mirror of
https://github.com/torvalds/linux.git
synced 2025-08-16 22:51:39 +02:00
ec7714e494
Toolchain and infrastructure:
- KUnit '#[test]'s:
- Support KUnit-mapped 'assert!' macros.
The support that landed last cycle was very basic, and the
'assert!' macros panicked since they were the standard library
ones. Now, they are mapped to the KUnit ones in a similar way to
how is done for doctests, reusing the infrastructure there.
With this, a failing test like:
#[test]
fn my_first_test() {
assert_eq!(42, 43);
}
will report:
# my_first_test: ASSERTION FAILED at rust/kernel/lib.rs:251
Expected 42 == 43 to be true, but is false
# my_first_test.speed: normal
not ok 1 my_first_test
- Support tests with checked 'Result' return types.
The return value of test functions that return a 'Result' will be
checked, thus one can now easily catch errors when e.g. using the
'?' operator in tests.
With this, a failing test like:
#[test]
fn my_test() -> Result {
f()?;
Ok(())
}
will report:
# my_test: ASSERTION FAILED at rust/kernel/lib.rs:321
Expected is_test_result_ok(my_test()) to be true, but is false
# my_test.speed: normal
not ok 1 my_test
- Add 'kunit_tests' to the prelude.
- Clarify the remaining language unstable features in use.
- Compile 'core' with edition 2024 for Rust >= 1.87.
- Workaround 'bindgen' issue with forward references to 'enum' types.
- objtool: relax slice condition to cover more 'noreturn' functions.
- Use absolute paths in macros referencing 'core' and 'kernel' crates.
- Skip '-mno-fdpic' flag for bindgen in GCC 32-bit arm builds.
- Clean some 'doc_markdown' lint hits -- we may enable it later on.
'kernel' crate:
- 'alloc' module:
- 'Box': support for type coercion, e.g. 'Box<T>' to 'Box<dyn U>' if
'T' implements 'U'.
- 'Vec': implement new methods (prerequisites for nova-core and
binder): 'truncate', 'resize', 'clear', 'pop',
'push_within_capacity' (with new error type 'PushError'),
'drain_all', 'retain', 'remove' (with new error type
'RemoveError'), insert_within_capacity' (with new error type
'InsertError').
In addition, simplify 'push' using 'spare_capacity_mut', split
'set_len' into 'inc_len' and 'dec_len', add type invariant
'len <= capacity' and simplify 'truncate' using 'dec_len'.
- 'time' module:
- Morph the Rust hrtimer subsystem into the Rust timekeeping
subsystem, covering delay, sleep, timekeeping, timers. This new
subsystem has all the relevant timekeeping C maintainers listed in
the entry.
- Replace 'Ktime' with 'Delta' and 'Instant' types to represent a
duration of time and a point in time.
- Temporarily add 'Ktime' to 'hrtimer' module to allow 'hrtimer' to
delay converting to 'Instant' and 'Delta'.
- 'xarray' module:
- Add a Rust abstraction for the 'xarray' data structure. This
abstraction allows Rust code to leverage the 'xarray' to store
types that implement 'ForeignOwnable'. This support is a dependency
for memory backing feature of the Rust null block driver, which is
waiting to be merged.
- Set up an entry in 'MAINTAINERS' for the XArray Rust support.
Patches will go to the new Rust XArray tree and then via the Rust
subsystem tree for now.
- Allow 'ForeignOwnable' to carry information about the pointed-to
type. This helps asserting alignment requirements for the pointer
passed to the foreign language.
- 'container_of!': retain pointer mut-ness and add a compile-time check
of the type of the first parameter ('$field_ptr').
- Support optional message in 'static_assert!'.
- Add C FFI types (e.g. 'c_int') to the prelude.
- 'str' module: simplify KUnit tests 'format!' macro, convert
'rusttest' tests into KUnit, take advantage of the '-> Result'
support in KUnit '#[test]'s.
- 'list' module: add examples for 'List', fix path of 'assert_pinned!'
(so far unused macro rule).
- 'workqueue' module: remove 'HasWork::OFFSET'.
- 'page' module: add 'inline' attribute.
'macros' crate:
- 'module' macro: place 'cleanup_module()' in '.exit.text' section.
