[PATCH 1/3] rust: fs: add a new type for file::Offset

[PATCH 1/3] rust: fs: add a new type for file::Offset

[Danilo Krummrich]

Replace the existing file::Offset type alias with a new type.

Compared to a type alias, a new type allows for more fine grained
control over the operations that (semantically) make sense for a
specific type.

Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Jan Kara <jack@suse.cz>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Reviewed-by: Alexandre Courbot <acourbot@nvidia.com>
Suggested-by: Miguel Ojeda <ojeda@kernel.org>
Link: https://github.com/Rust-for-Linux/linux/issues/1198
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
---
 rust/kernel/debugfs/file_ops.rs |   4 +-
 rust/kernel/fs/file.rs          | 159 +++++++++++++++++++++++++++++++-
 rust/kernel/uaccess.rs          |   4 +-
 3 files changed, 159 insertions(+), 8 deletions(-)

diff --git a/rust/kernel/debugfs/file_ops.rs b/rust/kernel/debugfs/file_ops.rs
index 6c8928902a0b..8e45c15d3c90 100644
--- a/rust/kernel/debugfs/file_ops.rs
+++ b/rust/kernel/debugfs/file_ops.rs
@@ -261,7 +261,7 @@ extern "C" fn blob_read<T: BinaryWriter>(
     // SAFETY:
     // - `ppos` is a valid `file::Offset` pointer.
     // - We have exclusive access to `ppos`.
-    let pos: &mut file::Offset = unsafe { &mut *ppos };
+    let pos = unsafe { file::Offset::from_raw(ppos) };
 
     let mut writer = UserSlice::new(UserPtr::from_ptr(buf.cast()), count).writer();
 
@@ -316,7 +316,7 @@ extern "C" fn blob_write<T: BinaryReader>(
     // SAFETY:
     // - `ppos` is a valid `file::Offset` pointer.
     // - We have exclusive access to `ppos`.
-    let pos: &mut file::Offset = unsafe { &mut *ppos };
+    let pos = unsafe { file::Offset::from_raw(ppos) };
 
     let mut reader = UserSlice::new(UserPtr::from_ptr(buf.cast_mut().cast()), count).reader();
 
diff --git a/rust/kernel/fs/file.rs b/rust/kernel/fs/file.rs
index 23ee689bd240..655019f336d9 100644
--- a/rust/kernel/fs/file.rs
+++ b/rust/kernel/fs/file.rs
@@ -15,12 +15,163 @@
     sync::aref::{ARef, AlwaysRefCounted},
     types::{NotThreadSafe, Opaque},
 };
-use core::ptr;
+use core::{num::TryFromIntError, ptr};
 
