From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4462CC02192 for ; Mon, 3 Feb 2025 09:54:01 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id B5B49280002; Mon, 3 Feb 2025 04:54:00 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id AE4716B0093; Mon, 3 Feb 2025 04:54:00 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 9D289280002; Mon, 3 Feb 2025 04:54:00 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0011.hostedemail.com [216.40.44.11]) by kanga.kvack.org (Postfix) with ESMTP id 7F1BE6B008A for ; Mon, 3 Feb 2025 04:54:00 -0500 (EST) Received: from smtpin30.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay10.hostedemail.com (Postfix) with ESMTP id 2EFD3C2608 for ; Mon, 3 Feb 2025 09:53:56 +0000 (UTC) X-FDA: 83078172072.30.472D553 Received: from gimli.kloenk.de (gimli.kloenk.de [49.12.72.200]) by imf18.hostedemail.com (Postfix) with ESMTP id 410D11C000B for ; Mon, 3 Feb 2025 09:53:53 +0000 (UTC) Authentication-Results: imf18.hostedemail.com; dkim=pass header.d=kloenk.dev header.s=mail header.b=ZTFtFUx1; spf=pass (imf18.hostedemail.com: domain of me@kloenk.dev designates 49.12.72.200 as permitted sender) smtp.mailfrom=me@kloenk.dev; dmarc=pass (policy=reject) header.from=kloenk.dev ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1738576434; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=3H5iq9A3tQ3hrA+8GYMBIQFWr4KutMcbtiEaeICkxs4=; b=1MW3zvK/mgDxsN7z8XJYA8ieZFiKPHldVv+UcwzdiYYA/Nw4GXNwy/StWfophmTK/3Wnjn s66VsRyA4NHH1fLWOFdyukyoQTSc7A7O0xHlYc3mNYY46flkL9eNVFmnZqPCP/w37xyVcI aEjFdQm8G2DTc4wT4T1yuA/UNpjmjPA= ARC-Authentication-Results: i=1; imf18.hostedemail.com; dkim=pass header.d=kloenk.dev header.s=mail header.b=ZTFtFUx1; spf=pass (imf18.hostedemail.com: domain of me@kloenk.dev designates 49.12.72.200 as permitted sender) smtp.mailfrom=me@kloenk.dev; dmarc=pass (policy=reject) header.from=kloenk.dev ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1738576434; a=rsa-sha256; cv=none; b=L6npph1xNz3FdZbx858F92lpF/8GO7rosyEe+LbqF+z2EPEmmPTeAvCcBHSz+2uhSFF5+q ZNLJJAZZx+L8FD8tuhzWGvj2d5GzjnuWA9Xx7P0OAMHbHpLfWmEC7aFtXOsIBMe/9B2jP8 KsV7tjiBaGZ9yM8rokK0tGU9T2phpyM= From: Fiona Behrens DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kloenk.dev; s=mail; t=1738576432; bh=3H5iq9A3tQ3hrA+8GYMBIQFWr4KutMcbtiEaeICkxs4=; h=From:To:Cc:Subject:In-Reply-To:References:Date; b=ZTFtFUx139H7TvSqA0wxnR5/OWqcwS1fhiwWGACck4Y0ARngUwg7UL7wQ0y9nM2xl J3MqKp4Aaof7+tBR19wvBuFZK3BCa4AhliLjjrvVLqSc9EvTNJKOFtASjc8rmICQXI rcyLTrzvVlJx5NDc5g5oqu/oD2PFpKHpN4SR+m4U= To: Asahi Lina Cc: Miguel Ojeda , Alex Gaynor , Boqun Feng , Gary Guo , =?utf-8?Q?Bj=C3=B6rn?= Roy Baron , Benno Lossin , Andreas Hindborg , Alice Ryhl , Trevor Gross , Jann Horn , Matthew Wilcox , Paolo Bonzini , Danilo Krummrich , Wedson Almeida Filho , Valentin Obst , Andrew Morton , linux-mm@kvack.org, airlied@redhat.com, Abdiel Janulgue , rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org, asahi@lists.linux.dev Subject: Re: [PATCH 5/6] rust: page: Add physical address conversion functions In-Reply-To: <20250202-rust-page-v1-5-e3170d7fe55e@asahilina.net> (Asahi Lina's message of "Sun, 02 Feb 2025 22:05:47 +0900") References: <20250202-rust-page-v1-0-e3170d7fe55e@asahilina.net> <20250202-rust-page-v1-5-e3170d7fe55e@asahilina.net> Date: Mon, 03 Feb 2025 10:53:51 +0100 Message-ID: <87jza74amo.fsf@kloenk.dev> MIME-Version: 1.0 Content-Type: text/plain X-Rspam-User: X-Rspamd-Server: rspam09 X-Rspamd-Queue-Id: 410D11C000B X-Stat-Signature: k5q9bshndya9cttaqs3yksy7a9eqnn1f X-HE-Tag: 1738576433-274692 X-HE-Meta: