Adds support for doing array copies of data in and out of IO regions.
Fixed size arrays allow for compile-time bound checking, while slice
arguments allow for dynamically checked copies.
Signed-off-by: Matthew Maurer <mmaurer@google.com>
---
rust/kernel/io.rs | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 71 insertions(+), 1 deletion(-)
diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
index 056a3ec71647b866a9a4b4c9abe9a0844f126930..6e74245eced2c267ba3b5b744eab3bc2db670e71 100644
--- a/rust/kernel/io.rs
+++ b/rust/kernel/io.rs
@@ -266,8 +266,9 @@ macro_rules! define_write {
#[inline]
const fn offset_valid<U>(offset: usize, size: usize) -> bool {
let type_size = core::mem::size_of::<U>();
+ let type_align = core::mem::align_of::<U>();
if let Some(end) = offset.checked_add(type_size) {
- end <= size && offset % type_size == 0
+ end <= size && offset % type_align == 0
} else {
false
}
@@ -323,6 +324,25 @@ fn io_addr<U>(&self, offset: usize) -> Result<usize> {
self.addr().checked_add(offset).ok_or(EINVAL)
}
+ /// Returns the absolute I/O address for a given `offset`, performing runtime bounds checks
+ /// to ensure the entire range is available.
+ #[inline]
+ fn io_addr_range<U>(&self, offset: usize, count: usize) -> Result<usize> {
+ if count != 0 {
+ // These ranges are contiguous, so we can just check the first and last elements.
+ let bytes = (count - 1)
+ .checked_mul(core::mem::size_of::<U>())
+ .ok_or(EINVAL)?;
+ let end = offset.checked_add(bytes).ok_or(EINVAL)?;
+ if !offset_valid::<U>(offset, self.maxsize()) || !offset_valid::<U>(end, self.maxsize())
+ {
+ return Err(EINVAL);
+ }
+ }
+
+ self.addr().checked_add(offset).ok_or(EINVAL)
+ }
+
/// Returns the absolute I/O address for a given `offset`,
/// performing compile-time bound checks.
// Always inline to optimize out error path of `build_assert`.
@@ -605,4 +625,54 @@ pub unsafe fn from_raw(raw: &MmioRaw<SIZE>) -> &Self {
pub try_write64_relaxed,
call_mmio_write(writeq_relaxed) <- u64
);
+
+ /// Write a known size buffer to an offset known at compile time.
+ ///
+ /// Bound checks are performed at compile time, hence if the offset is not known at compile
+ /// time, the build will fail, and the buffer size must be statically known.
+ #[inline]
+ pub fn copy_from<const N: usize>(&self, src: &[u8; N], offset: usize) {
+ let addr = self.io_addr_assert::<[u8; N]>(offset);
+ // SAFETY: By the type invariant `addr` is a valid address for MMIO operations, and by the
+ // assertion it's valid for `N` bytes.
+ unsafe { bindings::memcpy_toio(addr as *mut c_void, src.as_ptr().cast(), N) }
+ }
+
+ /// Write the contents of a slice to an offset.
+ ///
+ /// Bound checks are performed at runtime and will fail if the offset (plus the slice size) is
+ /// out of bounds.
+ #[inline]
+ pub fn try_copy_from(&self, src: &[u8], offset: usize) -> Result<()> {
+ let addr = self.io_addr_range::<u8>(offset, src.len())?;
+ // SAFETY: By the type invariant `addr` is a valid address for MMIO operations, and by the
+ // range check it's valid for `src.len()` bytes.
+ unsafe { bindings::memcpy_toio(addr as *mut c_void, src.as_ptr().cast(), src.len()) };
+ Ok(())
+ }
+
+ /// Read a known size buffer from an offset known at compile time.
+ ///
+ /// Bound checks are performed at compile time, hence if the offset is not known at compile
+ /// time, the build will fail, and the buffer size must be statically known.
+ #[inline]
+ pub fn copy_to<const N: usize>(&self, dst: &mut [u8; N], offset: usize) {
+ let addr = self.io_addr_assert::<[u8; N]>(offset);
+ // SAFETY: By the type invariant `addr` is a valid address for MMIO operations, and by the
+ // assertion it's valid for `N` bytes.
+ unsafe { bindings::memcpy_fromio(dst.as_mut_ptr().cast(), addr as *mut c_void, N) }
+ }
+
+ /// Read into a slice from an offset.
+ ///
+ /// Bound checks are performed at runtime and will fail if the offset (plus the slice size) is
+ /// out of bounds.
+ #[inline]
+ pub fn try_copy_to(&self, dst: &mut [u8], offset: usize) -> Result<()> {
+ let addr = self.io_addr_range::<u8>(offset, dst.len())?;
+ // SAFETY: By the type invariant `addr` is a valid address for MMIO operations, and by the
+ // range check, it's valid for `dst.len()` bytes.
+ unsafe { bindings::memcpy_fromio(dst.as_mut_ptr().cast(), addr as *mut c_void, dst.len()) }
+ Ok(())
+ }
}
--
2.53.0.rc2.204.g2597b5adb4-googOn Tue Feb 3, 2026 at 4:46 PM CET, Matthew Maurer wrote: > Adds support for doing array copies of data in and out of IO regions. > Fixed size arrays allow for compile-time bound checking, while slice > arguments allow for dynamically checked copies. > > Signed-off-by: Matthew Maurer <mmaurer@google.com> This patch needs to go on top of the recent I/O rework and should be generalized through an IoSlice type [1]. [1] https://rust-for-linux.zulipchat.com/#narrow/channel/288089-General/topic/Generic.20I.2FO.20backends/with/571639597
© 2016 - 2026 Red Hat, Inc.