::slice_from_raw_parts(ptr.cast(), nbits);36// INVARIANT: `data` references an initialized array that can hold `nbits` bits.37// SAFETY:38// The caller guarantees that `data` (derived from `ptr` and `nbits`)39// points to a valid, initialized, and appropriately sized memory region40// that will not be freed for the lifetime 'a.41// We are casting `*const [()]` to `*const Bitmap`. The `Bitmap`42// struct is a ZST with a `data: [()]` field. This means its layout43// is compatible with a slice of `()`, and effectively it's a "thin pointer"44// (its size is 0 and alignment is 1). The `slice_from_raw_parts`45// function correctly encodes the length (number of bits, not elements)46// into the metadata of the fat pointer. Therefore, dereferencing this47// pointer as `&Bitmap` is safe given the caller's guarantees.48unsafe { &*(data as *const Bitmap) }49}5051/// Borrows a C bitmap exclusively.52///53/// # Safety54///55/// * `ptr` holds a non-null address of an initialized array of `unsigned long`56/// that is large enough to hold `nbits` bits.57/// * the array must not be freed for the lifetime of this [`Bitmap`]58/// * no concurrent access may happen.59pub unsafe fn from_raw_mut<'a>(ptr: *mut usize, nbits: usize) -> &'a mut Bitmap {60let data: *mut [()] = core::ptr::slice_from_raw_parts_mut(ptr.cast(), nbits);61// INVARIANT: `data` references an initialized array that can hold `nbits` bits.62// SAFETY:63// The caller guarantees that `data` (derived from `ptr` and `nbits`)64// points to a valid, initialized, and appropriately sized memory region65// that will not be freed for the lifetime 'a.66// Furthermore, the caller guarantees no concurrent access will happen,67// which upholds the exclusivity requirement for a mutable reference.68// Similar to `from_raw`, casting `*mut [()]` to `*mut Bitmap` is69// safe because `Bitmap` is a ZST with a `data: [()]` field,70// making its layout compatible with a slice of `()`.71unsafe { &mut *(data as *mut Bitmap) }72}7374/// Returns a raw pointer to the backing [`Bitmap`].75pub fn as_ptr(&self) -> *const usize {76core::ptr::from_ref::<Bitmap>(self).cast::<usize>()77}7879/// Returns a mutable raw pointer to the backing [`Bitmap`].80pub fn as_mut_ptr(&mut self) -> *mut usize {81core::ptr::from_mut::<Bitmap>(self).cast::<usize>()82}8384/// Returns length of this [`Bitmap`].85#[expect(clippy::len_without_is_empty)]86pub fn len(&self) -> usize {87self.data.len()88}89}9091/// Holds either a pointer to array of `unsigned long` or a small bitmap.92#[repr(C)]93union BitmapRepr {94bitmap: usize,95ptr: NonNull<usize>,96}9798macro_rules! bitmap_assert {99($cond:expr, $($arg:tt)+) => {100#[cfg(CONFIG_RUST_BITMAP_HARDENED)]101assert!($cond, $($arg)*);102}103}104105macro_rules! bitmap_assert_return {106($cond:expr, $($arg:tt)+) => {107#[cfg(CONFIG_RUST_BITMAP_HARDENED)]108assert!($cond, $($arg)*);109110#[cfg(not(CONFIG_RUST_BITMAP_HARDENED))]111if !($cond) {112pr_err!($($arg)*);113return114}115}116}117118/// Represents an owned bitmap.119///120/// Wraps underlying C bitmap API. See [`Bitmap`] for available121/// methods.122///123/// # Examples124///125/// Basic usage126///127/// ```128/// use kernel::alloc::flags::GFP_KERNEL;129/// use kernel::bitmap::BitmapVec;130///131/// let mut b = BitmapVec::new(16, GFP_KERNEL)?;132///133/// assert_eq!(16, b.len());134/// for i in 0..16 {135/// if i % 4 == 0 {136/// b.set_bit(i);137/// }138/// }139/// assert_eq!(Some(0), b.next_bit(0));140/// assert_eq!