From: Asahi Lina <[email protected]> This allows Page references to be returned as borrowed references, without necessarily owning the struct page.
Signed-off-by: Asahi Lina <[email protected]> [ Andreas: Fix formatting and add a safety comment. ] Signed-off-by: Andreas Hindborg <[email protected]> --- rust/kernel/page.rs | 38 +++++++++++++++++++++++++------------- 1 file changed, 25 insertions(+), 13 deletions(-) diff --git a/rust/kernel/page.rs b/rust/kernel/page.rs index bf3bed7e2d3fe..e21f02ae47b72 100644 --- a/rust/kernel/page.rs +++ b/rust/kernel/page.rs @@ -10,6 +10,11 @@ bindings, error::code::*, error::Result, + types::{ + Opaque, + Ownable, + Owned, // + }, uaccess::UserSliceReader, // }; use core::{ @@ -83,7 +88,7 @@ pub const fn page_align(addr: usize) -> usize { /// /// [`VBox`]: kernel::alloc::VBox /// [`Vmalloc`]: kernel::alloc::allocator::Vmalloc -pub struct BorrowedPage<'a>(ManuallyDrop<Page>, PhantomData<&'a Page>); +pub struct BorrowedPage<'a>(ManuallyDrop<NonNull<Page>>, PhantomData<&'a Page>); impl<'a> BorrowedPage<'a> { /// Constructs a [`BorrowedPage`] from a raw pointer to a `struct page`. @@ -93,7 +98,9 @@ impl<'a> BorrowedPage<'a> { /// - `ptr` must point to a valid `bindings::page`. /// - `ptr` must remain valid for the entire lifetime `'a`. pub unsafe fn from_raw(ptr: NonNull<bindings::page>) -> Self { - let page = Page { page: ptr }; + let page: NonNull<Page> = + // SAFETY: By function safety requirements `ptr` is non null. + unsafe { NonNull::new_unchecked(ptr.as_ptr().cast()) }; // INVARIANT: The safety requirements guarantee that `ptr` is valid for the entire lifetime // `'a`. @@ -105,7 +112,8 @@ impl<'a> Deref for BorrowedPage<'a> { type Target = Page; fn deref(&self) -> &Self::Target { - &self.0 + // SAFETY: By type invariant `self.0` is convertible to a reference for `'a`. + unsafe { self.0.as_ref() } } } @@ -126,8 +134,9 @@ pub trait AsPageIter { /// # Invariants /// /// The pointer is valid, and has ownership over the page. +#[repr(transparent)] pub struct Page { - page: NonNull<bindings::page>, + page: Opaque<bindings::page>, } // SAFETY: Pages have no logic that relies on them staying on a given thread, so moving them across @@ -161,19 +170,20 @@ impl Page { /// # Ok::<(), kernel::alloc::AllocError>(()) /// ``` #[inline] - pub fn alloc_page(flags: Flags) -> Result<Self, AllocError> { + pub fn alloc_page(flags: Flags) -> Result<Owned<Self>, AllocError> { // SAFETY: Depending on the value of `gfp_flags`, this call may sleep. Other than that, it // is always safe to call this method. let page = unsafe { bindings::alloc_pages(flags.as_raw(), 0) }; let page = NonNull::new(page).ok_or(AllocError)?; - // INVARIANT: We just successfully allocated a page, so we now have ownership of the newly - // allocated page. We transfer that ownership to the new `Page` object. - Ok(Self { page }) + // SAFETY: We just successfully allocated a page, so we now have ownership of the newly + // allocated page. We transfer that ownership to the new `Owned<Page>` object. + // Since `Page` is transparent, we can cast the pointer directly. + Ok(unsafe { Owned::from_raw(page.cast()) }) } /// Returns a raw pointer to the page. pub fn as_ptr(&self) -> *mut bindings::page { - self.page.as_ptr() + Opaque::cast_into(&self.page) } /// Get the node id containing this page. @@ -348,10 +358,12 @@ pub unsafe fn copy_from_user_slice_raw( } } -impl Drop for Page { +impl Ownable for Page { #[inline] - fn drop(&mut self) { - // SAFETY: By the type invariants, we have ownership of the page and can free it. - unsafe { bindings::__free_pages(self.page.as_ptr(), 0) }; + unsafe fn release(&mut self) { + let ptr: *mut Self = self; + // SAFETY: By the function safety requirements, we have ownership of the page and can free + // it. Since Page is transparent, we can cast the raw pointer directly. + unsafe { bindings::__free_pages(ptr.cast(), 0) }; } } -- 2.51.2
