From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8E0FFC02193 for ; Mon, 3 Feb 2025 09:35:42 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 1ADB028000E; Mon, 3 Feb 2025 04:35:42 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 15DB5280002; Mon, 3 Feb 2025 04:35:42 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 023D928000E; Mon, 3 Feb 2025 04:35:41 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0014.hostedemail.com [216.40.44.14]) by kanga.kvack.org (Postfix) with ESMTP id D8ACE280002 for ; Mon, 3 Feb 2025 04:35:41 -0500 (EST) Received: from smtpin08.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay09.hostedemail.com (Postfix) with ESMTP id 60874823A0 for ; Mon, 3 Feb 2025 09:35:39 +0000 (UTC) X-FDA: 83078125998.08.A0E7B66 Received: from mail-wr1-f53.google.com (mail-wr1-f53.google.com [209.85.221.53]) by imf12.hostedemail.com (Postfix) with ESMTP id 5C43B40009 for ; Mon, 3 Feb 2025 09:35:37 +0000 (UTC) Authentication-Results: imf12.hostedemail.com; dkim=pass header.d=google.com header.s=20230601 header.b=pFp1gV39; dmarc=pass (policy=reject) header.from=google.com; spf=pass (imf12.hostedemail.com: domain of aliceryhl@google.com designates 209.85.221.53 as permitted sender) smtp.mailfrom=aliceryhl@google.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1738575337; a=rsa-sha256; cv=none; b=cwULqMRjFiLQ6ZQ3pMXzdyrPzZuoDzqQNc5KX2Ue3N/5mi9UX81zIwhIIAT/ABDc7SY14m Pyl7Co4wYeL5c57LUi8BpNVC4zaxSyrdDsVpBi9o+0UHlWVYhRDDAUz2FNcHXPX3/VrZwQ W2iidOzIUfrCqH9qSpP8aRX3rD/Szd0= ARC-Authentication-Results: i=1; imf12.hostedemail.com; dkim=pass header.d=google.com header.s=20230601 header.b=pFp1gV39; dmarc=pass (policy=reject) header.from=google.com; spf=pass (imf12.hostedemail.com: domain of aliceryhl@google.com designates 209.85.221.53 as permitted sender) smtp.mailfrom=aliceryhl@google.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1738575337; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=PAGCUE13i820gweBIRdTlY3cwxZN3YMksoO7IfRjEXA=; b=CN5BUN0B8K51lYonY0ujFYh/bi5Equ3JXgMN4LFezaPMbe2gJVlqqHb2J02jwLwWYx30xg ZxbYsadybYAIyADDAiFyjFy88KNrFkf16HEmQbzDRGecfzfNtkDQDrCOcnFEkaGw2YComX 05PTjF25L7v+rdIWU6T5CxvR10PZxmE= Received: by mail-wr1-f53.google.com with SMTP id ffacd0b85a97d-38be3bfb045so3428625f8f.0 for ; Mon, 03 Feb 2025 01:35:37 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1738575336; x=1739180136; darn=kvack.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=PAGCUE13i820gweBIRdTlY3cwxZN3YMksoO7IfRjEXA=; b=pFp1gV39ymN/CN/CcOwdOLlT8O11qm6h5pNwclOFJqwVPEb5SU5uL8uanJRg9gClH1 pjvGQc/GqirGSQBSXab6TcTO70kPKmLCiTzaMAlG2hF6WyvVa6D6up0e7tkjTldJdQL/ gfDH2owyIMw5rgiclboUfiBKQWZ/aNJmsm3GT2xPDRA72zlH55uYMj1kU9vbZNeiDA9A 1VoA7LE5VA+k9364mNzDONbAClmEUjA12X2kBLrTRdb1GPIpJpbVJegqGpdNKPxx+3NP MbnhzllH/oT7YebDx/ZuUL7W6rGKYUhvPQDOp34Xl7qIw1cPeFHaCq82Yzp1rRXcOtgQ YRcA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1738575336; x=1739180136; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=PAGCUE13i820gweBIRdTlY3cwxZN3YMksoO7IfRjEXA=; b=nFB/ENMQq11i3xhdTqt1Q+alLqqqXp/Uv5NlJBmWPoOfL6fZDMQwc4SMewnXfb3wBh +JCQU8lSvjcSK7pKU1D/kLBE0bLPVt6UgrrL6CYXj8vUDmHPVzPTz+re7tR8SnTaMQUp