(Some(1), b.next_zero_bit(0));141/// assert_eq!(Some(4), b.next_bit(1));142/// assert_eq!(Some(5), b.next_zero_bit(4));143/// assert_eq!(Some(12), b.last_bit());144/// # Ok::<(), Error>(())145/// ```146///147/// # Invariants148///149/// * `nbits` is `<= MAX_LEN`.150/// * if `nbits <= MAX_INLINE_LEN`, then `repr` is a `usize`.151/// * otherwise, `repr` holds a non-null pointer to an initialized152/// array of `unsigned long` that is large enough to hold `nbits` bits.153pub struct BitmapVec {154/// Representation of bitmap.155repr: BitmapRepr,156/// Length of this bitmap. Must be `<= MAX_LEN`.157nbits: usize,158}159160impl core::ops::Deref for BitmapVec {161type Target = Bitmap;162163fn deref(&self) -> &Bitmap {164let ptr = if self.nbits <= BitmapVec::MAX_INLINE_LEN {165// SAFETY: Bitmap is represented inline.166#[allow(unused_unsafe, reason = "Safe since Rust 1.92.0")]167unsafe {168core::ptr::addr_of!(self.repr.bitmap)169}170} else {171// SAFETY: Bitmap is represented as array of `unsigned long`.172unsafe { self.repr.ptr.as_ptr() }173};174175// SAFETY: We got the right pointer and invariants of [`Bitmap`] hold.176// An inline bitmap is treated like an array with single element.177unsafe { Bitmap::from_raw(ptr, self.nbits) }178}179}180181impl core::ops::DerefMut for BitmapVec {182fn deref_mut(&mut self) -> &mut Bitmap {183let ptr = if self.nbits <= BitmapVec::MAX_INLINE_LEN {184// SAFETY: Bitmap is represented inline.185#[allow(unused_unsafe, reason = "Safe since Rust 1.92.0")]186unsafe {187core::ptr::addr_of_mut!(self.repr.bitmap)188}189} else {190// SAFETY: Bitmap is represented as array of `unsigned long`.191unsafe { self.repr.ptr.as_ptr() }192};193194// SAFETY: We got the right pointer and invariants of [`BitmapVec`] hold.195// An inline bitmap is treated like an array with single element.196unsafe { Bitmap::from_raw_mut(ptr, self.nbits) }197}198}199200/// Enable ownership transfer to other threads.201///202/// SAFETY: We own the underlying bitmap representation.203unsafe impl Send for BitmapVec {}204205/// Enable unsynchronized concurrent access to [`BitmapVec`] through shared references.206///207/// SAFETY: `deref()` will return a reference to a [`Bitmap`]. Its methods208/// take immutable references are either atomic or read-only.209unsafe impl Sync for BitmapVec {}210211impl Drop for BitmapVec {212fn drop(&mut self) {213if self.nbits <= BitmapVec::MAX_INLINE_LEN {214return;215}216// SAFETY: `self.ptr` was returned by the C `bitmap_zalloc`.217//218// INVARIANT: there is no other use of the `self.ptr` after this219// call and the value is being dropped so the broken invariant is220// not observable on function exit.221unsafe { bindings::bitmap_free(self.repr.ptr.as_ptr()) };222}223}224225impl BitmapVec {226/// The maximum possible length of a `BitmapVec`.227pub const MAX_LEN: usize = i32::MAX as usize;228229/// The maximum length that uses the inline representation.230pub const MAX_INLINE_LEN: usize = usize::BITS as usize;231232/// Construct a longest possible inline [`BitmapVec`].233#[inline]234pub fn new_inline() -> Self {235// INVARIANT: `nbits <= MAX_INLINE_LEN`, so an inline bitmap is the right repr.236BitmapVec {237repr: BitmapRepr { bitmap: 0 },238nbits: BitmapVec::MAX_INLINE_LEN,239}240}241242/// Constructs a new [`BitmapVec`].243///244/// Fails with [`AllocError`] when the [`BitmapVec`] could not be allocated. This245/// includes the case when `nbits` is greater than `MAX_LEN`.246#[inline]247pub fn new(nbits: usize, flags: