From nobody Mon Jun 8 05:25:28 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 633CF3B7770; Fri, 5 Jun 2026 12:49:31 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780663772; cv=none; b=ErQcSstJHJIVlTNhKxQdMD+XJ6TumI68X4J3EqEZUnTuxakZoE4jxiPqU5J8UTyl1i/4+eUDmvD6eO71eYlc4lV1GyqeiCoNzT+gu/uCZzXLoWBvSPijhl+a2UssBJPxddFfSiapif4XY4vqhBoPi7f8+N7qV53llBuvZOpv1UM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780663772; c=relaxed/simple; bh=AelOEKha7GwTPFJdgoQQNjBmJCDzWgaXA39VobkZzlQ=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=rQRConXDwa6h6BgxORmYnC0ZJmTFmkHT9u0Raqs7z9B5uYc9Y5xmIZlbapn7An4sXZIz75BkdODBydNWbQBDVvbHEiVC1wiLTsjAIHjTs5QLcc7l1DXepzloMUDoKXFTF3acE07/tnLN1u644GODLiOAt3HfbEOgbLUqAPpvTE0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=Lnniuxn6; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="Lnniuxn6" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 8BB1C1F00893; Fri, 5 Jun 2026 12:49:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780663771; bh=DbXvzqzWUI/yNPOIrBVfVpZL6e03sj4LaZM/QYpv8vM=; h=From:Date:Subject:References:In-Reply-To:To:Cc; b=Lnniuxn6zpcULhgD86Zhf0jeGeat3INq1QENC+Sop/i/8bGteKv/mrWHE+7W3Jwxc keasW1MGaUmrwkAoM2dmE3gOeyUfRckryjBj2OpLE4DfNvUgTk+7B/oWuxhZGC8PjD qWy8YOpMT5MWGoLrhkMJxThiguUtONFUj5LOpooIchKY6C20S+FXtzRvH9D8AWM/uw S4zkifYchvwcNAAOMi8qL/4sO985EylJXWhWsejA8yHsSS3JamwwLBL9YsPiIxDCZ/ UZyWwhqfnz7sm6zltX5XHsLdOVDvuXDspx46t0zVeuP0de/0dO1GVxmHBchQCvm+KF F5eBPZ7pBKSow== From: Andreas Hindborg Date: Fri, 05 Jun 2026 14:49:14 +0200 Subject: [PATCH v2 1/2] rust: page: add `SafePage` for race-free page access Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260605-page-additions-v2-1-03f04c8fdbbf@kernel.org> References: <20260605-page-additions-v2-0-03f04c8fdbbf@kernel.org> In-Reply-To: <20260605-page-additions-v2-0-03f04c8fdbbf@kernel.org> To: Alice Ryhl , Miguel Ojeda , Gary Guo , =?utf-8?q?Bj=C3=B6rn_Roy_Baron?= , Benno Lossin , Trevor Gross , Danilo Krummrich , Lorenzo Stoakes , "Liam R. Howlett" , Boqun Feng , Lorenzo Stoakes , "Liam R. Howlett" , Boqun Feng Cc: linux-mm@kvack.org, rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org, Andreas Hindborg X-Mailer: b4 0.16-dev X-Developer-Signature: v=1; a=openpgp-sha256; l=4342; i=a.hindborg@kernel.org; h=from:subject:message-id; bh=AelOEKha7GwTPFJdgoQQNjBmJCDzWgaXA39VobkZzlQ=; b=owEBbQKS/ZANAwAKAfpQKQiqxb3QAcsmYgBqIsXOnWIygn8Vagmtn4BvhUyA54DhFiX+GqHf3 rcWSH+7qj6JAjMEAAEKAB0WIQRXitnI2WZ2JirAaob6UCkIqsW90AUCaiLFzgAKCRD6UCkIqsW9 0KDPD/wMbFzdfGL4JHtCnbq0hmUaI2BPJbBiOMFMIOKGztxXzGWLm8dWGL6HoCLKAl3EsJNGXtx 2ZpIV7WmOrWIAbAklAreGAgmpiDsTVBF4XHQiDjszP72ZE4glAHF0Z1di2pqmNBR9RRruV0H+MH QD+HdyV77pVYqiEGv9m3ZWeH/tuSP4r88hrAg/UbF0eVOaKUU83DfSoxahRgBByJAZKUHULhxq/ tXQfC4nkHUH+FLe+vk39JDQPxsWeHnaVHe+c2gYGOVvW47B33Ra+oX0vcW0Ty0cNYYeIJH6hLYM iSyFJpRqI2nHkHjud11gNeRrvJd7m5c7OH6x1Ym8OaGfo4U8QNTLjh/mKPvdPevZWArkimyOR4w 0BfnxijniadAUC+qj7lsYHPFt0BnL/aQjYe00uyoZ2zYR4gmBMDjDTVCpbdIi39KQjuhgF3Bcwm 5vHsTIfDGaLWYe12xSYAZvyUxc13xeaVEpSAliOG1+VK7KL6O5OZL6r3uiag5HXAjDg6POliC+B aVev1PAe51A8UrYLR8d9J+04A73jHL6Dg++nfdSsIyUsyVjXjnA/8iYnDPGcfnYHqfkMvPyjj0G xp9LUSluY/7422BOR40JG5Tk3wo6QxhPTfet9h/Ee6F8Qr5kuZs9Uw3OTIamF16UxxevVx2Oy4K xzOlM3UW2luVfqQ== X-Developer-Key: i=a.hindborg@kernel.org; a=openpgp; fpr=3108C10F46872E248D1FB221376EB100563EF7A7 `SafePage` wraps a regular page but