'pin-init' crate:
- Add 'Wrapper<T>' trait for creating pin-initializers for wrapper
structs with a structurally pinned value such as 'UnsafeCell<T>' or
'MaybeUninit<T>'.
- Add 'MaybeZeroable' derive macro to try to derive 'Zeroable', but
not error if not all fields implement it. This is needed to derive
'Zeroable' for all bindgen-generated structs.
- Add 'unsafe fn cast_[pin_]init()' functions to unsafely change the
initialized type of an initializer. These are utilized by the
'Wrapper<T>' implementations.
- Add support for visibility in 'Zeroable' derive macro.
- Add support for 'union's in 'Zeroable' derive macro.
- Upstream dev news: streamline CI, fix some bugs. Add new workflows
to check if the user-space version and the one in the kernel tree
have diverged. Use the issues tab [1] to track them, which should
help folks report and diagnose issues w.r.t. 'pin-init' better.
[1] https://github.com/rust-for-linux/pin-init/issues
Documentation:
- Testing: add docs on the new KUnit '#[test]' tests.
- Coding guidelines: explain that '///' vs. '//' applies to private
items too. Add section on C FFI types.
- Quick Start guide: update Ubuntu instructions and split them into
"25.04" and "24.04 LTS and older".
And a few other cleanups and improvements.
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEPjU5OPd5QIZ9jqqOGXyLc2htIW0FAmhBAvYACgkQGXyLc2ht
IW3qvA/+KRTCYKcI6JyUT9TdhRmaaMsQ0/5j6Kx4CfRQPZTSWsXyBEU75yEIZUQD
SUGQFwmMAYeAKQD1SumFCRy973VzUO45DyKM+7vuVhKN1ZjnAtv63+31C3UFATlA
8Tm3GCqQEGKl4IER7xI3D/vpZA5FOv+GotjNieF3O9FpHDCvV/JQScq9I2oXQPCt
17kRLww/DTfpf4qiLmxmxHn6nCsbecdfEce1kfjk3nNuE6B2tPf+ddYOwunLEvkB
LA4Cr6T1Cy1ovRQgxg9Pdkl/0Rta0tFcsKt1LqPgjR+n95stsHgAzbyMGuUKoeZx
u2R2pwlrJt6Xe4CEZgTIRfYWgF81qUzdcPuflcSMDCpH0nTep74A2lIiWUHWZSh4
LbPh7r90Q8YwGKVJiWqLfHUmQBnmTEm3D2gydSExPKJXSzB4Rbv4w4fPF3dhzMtC
4+KvmHKIojFkAdTLt+5rkKipJGo/rghvQvaQr9JOu+QO4vfhkesB4pUWC4sZd9A9
GJBP97ynWAsXGGaeaaSli0b851X+VE/WIDOmPMselbA3rVADChE6HsJnY/wVVeWK
jupvAhUExSczDPCluGv8T9EVXvv6+fg3bB5pD6R01NNJe6iE/LIDQ5Gj5rg4qahM
EFzMgPj6hMt5McvWI8q1/ym0bzdeC2/cmaV6E14hvphAZoORUKI=
=JRqL
-----END PGP SIGNATURE-----
Merge tag 'rust-6.16' of git://git.kernel.org/pub/scm/linux/kernel/git/ojeda/linux
Pull Rust updates from Miguel Ojeda:
"Toolchain and infrastructure:
- KUnit '#[test]'s:
- Support KUnit-mapped 'assert!' macros.
The support that landed last cycle was very basic, and the
'assert!' macros panicked since they were the standard library
ones. Now, they are mapped to the KUnit ones in a similar way to
how is done for doctests, reusing the infrastructure there.
With this, a failing test like:
#[test]
fn my_first_test() {
assert_eq!(42, 43);
}
will report:
# my_first_test: ASSERTION FAILED at rust/kernel/lib.rs:251
Expected 42 == 43 to be true, but is false
# my_first_test.speed: normal
not ok 1 my_first_test
- Support tests with checked 'Result' return types.
The return value of test functions that return a 'Result' will
be checked, thus one can now easily catch errors when e.g. using
the '?' operator in tests.
