Add unsafe accessors for the region for reading or writing large
blocks of data.
Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>
Signed-off-by: Abdiel Janulgue <abdiel.janulgue@gmail.com>
---
rust/kernel/dma.rs | 87 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 87 insertions(+)
diff --git a/rust/kernel/dma.rs b/rust/kernel/dma.rs
index 24a6f10370c4..24025ec602ff 100644
--- a/rust/kernel/dma.rs
+++ b/rust/kernel/dma.rs
@@ -218,6 +218,93 @@ pub fn dma_handle(&self) -> bindings::dma_addr_t {
self.dma_handle
}
+ /// Returns the data from the region starting from `offset` as a slice.
+ /// `offset` and `count` are in units of `T`, not the number of bytes.
+ ///
+ /// Due to the safety requirements of slice, the caller should consider that the region could
+ /// be modified by the device at anytime. For ringbuffer type of r/w access or use-cases where
+ /// the pointer to the live data is needed, `start_ptr()` or `start_ptr_mut()` could be
+ /// used instead.
+ ///
+ /// # Safety
+ ///
+ /// * Callers must ensure that no hardware operations that involve the buffer are currently
+ /// taking place while the returned slice is live.
+ /// * Callers must ensure that this call does not race with a write to the same region while
+ /// while the returned slice is live.
+ pub unsafe fn as_slice(&self, offset: usize, count: usize) -> Result<&[T]> {
+ let end = offset.checked_add(count).ok_or(EOVERFLOW)?;
+ if end >= self.count {
+ return Err(EINVAL);
+ }
+ // SAFETY:
+ // - The pointer is valid due to type invariant on `CoherentAllocation`,
+ // we've just checked that the range and index is within bounds. The immutability of the
+ // of data is also guaranteed by the safety requirements of the function.
+ // - `offset` can't overflow since it is smaller than `self.count` and we've checked
+ // that `self.count` won't overflow early in the constructor.
+ Ok(unsafe { core::slice::from_raw_parts(self.cpu_addr.add(offset), count) })
+ }
+
+ /// Performs the same functionality as [`CoherentAllocation::as_slice`], except that a mutable
+ /// slice is returned.
+ ///
+ /// # Safety
+ ///
+ /// * Callers must ensure that no hardware operations that involve the buffer are currently
+ /// taking place while the returned slice is live.
+ /// * Callers must ensure that this call does not race with a read or write to the same region
+ /// while the returned slice is live.
+ pub unsafe fn as_slice_mut(&self, offset: usize, count: usize) -> Result<&mut [T]> {
+ let end = offset.checked_add(count).ok_or(EOVERFLOW)?;
+ if end >= self.count {
+ return Err(EINVAL);
+ }
+ // SAFETY:
+ // - The pointer is valid due to type invariant on `CoherentAllocation`,
+ // we've just checked that the range and index is within bounds. The immutability of the
+ // of data is also guaranteed by the safety requirements of the function.
+ // - `offset` can't overflow since it is smaller than `self.count` and we've checked
+ // that `self.count` won't overflow early in the constructor.
+ Ok(unsafe { core::slice::from_raw_parts_mut(self.cpu_addr.add(offset), count) })
+ }
+
+ /// Writes data to the region starting from `offset`. `offset` is in units of `T`, not the
+ /// number of bytes.
+ ///
+ /// # Safety
+ ///
+ /// * Callers must ensure that no hardware operations that involve the buffer overlaps with
+ /// this write.
+ /// * Callers must ensure that this call does not race with a read or write to the same region
+ /// that overlaps with this write.
+ ///
+ /// # Examples
+ ///
+ /// ```
+ /// # fn test(alloc: &mut kernel::dma::CoherentAllocation<u8>) -> Result {
+ /// let somedata: [u8; 4] = [0xf; 4];
+ /// let buf: &[u8] = &somedata;
+ /// // SAFETY: No hw operation on the device and no other r/w access to the region at this point.