adds an invariant that the page data area does not incur data races. This means `SafePage` cannot be mapped to user space or shared with devices, and it becomes simpler to directly reference the contents of the page. Signed-off-by: Andreas Hindborg --- rust/kernel/page.rs | 73 +++++++++++++++++++++++++++++++++++++++++++++----= ---- 1 file changed, 62 insertions(+), 11 deletions(-) diff --git a/rust/kernel/page.rs b/rust/kernel/page.rs index d56ae597f692..f143b42d1bd6 100644 --- a/rust/kernel/page.rs +++ b/rust/kernel/page.rs @@ -8,8 +8,10 @@ Flags, // }, bindings, - error::code::*, - error::Result, + error::{ + code::*, + Result, // + }, types::{ Opaque, Ownable, @@ -20,7 +22,7 @@ use core::{ marker::PhantomData, mem::ManuallyDrop, - ops::Deref, + ops::{Deref, DerefMut}, ptr::{ self, NonNull, // @@ -193,14 +195,10 @@ impl Page { /// ``` #[inline] pub fn alloc_page(flags: Flags) -> Result, AllocError> { - // SAFETY: Depending on the value of `gfp_flags`, this call may sl= eep. Other than that, it - // is always safe to call this method. - let page =3D unsafe { bindings::alloc_pages(flags.as_raw(), 0) }; - let page =3D NonNull::new(page).ok_or(AllocError)?; - // SAFETY: We just successfully allocated a page, so we now have o= wnership of the newly - // allocated page. We transfer that ownership to the new `Owned` object. - // Since `Page` is transparent, we can cast the pointer directly. - Ok(unsafe { Owned::from_raw(page.cast()) }) + let page =3D SafePage::alloc_page(flags)?; + // SAFETY: `SafePage` is `#[repr(transparent)]` over `Page`, so a = pointer to a `SafePage` + // with ownership is also a pointer to a `Page` with ownership. + Ok(unsafe { Owned::from_raw(Owned::into_raw(page).cast()) }) } =20 /// Returns a raw pointer to the page. @@ -401,3 +399,56 @@ unsafe fn release(&mut self) { unsafe { bindings::__free_pages(ptr.cast(), 0) }; } } + +/// A page whose data area follows standard Rust aliasing rules. +/// +/// [`SafePage`] has the same usage constraints as other Rust types. Thus,= it cannot be mapped to +/// user space or shared with devices. This makes it safe to reference the= contents of the page +/// while the page is mapped in kernel space. +/// +/// # Invariants +/// +/// The data of this page is accessed only through references to [`SafePag= e`]. While a shared +/// reference to a [`SafePage`] exists, there are no writes to its data. W= hile an exclusive +/// reference exists, there are no other reads or writes of its data. +#[repr(transparent)] +pub struct SafePage(Page); + +impl SafePage { + /// Allocate a new `SafePage`. + pub fn alloc_page(flags: Flags) -> Result, AllocError> { + // SAFETY: Depending on the value of `gfp_flags`, this call may sl= eep. Other than that, it + // is always safe to call this method. + let page =3D unsafe { bindings::alloc_pages(flags.as_raw(), 0) }; + let page =3D NonNull::new(page).ok_or(AllocError)?; + + // SAFETY: We just successfully allocated a page, so we now have o= wnership of the newly + // allocated page. We transfer that ownership to the new `Owned` object. Since + // `Page` and `SafePage` are transparent, we can cast to the raw p= age pointer directly. + Ok(unsafe { Owned::from_raw(page.cast()) }) + } +} + +impl Ownable for SafePage { + #[inline] + unsafe fn release(&mut self) { + let ptr: *mut Self =3D