-/// Primitive type representing the offset within a [`File`].
+/// Representation of an offset within a [`File`].
 ///
-/// Type alias for `bindings::loff_t`.
-pub type Offset = bindings::loff_t;
+/// Transparent wrapper around `bindings::loff_t`.
+#[repr(transparent)]
+#[derive(Copy, Clone, Debug, PartialEq, Eq, PartialOrd, Ord, Default)]
+pub struct Offset(pub bindings::loff_t);
+
+impl Offset {
+    /// The largest value that can be represented by this type.
+    pub const MAX: Self = Self(bindings::loff_t::MAX);
+
+    /// The smallest value that can be represented by this type.
+    pub const MIN: Self = Self(bindings::loff_t::MIN);
+
+    /// Create a mutable [`Offset`] reference from the raw `*mut bindings::loff_t`.
+    ///
+    /// # Safety
+    ///
+    /// - `offset` must be a valid pointer to a `bindings::loff_t`.
+    /// - The caller must guarantee exclusive access to `offset`.
+    #[inline]
+    pub const unsafe fn from_raw<'a>(offset: *mut bindings::loff_t) -> &'a mut Self {
+        // SAFETY: By the safety requirements of this function
+        // - `offset` is a valid pointer to a `bindings::loff_t`,
+        // - we have exclusive access to `offset`.
+        unsafe { &mut *offset.cast() }
+    }
+
+    /// Returns `true` if the [`Offset`] is negative.
+    ///
+    /// # Examples
+    ///
+    /// ```
+    /// use kernel::fs::file::Offset;
+    ///
+    /// let offset = Offset::from(1);
+    /// assert!(!offset.is_negative());
+    ///
+    /// let offset = Offset::from(-1);
+    /// assert!(offset.is_negative());
+    /// ```
+    #[inline]
+    pub const fn is_negative(self) -> bool {
+        self.0.is_negative()
+    }
+
+    /// Saturating addition with another [`Offset`].
+    #[inline]
+    pub fn saturating_add(self, rhs: Offset) -> Offset {
+        Self(self.0.saturating_add(rhs.0))
+    }
+
+    /// Saturating addition with a [`usize`].
+    ///
+    /// If the [`usize`] fits in `bindings::loff_t` it is converted and added; otherwise the result
+    /// saturates to [`Offset::MAX`].
+    ///
+    /// # Examples
+    ///
+    /// ```
+    /// use kernel::fs::file::Offset;
+    ///
+    /// let offset = Offset::from(40);
+    ///
+    /// let offset = offset.saturating_add_usize(2);
+    /// assert_eq!(offset, Offset::from(42));
+    ///
+    /// let offset = Offset::MAX.saturating_sub_usize(1);
+    /// let offset = offset.saturating_add_usize(usize::MAX);
+    /// assert_eq!(offset, Offset::MAX);
+    /// ```
+    pub fn saturating_add_usize(self, rhs: usize) -> Offset {
+        match bindings::loff_t::try_from(rhs) {
+            Ok(rhs_loff) => Self(self.0.saturating_add(rhs_loff)),
+            Err(_) => Self::MAX,
+        }
+    }
+
+    /// Saturating subtraction with another [`Offset`].
+    #[inline]
+    pub fn saturating_sub(self, rhs: Offset) -> Offset {
+        Offset(self.0.saturating_sub(rhs.0))
+    }
+
+    /// Saturating subtraction with a [`usize`].
+    ///
+    /// # Examples
+    ///
+    /// ```
+    /// use kernel::fs::file::Offset;
+    ///
+    /// let offset = Offset::from(100);
+    /// let offset = offset.saturating_sub_usize(58);
+    /// assert_eq!(offset, Offset::from(42));
+    ///
+    /// let offset = Offset::MIN.saturating_add_usize(1);
+    /// let offset = offset.saturating_sub_usize(usize::MAX);
+    /// assert_eq!(offset, Offset::MIN);
+    /// ```
+    #[inline]
+    pub fn saturating_sub_usize(self, rhs: usize) -> Offset {
+        match bindings::loff_t::try_from(rhs) {
+            Ok(rhs_loff) => Offset(self.0.saturating_sub(rhs_loff)),
+            Err(_) => Self::MIN,
+        }
+    }
+}
+
+impl core::ops::Add<isize> for Offset {
+    type Output = Offset;
+
+    #[inline]
+    fn add(self, rhs: isize) -> Offset {
+        Offset(self.0 + rhs as bindings::loff_t)
+    }
+}
+
+impl core::ops::AddAssign<isize> for Offset {
+    #[inline]
+    fn add_assign(&mut self, rhs: isize) {
+        self.0 += rhs as bindings::loff_t;
+    }
+}
+
+impl From<bindings::loff_t> for Offset {
+    #[inline]
+    fn from(v: bindings::loff_t) -> Self {
+        Self(v)
+    }
+}
+
+impl From<Offset> for bindings::loff_t {
+    #[inline]
+    fn from(offset: Offset) -> Self {
+        offset.0
+    }
+}
+
+impl TryFrom<usize> for Offset {
+    type Error = TryFromIntError;
+
+    #[inline]
+    fn try_from(u: usize) -> Result<Self, Self::Error> {
+        Ok(Self(bindings::loff_t::try_from(u)?))
+    }
+}
+
+impl TryFrom<Offset> for usize {
+    type Error = TryFromIntError;
+
+    #[inline]
+    fn try_from(offset: Offset) -> Result<Self, Self::Error> {
+        usize::try_from(offset.0)
+    }
+}
 
 /// Flags associated with a [`File`].
 pub mod flags {
diff --git a/rust/kernel/uaccess.rs b/rust/kernel/uaccess.rs
index f989539a31b4..7bfc212e78d1 100644
--- a/rust/kernel/uaccess.rs
+++ b/rust/kernel/uaccess.rs
@@ -325,7 +325,7 @@ pub fn read_slice_file(&mut self, out: &mut [u8], offset: &mut file::Offset) ->
         let read = self.read_slice_partial(out, offset_index)?;
 
