From: Alice Ryhl <aliceryhl@google.com>
To: Andreas Hindborg <a.hindborg@kernel.org>
Cc: "Lorenzo Stoakes" <lorenzo.stoakes@oracle.com>,
"Liam R. Howlett" <Liam.Howlett@oracle.com>,
"Miguel Ojeda" <ojeda@kernel.org>,
"Boqun Feng" <boqun.feng@gmail.com>,
"Gary Guo" <gary@garyguo.net>,
"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
"Benno Lossin" <lossin@kernel.org>,
"Trevor Gross" <tmgross@umich.edu>,
"Danilo Krummrich" <dakr@kernel.org>,
"Will Deacon" <will@kernel.org>,
"Peter Zijlstra" <peterz@infradead.org>,
"Mark Rutland" <mark.rutland@arm.com>,
linux-mm@kvack.org, rust-for-linux@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3] rust: page: add byte-wise atomic memory copy methods
Date: Tue, 17 Feb 2026 12:03:00 +0000 [thread overview]
Message-ID: <aZRY9HthKwVJrAf1@google.com> (raw)
In-Reply-To: <20260213-page-volatile-io-v3-1-d60487b04d40@kernel.org>
On Fri, Feb 13, 2026 at 07:42:53AM +0100, Andreas Hindborg wrote:
> When copying data from buffers that are mapped to user space, it is
> impossible to guarantee absence of concurrent memory operations on those
> buffers. Copying data to/from `Page` from/to these buffers would be
> undefined behavior if no special considerations are made.
>
> Add methods on `Page` to read and write the contents using byte-wise atomic
> operations.
>
> Also improve clarity by specifying additional requirements on
> `read_raw`/`write_raw` methods regarding concurrent operations on involved
> buffers.
>
> Signed-off-by: Andreas Hindborg <a.hindborg@kernel.org>
> +/// Copy `len` bytes from `src` to `dst` using byte-wise atomic operations.
> +///
> +/// This copy operation is volatile.
> +///
> +/// # Safety
> +///
> +/// Callers must ensure that:
> +///
> +/// - `src` is valid for reads for `len` bytes for the duration of the call.
> +/// - `dst` is valid for writes for `len` bytes for the duration of the call.
> +/// - For the duration of the call, other accesses to the areas described by `src`, `dst` and `len`,
> +/// must not cause data races (defined by [`LKMM`]) against atomic operations executed by this
> +/// function. Note that if all other accesses are atomic, then this safety requirement is
> +/// trivially fulfilled.
> +///
> +/// [`LKMM`]: srctree/tools/memory-model
> +pub unsafe fn atomic_per_byte_memcpy(src: *const u8, dst: *mut u8, len: usize) {
> + // SAFETY: By the safety requirements of this function, the following operation will not:
> + // - Trap.
> + // - Invalidate any reference invariants.
> + // - Race with any operation by the Rust AM, as `bindings::memcpy` is a byte-wise atomic
> + // operation and all operations by the Rust AM to the involved memory areas use byte-wise
> + // atomic semantics.
> + unsafe {
> + bindings::memcpy(
> + dst.cast::<kernel::ffi::c_void>(),
> + src.cast::<kernel::ffi::c_void>(),
> + len,
Are we sure that LLVM will not say "memcpy is a special function name, I
know what it means" and optimize this like a non-atomic memcpy?
I think we should consider using the
std::intrinsics::volatile_copy_nonoverlapping_memory
intrinsic until Rust stabilizes a built-in atomic per-byte memcpy. Yes I
know the intrinsic is unstable, but we should at least ask the Rust
folks about it. They are plausibly ok with this particular usage.
Alice
next prev parent reply other threads:[~2026-02-17 12:03 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-13 6:42 Andreas Hindborg
2026-02-13 11:28 ` Peter Zijlstra
2026-02-13 12:45 ` Andreas Hindborg
2026-02-13 14:35 ` Peter Zijlstra
2026-02-13 16:42 ` Boqun Feng
2026-02-14 8:18 ` Andreas Hindborg
2026-02-17 18:47 ` Boqun Feng
2026-02-13 17:44 ` Boqun Feng
2026-02-14 8:04 ` Andreas Hindborg
2026-02-17 8:55 ` Peter Zijlstra
2026-02-17 9:42 ` Gary Guo
2026-02-17 10:47 ` Will Deacon
2026-02-17 17:10 ` Boqun Feng
2026-02-18 8:53 ` Peter Zijlstra
2026-02-18 11:20 ` Peter Zijlstra
2026-02-17 12:03 ` Alice Ryhl [this message]
2026-02-17 17:32 ` Boqun Feng
2026-02-17 23:10 ` Gary Guo
2026-02-18 9:40 ` Alice Ryhl
2026-02-18 10:20 ` Peter Zijlstra
2026-02-18 11:36 ` Gary Guo
2026-02-18 12:12 ` Peter Zijlstra
2026-02-18 11:56 ` Miguel Ojeda
2026-02-18 12:00 ` Alice Ryhl
2026-02-18 12:07 ` Miguel Ojeda
2026-02-18 12:33 ` Andreas Hindborg
2026-02-18 14:42 ` Benno Lossin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aZRY9HthKwVJrAf1@google.com \
--to=aliceryhl@google.com \
--cc=Liam.Howlett@oracle.com \
--cc=a.hindborg@kernel.org \
--cc=bjorn3_gh@protonmail.com \
--cc=boqun.feng@gmail.com \
--cc=dakr@kernel.org \
--cc=gary@garyguo.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lorenzo.stoakes@oracle.com \
--cc=lossin@kernel.org \
--cc=mark.rutland@arm.com \
--cc=ojeda@kernel.org \
--cc=peterz@infradead.org \
--cc=rust-for-linux@vger.kernel.org \
--cc=tmgross@umich.edu \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox