From nobody Sat Oct 4 14:10:44 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 970C530E28E; Fri, 15 Aug 2025 17:11:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1755277880; cv=none; b=QEKsRI/Xd/sUxNpuQlpVktrr5bam3HOJdk/allTTrqoFUt4GGtKGJYfJP7JxVC7fYNaJMzXHEtWmfPSfrz5sgNzjiRcUHEgb8tTYgbQyT8/ZUzvP6YVpuk+PaFTM1TEzbW1Fss0U/2Jeyy6MSIY+PxxBC/K32xSsdLkUnYTQTOU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1755277880; c=relaxed/simple; bh=WJBROFFDcaspyFeWuewO8p0H/4y/HNn0jxzNgWjBUkI=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=C9fDxqC98AUPNyxEzN72pFCezhvnZJ2kmS9CZXNOLP4he4Y9yGvJZPK1303QSnGDmN8f0Bp3GJX4KOa256kE9bM3SMNp6+VW9/SXMjTwVPIuhe1wVUuDqg/xEGjkggklPPI60kk2me3DXIg8eBe0rs6gMkAKt+Onx02t96pQhNE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=m4H7elrt; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="m4H7elrt" Received: by smtp.kernel.org (Postfix) with ESMTPSA id AA5B0C4CEF6; Fri, 15 Aug 2025 17:11:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1755277878; bh=WJBROFFDcaspyFeWuewO8p0H/4y/HNn0jxzNgWjBUkI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=m4H7elrtYjc4FH2dtqWlsqVbSRz8DR24f0KZPaT1jZ7fWx/wVC8IX0vBGmX+j12mH QWxYDhDuVRxTIXww0HfDcMfjdnRtx93fHtwUsfQFbWBgizzya3Y92qHQ4I28hXMFJG OFsYFCCpoK9RK4QEzhmc4NGXMhdiDOwboYWDeJzmtOH1yEo843hSFYqUkSA3qGVPsO xUv7IxHuqGTDuWzA5GWfut7RTJH0mzdsJEzWzVWqjIEUSY21LjpO/xw5xersP8YTM6 P9bi9tvoCncgP9Hc7If8Wfxbl0Yue2ZLZa9kYis6SuM4twxixVmZOysom1Qq1uNVkg h3vK8ViLub3Sw== From: Danilo Krummrich To: akpm@linux-foundation.org, ojeda@kernel.org, alex.gaynor@gmail.com, boqun.feng@gmail.com, gary@garyguo.net, bjorn3_gh@protonmail.com, lossin@kernel.org, a.hindborg@kernel.org, aliceryhl@google.com, tmgross@umich.edu, abdiel.janulgue@gmail.com, acourbot@nvidia.com, jgg@ziepe.ca, lyude@redhat.com, robin.murphy@arm.com, daniel.almeida@collabora.com Cc: rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org, Danilo Krummrich Subject: [PATCH 2/4] rust: scatterlist: Add type-state abstraction for sg_table Date: Fri, 15 Aug 2025 19:10:03 +0200 Message-ID: <20250815171058.299270-3-dakr@kernel.org> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250815171058.299270-1-dakr@kernel.org> References: <20250815171058.299270-1-dakr@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Add a safe Rust abstraction for the kernel's scatter-gather list facilities (`struct scatterlist` and `struct sg_table`). This commit introduces `SGTable`, a wrapper that uses a type-state pattern to provide compile-time guarantees about ownership and lifetime. The abstraction provides two primary states: - `SGTable>`: Represents a table whose resources are fully managed by Rust. It takes ownership of a page provider `P`, allocates the underlying `struct sg_table`, maps it for DMA, and handles all cleanup automatically upon drop. The DMA mapping's lifetime is tied to the associated device using `Devres`, ensuring it is correctly unmapped before the device is unbound. - `SGTable` (or just `SGTable`): A zero-cost representation of an externally managed `struct sg_table`. It is created from a raw pointer using `SGTable::as_ref()` and provides a lifetime-bound reference (`&'a SGTable`) for operations like iteration. The API exposes a safe iterator that yields `&SGEntry` references, allowing drivers to easily access the DMA address and length of each segment in the list. Co-developed-by: Abdiel Janulgue Signed-off-by: Abdiel Janulgue Signed-off-by: Danilo Krummrich --- rust/helpers/helpers.c | 1 + rust/helpers/scatterlist.c | 24 ++ rust/kernel/lib.rs | 1 + rust/kernel/scatterlist.rs | 433 +++++++++++++++++++++++++++++++++++++ 4 files changed, 459 insertions(+) create mode 100644 rust/helpers/scatterlist.c create mode 100644 rust/kernel/scatterlist.rs