With this, a failing test like:
#[test]
fn my_test() -> Result {
f()?;
Ok(())
}
will report:
# my_test: ASSERTION FAILED at rust/kernel/lib.rs:321
Expected is_test_result_ok(my_test()) to be true, but is false
# my_test.speed: normal
not ok 1 my_test
- Add 'kunit_tests' to the prelude.
- Clarify the remaining language unstable features in use.
- Compile 'core' with edition 2024 for Rust >= 1.87.
- Workaround 'bindgen' issue with forward references to 'enum' types.
- objtool: relax slice condition to cover more 'noreturn' functions.
- Use absolute paths in macros referencing 'core' and 'kernel'
crates.
- Skip '-mno-fdpic' flag for bindgen in GCC 32-bit arm builds.
- Clean some 'doc_markdown' lint hits -- we may enable it later on.
'kernel' crate:
- 'alloc' module:
- 'Box': support for type coercion, e.g. 'Box<T>' to 'Box<dyn U>'
if 'T' implements 'U'.
- 'Vec': implement new methods (prerequisites for nova-core and
binder): 'truncate', 'resize', 'clear', 'pop',
'push_within_capacity' (with new error type 'PushError'),
'drain_all', 'retain', 'remove' (with new error type
'RemoveError'), insert_within_capacity' (with new error type
'InsertError').
In addition, simplify 'push' using 'spare_capacity_mut', split
'set_len' into 'inc_len' and 'dec_len', add type invariant 'len
<= capacity' and simplify 'truncate' using 'dec_len'.
- 'time' module:
- Morph the Rust hrtimer subsystem into the Rust timekeeping
subsystem, covering delay, sleep, timekeeping, timers. This new
subsystem has all the relevant timekeeping C maintainers listed
in the entry.
- Replace 'Ktime' with 'Delta' and 'Instant' types to represent a
duration of time and a point in time.
- Temporarily add 'Ktime' to 'hrtimer' module to allow 'hrtimer'
to delay converting to 'Instant' and 'Delta'.
- 'xarray' module:
- Add a Rust abstraction for the 'xarray' data structure. This
abstraction allows Rust code to leverage the 'xarray' to store
types that implement 'ForeignOwnable'. This support is a
dependency for memory backing feature of the Rust null block
driver, which is waiting to be merged.
- Set up an entry in 'MAINTAINERS' for the XArray Rust support.
Patches will go to the new Rust XArray tree and then via the
Rust subsystem tree for now.
- Allow 'ForeignOwnable' to carry information about the pointed-to
type. This helps asserting alignment requirements for the
pointer passed to the foreign language.
- 'container_of!': retain pointer mut-ness and add a compile-time
check of the type of the first parameter ('$field_ptr').
- Support optional message in 'static_assert!'.
- Add C FFI types (e.g. 'c_int') to the prelude.
- 'str' module: simplify KUnit tests 'format!' macro, convert
'rusttest' tests into KUnit, take advantage of the '-> Result'
support in KUnit '#[test]'s.
- 'list' module: add examples for 'List', fix path of
'assert_pinned!' (so far unused macro rule).
- 'workqueue' module: remove 'HasWork::OFFSET'.
- 'page' module: add 'inline' attribute.
'macros' crate:
- 'module' macro: place 'cleanup_module()' in '.exit.text' section.
'pin-init' crate:
- Add 'Wrapper<T>' trait for creating pin-initializers for wrapper
structs with a structurally pinned value such as 'UnsafeCell<T>' or
'MaybeUninit<T>'.
- Add 'MaybeZeroable' derive macro to try to derive 'Zeroable', but
not error if not all fields implement it. This is needed to derive
'Zeroable' for all bindgen-generated structs.
- Add 'unsafe fn cast_[pin_]init()' functions to unsafely change the
initialized type of an initializer. These are utilized by the
'Wrapper<T>' implementations.
- Add support for visibility in 'Zeroable' derive macro.
- Add support for 'union's in 'Zeroable' derive macro.
- Upstream dev news: streamline CI, fix some bugs. Add new workflows
to check if the user-space version and the one in the kernel tree
have diverged. Use the issues tab [1] to track them, which should
help folks report and diagnose issues w.r.t. 'pin-init' better.
[1] https://github.com/rust-for-linux/pin-init/issues
Documentation:
- Testing: add docs on the new KUnit '#[test]' tests.