         // OVERFLOW: `offset + read <= data.len() <= isize::MAX <= Offset::MAX`
-        *offset += read as i64;
+        *offset += read as isize;
 
         Ok(read)
     }
@@ -518,7 +518,7 @@ pub fn write_slice_file(&mut self, data: &[u8], offset: &mut file::Offset) -> Re
         let written = self.write_slice_partial(data, offset_index)?;
 
         // OVERFLOW: `offset + written <= data.len() <= isize::MAX <= Offset::MAX`
-        *offset += written as i64;
+        *offset += written as isize;
 
         Ok(written)
     }

base-commit: f656279afde16afee3ac163b90584ddceacb4e61
-- 
2.51.2

[PATCH 2/3] rust fs: kiocb: take advantage from file::Offset

[Danilo Krummrich]

Make use of file::Offset, now that we have a dedicated type for it.

Suggested-by: Alice Ryhl <aliceryhl@google.com>
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
---
 rust/kernel/fs/kiocb.rs          |  9 ++++++---
 samples/rust/rust_misc_device.rs | 10 +++++++---
 2 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/rust/kernel/fs/kiocb.rs b/rust/kernel/fs/kiocb.rs
index 84c936cd69b0..3159b9ac2bf6 100644
--- a/rust/kernel/fs/kiocb.rs
+++ b/rust/kernel/fs/kiocb.rs
@@ -8,7 +8,10 @@
 
 use core::marker::PhantomData;
 use core::ptr::NonNull;
-use kernel::types::ForeignOwnable;
+use kernel::{
+    fs::file,
+    types::ForeignOwnable, //
+};
 
 /// Wrapper for the kernel's `struct kiocb`.
 ///
@@ -61,8 +64,8 @@ pub fn ki_pos(&self) -> i64 {
     }
 
     /// Gets a mutable reference to the `ki_pos` field.
-    pub fn ki_pos_mut(&mut self) -> &mut i64 {
+    pub fn ki_pos_mut(&mut self) -> &mut file::Offset {
         // SAFETY: We have exclusive access to the kiocb, so we can write to `ki_pos`.
-        unsafe { &mut (*self.as_raw()).ki_pos }
+        unsafe { file::Offset::from_raw(&raw mut (*self.as_raw()).ki_pos) }
     }
 }
diff --git a/samples/rust/rust_misc_device.rs b/samples/rust/rust_misc_device.rs
index d69bc33dbd99..6a9f59ccf71d 100644
--- a/samples/rust/rust_misc_device.rs
+++ b/samples/rust/rust_misc_device.rs
@@ -100,7 +100,11 @@
 use kernel::{
     c_str,
     device::Device,
-    fs::{File, Kiocb},
+    fs::{
+        file,
+        File,
+        Kiocb, //
+    },
     ioctl::{_IO, _IOC_SIZE, _IOR, _IOW},
     iov::{IovIterDest, IovIterSource},
     miscdevice::{MiscDevice, MiscDeviceOptions, MiscDeviceRegistration},
@@ -183,7 +187,7 @@ fn read_iter(mut kiocb: Kiocb<'_, Self::Ptr>, iov: &mut IovIterDest<'_>) -> Resu
 
         let inner = me.inner.lock();
         // Read the buffer contents, taking the file position into account.
-        let read = iov.simple_read_from_buffer(kiocb.ki_pos_mut(), &inner.buffer)?;
+        let read = iov.simple_read_from_buffer(&mut kiocb.ki_pos_mut().0, &inner.buffer)?;
 
         Ok(read)
     }
@@ -199,7 +203,7 @@ fn write_iter(mut kiocb: Kiocb<'_, Self::Ptr>, iov: &mut IovIterSource<'_>) -> R
         let len = iov.copy_from_iter_vec(&mut inner.buffer, GFP_KERNEL)?;
 
         // Set position to zero so that future `read` calls will see the new contents.
-        *kiocb.ki_pos_mut() = 0;
+        *kiocb.ki_pos_mut() = file::Offset::from(0);
 
         Ok(len)
     }
-- 
2.51.2

Re: [PATCH 2/3] rust fs: kiocb: take advantage from file::Offset

[Alice Ryhl]

On Wed, Nov 05, 2025 at 01:22:49AM +0100, Danilo Krummrich wrote:
> Make use of file::Offset, now that we have a dedicated type for it.
> 
> Suggested-by: Alice Ryhl <aliceryhl@google.com>
> Signed-off-by: Danilo Krummrich <dakr@kernel.org>

Reviewed-by: Alice Ryhl <aliceryhl@google.com>

[PATCH 3/3] rust: iov: take advantage from file::Offset

[Danilo Krummrich]

Make use of file::Offset, now that we have a dedicated type for it.