Flags) -> Result<Self, AllocError> {248if nbits <= BitmapVec::MAX_INLINE_LEN {249return Ok(BitmapVec {250repr: BitmapRepr { bitmap: 0 },251nbits,252});253}254if nbits > Self::MAX_LEN {255return Err(AllocError);256}257let nbits_u32 = u32::try_from(nbits).unwrap();258// SAFETY: `MAX_INLINE_LEN < nbits` and `nbits <= MAX_LEN`.259let ptr = unsafe { bindings::bitmap_zalloc(nbits_u32, flags.as_raw()) };260let ptr = NonNull::new(ptr).ok_or(AllocError)?;261// INVARIANT: `ptr` returned by C `bitmap_zalloc` and `nbits` checked.262Ok(BitmapVec {263repr: BitmapRepr { ptr },264nbits,265})266}267268/// Returns length of this [`Bitmap`].269#[allow(clippy::len_without_is_empty)]270#[inline]271pub fn len(&self) -> usize {272self.nbits273}274275/// Fills this `Bitmap` with random bits.276#[cfg(CONFIG_FIND_BIT_BENCHMARK_RUST)]277pub fn fill_random(&mut self) {278// SAFETY: `self.as_mut_ptr` points to either an array of the279// appropriate length or one usize.280unsafe {281bindings::get_random_bytes(282self.as_mut_ptr().cast::<ffi::c_void>(),283usize::div_ceil(self.nbits, bindings::BITS_PER_LONG as usize)284* bindings::BITS_PER_LONG as usize285/ 8,286);287}288}289}290291impl Bitmap {292/// Set bit with index `index`.293///294/// ATTENTION: `set_bit` is non-atomic, which differs from the naming295/// convention in C code. The corresponding C function is `__set_bit`.296///297/// If CONFIG_RUST_BITMAP_HARDENED is not enabled and `index` is greater than298/// or equal to `self.nbits`, does nothing.299///300/// # Panics301///302/// Panics if CONFIG_RUST_BITMAP_HARDENED is enabled and `index` is greater than303/// or equal to `self.nbits`.304#[inline]305pub fn set_bit(&mut self, index: usize) {306bitmap_assert_return!(307index < self.len(),308"Bit `index` must be < {}, was {}",309self.len(),310index311);312// SAFETY: Bit `index` is within bounds.313unsafe { bindings::__set_bit(index, self.as_mut_ptr()) };314}315316/// Set bit with index `index`, atomically.317///318/// This is a relaxed atomic operation (no implied memory barriers).319///320/// ATTENTION: The naming convention differs from C, where the corresponding321/// function is called `set_bit`.322///323/// If CONFIG_RUST_BITMAP_HARDENED is not enabled and `index` is greater than324/// or equal to `self.len()`, does nothing.325///326/// # Panics327///328/// Panics if CONFIG_RUST_BITMAP_HARDENED is enabled and `index` is greater than329/// or equal to `self.len()`.330#[inline]331pub fn set_bit_atomic(&self, index: usize) {332bitmap_assert_return!(333index < self.len(),334"Bit `index` must be < {}, was {}",335self.len(),336index337);338// SAFETY: `index` is within bounds and the caller has ensured that339// there is no mix of non-atomic and atomic operations.340unsafe { bindings::set_bit(index, self.as_ptr().cast_mut()) };341}342343/// Clear `index` bit.344///345/// ATTENTION: `clear_bit` is non-atomic, which differs from the naming346/// convention in C code. The corresponding C function is `__clear_bit`.347///348/// If CONFIG_RUST_BITMAP_HARDENED is not enabled and `index` is greater than349/// or equal to `self.len()`, does nothing.350///351/// # Panics352///353/// Panics if CONFIG_RUST_BITMAP_HARDENED is enabled and `index` is greater than354/// or equal to `self.len()`.355#[inline]356pub fn clear_bit(&mut self, index: usize) {357bitmap_assert_return!