- Coding guidelines: explain that '///' vs. '//' applies to private
items too. Add section on C FFI types.
- Quick Start guide: update Ubuntu instructions and split them into
"25.04" and "24.04 LTS and older".
And a few other cleanups and improvements"
* tag 'rust-6.16' of git://git.kernel.org/pub/scm/linux/kernel/git/ojeda/linux: (78 commits)
rust: list: Fix typo `much` in arc.rs
rust: check type of `$ptr` in `container_of!`
rust: workqueue: remove HasWork::OFFSET
rust: retain pointer mut-ness in `container_of!`
Documentation: rust: testing: add docs on the new KUnit `#[test]` tests
Documentation: rust: rename `#[test]`s to "`rusttest` host tests"
rust: str: take advantage of the `-> Result` support in KUnit `#[test]`'s
rust: str: simplify KUnit tests `format!` macro
rust: str: convert `rusttest` tests into KUnit
rust: add `kunit_tests` to the prelude
rust: kunit: support checked `-> Result`s in KUnit `#[test]`s
rust: kunit: support KUnit-mapped `assert!` macros in `#[test]`s
rust: make section names plural
rust: list: fix path of `assert_pinned!`
rust: compile libcore with edition 2024 for 1.87+
rust: dma: add missing Markdown code span
rust: task: add missing Markdown code spans and intra-doc links
rust: pci: fix docs related to missing Markdown code spans
rust: alloc: add missing Markdown code span
rust: alloc: add missing Markdown code spans
...
391 lines
15 KiB
Rust
391 lines
15 KiB
Rust
// SPDX-License-Identifier: GPL-2.0
|
|
|
|
//! Direct memory access (DMA).
|
|
//!
|
|
//! C header: [`include/linux/dma-mapping.h`](srctree/include/linux/dma-mapping.h)
|
|
|
|
use crate::{
|
|
bindings, build_assert,
|
|
device::{Bound, Device},
|
|
error::code::*,
|
|
error::Result,
|
|
transmute::{AsBytes, FromBytes},
|
|
types::ARef,
|
|
};
|
|
|
|
/// Possible attributes associated with a DMA mapping.
|
|
///
|
|
/// They can be combined with the operators `|`, `&`, and `!`.
|
|
///
|
|
/// Values can be used from the [`attrs`] module.
|
|
///
|
|
/// # Examples
|
|
///
|
|
/// ```
|
|
/// # use kernel::device::{Bound, Device};
|
|
/// use kernel::dma::{attrs::*, CoherentAllocation};
|
|
///
|
|
/// # fn test(dev: &Device<Bound>) -> Result {
|
|
/// let attribs = DMA_ATTR_FORCE_CONTIGUOUS | DMA_ATTR_NO_WARN;
|
|
/// let c: CoherentAllocation<u64> =
|
|
/// CoherentAllocation::alloc_attrs(dev, 4, GFP_KERNEL, attribs)?;
|
|
/// # Ok::<(), Error>(()) }
|
|
/// ```
|
|
#[derive(Clone, Copy, PartialEq)]
|
|
#[repr(transparent)]
|
|
pub struct Attrs(u32);
|
|
|
|
impl Attrs {
|
|
/// Get the raw representation of this attribute.
|
|
pub(crate) fn as_raw(self) -> crate::ffi::c_ulong {
|
|
self.0 as _
|
|
}
|
|
|
|
/// Check whether `flags` is contained in `self`.
|
|
pub fn contains(self, flags: Attrs) -> bool {
|
|
(self & flags) == flags
|
|
}
|
|
}
|
|
|
|
impl core::ops::BitOr for Attrs {
|
|
type Output = Self;
|
|
fn bitor(self, rhs: Self) -> Self::Output {
|
|
Self(self.0 | rhs.0)
|
|
}
|
|
}
|
|
|
|
impl core::ops::BitAnd for Attrs {
|
|
type Output = Self;
|
|
fn bitand(self, rhs: Self) -> Self::Output {
|
|
Self(self.0 & rhs.0)
|
|
}
|
|
}
|
|
|
|
impl core::ops::Not for Attrs {
|
|
type Output = Self;
|
|
fn not(self) -> Self::Output {
|
|
Self(!self.0)
|
|
}
|
|
}
|
|
|
|
/// DMA mapping attributes.