self; + // SAFETY: By the function safety requirements, we have ownership = of the page and can free + // it. Since `SafePage` and `Page` are transparent, we can cast th= e raw pointer directly. + unsafe { bindings::__free_pages(ptr.cast(), 0) }; + } +} + +impl Deref for SafePage { + type Target =3D Page; + + fn deref(&self) -> &Self::Target { + &self.0 + } +} + +impl DerefMut for SafePage { + fn deref_mut(&mut self) -> &mut Self::Target { + &mut self.0 + } +} --=20 2.51.2 From nobody Mon Jun 8 05:25:28 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 67F2F3CFF6C; Fri, 5 Jun 2026 12:49:39 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780663780; cv=none; b=trrrWaoOe3oJmrpSt+lRgkuuhfCy/VJpqAdnHq75X5UFHpIFUSsGvVN+PDBZ3knjqpKICknxsTv04rfq0SWYED8iinVmXqzUw/taPncDnLDMS+gMgqBMcvy0w1nQrMFSX19H1nDfCcr5To4WkAFhBqtlRQVPhqqri5bb+RJakA8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780663780; c=relaxed/simple; bh=dzp6cOSqfyflttG0MeQMpzGj5B+SlllJR/JvQBXauF8=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=lwAzd3bBB82dRJbnlDaT/Jp6AjtlKO5poSUExB0tDc4sJ7WsgGw/UJ3TqkKiXB7du36ymPtBzYbfV0Xz6Fkc/NDVOx497BBZCLkUdaonf9HPuP3hGJlk4DHPpjanrxyLDnxYeILXn5hLfhMzaFUC3aUNb5+ttQAkywlXOmsAw3Y= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=lCC93ulo; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="lCC93ulo" Received: by smtp.kernel.org (Postfix) with ESMTPSA id B10051F00899; Fri, 5 Jun 2026 12:49:35 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780663779; bh=j747jOREbIkvFsg/aHzSYOHlVF+tB6wBTmNCEvHgfnA=; h=From:Date:Subject:References:In-Reply-To:To:Cc; b=lCC93uloqOF6Saw4qFLkFpI/H4rGKgYjI51PNWwxmotH8za1SoVm56NPQqTXeY7/2 ne0HYAGSfgKUAraTPThkkiJKcsyK3eo90LhQ1idfdBtxgA9hwA7Ji3DP4YuNjpiie4 D7ULucSlvem2NtX+aAdW1OjdvVQdykCaoRtvFVpEs04KRc1WGTN189VhaU6XwitOSU mgUT+o8ojnPwq5ye5vLfi0/Xb2wSlyTf2rqQRGVHbUT+dutEWrRKtvILXIZEg7hNFd AajWgDpq40hmDymOTPaj4r0qs36S6g059nwsqXKvxUxfmBlt0XrdccdVv4E9Hfml4W +HVn+kYY9ONcA== From: Andreas Hindborg Date: Fri, 05 Jun 2026 14:49:15 +0200 Subject: [PATCH v2 2/2] rust: page: add method to copy data between safe pages Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260605-page-additions-v2-2-03f04c8fdbbf@kernel.org> References: <20260605-page-additions-v2-0-03f04c8fdbbf@kernel.org> In-Reply-To: <20260605-page-additions-v2-0-03f04c8fdbbf@kernel.org> To: Alice Ryhl , Miguel Ojeda , Gary Guo , =?utf-8?q?Bj=C3=B6rn_Roy_Baron?= , Benno Lossin , Trevor Gross , Danilo Krummrich , Lorenzo Stoakes , "Liam R. Howlett" , Boqun Feng , Lorenzo Stoakes , "Liam R. Howlett" , Boqun Feng Cc: linux-mm@kvack.org, rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org, Andreas Hindborg X-Mailer: b4 0.16-dev X-Developer-Signature: v=1; a=openpgp-sha256; l=3310; i=a.hindborg@kernel.org; h=from:subject:message-id; bh=dzp6cOSqfyflttG0MeQMpzGj5B+SlllJR/JvQBXauF8=; b=owEBbQKS/ZANAwAKAfpQKQiqxb3QAcsmYgBqIsXPwpB4FTMvmdQ+DkEJMq1tlEwRJQ/YlCbJg EfQD8YbWNOJAjMEAAEKAB0WIQRXitnI2WZ2JirAaob6UCkIqsW90AUCaiLFzwAKCRD6UCkIqsW9 0IwqD/9kbmi0nAXUhpyZgyZPFjcP242UtyBBoopaXPnPhF7rf8pCj6WUmqGhbm4Q1qUYj3KueeY 82yfgiSPhEWM2JNNVDwfBAN4e98UQDMRKw6Kv7IgXnk0XLh93TYmUKl/gxJBvJuDmqfJ8it63r4 jBmNdGkw608QaFXnUloqPKJ9TB7LLo55kQzeSqwexJ1eNRj38rt3Hnh6+ziOF08KuCHjxrJ2vGq zDd7l36PLd139G7vEbvWwfjDgu+mXs9CktjRuoC4xyjf/qirnfi64PFHsRLPDb8LaKvcQSpMZJm wp4IZCWZmllxSEj9QvAlbup+7aLjUQFhF3nr/UepEikqdXbHWddCNWrYvtUcytaZHh8nSw5oeVF