Adds support for doing array copies of data in and out of IO regions. Fixed size arrays allow for compile-time bound checking, while slice arguments allow for dynamically checked copies.
Signed-off-by: Matthew Maurer <[email protected]>
---
 rust/kernel/io.rs | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 71 insertions(+), 1 deletion(-)

diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
index 056a3ec71647b866a9a4b4c9abe9a0844f126930..6e74245eced2c267ba3b5b744eab3bc2db670e71 100644
--- a/rust/kernel/io.rs
+++ b/rust/kernel/io.rs
@@ -266,8 +266,9 @@ macro_rules! define_write {
 #[inline]
 const fn offset_valid<U>(offset: usize, size: usize) -> bool {
 let type_size = core::mem::size_of::<U>();
+ let type_align = core::mem::align_of::<U>();
 if let Some(end) = offset.checked_add(type_size) {
- end <= size && offset % type_size == 0
+ end <= size && offset % type_align == 0
 } else {
 false
 }
@@ -323,6 +324,25 @@ fn io_addr<U>(&self, offset: usize) -> Result<usize> {
 self.addr().checked_add(offset).ok_or(EINVAL)
 }
 
+ /// Returns the absolute I/O address for a given `offset`, performing runtime bounds checks
+ /// to ensure the entire range is available.
+ #[inline]
+ fn io_addr_range<U>(&self, offset: usize, count: usize) -> Result<usize> {
+ if count != 0 {
+ // These ranges are contiguous, so we can just check the first and last elements.
+ let bytes = (count - 1)
+ .checked_mul(core::mem::size_of::<U>())
+ .ok_or(EINVAL)?;
+ let end = offset.checked_add(bytes).ok_or(EINVAL)?;
+ if !offset_valid::<U>(offset, self.maxsize()) || !offset_valid::<U>(end, self.maxsize())
+ {
+ return Err(EINVAL);
+ }
+ }
+
+ self.addr().checked_add(offset).ok_or(EINVAL)
+ }
+
 /// Returns the absolute I/O address for a given `offset`,
 /// performing compile-time bound checks.
 // Always inline to optimize out error path of `build_assert`.
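Review bot: `io_addr_range` performs no check at all when `count == 0`, so an empty slice handed to `try_copy_from`/`try_copy_to` (hunk 3) is accepted with any `offset`, including one past `self.maxsize()`, and the resulting out-of-region address is passed to `memcpy_toio`/`memcpy_fromio` with length zero. The copy touches nothing, but the doc comment on the callers promises the call "will fail if the offset ... is out of bounds", which does not hold here; either state it (`/// A zero-length range performs no bounds check on `offset`.`) or keep the invariant with `} else if offset > self.maxsize() { return Err(EINVAL); }` ahead of the final `checked_add`. The alignment half of the second `offset_valid::<U>(end, ...)` call is redundant once the first element is aligned, since `bytes` is a multiple of `size_of::<U>()`, which is itself a multiple of the alignment; only its bounds half does work, which a comment such as `// `end` is aligned by construction; this only checks the last element stays in bounds.` would make clear. The enclosing `impl` block starts before this hunk.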
@@ -605,4 +625,54 @@ pub unsafe fn from_raw(raw: &MmioRaw<SIZE>) -> &Self { pub try_write64_relaxed, call_mmio_write(writeq_relaxed) <- u64 ); + + /// Write a known size buffer to an offset known at compile time. + /// + /// Bound checks are performed at compile time, hence if the offset is not known at compile + /// time, the build will fail, and the buffer size must be statically known. + #[inline] + pub fn copy_from<const N: usize>(&self, src: &[u8; N], offset: usize) { + let addr = self.io_addr_assert::<[u8; N]>(offset); + // SAFETY: By the type invariant `addr` is a valid address for MMIO operations, and by the + // assertion it's valid for `N` bytes. + unsafe { bindings::memcpy_toio(addr as *mut c_void, src.as_ptr().cast(), N) } + } + + /// Write the contents of a slice to an offset. + /// + /// Bound checks are performed at runtime and will fail if the offset (plus the slice size) is + /// out of bounds. + #[inline] + pub fn try_copy_from(&self, src: &[u8], offset: usize) -> Result<()> { + let addr = self.io_addr_range::<u8>(offset, src.len())?; + // SAFETY: By the type invariant `addr` is a valid address for MMIO operations, and by the + // range check it's valid for `src.len()` bytes. + unsafe { bindings::memcpy_toio(addr as *mut c_void, src.as_ptr().cast(), src.len()) }; + Ok(()) + } + + /// Read a known size buffer from an offset known at compile time. + /// + /// Bound checks are performed at compile time, hence if the offset is not known at compile + /// time, the build will fail, and the buffer size must be statically known. + #[inline] + pub fn copy_to<const N: usize>(&self, dst: &mut [u8; N], offset: usize) { + let addr = self.io_addr_assert::<[u8; N]>(offset); + // SAFETY: By the type invariant `addr` is a valid address for MMIO operations, and by the + // assertion it's valid for `N` bytes. + unsafe { bindings::memcpy_fromio(dst.as_mut_ptr().cast(), addr as *mut c_void, N) } + } + + /// Read into a slice from an offset. 
+ /// + /// Bound checks are performed at runtime and will fail if the offset (plus the slice size) is + /// out of bounds. + #[inline] + pub fn try_copy_to(&self, dst: &mut [u8], offset: usize) -> Result<()> { + let addr = self.io_addr_range::<u8>(offset, dst.len())?; + // SAFETY: By the type invariant `addr` is a valid address for MMIO operations, and by the + // range check, it's valid for `dst.len()` bytes. + unsafe { bindings::memcpy_fromio(dst.as_mut_ptr().cast(), addr as *mut c_void, dst.len()) } + Ok(()) + } } -- 2.53.0.rc2.204.g2597b5adb4-goog
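Review bot: `try_copy_from` terminates its `unsafe { ... }` statement with a semicolon while `try_copy_to` leaves it bare before `Ok(())`; both compile because the bindings return unit, but the two `Result` variants should use the same form (`unsafe { ... };` then `Ok(())`) so the four new methods read alike. The fixed-size variants depend on `io_addr_assert::<[u8; N]>` accepting every in-range byte offset, which is only true after hunk 1 switched the alignment test to `align_of`; a line such as `// `[u8; N]` has alignment 1, so only the bounds part of the assertion constrains `offset`.` above `let addr = self.io_addr_assert::<[u8; N]>(offset);` would record that dependency. `c_void` is used unqualified in all four bodies and the file's `use` block is not in this patch, so confirm it is already imported in `io.rs`. The `impl` block that these methods extend starts outside the hunk; only its closing brace is visible.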