|
|
pub mod attrs {
|
|
use super::Attrs;
|
|
|
|
/// Specifies that reads and writes to the mapping may be weakly ordered, that is that reads
|
|
/// and writes may pass each other.
|
|
pub const DMA_ATTR_WEAK_ORDERING: Attrs = Attrs(bindings::DMA_ATTR_WEAK_ORDERING);
|
|
|
|
/// Specifies that writes to the mapping may be buffered to improve performance.
|
|
pub const DMA_ATTR_WRITE_COMBINE: Attrs = Attrs(bindings::DMA_ATTR_WRITE_COMBINE);
|
|
|
|
/// Lets the platform to avoid creating a kernel virtual mapping for the allocated buffer.
|
|
pub const DMA_ATTR_NO_KERNEL_MAPPING: Attrs = Attrs(bindings::DMA_ATTR_NO_KERNEL_MAPPING);
|
|
|
|
/// Allows platform code to skip synchronization of the CPU cache for the given buffer assuming
|
|
/// that it has been already transferred to 'device' domain.
|
|
pub const DMA_ATTR_SKIP_CPU_SYNC: Attrs = Attrs(bindings::DMA_ATTR_SKIP_CPU_SYNC);
|
|
|
|
/// Forces contiguous allocation of the buffer in physical memory.
|
|
pub const DMA_ATTR_FORCE_CONTIGUOUS: Attrs = Attrs(bindings::DMA_ATTR_FORCE_CONTIGUOUS);
|
|
|
|
/// This is a hint to the DMA-mapping subsystem that it's probably not worth the time to try
|
|
/// to allocate memory to in a way that gives better TLB efficiency.
|
|
pub const DMA_ATTR_ALLOC_SINGLE_PAGES: Attrs = Attrs(bindings::DMA_ATTR_ALLOC_SINGLE_PAGES);
|
|
|
|
/// This tells the DMA-mapping subsystem to suppress allocation failure reports (similarly to
|
|
/// `__GFP_NOWARN`).
|
|
pub const DMA_ATTR_NO_WARN: Attrs = Attrs(bindings::DMA_ATTR_NO_WARN);
|
|
|
|
/// Used to indicate that the buffer is fully accessible at an elevated privilege level (and
|
|
/// ideally inaccessible or at least read-only at lesser-privileged levels).
|
|
pub const DMA_ATTR_PRIVILEGED: Attrs = Attrs(bindings::DMA_ATTR_PRIVILEGED);
|
|
}
|
|
|
|
/// An abstraction of the `dma_alloc_coherent` API.
|
|
///
|
|
/// This is an abstraction around the `dma_alloc_coherent` API which is used to allocate and map
|
|
/// large consistent DMA regions.
|
|
///
|
|
/// A [`CoherentAllocation`] instance contains a pointer to the allocated region (in the
|
|
/// processor's virtual address space) and the device address which can be given to the device
|
|
/// as the DMA address base of the region. The region is released once [`CoherentAllocation`]
|
|
/// is dropped.
|
|
///
|
|
/// # Invariants
|
|
///
|
|
/// For the lifetime of an instance of [`CoherentAllocation`], the `cpu_addr` is a valid pointer
|
|
/// to an allocated region of consistent memory and `dma_handle` is the DMA address base of
|
|
/// the region.
|
|
// TODO
|
|
//
|
|
// DMA allocations potentially carry device resources (e.g.IOMMU mappings), hence for soundness
|
|
// reasons DMA allocation would need to be embedded in a `Devres` container, in order to ensure
|
|
// that device resources can never survive device unbind.
|
|
//
|
|
// However, it is neither desirable nor necessary to protect the allocated memory of the DMA
|
|
// allocation from surviving device unbind; it would require RCU read side critical sections to
|
|
// access the memory, which may require subsequent unnecessary copies.
|
|
//
|
|
// Hence, find a way to revoke the device resources of a `CoherentAllocation`, but not the
|
|
// entire `CoherentAllocation` including the allocated memory itself.
|
|
pub struct CoherentAllocation<T: AsBytes + FromBytes> {
|
|
dev: ARef<Device>,
|
|
dma_handle: bindings::dma_addr_t,
|
|
count: usize,
|
|
cpu_addr: *mut T,
|
|
dma_attrs: Attrs,
|
|
}
|
|
|
|
impl<T: AsBytes + FromBytes> CoherentAllocation<T> {
|
|
/// Allocates a region of `size_of::<T> * count` of consistent memory.