U2FsdGVkX19LkxpX10Vrx015siVRxGSWaLWnF+EsguDzsbvPxsbLczCOpiNcxLcmnoCIBpfrNEHsaYPcQ90qOwINhCfKvAunr+RIE/UrK0G0+lFB+H6USVJsKFD+jWJdO8pbUlDqJ7itREEwfzKBsudaJbyl3/fbMwt+a6YESJC57UxhAEbPFEnm9Wx8vvq63YcySbscrze0PF6i73TjDqj/JhqJUvLqlXAOansxIRZPlKk4LPQQDqyc0kLBKKbcaYAIFPcLhpTnUCQ5hecTHqjwdcgY9SUoZHEDeCDsJfKAHo8MaS2hy+Q7IJgZcZ802sBWqEAcIG3B79QC8IkQ6Z8Y11GskiOvbjPLG6Lj0u70u2yaI/fdLRoexdm1k/zVPQyMhSZ7ABQa3TIiB4/h/lMhiXKAwZl1+gbTqOpa5x/ePWxRW+sWkDlR5ckwNw9EOdXJSQtQ+IC1s6eMFqc3iFF5IcpaprP11mWppUL9HIXTbVVUX3I3cfFg95aga0bsLHN5pkjf70/H2ONH41aA1KlKCRwFadyXkEbFovc8sMvoIMjKjCzTRTsqFhXInKhA1r01jSrnLpzcFBQHDAQkKsiBvdN6TozDiLHATR+Gvl+7NCrjS3OUVLlg4zSJaQ5Jk+n/0+atn6VqrCpIbHbMww1rLj3j2g1e9XqKw9Ki0/+CmrupZzcDjFh3htPt//vzxEfqF3ADZxJRgHwSWJZCjncyHERHaihtVEa1VDyKm5cki2HgrSexnbvHo31gkXL9diUQR+q0ayFV98bIyRJZt5iUSRGjT3S34B4JfPzry9O35FrOtXwuyGxQFP0OkeLx3CtGDeAABCQXU/9qvwibZO4+dA2VD4XjV9LsqZWlinv9PGmM7f2sawDT4kr08b8WmMMuVor2BPaLqgCG4B5IjJL6GqhZFQn2ls1h5O8ZsNT29MseC+AiHrQ+kHH6nF7IM9C72HRlgvE4+8oNWX3 Pfu8QUTu NGlqN/EC/nVgcNfyoqYXRgiXKwDTT20k+T7Wkbx3ImfsVIu/yKxdRiIma77YKl7vK0pMSEvJB0RfQ15t8GVCOvTWJ27J4tHWQc7ASvojGlhdbqTdm9evHx/Gnz6nkVGtgMd71gBW5M3c5KjCYPOMsFMFAGrCPSe+TJTq6KELNfsXZpSeRRy9rX4MCYobm5+etDsQtk/erxC4kHPoj514SjTG5NtAoqEpuQ/86nydhGsqxGBJnl6FKatZwU3Fh6yeZmCQ7 X-Bogosity: Unsure, tests=bogofilter, spamicity=0.498229, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: Asahi Lina writes: > Add methods to allow code using the Page type to obtain the physical > address of a page, convert to and from an (owned) physical address, and > borrow a Page from a physical address. Most of these operations are, as > you might expect, unsafe. > > These primitives are useful to implement page table structures in Rust, > and to implement arbitrary physical memory access (as needed to walk > arbitrary page tables and dereference through them). These mechanisms > are, of course, fraught with danger, and are only expected to be used > for core memory management code (in e.g. drivers with their own device > page table implementations) and for debug features such as crash dumps > of device memory. > > Signed-off-by: Asahi Lina > --- > rust/helpers/page.c | 26 +++++++++++++++++++++ > rust/kernel/page.rs | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++++ > 2 files changed, 91 insertions(+) > > diff --git a/rust/helpers/page.c b/rust/helpers/page.c > index b3f2b8fbf87fc9aa89cb1636736c52be16411301..1c3bd68818d77f7ce7806329b8f040a7d4205bb3 100644 > --- a/rust/helpers/page.c > +++ b/rust/helpers/page.c > @@ -1,5 +1,6 @@ > // SPDX-License-Identifier: GPL-2.0 > > +#include > #include > #include > > @@ -17,3 +18,28 @@ void rust_helper_kunmap_local(const void *addr) > { > kunmap_local(addr); > } > + > +struct page *rust_helper_phys_to_page(phys_addr_t phys) > +{ > + return phys_to_page(phys); > +} > + > +phys_addr_t rust_helper_page_to_phys(struct page *page) > +{ > + return page_to_phys(page); > +} > + > +unsigned long rust_helper_phys_to_pfn(phys_addr_t phys) > +{ > + return __phys_to_pfn(phys); > +} > + > +struct page *rust_helper_pfn_to_page(unsigned long pfn) > +{ > + return pfn_to_page(pfn); > +} > + > +bool rust_helper_pfn_valid(unsigned long pfn) > +{ > + return pfn_valid(pfn); > +} > diff --git a/rust/kernel/page.rs b/rust/kernel/page.rs > index fe5f879f9d1a86083fd55c682fad9d52466f79a2..67cd7006fa63ab5aed4c4de2be639ed8e1fbc2ba 100644 > --- a/rust/kernel/page.rs > +++ b/rust/kernel/page.rs > @@ -3,6 +3,7 @@ > //! Kernel page allocation and management. > > use crate::{ > + addr::*, > alloc::{AllocError, Flags}, > bindings, > error::code::*, > @@ -10,6 +11,7 @@ > types::{Opaque, Ownable, Owned}, > uaccess::UserSliceReader, > }; > +use core::mem::ManuallyDrop; > use core::ptr::{self, NonNull}; > > /// A bitwise shift for the page size. > @@ -249,6 +251,69 @@ pub unsafe fn copy_from_user_slice_raw( > reader.read_raw(unsafe { core::slice::from_raw_parts_mut(dst.cast(), len) }) > }) > } > + > + /// Returns the physical address of this page. > + pub fn phys(&self) -> PhysicalAddr { Rust uses for similar references `as_*` so `as_phys`, would it make sense to use the same naming format here? Thanks, Fiona > + // SAFETY: `page` is valid due to the type invariants on `Page`. > + unsafe { bindings::page_to_phys(self.as_ptr()) } > + } > + > + /// Converts a Rust-owned Page into its physical address. > + /// > + /// The caller is responsible for calling [`Page::from_phys()`] to avoid leaking memory. > + pub fn into_phys(this: Owned) -> PhysicalAddr { > + ManuallyDrop::new(this).phys() > + } > + > + /// Converts a physical address to a Rust-owned Page. > + /// > + /// # Safety > + /// The caller must ensure that the physical address was previously returned by a call to > + /// [`Page::into_phys()`], and that the physical address is no longer used after this call, > + /// nor is [`Page::from_phys()`] called again on it. > + pub unsafe fn from_phys(phys: PhysicalAddr) -> Owned { > + // SAFETY: By the safety requirements, the physical address must be valid and > + // have come from `into_phys()`, so phys_to_page() cannot fail and > + // must return the original struct page pointer. > + unsafe { Owned::from_raw(NonNull::new_unchecked(bindings::phys_to_page(phys)).cast()) } > + } > + > + /// Borrows a Page from a physical address, without taking over ownership. > + /// > + /// If the physical address does not have a `struct page` entry or is not > + /// part of a System RAM region, returns None. > + /// > + /// # Safety > + /// The caller must ensure that the physical address, if it is backed by a `struct page`, > + /// remains available for the duration of the borrowed lifetime. > + pub unsafe fn borrow_phys(phys: &PhysicalAddr) -> Option<&Self> { > + // SAFETY: This is always safe, as it is just arithmetic > + let pfn = unsafe { bindings::phys_to_pfn(*phys) }; > + // SAFETY: This function is safe to call with any pfn > + if !unsafe { bindings::pfn_valid(pfn) && bindings::page_is_ram(pfn) != 0 } { > + None > + } else { > + // SAFETY: We have just checked that the pfn is valid above, so it must > + // have a corresponding struct page. By the safety requirements, we can > + // return a borrowed reference to it. > + Some(unsafe { &*(bindings::pfn_to_page(pfn) as *mut Self as *const Self) }) > + } > + } > + > + /// Borrows a Page from a physical address, without taking over ownership > + /// nor checking for validity. > + /// > + /// # Safety > + /// The caller must ensure that the physical address is backed by a `struct page` and > + /// corresponds to System RAM. This is true when the address was returned by > + /// [`Page::into_phys()`]. > + pub unsafe fn borrow_phys_unchecked(phys: &PhysicalAddr) -> &Self { > + // SAFETY: This is always safe, as it is just arithmetic > + let pfn = unsafe { bindings::phys_to_pfn(*phys) }; > + // SAFETY: The caller guarantees that the pfn is valid. By the safety > + // requirements, we can return a borrowed reference to it. > + unsafe { &*(bindings::pfn_to_page(pfn) as *mut Self as *const Self) } > + } > } > > // SAFETY: `Owned` objects returned by Page::alloc_page() follow the requirements of