+ /// unsafe { alloc.write(buf, 0)?; }
+ /// # Ok::<(), Error>(()) }
+ /// ```
+ pub unsafe fn write(&self, src: &[T], offset: usize) -> Result {
+ let end = offset.checked_add(src.len()).ok_or(EOVERFLOW)?;
+ if end >= self.count {
+ return Err(EINVAL);
+ }
+ // SAFETY:
+ // - The pointer is valid due to type invariant on `CoherentAllocation`
+ // and we've just checked that the range and index is within bounds.
+ // - `offset` can't overflow since it is smaller than `self.count` and we've checked
+ // that `self.count` won't overflow early in the constructor.
+ unsafe {
+ core::ptr::copy_nonoverlapping(src.as_ptr(), self.cpu_addr.add(offset), src.len())
+ };
+ Ok(())
+ }
+
/// Returns a pointer to an element from the region with bounds checking. `offset` is in
/// units of `T`, not the number of bytes.
///
--
2.43.0"Abdiel Janulgue" <abdiel.janulgue@gmail.com> writes:
> Add unsafe accessors for the region for reading or writing large
> blocks of data.
>
> Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>
> Signed-off-by: Abdiel Janulgue <abdiel.janulgue@gmail.com>
> ---
> rust/kernel/dma.rs | 87 ++++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 87 insertions(+)
>
> diff --git a/rust/kernel/dma.rs b/rust/kernel/dma.rs
> index 24a6f10370c4..24025ec602ff 100644
> --- a/rust/kernel/dma.rs
> +++ b/rust/kernel/dma.rs
> @@ -218,6 +218,93 @@ pub fn dma_handle(&self) -> bindings::dma_addr_t {
> self.dma_handle
> }
>
> + /// Returns the data from the region starting from `offset` as a slice.
> + /// `offset` and `count` are in units of `T`, not the number of bytes.
> + ///
> + /// Due to the safety requirements of slice, the caller should consider that the region could
> + /// be modified by the device at anytime.
The user does not need to consider this, because the safety requirements
make sure this is not a problem. The user only needs to consider the
safety requirements.
>> For ringbuffer type of r/w access or use-cases where
> + /// the pointer to the live data is needed, `start_ptr()` or `start_ptr_mut()` could be
> + /// used instead.
> + ///
> + /// # Safety
> + ///
> + /// * Callers must ensure that no hardware operations that involve the buffer are currently
> + /// taking place while the returned slice is live.
> + /// * Callers must ensure that this call does not race with a write to the same region while
> + /// while the returned slice is live.
> + pub unsafe fn as_slice(&self, offset: usize, count: usize) -> Result<&[T]> {
> + let end = offset.checked_add(count).ok_or(EOVERFLOW)?;
> + if end >= self.count {
> + return Err(EINVAL);
> + }
> + // SAFETY:
> + // - The pointer is valid due to type invariant on `CoherentAllocation`,
> + // we've just checked that the range and index is within bounds. The immutability of the
> + // of data is also guaranteed by the safety requirements of the function.
> + // - `offset` can't overflow since it is smaller than `self.count` and we've checked
> + // that `self.count` won't overflow early in the constructor.
> + Ok(unsafe { core::slice::from_raw_parts(self.cpu_addr.add(offset), count) })
> + }
> +
> + /// Performs the same functionality as [`CoherentAllocation::as_slice`], except that a mutable
> + /// slice is returned.
> + ///
> + /// # Safety
> + ///
> + /// * Callers must ensure that no hardware operations that involve the buffer are currently
> + /// taking place while the returned slice is live.
> + /// * Callers must ensure that this call does not race with a read or write to the same region
> + /// while the returned slice is live.
> + pub unsafe fn as_slice_mut(&self, offset: usize, count: usize) -> Result<&mut [T]> {
> + let end = offset.checked_add(count).ok_or(EOVERFLOW)?;
> + if end >= self.count {
> + return Err(EINVAL);
> + }
> + // SAFETY:
> + // - The pointer is valid due to type invariant on `CoherentAllocation`,
> + // we've just checked that the range and index is within bounds. The immutability of the
> + // of data is also guaranteed by the safety requirements of the function.
Formatting nit: could you indent the paragraph under the bullet:
- The pointer is valid due to type invariant on `CoherentAllocation`,
we've just checked that the range and index is within bounds. The immutability of the
of data is also guaranteed by the safety requirements of the function.