|
|
///
|
|
/// # Examples
|
|
///
|
|
/// ```
|
|
/// # use kernel::device::{Bound, Device};
|
|
/// use kernel::dma::{attrs::*, CoherentAllocation};
|
|
///
|
|
/// # fn test(dev: &Device<Bound>) -> Result {
|
|
/// let c: CoherentAllocation<u64> =
|
|
/// CoherentAllocation::alloc_attrs(dev, 4, GFP_KERNEL, DMA_ATTR_NO_WARN)?;
|
|
/// # Ok::<(), Error>(()) }
|
|
/// ```
|
|
pub fn alloc_attrs(
|
|
dev: &Device<Bound>,
|
|
count: usize,
|
|
gfp_flags: kernel::alloc::Flags,
|
|
dma_attrs: Attrs,
|
|
) -> Result<CoherentAllocation<T>> {
|
|
build_assert!(
|
|
core::mem::size_of::<T>() > 0,
|
|
"It doesn't make sense for the allocated type to be a ZST"
|
|
);
|
|
|
|
let size = count
|
|
.checked_mul(core::mem::size_of::<T>())
|
|
.ok_or(EOVERFLOW)?;
|
|
let mut dma_handle = 0;
|
|
// SAFETY: Device pointer is guaranteed as valid by the type invariant on `Device`.
|
|
let ret = unsafe {
|
|
bindings::dma_alloc_attrs(
|
|
dev.as_raw(),
|
|
size,
|
|
&mut dma_handle,
|
|
gfp_flags.as_raw(),
|
|
dma_attrs.as_raw(),
|
|
)
|
|
};
|
|
if ret.is_null() {
|
|
return Err(ENOMEM);
|
|
}
|
|
// INVARIANT: We just successfully allocated a coherent region which is accessible for
|
|
// `count` elements, hence the cpu address is valid. We also hold a refcounted reference
|
|
// to the device.
|
|
Ok(Self {
|
|
dev: dev.into(),
|
|
dma_handle,
|
|
count,
|
|
cpu_addr: ret as *mut T,
|
|
dma_attrs,
|
|
})
|
|
}
|
|
|
|
/// Performs the same functionality as [`CoherentAllocation::alloc_attrs`], except the
|
|
/// `dma_attrs` is 0 by default.
|
|
pub fn alloc_coherent(
|
|
dev: &Device<Bound>,
|
|
count: usize,
|
|
gfp_flags: kernel::alloc::Flags,
|
|
) -> Result<CoherentAllocation<T>> {
|
|
CoherentAllocation::alloc_attrs(dev, count, gfp_flags, Attrs(0))
|
|
}
|
|
|
|
/// Returns the base address to the allocated region in the CPU's virtual address space.
|
|
pub fn start_ptr(&self) -> *const T {
|
|
self.cpu_addr
|
|
}
|
|
|
|
/// Returns the base address to the allocated region in the CPU's virtual address space as
|
|
/// a mutable pointer.
|
|
pub fn start_ptr_mut(&mut self) -> *mut T {
|
|
self.cpu_addr
|
|
}
|
|
|
|
/// Returns a DMA handle which may given to the device as the DMA address base of
|
|
/// the region.
|
|
pub fn dma_handle(&self) -> bindings::dma_addr_t {
|
|
self.dma_handle
|
|
}
|
|
|
|
/// Returns a pointer to an element from the region with bounds checking. `offset` is in
|
|
/// units of `T`, not the number of bytes.
|
|
///
|
|
/// Public but hidden since it should only be used from [`dma_read`] and [`dma_write`] macros.
|
|
#[doc(hidden)]
|
|
pub fn item_from_index(&self, offset: usize) -> Result<*mut T> {
|
|
if offset >= self.count {
|
|
return Err(EINVAL);
|
|
}
|
|
// SAFETY:
|
|
// - The pointer is valid due to type invariant on `CoherentAllocation`
|
|
// and we've just checked that the range and index is within bounds.
|
|
// - `offset` can't overflow since it is smaller than `self.count` and we've checked
|
|
// that `self.count` won't overflow early in the constructor.