diff --git a/rust/helpers/helpers.c b/rust/helpers/helpers.c index 7cf7fe95e41d..e94542bf6ea7 100644 --- a/rust/helpers/helpers.c +++ b/rust/helpers/helpers.c @@ -39,6 +39,7 @@ #include "rcu.c" #include "refcount.c" #include "regulator.c" +#include "scatterlist.c" #include "security.c" #include "signal.c" #include "slab.c" diff --git a/rust/helpers/scatterlist.c b/rust/helpers/scatterlist.c new file mode 100644 index 000000000000..80c956ee09ab --- /dev/null +++ b/rust/helpers/scatterlist.c @@ -0,0 +1,24 @@ +// SPDX-License-Identifier: GPL-2.0 + +#include + +dma_addr_t rust_helper_sg_dma_address(struct scatterlist *sg) +{ + return sg_dma_address(sg); +} + +unsigned int rust_helper_sg_dma_len(struct scatterlist *sg) +{ + return sg_dma_len(sg); +} + +struct scatterlist *rust_helper_sg_next(struct scatterlist *sg) +{ + return sg_next(sg); +} + +void rust_helper_dma_unmap_sgtable(struct device *dev, struct sg_table *sg= t, + enum dma_data_direction dir, unsigned long attrs) +{ + return dma_unmap_sgtable(dev, sgt, dir, attrs); +} diff --git a/rust/kernel/lib.rs b/rust/kernel/lib.rs index ed53169e795c..55acbc893736 100644 --- a/rust/kernel/lib.rs +++ b/rust/kernel/lib.rs @@ -113,6 +113,7 @@ pub mod rbtree; pub mod regulator; pub mod revocable; +pub mod scatterlist; pub mod security; pub mod seq_file; pub mod sizes; diff --git a/rust/kernel/scatterlist.rs b/rust/kernel/scatterlist.rs new file mode 100644 index 000000000000..4caaf8cfbf83 --- /dev/null +++ b/rust/kernel/scatterlist.rs @@ -0,0 +1,433 @@ +// SPDX-License-Identifier: GPL-2.0 + +//! Abstractions for scatter-gather lists. +//! +//! C header: [`include/linux/scatterlist.h`](srctree/include/linux/scatte= rlist.h) +//! +//! Scatter-gather (SG) I/O is a memory access technique that allows devic= es to perform DMA +//! operations on data buffers that are not physically contiguous in memor= y. It works by creating a +//! "scatter-gather list", an array where each entry specifies the address= and length of a +//! physically contiguous memory segment. +//! +//! The device's DMA controller can then read this list and process the se= gments sequentially as +//! part of one logical I/O request. This avoids the need for a single, la= rge, physically contiguous +//! memory buffer, which can be difficult or impossible to allocate. +//! +//! This module provides safe Rust abstractions over the kernel's `struct = scatterlist` and +//! `struct sg_table` types. +//! +//! The main entry point is the [`SGTable`] type, which represents a compl= ete scatter-gather table. +//! It can be either: +//! +//! - An owned table ([`SGTable>`]), created from a Rust memory b= uffer (e.g., [`VVec`]). +//! This type manages the allocation of the `struct sg_table`, the DMA m= apping of the buffer, and +//! the automatic cleanup of all resources. +//! - A borrowed reference (&[`SGTable`]), which provides safe, read-only = access to a table that was +//! allocated by other (e.g., C) code. +//! +//! Individual entries in the table are represented by [`SGEntry`], which = can be accessed by +//! iterating over an [`SGTable`]. + +use crate::{ + alloc, + alloc::allocator::VmallocPageIter, + bindings, + device::{Bound, Device}, + devres::Devres, + dma, error, page, + prelude::*, + types::{ARef, Opaque}, +}; +use core::{ops::Deref, ptr::NonNull}; + +/// A single entry in a scatter-gather list. +/// +/// An `SGEntry` represents a single, physically contiguous segment of mem= ory that has been mapped +/// for DMA. +/// +/// Instances of this struct are obtained by iterating over an [`SGTable`]= . Drivers do not create +/// or own [`SGEntry`] objects directly. +#[repr(transparent)] +pub struct SGEntry(Opaque); + +impl SGEntry { + /// Convert a raw `struct scatterlist *` to a `&'a SGEntry`. + /// + /// # Safety + /// + /// Callers must ensure that the `struct scatterlist` pointed to by `p= tr` is valid for the + /// lifetime `'a`. + unsafe fn as_ref<'a>(ptr: *mut bindings::scatterlist) -> &'a Self { + // SAFETY: The safety requirements of this function guarantee that= `ptr` is a valid pointer + // to a `struct scatterlist` for the duration of `'a`. + unsafe { &*ptr.cast() } + } + + /// Obtain the raw `struct scatterlist *`. + fn as_raw(&self) -> *mut bindings::scatterlist { + self.0.get() + } + + /// Returns the DMA address of this SG entry. + /// + /// This is the address that the device should use to access the memor= y segment. + pub fn dma_address(&self) -> bindings::dma_addr_t { + // SAFETY: `self.as_raw()` is a valid pointer to a `struct scatter= list`. + unsafe { bindings::sg_dma_address(self.as_raw()) } + } + + /// Returns the length of this SG entry in bytes. + pub fn dma_len(&self) -> u32 { + // SAFETY: `self.as_raw()` is a valid pointer to a `struct scatter= list`. + unsafe { bindings::sg_dma_len(self.as_raw()) } + } +} + +/// The borrowed type state of an [`SGTable`], representing a borrowed or = externally managed table. +#[repr(transparent)] +pub struct Borrowed(Opaque); + +// SAFETY: An instance of `Borrowed` can be send to any task. +unsafe impl Send for Borrowed {} + +/// A scatter-gather table. +/// +/// This struct is a wrapper around the kernel's `struct sg_table`. It man= ages a list of DMA-mapped +/// memory segments that can be passed to a device for I/O operations. +/// +/// The generic parameter `T` is used as a type state to distinguish betwe= en owned and borrowed +/// tables. +/// +/// - [`SGTable`]: An owned table created and managed entirely by = Rust code. It handles +/// allocation, DMA mapping, and cleanup of all associated resources. S= ee [`SGTable::new`]. +/// - [`SGTable`} (or simply [`SGTable`]): Represents a table w= hose lifetime is managed +/// externally. It can be used safely via a borrowed reference `&'a SGT= able`, where `'a` is the +/// external lifetime. +/// +/// All [`SGTable`] variants can be iterated over the individual [`SGEntry= `]s. +#[repr(transparent)] +#[pin_data] +pub struct SGTable { + #[pin] + inner: T, +} + +impl SGTable { + /// Creates a borrowed `&'a SGTable` from a raw `struct sg_table` poin= ter. + /// + /// This allows safe access to an `sg_table` that is managed elsewhere= (for example, in C code). + /// + /// # Safety + /// + /// Callers must ensure that the `struct sg_table` pointed to by `ptr`= is valid for the entire + /// lifetime of `'a`. + pub unsafe fn as_ref<'a>(ptr: *mut bindings::sg_table) -> &'a Self { + // SAFETY: The safety requirements of this function guarantee that= `ptr` is a valid pointer + // to a `struct sg_table` for the duration of `'a`. + unsafe { &*ptr.cast() } + } + + fn as_raw(&self) -> *mut bindings::sg_table { + self.inner.0.get() + } + + fn as_iter(&self) -> SGTableIter<'_> { + // SAFETY: `self.as_raw()` is a valid pointer to a `struct sg_tabl= e`. + let ptr =3D unsafe { (*self.as_raw()).sgl }; + + // SAFETY: `ptr` is guaranteed to be a valid pointer to a `struct = scatterlist`. + let pos =3D Some(unsafe { SGEntry::as_ref(ptr) }); + + SGTableIter { pos } + } +} + +/// # Invariants +/// +/// `sgt` is a valid pointer to a `struct sg_table` for the entire lifetim= e of an [`DmaMapSgt`]. +struct DmaMapSgt { + sgt: NonNull, + dev: ARef, + dir: dma::DataDirection, +} + +// SAFETY: An instance of `DmaMapSgt` can be send to any task. +unsafe impl Send for DmaMapSgt {} + +impl DmaMapSgt { + /// # Safety + /// + /// `sgt` must be a valid pointer to a `struct sg_table` for the entir= e lifetime of the + /// returned [`DmaMapSgt`]. + unsafe fn new( + sgt: NonNull, + dev: &Device, + dir: dma::DataDirection, + ) -> Result { + // SAFETY: + // - `dev.as_raw()` is a valid pointer to a `struct device`, which= is guaranteed to be + // bound to a driver for the duration of this call. + // - `sgt` is a valid pointer to a `struct sg_table`. + error::to_result(unsafe { + bindings::dma_map_sgtable(dev.as_raw(), sgt.as_ptr(), dir.as_r= aw(), 0) + })?; + + // INVARIANT: By the safety requirements of this function it is gu= aranteed that `sgt` is + // valid for the entire lifetime of this object instance. + Ok(Self { + sgt, + dev: dev.into(), + dir, + }) + } +} + +impl Drop for DmaMapSgt { + fn drop(&mut self) { + // SAFETY: + // - `self.dev.as_raw()` is a pointer to a valid `struct device`. + // - `self.dev` is the same device the mapping has been created fo= r in `Self::new()`. + // - `self.sgt.as_ptr()` is a valid pointer to a `struct sg_table`= by the type invariants + // of `Self`. + // - `self.dir` is the same `dma::DataDirection` the mapping has b= een created with in + // `Self::new()`. + unsafe { + bindings::dma_unmap_sgtable(self.dev.as_raw(), self.sgt.as_ptr= (), self.dir.as_raw(), 0) + }; + } +} + +#[repr(transparent)] +#[pin_data(PinnedDrop)] +struct RawSGTable { + #[pin] + sgt: Opaque, +} + +impl RawSGTable { + fn new( + mut pages: KVec<*mut bindings::page>, + size: usize, + max_segment: u32, + flags: alloc::Flags, + ) -> impl PinInit { + try_pin_init!(Self { + sgt <- Opaque::try_ffi_init(|slot: *mut bindings::sg_table| { + // `sg_alloc_table_from_pages_segment()` expects at least = one page, otherwise it + // produces a NPE. + if pages.is_empty() { + return Err(EINVAL); + } + + // SAFETY: + // - `slot` is a valid pointer to uninitialized memory. + // - As by the check above, `pages` is not empty. + error::to_result(unsafe { + bindings::sg_alloc_table_from_pages_segment( + slot, + pages.as_mut_ptr(), + pages.len().try_into()?, + 0, + size, + max_segment, + flags.as_raw(), + ) + }) + }), + }) + } + + fn as_raw(&self) -> *mut bindings::sg_table { + self.sgt.get() + } +} + +#[pinned_drop] +impl PinnedDrop for RawSGTable { + fn drop(self: Pin<&mut Self>) { + // SAFETY: `sgt` is a valid and initialized `struct sg_table`. + unsafe { bindings::sg_free_table(self.sgt.get()) }; + } +} + +/// The [`Owned`] type state of an [`SGTable`]. +/// +/// A [`SGTable`] signifies that the [`SGTable`] owns all associate= d resources: +/// +/// - The backing memory pages. +/// - The `struct sg_table` allocation (`sgt`). +/// - The DMA mapping, managed through a [`Devres`]-managed `DmaMapSgt`. +/// +/// Users interact with this type through the [`SGTable`] handle and do no= t need to manage +/// [`Owned`] directly. +#[pin_data] +pub struct Owned

{ + // Note: The drop order is relevant; we first have to unmap the `struc= t sg_table`, then free the + // `struct sg_table` and finally free the backing pages. + #[pin] + dma: Devres, + #[pin] + sgt: RawSGTable, + _pages: P, +} + +// SAFETY: An instance of `Owned` can be send to any task if `P` can be se= nd to any task. +unsafe impl Send for Owned

{} + +impl

Owned

+where + for<'a> P: page::AsPageIter =3D VmallocPageIter<'a>> + 'stati= c, +{ + fn new( + dev: &Device, + mut pages: P, + dir: dma::DataDirection, + flags: alloc::Flags, + ) -> Result + use<'_, P>> { + let page_iter =3D pages.page_iter(); + let size =3D page_iter.size(); + + let mut page_vec: KVec<*mut bindings::page> =3D + KVec::with_capacity(page_iter.page_count(), flags)?; + + for page in page_iter { + page_vec.push(page.as_ptr(), flags)?; + } + + // `dma_max_mapping_size` returns `size_t`, but `sg_alloc_table_fr= om_pages_segment()` takes + // an `unsigned int`. + let max_segment =3D { + // SAFETY: `dev.as_raw()` is a valid pointer to a `struct devi= ce`. + let size =3D unsafe { bindings::dma_max_mapping_size(dev.as_ra= w()) }; + if size =3D=3D 0 { + u32::MAX + } else { + size.min(u32::MAX as usize) as u32 + } + }; + + Ok(try_pin_init!