QLIB5nF4Itd3g3jrVAm+VpRdC0MLh4P1rmKOln4lXtfbnHyvYDBypacE9xwvY5j6ieV1 3IeH02n3r3oJ/EcPF36bimjJ5hMtBegudrU0RkwCD5YEULNTw9Te1r1vrxLImhYMJLgD ZD2MIFHSWLtgHNtKU1BNvFtCBmUNL4J3a+img7lYNVEoS5qbn3Cse83k8trcU9GxC0aL pOJA== X-Forwarded-Encrypted: i=1; AJvYcCXunn2E1YovbfZQamaL1mRQ9jp44mw4dEZr0jHZ2UjrjYSh1SfiIBbthmr7aevsRUSyOLzSpAvYIg==@kvack.org X-Gm-Message-State: AOJu0Yy/rM+VD5wD4EnkyH+Wml0QZRmu1uKoQ9P7YTiOR9huwv3YYaRI R6eAMeMe4vGKr1Jd8xITfrsS8YPh6o52PR1g2KcX4vpKZfVTLxyAdVRw0onE0SfhMqi5gjLAK+g 4KQi38KhSKOMsLZxc1Wi+8dg5YisgjLrIHd90 X-Gm-Gg: ASbGncskQZ+yVuIsL+GmO3a+EfxDRb4wjOAcrT86gdi052HBSAKIGf6g/uihplnJNS+ Si/OdSW+eJYMjsbvuFxxaLXxXmwrlfTj4DcFDEyXoL1tB4DjSXB8LbQwuddTNRw7FOm6cnI6znp YuFiH116EfySvzdj07UFX4U0oP X-Google-Smtp-Source: AGHT+IFV2ERUah2TD2/kP6wJT9HY9fEdAeATVJ+Xaft/21AS/YnAutg4iqnUPMYwT7txa0oOOasZngp82NrdVa86DOs= X-Received: by 2002:a5d:6d82:0:b0:38b:dc3d:e4bc with SMTP id ffacd0b85a97d-38c5a9a3fa2mr13681749f8f.19.1738575335683; Mon, 03 Feb 2025 01:35:35 -0800 (PST) MIME-Version: 1.0 References: <20250202-rust-page-v1-0-e3170d7fe55e@asahilina.net> <20250202-rust-page-v1-5-e3170d7fe55e@asahilina.net> In-Reply-To: <20250202-rust-page-v1-5-e3170d7fe55e@asahilina.net> From: Alice Ryhl Date: Mon, 3 Feb 2025 10:35:23 +0100 X-Gm-Features: AWEUYZlQZ7OHmwC09KmBnatETxY8tKhdEgNvEV1CTacQkRBgKwreOugRVwipZos Message-ID: Subject: Re: [PATCH 5/6] rust: page: Add physical address conversion functions To: Asahi Lina Cc: Miguel Ojeda , Alex Gaynor , Boqun Feng , Gary Guo , =?UTF-8?Q?Bj=C3=B6rn_Roy_Baron?= , Benno Lossin , Andreas Hindborg , Trevor Gross , Jann Horn , Matthew Wilcox , Paolo Bonzini , Danilo Krummrich , Wedson Almeida Filho , Valentin Obst , Andrew Morton , linux-mm@kvack.org, airlied@redhat.com, Abdiel Janulgue , rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org, asahi@lists.linux.dev Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Rspamd-Server: rspam04 X-Rspamd-Queue-Id: 5C43B40009 X-Stat-Signature: tox77mnxrfx49oayn3zknosqjhz8ff5f X-Rspam-User: X-HE-Tag: 1738575337-183709 X-HE-Meta: U2FsdGVkX19JuWUvYuAil/QaOBFkoQ5FDo6lDHE7QRHvJCayZy0m/hIrGTUIci4QqddAZvl8/SYxAcFzxR3MM+XP6pP2RznHnNC9Zio4fgWLpSlEsvIuNBxGRjsL8pkPHi2KFN29g5gpdUMd9yFwshFlW9BQG+zoZxmr763XelPE9aumjgI1f57O4TiNFkUZ/MaObWGF6GaJm9QYitQ3BOr89hr2AV+zsUffZdyflVXU330H8PGplBF0n5WMUl88GnLUz32JgZJGK4RzqA9QguSoVSfS7wQPu314ziaO9cMQL4VwGDvoVOsnjBe2eBr6Je4JEZMzGHaSCEdvNgtg0nH2c5L7r29IloWy/18/Nqy+4RTChxvrpUq+H/XxrMlVpd2soJIb/miTkd6ayJWzMWKT0Q1P5Nh2YPKhb+k5IVHRAkxyyWmLTd/VhOzvjHOpTu2/XZrEKdkxNCCCLbHkPGWbLEqEG1ZblPsV5cUncU6igxPIPG4nw6QR2zKW5FVgJejLavQUg1TuhCnNLcituA7iG7Xska/F2wLYex6SFa8pzvkjX8fw2B0jL30dIbWRvHmLIHRNco613L9Kcdpmn5Ets+pjIbqqp00ZPM9iNcU9KI2PmMg9cU2Ud1Ngp1Rr7XVq9CeYEkYBsmf6RMDg81oYH48eHyjoZBW1/guC0zgJhSHj3wrxR9qYCZ960/LLdX0zEvvQcRU6sslcUoRVjBskA0DdfBZHVUM33ZsJhb+qOkYqZYKSMLfQ11uGVHrUV2434H5b5m0bpCjJXm6O/OWqqrocNEYBNi8npL316ix5OdJIdDfQolaNBVqpQpZOF3yfBwTN1ZsIrSUmEusUnaD/GG37MHSM9cq44TQRlXQTZuMohHfLK8z/l6pA+8Zgcbw2Icso5HQwQugRkMEtgTvRqGEczgYbLQ9GJv8J1DIap7lRMpJ8HpjBhLcAfx2/6I6fwr7gENO7eAP0JlU LJko3Fe4 