|
|
Ok(unsafe { self.cpu_addr.add(offset) })
|
|
}
|
|
|
|
/// Reads the value of `field` and ensures that its type is [`FromBytes`].
|
|
///
|
|
/// # Safety
|
|
///
|
|
/// This must be called from the [`dma_read`] macro which ensures that the `field` pointer is
|
|
/// validated beforehand.
|
|
///
|
|
/// Public but hidden since it should only be used from [`dma_read`] macro.
|
|
#[doc(hidden)]
|
|
pub unsafe fn field_read<F: FromBytes>(&self, field: *const F) -> F {
|
|
// SAFETY:
|
|
// - By the safety requirements field is valid.
|
|
// - Using read_volatile() here is not sound as per the usual rules, the usage here is
|
|
// a special exception with the following notes in place. When dealing with a potential
|
|
// race from a hardware or code outside kernel (e.g. user-space program), we need that
|
|
// read on a valid memory is not UB. Currently read_volatile() is used for this, and the
|
|
// rationale behind is that it should generate the same code as READ_ONCE() which the
|
|
// kernel already relies on to avoid UB on data races. Note that the usage of
|
|
// read_volatile() is limited to this particular case, it cannot be used to prevent
|
|
// the UB caused by racing between two kernel functions nor do they provide atomicity.
|
|
unsafe { field.read_volatile() }
|
|
}
|
|
|
|
/// Writes a value to `field` and ensures that its type is [`AsBytes`].
|
|
///
|
|
/// # Safety
|
|
///
|
|
/// This must be called from the [`dma_write`] macro which ensures that the `field` pointer is
|
|
/// validated beforehand.
|
|
///
|
|
/// Public but hidden since it should only be used from [`dma_write`] macro.
|
|
#[doc(hidden)]
|
|
pub unsafe fn field_write<F: AsBytes>(&self, field: *mut F, val: F) {
|
|
// SAFETY:
|
|
// - By the safety requirements field is valid.
|
|
// - Using write_volatile() here is not sound as per the usual rules, the usage here is
|
|
// a special exception with the following notes in place. When dealing with a potential
|
|
// race from a hardware or code outside kernel (e.g. user-space program), we need that
|
|
// write on a valid memory is not UB. Currently write_volatile() is used for this, and the
|
|
// rationale behind is that it should generate the same code as WRITE_ONCE() which the
|
|
// kernel already relies on to avoid UB on data races. Note that the usage of
|
|
// write_volatile() is limited to this particular case, it cannot be used to prevent
|
|
// the UB caused by racing between two kernel functions nor do they provide atomicity.
|
|
unsafe { field.write_volatile(val) }
|
|
}
|
|
}
|
|
|
|
/// Note that the device configured to do DMA must be halted before this object is dropped.
|
|
impl<T: AsBytes + FromBytes> Drop for CoherentAllocation<T> {
|
|
fn drop(&mut self) {
|
|
let size = self.count * core::mem::size_of::<T>();
|
|
// SAFETY: Device pointer is guaranteed as valid by the type invariant on `Device`.
|
|
// The cpu address, and the dma handle are valid due to the type invariants on
|
|
// `CoherentAllocation`.
|
|
unsafe {
|
|
bindings::dma_free_attrs(
|
|
self.dev.as_raw(),
|
|
size,
|
|
self.cpu_addr as _,
|
|
self.dma_handle,
|
|
self.dma_attrs.as_raw(),
|
|
)
|
|
}
|
|
}
|
|
}
|
|
|
|
// SAFETY: It is safe to send a `CoherentAllocation` to another thread if `T`
|
|
// can be sent to another thread.
|
|
unsafe impl<T: AsBytes + FromBytes + Send> Send for CoherentAllocation<T> {}
|
|
|
|
/// Reads a field of an item from an allocated region of structs.
|
|
///
|
|
/// # Examples
|
|
///
|
|
/// ```
|
|
/// use kernel::device::Device;
|
|
/// use kernel::dma::{attrs::*, CoherentAllocation};
|
|
///
|
|
/// struct MyStruct { field: u32, }
|
|
///
|
|
/// // SAFETY: All bit patterns are acceptable values for `MyStruct`.