Suggested-by: Alice Ryhl <aliceryhl@google.com>
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
---
 rust/kernel/iov.rs               | 13 +++++++++----
 samples/rust/rust_misc_device.rs |  2 +-
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/rust/kernel/iov.rs b/rust/kernel/iov.rs
index 43bae8923c46..a3b1233441b6 100644
--- a/rust/kernel/iov.rs
+++ b/rust/kernel/iov.rs
@@ -10,6 +10,7 @@
 use crate::{
     alloc::{Allocator, Flags},
     bindings,
+    fs::file,
     prelude::*,
     types::Opaque,
 };
@@ -292,8 +293,12 @@ pub fn copy_to_iter(&mut self, input: &[u8]) -> usize {
     /// that the file will appear to contain `contents` even if takes multiple reads to read the
     /// entire file.
     #[inline]
-    pub fn simple_read_from_buffer(&mut self, ppos: &mut i64, contents: &[u8]) -> Result<usize> {
-        if *ppos < 0 {
+    pub fn simple_read_from_buffer(
+        &mut self,
+        ppos: &mut file::Offset,
+        contents: &[u8],
+    ) -> Result<usize> {
+        if ppos.is_negative() {
             return Err(EINVAL);
         }
         let Ok(pos) = usize::try_from(*ppos) else {
@@ -306,8 +311,8 @@ pub fn simple_read_from_buffer(&mut self, ppos: &mut i64, contents: &[u8]) -> Re
         // BOUNDS: We just checked that `pos < contents.len()` above.
         let num_written = self.copy_to_iter(&contents[pos..]);
 
-        // OVERFLOW: `pos+num_written <= contents.len() <= isize::MAX <= i64::MAX`.
-        *ppos = (pos + num_written) as i64;
+        // OVERFLOW: `pos+num_written <= contents.len() <= isize::MAX <= file::Offset::MAX`.
+        *ppos += num_written as isize;
 
         Ok(num_written)
     }
diff --git a/samples/rust/rust_misc_device.rs b/samples/rust/rust_misc_device.rs
index 6a9f59ccf71d..edbcc761b4a2 100644
--- a/samples/rust/rust_misc_device.rs
+++ b/samples/rust/rust_misc_device.rs
@@ -187,7 +187,7 @@ fn read_iter(mut kiocb: Kiocb<'_, Self::Ptr>, iov: &mut IovIterDest<'_>) -> Resu
 
         let inner = me.inner.lock();
         // Read the buffer contents, taking the file position into account.
-        let read = iov.simple_read_from_buffer(&mut kiocb.ki_pos_mut().0, &inner.buffer)?;
+        let read = iov.simple_read_from_buffer(kiocb.ki_pos_mut(), &inner.buffer)?;
 
         Ok(read)
     }
-- 
2.51.2

Re: [PATCH 3/3] rust: iov: take advantage from file::Offset

[Alice Ryhl]

On Wed, Nov 05, 2025 at 01:22:50AM +0100, Danilo Krummrich wrote:
> Make use of file::Offset, now that we have a dedicated type for it.
> 
> Suggested-by: Alice Ryhl <aliceryhl@google.com>
> Signed-off-by: Danilo Krummrich <dakr@kernel.org>

Reviewed-by: Alice Ryhl <aliceryhl@google.com>

Re: [PATCH 1/3] rust: fs: add a new type for file::Offset

[Christian Brauner]

On Wed, Nov 05, 2025 at 01:22:48AM +0100, Danilo Krummrich wrote:
> Replace the existing file::Offset type alias with a new type.
> 
> Compared to a type alias, a new type allows for more fine grained
> control over the operations that (semantically) make sense for a
> specific type.
> 
> Cc: Alexander Viro <viro@zeniv.linux.org.uk>
> Cc: Christian Brauner <brauner@kernel.org>
> Cc: Jan Kara <jack@suse.cz>
> Reviewed-by: Alice Ryhl <aliceryhl@google.com>
> Reviewed-by: Alexandre Courbot <acourbot@nvidia.com>
> Suggested-by: Miguel Ojeda <ojeda@kernel.org>
> Link: https://github.com/Rust-for-Linux/linux/issues/1198
> Signed-off-by: Danilo Krummrich <dakr@kernel.org>
> ---

What's the base for this?
If it's stuff that belongs to fs/ I'd prefer if it always uses a stable
-rc* version as base where possible.