P4sUDOzZyQdFcRCr7p23p8rzONdSHmVrXHBN2MGZAyej01hQ6JowJ//H1qGAqXgPApp7bFbfauTHiCSTmKpCE7LAk1u1MuBInnicJFgf6aaom1N+wKj/OIFiY2VEDLW1OYNAUYoCupKWu+FWg/PBw0F0HgfCzZHdzOL6UaHoYNjpQ17CyNkLSH0w0eggKBtbVmOjizb5sBhZRcW82rlDB9m5n36ST8tyGsAOQYHGI5VEOlprheb9jMME6v9IRwamtMLoJ525AHqnvebQabarlMEdpZXS3zuoan0NSsBT55jpR+CMeGCXfK1SGh0/QZb5qyRiGzJ4daOZ0Ejw= X-Bogosity: Unsure, tests=bogofilter, spamicity=0.499945, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: On Sun, Feb 2, 2025 at 2:06=E2=80=AFPM Asahi Lina wrot= e: > > Add methods to allow code using the Page type to obtain the physical > address of a page, convert to and from an (owned) physical address, and > borrow a Page from a physical address. Most of these operations are, as > you might expect, unsafe. > > These primitives are useful to implement page table structures in Rust, > and to implement arbitrary physical memory access (as needed to walk > arbitrary page tables and dereference through them). These mechanisms > are, of course, fraught with danger, and are only expected to be used > for core memory management code (in e.g. drivers with their own device > page table implementations) and for debug features such as crash dumps > of device memory. > > Signed-off-by: Asahi Lina > --- > rust/helpers/page.c | 26 +++++++++++++++++++++ > rust/kernel/page.rs | 65 +++++++++++++++++++++++++++++++++++++++++++++++= ++++++ > 2 files changed, 91 insertions(+) > > diff --git a/rust/helpers/page.c b/rust/helpers/page.c > index b3f2b8fbf87fc9aa89cb1636736c52be16411301..1c3bd68818d77f7ce7806329b= 8f040a7d4205bb3 100644 > --- a/rust/helpers/page.c > +++ b/rust/helpers/page.c > @@ -1,5 +1,6 @@ > // SPDX-License-Identifier: GPL-2.0 > > +#include > #include > #include > > @@ -17,3 +18,28 @@ void rust_helper_kunmap_local(const void *addr) > { > kunmap_local(addr); > } > + > +struct page *rust_helper_phys_to_page(phys_addr_t phys) > +{ > + return phys_to_page(phys); > +} > + > +phys_addr_t rust_helper_page_to_phys(struct page *page) > +{ > + return page_to_phys(page); > +} > + > +unsigned long rust_helper_phys_to_pfn(phys_addr_t phys) > +{ > + return __phys_to_pfn(phys); > +} > + > +struct page *rust_helper_pfn_to_page(unsigned long pfn) > +{ > + return pfn_to_page(pfn); > +} > + > +bool rust_helper_pfn_valid(unsigned long pfn) > +{ > + return pfn_valid(pfn); > +} > diff --git a/rust/kernel/page.rs b/rust/kernel/page.rs > index fe5f879f9d1a86083fd55c682fad9d52466f79a2..67cd7006fa63ab5aed4c4de2b= e639ed8e1fbc2ba 100644 > --- a/rust/kernel/page.rs > +++ b/rust/kernel/page.rs > @@ -3,6 +3,7 @@ > //! Kernel page allocation and management. > > use crate::{ > + addr::*, > alloc::{AllocError, Flags}, > bindings, > error::code::*, > @@ -10,6 +11,7 @@ > types::{Opaque, Ownable, Owned}, > uaccess::UserSliceReader, > }; > +use core::mem::ManuallyDrop; > use core::ptr::{self, NonNull}; > > /// A bitwise shift for the page size. > @@ -249,6 +251,69 @@ pub unsafe fn copy_from_user_slice_raw( > reader.read_raw(unsafe { core::slice::from_raw_parts_mut(dst= .cast(), len) }) > }) > } > + > + /// Returns the physical address of this page. > + pub fn phys(&self) -> PhysicalAddr { > + // SAFETY: `page` is valid due to the type invariants on `Page`. > + unsafe { bindings::page_to_phys(self.as_ptr()) } > + } > + > + /// Converts a Rust-owned Page