Best regards,
Andreas Hindborg
Hi Abdiel,
On Thu Mar 27, 2025 at 5:11 AM JST, Abdiel Janulgue wrote:
> Add unsafe accessors for the region for reading or writing large
> blocks of data.
>
> Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>
> Signed-off-by: Abdiel Janulgue <abdiel.janulgue@gmail.com>
> ---
> rust/kernel/dma.rs | 87 ++++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 87 insertions(+)
>
> diff --git a/rust/kernel/dma.rs b/rust/kernel/dma.rs
> index 24a6f10370c4..24025ec602ff 100644
> --- a/rust/kernel/dma.rs
> +++ b/rust/kernel/dma.rs
> @@ -218,6 +218,93 @@ pub fn dma_handle(&self) -> bindings::dma_addr_t {
> self.dma_handle
> }
>
> + /// Returns the data from the region starting from `offset` as a slice.
> + /// `offset` and `count` are in units of `T`, not the number of bytes.
> + ///
> + /// Due to the safety requirements of slice, the caller should consider that the region could
> + /// be modified by the device at anytime. For ringbuffer type of r/w access or use-cases where
> + /// the pointer to the live data is needed, `start_ptr()` or `start_ptr_mut()` could be
> + /// used instead.
> + ///
> + /// # Safety
> + ///
> + /// * Callers must ensure that no hardware operations that involve the buffer are currently
> + /// taking place while the returned slice is live.
> + /// * Callers must ensure that this call does not race with a write to the same region while
> + /// while the returned slice is live.
> + pub unsafe fn as_slice(&self, offset: usize, count: usize) -> Result<&[T]> {
> + let end = offset.checked_add(count).ok_or(EOVERFLOW)?;
> + if end >= self.count {
IIUC this should be `if end > self.count`.
> + return Err(EINVAL);
> + }
> + // SAFETY:
> + // - The pointer is valid due to type invariant on `CoherentAllocation`,
> + // we've just checked that the range and index is within bounds. The immutability of the
> + // of data is also guaranteed by the safety requirements of the function.
> + // - `offset` can't overflow since it is smaller than `self.count` and we've checked
> + // that `self.count` won't overflow early in the constructor.
> + Ok(unsafe { core::slice::from_raw_parts(self.cpu_addr.add(offset), count) })
> + }
> +
> + /// Performs the same functionality as [`CoherentAllocation::as_slice`], except that a mutable
> + /// slice is returned.
> + ///
> + /// # Safety
> + ///
> + /// * Callers must ensure that no hardware operations that involve the buffer are currently
> + /// taking place while the returned slice is live.
> + /// * Callers must ensure that this call does not race with a read or write to the same region
> + /// while the returned slice is live.
> + pub unsafe fn as_slice_mut(&self, offset: usize, count: usize) -> Result<&mut [T]> {
> + let end = offset.checked_add(count).ok_or(EOVERFLOW)?;
> + if end >= self.count {
Ditto.
> + return Err(EINVAL);
> + }
> + // SAFETY:
> + // - The pointer is valid due to type invariant on `CoherentAllocation`,
> + // we've just checked that the range and index is within bounds. The immutability of the
> + // of data is also guaranteed by the safety requirements of the function.
> + // - `offset` can't overflow since it is smaller than `self.count` and we've checked
> + // that `self.count` won't overflow early in the constructor.
> + Ok(unsafe { core::slice::from_raw_parts_mut(self.cpu_addr.add(offset), count) })
> + }
> +
> + /// Writes data to the region starting from `offset`. `offset` is in units of `T`, not the
> + /// number of bytes.
> + ///
> + /// # Safety
> + ///
> + /// * Callers must ensure that no hardware operations that involve the buffer overlaps with
> + /// this write.
> + /// * Callers must ensure that this call does not race with a read or write to the same region
> + /// that overlaps with this write.
> + ///
> + /// # Examples
> + ///
> + /// ```
> + /// # fn test(alloc: &mut kernel::dma::CoherentAllocation<u8>) -> Result {
> + /// let somedata: [u8; 4] = [0xf; 4];
> + /// let buf: &[u8] = &somedata;
> + /// // SAFETY: No hw operation on the device and no other r/w access to the region at this point.