Re: [PATCH 1/3] rust: fs: add a new type for file::Offset

[Danilo Krummrich]

On Wed Nov 5, 2025 at 11:59 AM CET, Christian Brauner wrote:
> On Wed, Nov 05, 2025 at 01:22:48AM +0100, Danilo Krummrich wrote:
>> Replace the existing file::Offset type alias with a new type.
>> 
>> Compared to a type alias, a new type allows for more fine grained
>> control over the operations that (semantically) make sense for a
>> specific type.
>> 
>> Cc: Alexander Viro <viro@zeniv.linux.org.uk>
>> Cc: Christian Brauner <brauner@kernel.org>
>> Cc: Jan Kara <jack@suse.cz>
>> Reviewed-by: Alice Ryhl <aliceryhl@google.com>
>> Reviewed-by: Alexandre Courbot <acourbot@nvidia.com>
>> Suggested-by: Miguel Ojeda <ojeda@kernel.org>
>> Link: https://github.com/Rust-for-Linux/linux/issues/1198
>> Signed-off-by: Danilo Krummrich <dakr@kernel.org>
>> ---
>
> What's the base for this?
> If it's stuff that belongs to fs/ I'd prefer if it always uses a stable
> -rc* version as base where possible.

Please see [1]; the base is [2] from the driver-core tree.

[1] https://lore.kernel.org/lkml/DE0C1KA14PDQ.Q2CJDDTQPWOK@kernel.org/
[2] https://git.kernel.org/pub/scm/linux/kernel/git/driver-core/driver-core.git/tree/?id=1bf5b90cd2f984e5d6ff6fd30d5d85f9f579b6f0

Re: [PATCH 1/3] rust: fs: add a new type for file::Offset

[Danilo Krummrich]

On Wed Nov 5, 2025 at 12:19 PM CET, Danilo Krummrich wrote:
> On Wed Nov 5, 2025 at 11:59 AM CET, Christian Brauner wrote:
>> On Wed, Nov 05, 2025 at 01:22:48AM +0100, Danilo Krummrich wrote:
>>> Replace the existing file::Offset type alias with a new type.
>>> 
>>> Compared to a type alias, a new type allows for more fine grained
>>> control over the operations that (semantically) make sense for a
>>> specific type.
>>> 
>>> Cc: Alexander Viro <viro@zeniv.linux.org.uk>
>>> Cc: Christian Brauner <brauner@kernel.org>
>>> Cc: Jan Kara <jack@suse.cz>
>>> Reviewed-by: Alice Ryhl <aliceryhl@google.com>
>>> Reviewed-by: Alexandre Courbot <acourbot@nvidia.com>
>>> Suggested-by: Miguel Ojeda <ojeda@kernel.org>
>>> Link: https://github.com/Rust-for-Linux/linux/issues/1198
>>> Signed-off-by: Danilo Krummrich <dakr@kernel.org>
>>> ---
>>
>> What's the base for this?
>> If it's stuff that belongs to fs/ I'd prefer if it always uses a stable
>> -rc* version as base where possible.
>
> Please see [1]; the base is [2] from the driver-core tree.

For more context, when I picked up the debugfs patch series from [1] I picked up
the patch that only introduced the file::Offset type alias for loff_t as a
dependency and sent this series as a follow-up.

Hence, I can either take this one through the driver-core tree as well, or, if
you prefer we can also wait for a cycle, so you can pick it up through the FS
tree.

> [1] https://lore.kernel.org/lkml/DE0C1KA14PDQ.Q2CJDDTQPWOK@kernel.org/
> [2] https://git.kernel.org/pub/scm/linux/kernel/git/driver-core/driver-core.git/tree/?id=1bf5b90cd2f984e5d6ff6fd30d5d85f9f579b6f0