(&this in Self { + sgt <- RawSGTable::new(page_vec, size, max_segment, flags), + dma <- { + // SAFETY: `this` is a valid pointer to uninitialized memo= ry. + let sgt =3D unsafe { &raw mut (*this.as_ptr()).sgt }.cast(= ); + + // SAFETY: `sgt` is guaranteed to be non-null. + let sgt =3D unsafe { NonNull::new_unchecked(sgt) }; + + // SAFETY: It is guaranteed that the object returned by `D= maMapSgt::new` won't + // out-live `sgt`. + Devres::new(dev, unsafe { DmaMapSgt::new(sgt, dev, dir) }) + }, + _pages: pages, + })) + } +} + +impl

SGTable> +where + for<'a> P: page::AsPageIter =3D VmallocPageIter<'a>> + 'stati= c, +{ + /// Allocates a new scatter-gather table from the given pages and maps= it for DMA. + /// + /// This constructor creates a new [`SGTable`] that takes owner= ship of `P`. + /// It allocates a `struct sg_table`, populates it with entries corres= ponding to the physical + /// pages of `P`, and maps the table for DMA with the specified [`Devi= ce`] and + /// [`dma::DataDirection`]. + /// + /// The DMA mapping is managed through [`Devres`], ensuring that the D= MA mapping is unmapped + /// once the associated [`Device`] is unbound, or when the [`SGTable`] is dropped. + /// + /// # Parameters + /// + /// * `dev`: The [`Device`] that will be performing the DMA. + /// * `pages`: The entity providing the backing pages. It must impleme= nt [`page::AsPageIter`]. + /// The ownership of this entity is moved into the new [`SGTable`]. + /// * `dir`: The [`dma::DataDirection`] of the DMA transfer. + /// * `flags`: Allocation flags for internal allocations (e.g., [`GFP_= KERNEL`]). + /// + /// # Examples + /// + /// ``` + /// use kernel::{ + /// device::{Bound, Device}, + /// dma, page, + /// prelude::*, + /// scatterlist::*, + /// }; + /// + /// fn test(dev: &Device) -> Result { + /// let size =3D 4 * page::PAGE_SIZE; + /// let pages =3D VVec::::with_capacity(size, GFP_KERNEL)?; + /// + /// let sgt =3D KBox::pin_init(SGTable::new( + /// dev, + /// pages, + /// dma::DataDirection::TO_DEVICE, + /// GFP_KERNEL, + /// ), GFP_KERNEL)?; + /// + /// Ok(()) + /// } + /// ``` + pub fn new( + dev: &Device, + pages: P, + dir: dma::DataDirection, + flags: alloc::Flags, + ) -> impl PinInit + use<'_, P> { + try_pin_init!(Self { + inner <- Owned::new(dev, pages, dir, flags)? + }) + } +} + +impl

Deref for SGTable> { + type Target =3D SGTable; + + fn deref(&self) -> &Self::Target { + // SAFETY: `self.inner.sgt.as_raw()` is a valid pointer to a `stru= ct sg_table` for the + // entire lifetime of `self`. + unsafe { SGTable::as_ref(self.inner.sgt.as_raw()) } + } +} + +mod private { + pub trait Sealed {} + + impl Sealed for super::Borrowed {} + impl

Sealed for super::Owned

{} +} + +impl<'a> IntoIterator for &'a SGTable { + type Item =3D &'a SGEntry; + type IntoIter =3D SGTableIter<'a>; + + fn into_iter(self) -> Self::IntoIter { + self.as_iter() + } +} + +/// An [`Iterator`] over the [`SGEntry`] items of an [`SGTable`]. +pub struct SGTableIter<'a> { + pos: Option<&'a SGEntry>, +} + +impl<'a> Iterator for SGTableIter<'a> { + type Item =3D &'a SGEntry; + + fn next(&mut self) -> Option { + let entry =3D self.pos?; + + // SAFETY: `entry.as_raw()` is a valid pointer to a `struct scatte= rlist`. + let next =3D unsafe { bindings::sg_next(entry.as_raw()) }; + + self.pos =3D (!next.is_null()).then(|| { + // SAFETY: If `next` is not NULL, `sg_next()` guarantees to re= turn a valid pointer to + // the next `struct scatterlist`. + unsafe { SGEntry::as_ref(next) } + }); + + Some(entry) + } +} --=20 2.50.1