> + /// unsafe { alloc.write(buf, 0)?; }
> + /// # Ok::<(), Error>(()) }
> + /// ```
> + pub unsafe fn write(&self, src: &[T], offset: usize) -> Result {
> + let end = offset.checked_add(src.len()).ok_or(EOVERFLOW)?;
> + if end >= self.count {
Ditto.
> + return Err(EINVAL);
> + }
> + // SAFETY:
> + // - The pointer is valid due to type invariant on `CoherentAllocation`
> + // and we've just checked that the range and index is within bounds.
> + // - `offset` can't overflow since it is smaller than `self.count` and we've checked
> + // that `self.count` won't overflow early in the constructor.
> + unsafe {
> + core::ptr::copy_nonoverlapping(src.as_ptr(), self.cpu_addr.add(offset), src.len())
> + };
How about leveraging as_slice_mut() so this unsafe block can be removed?
Cheers,
Alex.
Hi Alex,
On 08/04/2025 06:08, Alexandre Courbot wrote:
>> + }
>> + // SAFETY:
>> + // - The pointer is valid due to type invariant on `CoherentAllocation`
>> + // and we've just checked that the range and index is within bounds.
>> + // - `offset` can't overflow since it is smaller than `self.count` and we've checked
>> + // that `self.count` won't overflow early in the constructor.
>> + unsafe {
>> + core::ptr::copy_nonoverlapping(src.as_ptr(), self.cpu_addr.add(offset), src.len())
>> + };
>
> How about leveraging as_slice_mut() so this unsafe block can be removed?
as_slice_mut is still unsafe, no? So we couldn't remove unsafe block still?
Thanks,
Abdiel
On Thu Apr 10, 2025 at 6:02 PM JST, Abdiel Janulgue wrote:
> Hi Alex,
>
> On 08/04/2025 06:08, Alexandre Courbot wrote:
>>> + }
>>> + // SAFETY:
>>> + // - The pointer is valid due to type invariant on `CoherentAllocation`
>>> + // and we've just checked that the range and index is within bounds.
>>> + // - `offset` can't overflow since it is smaller than `self.count` and we've checked
>>> + // that `self.count` won't overflow early in the constructor.
>>> + unsafe {
>>> + core::ptr::copy_nonoverlapping(src.as_ptr(), self.cpu_addr.add(offset), src.len())
>>> + };
>>
>> How about leveraging as_slice_mut() so this unsafe block can be removed?
>
> as_slice_mut is still unsafe, no? So we couldn't remove unsafe block still?
Ah, that's right. In that case it would at least factorize the bound
check and make the method a bit shorter, unless I missed something else.
Few doc nits...
On Wed, Mar 26, 2025 at 9:13 PM Abdiel Janulgue
<abdiel.janulgue@gmail.com> wrote:
>
> + /// Due to the safety requirements of slice, the caller should consider that the region could
Which requirements in particular? Link?
> + /// be modified by the device at anytime. For ringbuffer type of r/w access or use-cases where
at anytime -> "at any time" or "anytime"
> + /// the pointer to the live data is needed, `start_ptr()` or `start_ptr_mut()` could be
Intra-doc links where possible.
> + /// Writes data to the region starting from `offset`. `offset` is in units of `T`, not the
> + /// number of bytes.
I would double-check how it looks in the rendered docs (same for the
other method) -- the second sentence may be best in another paragraph,
i.e. outside the title, since it is special in the rendered
documentation ("short description"), unless you want to e.g.
differentiate from another variant.
> + // SAFETY:
> + // - The pointer is valid due to type invariant on `CoherentAllocation`
> + // and we've just checked that the range and index is within bounds.
Please indent the comments as you would the docs -- the docs ones are
correct, and Clippy should check those, but it doesn't check normal
comments, sadly.
Thanks!
Cheers,
Miguel
On Wed Mar 26, 2025 at 9:11 PM CET, Abdiel Janulgue wrote:
> + /// Returns the data from the region starting from `offset` as a slice.
> + /// `offset` and `count` are in units of `T`, not the number of bytes.