(358index < self.len(),359"Bit `index` must be < {}, was {}",360self.len(),361index362);363// SAFETY: `index` is within bounds.364unsafe { bindings::__clear_bit(index, self.as_mut_ptr()) };365}366367/// Clear `index` bit, atomically.368///369/// This is a relaxed atomic operation (no implied memory barriers).370///371/// ATTENTION: The naming convention differs from C, where the corresponding372/// function is called `clear_bit`.373///374/// If CONFIG_RUST_BITMAP_HARDENED is not enabled and `index` is greater than375/// or equal to `self.len()`, does nothing.376///377/// # Panics378///379/// Panics if CONFIG_RUST_BITMAP_HARDENED is enabled and `index` is greater than380/// or equal to `self.len()`.381#[inline]382pub fn clear_bit_atomic(&self, index: usize) {383bitmap_assert_return!(384index < self.len(),385"Bit `index` must be < {}, was {}",386self.len(),387index388);389// SAFETY: `index` is within bounds and the caller has ensured that390// there is no mix of non-atomic and atomic operations.391unsafe { bindings::clear_bit(index, self.as_ptr().cast_mut()) };392}393394/// Copy `src` into this [`Bitmap`] and set any remaining bits to zero.395///396/// # Examples397///398/// ```399/// use kernel::alloc::{AllocError, flags::GFP_KERNEL};400/// use kernel::bitmap::BitmapVec;401///402/// let mut long_bitmap = BitmapVec::new(256, GFP_KERNEL)?;403///404/// assert_eq!(None, long_bitmap.last_bit());405///406/// let mut short_bitmap = BitmapVec::new(16, GFP_KERNEL)?;407///408/// short_bitmap.set_bit(7);409/// long_bitmap.copy_and_extend(&short_bitmap);410/// assert_eq!(Some(7), long_bitmap.last_bit());411///412/// # Ok::<(), AllocError>(())413/// ```414#[inline]415pub fn copy_and_extend(&mut self, src: &Bitmap) {416let len = core::cmp::min(src.len(), self.len());417// SAFETY: access to `self` and `src` is within bounds.418unsafe {419bindings::bitmap_copy_and_extend(420self.as_mut_ptr(),421src.as_ptr(),422len as u32,423self.len() as u32,424)425};426}427428/// Finds last set bit.429///430/// # Examples431///432/// ```433/// use kernel::alloc::{AllocError, flags::GFP_KERNEL};434/// use kernel::bitmap::BitmapVec;435///436/// let bitmap = BitmapVec::new(64, GFP_KERNEL)?;437///438/// match bitmap.last_bit() {439/// Some(idx) => {440/// pr_info!("The last bit has index {idx}.\n");441/// }442/// None => {443/// pr_info!("All bits in this bitmap are 0.\n");444/// }445/// }446/// # Ok::<(), AllocError>(())447/// ```448#[inline]449pub fn last_bit(&self) -> Option<usize> {450// SAFETY: `_find_next_bit` access is within bounds due to invariant.451let index = unsafe { bindings::_find_last_bit(self.as_ptr(), self.len()) };452if index >= self.len() {453None454} else {455Some(index)456}457}458459/// Finds next set bit, starting from `start`.460///461/// Returns `None` if `start` is greater or equal to `self.nbits`.462#[inline]463pub fn next_bit(&self, start: usize) -> Option<usize> {464bitmap_assert!(465start < self.len(),466"`start` must be < {} was {}",467self.len(),468start469);470// SAFETY: `_find_next_bit` tolerates out-of-bounds arguments and returns a471// value larger than or equal to `self.len()` in that case.472let index = unsafe { bindings::_find_next_bit(self.as_ptr(), self.len(), start) };473if index >= self.len() {474None475} else {476Some(index)477}478}479480/// Finds next zero bit, starting from `start`.481/// Returns `None` if `start` is greater than or equal to `self.len()`.482#[inline]483pub fn next_zero_bit(&self, start: usize) -> Option<usize> {484bitmap_assert!