|
|
/// unsafe impl kernel::transmute::FromBytes for MyStruct{};
|
|
/// // SAFETY: Instances of `MyStruct` have no uninitialized portions.
|
|
/// unsafe impl kernel::transmute::AsBytes for MyStruct{};
|
|
///
|
|
/// # fn test(alloc: &kernel::dma::CoherentAllocation<MyStruct>) -> Result {
|
|
/// let whole = kernel::dma_read!(alloc[2]);
|
|
/// let field = kernel::dma_read!(alloc[1].field);
|
|
/// # Ok::<(), Error>(()) }
|
|
/// ```
|
|
#[macro_export]
|
|
macro_rules! dma_read {
|
|
($dma:expr, $idx: expr, $($field:tt)*) => {{
|
|
let item = $crate::dma::CoherentAllocation::item_from_index(&$dma, $idx)?;
|
|
// SAFETY: `item_from_index` ensures that `item` is always a valid pointer and can be
|
|
// dereferenced. The compiler also further validates the expression on whether `field`
|
|
// is a member of `item` when expanded by the macro.
|
|
unsafe {
|
|
let ptr_field = ::core::ptr::addr_of!((*item) $($field)*);
|
|
$crate::dma::CoherentAllocation::field_read(&$dma, ptr_field)
|
|
}
|
|
}};
|
|
($dma:ident [ $idx:expr ] $($field:tt)* ) => {
|
|
$crate::dma_read!($dma, $idx, $($field)*);
|
|
};
|
|
($($dma:ident).* [ $idx:expr ] $($field:tt)* ) => {
|
|
$crate::dma_read!($($dma).*, $idx, $($field)*);
|
|
};
|
|
}
|
|
|
|
/// Writes to a field of an item from an allocated region of structs.
|
|
///
|
|
/// # Examples
|
|
///
|
|
/// ```
|
|
/// use kernel::device::Device;
|
|
/// use kernel::dma::{attrs::*, CoherentAllocation};
|
|
///
|
|
/// struct MyStruct { member: u32, }
|
|
///
|
|
/// // SAFETY: All bit patterns are acceptable values for `MyStruct`.
|
|
/// unsafe impl kernel::transmute::FromBytes for MyStruct{};
|
|
/// // SAFETY: Instances of `MyStruct` have no uninitialized portions.
|
|
/// unsafe impl kernel::transmute::AsBytes for MyStruct{};
|
|
///
|
|
/// # fn test(alloc: &kernel::dma::CoherentAllocation<MyStruct>) -> Result {
|
|
/// kernel::dma_write!(alloc[2].member = 0xf);
|
|
/// kernel::dma_write!(alloc[1] = MyStruct { member: 0xf });
|
|
/// # Ok::<(), Error>(()) }
|
|
/// ```
|
|
#[macro_export]
|
|
macro_rules! dma_write {
|
|
($dma:ident [ $idx:expr ] $($field:tt)*) => {{
|
|
$crate::dma_write!($dma, $idx, $($field)*);
|
|
}};
|
|
($($dma:ident).* [ $idx:expr ] $($field:tt)* ) => {{
|
|
$crate::dma_write!($($dma).*, $idx, $($field)*);
|
|
}};
|
|
($dma:expr, $idx: expr, = $val:expr) => {
|
|
let item = $crate::dma::CoherentAllocation::item_from_index(&$dma, $idx)?;
|
|
// SAFETY: `item_from_index` ensures that `item` is always a valid item.
|
|
unsafe { $crate::dma::CoherentAllocation::field_write(&$dma, item, $val) }
|
|
};
|
|
($dma:expr, $idx: expr, $(.$field:ident)* = $val:expr) => {
|
|
let item = $crate::dma::CoherentAllocation::item_from_index(&$dma, $idx)?;
|
|
// SAFETY: `item_from_index` ensures that `item` is always a valid pointer and can be
|
|
// dereferenced. The compiler also further validates the expression on whether `field`
|
|
// is a member of `item` when expanded by the macro.
|
|
unsafe {
|
|
let ptr_field = ::core::ptr::addr_of_mut!((*item) $(.$field)*);
|
|
$crate::dma::CoherentAllocation::field_write(&$dma, ptr_field, $val)
|
|
}
|
|
};
|
|
}
|