z02cvlo67msFQ1ten/H5E/OxB7imEn41OEU5EWs7NsK78baW7sskoqlEhGwwEZOVE5ZB18Sjbdb aGDReVZgJsoOqzVwPBooFvJOm/QUpgGYUE+wuscrF28+y7jU57zWD/W9Up7pclit3ObfWbDMsT9 hsDUaqK884CSWo46BzaeOZQoeptZ1DwSIjwINW0ts5LGFBlTt8U9FZAA1DYThGaSm2k6ctusbL8 SHVS0JSxHWDUvQNqB/JGVAnQBsa8/TavOFKCWiYqQbUS2cFlRu97C0YUa97wVnFffojf08mCu7D ubZxxW+0Krag5bw== X-Developer-Key: i=a.hindborg@kernel.org; a=openpgp; fpr=3108C10F46872E248D1FB221376EB100563EF7A7 Add `SafePage::copy_to_page` to copy data from one page to another at a given offset. Because `SafePage` cannot be mapped to user space or shared with devices, there are no data races and the copy can be performed using the existing `with_pointer_into_page` and `write_raw` methods. Signed-off-by: Andreas Hindborg --- rust/kernel/page.rs | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/rust/kernel/page.rs b/rust/kernel/page.rs index f143b42d1bd6..2307e1f06360 100644 --- a/rust/kernel/page.rs +++ b/rust/kernel/page.rs @@ -23,6 +23,7 @@ marker::PhantomData, mem::ManuallyDrop, ops::{Deref, DerefMut}, + pin::Pin, ptr::{ self, NonNull, // @@ -427,6 +428,53 @@ pub fn alloc_page(flags: Flags) -> Result,= AllocError> { // `Page` and `SafePage` are transparent, we can cast to the raw p= age pointer directly. Ok(unsafe { Owned::from_raw(page.cast()) }) } + + /// Copies `len` bytes from this page to `dst` at the specified byte o= ffset. + /// + /// Copying starts within both pages at the same offset. + /// + /// # Examples + /// + /// ``` + /// use kernel::error::code::EINVAL; + /// use kernel::page::{SafePage, PAGE_SIZE}; + /// + /// let mut src_page =3D SafePage::alloc_page(GFP_KERNEL)?; + /// let mut dst_page =3D SafePage::alloc_page(GFP_KERNEL)?; + /// + /// let data =3D [0xdeu8, 0xad, 0xbe, 0xef]; + /// // SAFETY: `data` is valid for reading `data.len()` bytes, and `sr= c_page` is exclusively + /// // owned, so there is no concurrent access to its data. + /// unsafe { src_page.write_raw(data.as_ptr(), 0, data.len())? }; + /// + /// assert!(src_page.copy_to_page(dst_page.as_pin_mut(), 0, data.len()= ).is_ok()); + /// + /// let mut buf =3D [0u8; 4]; + /// // SAFETY: `buf` is valid for writing `buf.len()` bytes, and `dst_= page` is exclusively + /// // owned, so there is no concurrent access to its data. + /// unsafe { dst_page.read_raw(buf.as_mut_ptr(), 0, buf.len())? }; + /// assert_eq!(buf, data); + /// + /// // A copy that would extend past the end of the page fails with `E= INVAL`. + /// assert_eq!( + /// src_page.copy_to_page(dst_page.as_pin_mut(), 0, PAGE_SIZE + 1), + /// Err(EINVAL), + /// ); + /// # Ok::<(), kernel::error::Error>(()) + /// ``` + pub fn copy_to_page(&self, dst: Pin<&mut Self>, offset: usize, len: us= ize) -> Result { + // INVARIANT: The following code makes sure to not cause data race= s. + self.with_pointer_into_page(offset, len, |src| { + // SAFETY: + // - If `with_pointer_into_page` calls into this closure, then= it has performed a + // bounds check and guarantees that `src` is valid for `len`= bytes. + // - By type invariant and existence of shared reference, ther= e are no writes to + // `src` during this call. + // - By exclusive ownership of `dst`, there are no other write= s to `dst` during this + // call. + unsafe { dst.write_raw(src, offset, len) } + }) + } } =20 impl Ownable for SafePage { --=20 2.51.2