(485start < self.len(),486"`start` must be < {} was {}",487self.len(),488start489);490// SAFETY: `_find_next_zero_bit` tolerates out-of-bounds arguments and returns a491// value larger than or equal to `self.len()` in that case.492let index = unsafe { bindings::_find_next_zero_bit(self.as_ptr(), self.len(), start) };493if index >= self.len() {494None495} else {496Some(index)497}498}499}500501use macros::kunit_tests;502503#[kunit_tests(rust_kernel_bitmap)]504mod tests {505use super::*;506use kernel::alloc::flags::GFP_KERNEL;507508#[test]509fn bitmap_borrow() {510let fake_bitmap: [usize; 2] = [0, 0];511let fake_bitmap_len = 2 * usize::BITS as usize;512// SAFETY: `fake_c_bitmap` is an array of expected length.513let b = unsafe { Bitmap::from_raw(fake_bitmap.as_ptr(), fake_bitmap_len) };514assert_eq!(fake_bitmap_len, b.len());515assert_eq!(None, b.next_bit(0));516}517518#[test]519fn bitmap_copy() {520let fake_bitmap: usize = 0xFF;521// SAFETY: `fake_c_bitmap` can be used as one-element array of expected length.522let b = unsafe { Bitmap::from_raw(core::ptr::addr_of!(fake_bitmap), 8) };523assert_eq!(8, b.len());524assert_eq!(None, b.next_zero_bit(0));525}526527#[test]528fn bitmap_vec_new() -> Result<(), AllocError> {529let b = BitmapVec::new(0, GFP_KERNEL)?;530assert_eq!(0, b.len());531532let b = BitmapVec::new(3, GFP_KERNEL)?;533assert_eq!(3, b.len());534535let b = BitmapVec::new(1024, GFP_KERNEL)?;536assert_eq!(1024, b.len());537538// Requesting too large values results in [`AllocError`].539let res = BitmapVec::new(1 << 31, GFP_KERNEL);540assert!(res.is_err());541Ok(())542}543544#[test]545fn bitmap_set_clear_find() -> Result<(), AllocError> {546let mut b = BitmapVec::new(128, GFP_KERNEL)?;547548// Zero-initialized549assert_eq!(None, b.next_bit(0));550assert_eq!(Some(0), b.next_zero_bit(0));551assert_eq!(None, b.last_bit());552553b.set_bit(17);554555assert_eq!(Some(17), b.next_bit(0));556assert_eq!(Some(17), b.next_bit(17));557assert_eq!(None, b.next_bit(18));558assert_eq!(Some(17), b.last_bit());559560b.set_bit(107);561562assert_eq!(Some(17), b.next_bit(0));563assert_eq!(Some(17), b.next_bit(17));564assert_eq!(Some(107), b.next_bit(18));565assert_eq!(Some(107), b.last_bit());566567b.clear_bit(17);568569assert_eq!(Some(107), b.next_bit(0));570assert_eq!(Some(107), b.last_bit());571Ok(())572}573574#[test]575fn owned_bitmap_out_of_bounds() -> Result<(), AllocError> {576// TODO: Kunit #[test]s do not support `cfg` yet,577// so we add it here in the body.578#[cfg(not(CONFIG_RUST_BITMAP_HARDENED))]579{580let mut b = BitmapVec::new(128, GFP_KERNEL)?;581b.set_bit(2048);582b.set_bit_atomic(2048);583b.clear_bit(2048);584b.clear_bit_atomic(2048);585assert_eq!(None, b.next_bit(2048));586assert_eq!(None, b.next_zero_bit(2048));587assert_eq!(None, b.last_bit());588}589Ok(())590}591592// TODO: uncomment once kunit supports [should_panic] and `cfg`.593// #[cfg(CONFIG_RUST_BITMAP_HARDENED)]594// #[test]595// #[should_panic]596// fn owned_bitmap_out_of_bounds() -> Result<(), AllocError> {597// let mut b = BitmapVec::new(128, GFP_KERNEL)?;598//599// b.set_bit(2048);600// }601602#[test]603fn bitmap_copy_and_extend() -> Result<(), AllocError> {604let mut long_bitmap = BitmapVec::new(256, GFP_KERNEL)?;605606long_bitmap.set_bit(3);607long_bitmap.set_bit(200);608609let mut short_bitmap = BitmapVec::new(32, GFP_KERNEL)?;610611short_bitmap.set_bit(17);612613long_bitmap.copy_and_extend(&short_bitmap);614615// Previous bits have been cleared.616assert_eq!(Some(17), long_bitmap.next_bit(0));617assert_eq!(Some(17), long_bitmap.last_bit());618Ok(())619}620}621622623