into its physical address. > + /// > + /// The caller is responsible for calling [`Page::from_phys()`] to a= void leaking memory. > + pub fn into_phys(this: Owned) -> PhysicalAddr { > + ManuallyDrop::new(this).phys() > + } > + > + /// Converts a physical address to a Rust-owned Page. > + /// > + /// # Safety > + /// The caller must ensure that the physical address was previously = returned by a call to > + /// [`Page::into_phys()`], and that the physical address is no longe= r used after this call, > + /// nor is [`Page::from_phys()`] called again on it. > + pub unsafe fn from_phys(phys: PhysicalAddr) -> Owned { > + // SAFETY: By the safety requirements, the physical address must= be valid and > + // have come from `into_phys()`, so phys_to_page() cannot fail a= nd > + // must return the original struct page pointer. > + unsafe { Owned::from_raw(NonNull::new_unchecked(bindings::phys_t= o_page(phys)).cast()) } > + } > + > + /// Borrows a Page from a physical address, without taking over owne= rship. > + /// > + /// If the physical address does not have a `struct page` entry or i= s not > + /// part of a System RAM region, returns None. > + /// > + /// # Safety > + /// The caller must ensure that the physical address, if it is backe= d by a `struct page`, > + /// remains available for the duration of the borrowed lifetime. > + pub unsafe fn borrow_phys(phys: &PhysicalAddr) -> Option<&Self> { > + // SAFETY: This is always safe, as it is just arithmetic > + let pfn =3D unsafe { bindings::phys_to_pfn(*phys) }; > + // SAFETY: This function is safe to call with any pfn > + if !unsafe { bindings::pfn_valid(pfn) && bindings::page_is_ram(p= fn) !=3D 0 } { > + None > + } else { > + // SAFETY: We have just checked that the pfn is valid above,= so it must > + // have a corresponding struct page. By the safety requireme= nts, we can > + // return a borrowed reference to it. > + Some(unsafe { &*(bindings::pfn_to_page(pfn) as *mut Self as = *const Self) }) > + } > + } > + > + /// Borrows a Page from a physical address, without taking over owne= rship > + /// nor checking for validity. > + /// > + /// # Safety > + /// The caller must ensure that the physical address is backed by a = `struct page` and > + /// corresponds to System RAM. This is true when the address was ret= urned by > + /// [`Page::into_phys()`]. > + pub unsafe fn borrow_phys_unchecked(phys: &PhysicalAddr) -> &Self { Should this be pub unsafe fn borrow_phys_unchecked<'a>(phys: PhysicalAddr) -> &'a Self ? That's how the signature of these raw methods usually goes, and then your safety requirements say that the requirements must hold for the duration of 'a. > + // SAFETY: This is always safe, as it is just arithmetic > + let pfn =3D unsafe { bindings::phys_to_pfn(*phys) }; > + // SAFETY: The caller guarantees that the pfn is valid. By the s= afety > + // requirements, we can return a borrowed reference to it. > + unsafe { &*(bindings::pfn_to_page(pfn) as *mut Self as *const Se= lf) } Can this just be &*bindings::pfn_to_page(pfn).cast() ? Alice > + } > } > > // SAFETY: `Owned` objects returned by Page::alloc_page() follow t= he requirements of > > -- > 2.47.1 >