> + ///
> + /// Due to the safety requirements of slice, the caller should consider that the region could
> + /// be modified by the device at anytime. For ringbuffer type of r/w access or use-cases where
> + /// the pointer to the live data is needed, `start_ptr()` or `start_ptr_mut()` could be
> + /// used instead.
> + ///
> + /// # Safety
> + ///
> + /// * Callers must ensure that no hardware operations that involve the buffer are currently
> + /// taking place while the returned slice is live.
> + /// * Callers must ensure that this call does not race with a write to the same region while
> + /// while the returned slice is live.
> + pub unsafe fn as_slice(&self, offset: usize, count: usize) -> Result<&[T]> {
> + let end = offset.checked_add(count).ok_or(EOVERFLOW)?;
> + if end >= self.count {
> + return Err(EINVAL);
> + }
> + // SAFETY:
> + // - The pointer is valid due to type invariant on `CoherentAllocation`,
> + // we've just checked that the range and index is within bounds. The immutability of the
> + // of data is also guaranteed by the safety requirements of the function.
> + // - `offset` can't overflow since it is smaller than `self.count` and we've checked
> + // that `self.count` won't overflow early in the constructor.
> + Ok(unsafe { core::slice::from_raw_parts(self.cpu_addr.add(offset), count) })
I vaguely recall that there was some discussion on why this is OK (ie
the value behind the reference being modified by the device), but I
haven't followed it. Can you add the reasoning for why that is fine to
some comment here?
I also am not really fond of the phrase "hardware operations that
involve the buffer":
* what do you mean with "buffer"? `self`?
* what are "hardware operations"? (I no nothing about hardware, so that
might be a knowledge gap on my part)
* what does "involve" mean?
---
Cheers,
Benno
> + }
"Benno Lossin" <benno.lossin@proton.me> writes:
> On Wed Mar 26, 2025 at 9:11 PM CET, Abdiel Janulgue wrote:
>> + /// Returns the data from the region starting from `offset` as a slice.
>> + /// `offset` and `count` are in units of `T`, not the number of bytes.
>> + ///
>> + /// Due to the safety requirements of slice, the caller should consider that the region could
>> + /// be modified by the device at anytime. For ringbuffer type of r/w access or use-cases where
>> + /// the pointer to the live data is needed, `start_ptr()` or `start_ptr_mut()` could be
>> + /// used instead.
>> + ///
>> + /// # Safety
>> + ///
>> + /// * Callers must ensure that no hardware operations that involve the buffer are currently
>> + /// taking place while the returned slice is live.
>> + /// * Callers must ensure that this call does not race with a write to the same region while
>> + /// while the returned slice is live.
>> + pub unsafe fn as_slice(&self, offset: usize, count: usize) -> Result<&[T]> {
>> + let end = offset.checked_add(count).ok_or(EOVERFLOW)?;
>> + if end >= self.count {
>> + return Err(EINVAL);
>> + }
>> + // SAFETY:
>> + // - The pointer is valid due to type invariant on `CoherentAllocation`,
>> + // we've just checked that the range and index is within bounds. The immutability of the
>> + // of data is also guaranteed by the safety requirements of the function.
>> + // - `offset` can't overflow since it is smaller than `self.count` and we've checked
>> + // that `self.count` won't overflow early in the constructor.
>> + Ok(unsafe { core::slice::from_raw_parts(self.cpu_addr.add(offset), count) })
>
> I vaguely recall that there was some discussion on why this is OK (ie
> the value behind the reference being modified by the device), but I
> haven't followed it. Can you add the reasoning for why that is fine to
> some comment here?
My objection was with the function being safe. In this version it is
unsafe, and the safety requirement is that there must be no concurrent
reads/writes to the memory being operated on. That seems fine to me.
> I also am not really fond of the phrase "hardware operations that
> involve the buffer":
> * what do you mean with "buffer"? `self`?
> * what are "hardware operations"? (I no nothing about hardware, so that
> might be a knowledge gap on my part)
> * what does "involve" mean?
It is clear to me, but using terminology read/write to/from memory is
probably better. The operations being executed by hardware is not
strictly relevant. We could have a note cautioning that devices must
also obey this.
Best regards,
Andreas Hindborg
© 2016 - 2025 Red Hat, Inc.