* [PATCH v4 00/20] rust: I/O type generalization and projection
@ 2026-06-11 16:28 Gary Guo
2026-06-11 16:28 ` [PATCH v4 01/20] rust: io: add dynamically-sized `Region` type Gary Guo
` (19 more replies)
0 siblings, 20 replies; 40+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel, Laura Nao
This series presents a major rework of I/O types, as a summary:
- Make I/O regions typed. The existing untyped region still exists
with a dynamically sized `Region` type.
- Create I/O view types to represent subregion of a full I/O region mapped.
A projection macro is added to allow safely create such subviews.
- Split I/O traits, make I/O views play a central role, avoid
duplicate monomorphization and less `unsafe` code.
- Add a `SysMem` backend, and make `Coherent` implement `Io`.
- Add copying methods (memcpy_{from,to}io and friends).
This series generalize `Mmio` type from just an untyped region to typed
representations (so `MmioRaw<T>` is `__iomem *T`). This allows us to remove
the `IoKnownSize` trait; the information is sourced from just the pointer
from the `KnownSize` trait instead.
Building on top of that, `Mmio` and `ConfigSpace` have been converted to
typed views of I/O regions rather than just a big chunk of untyped I/O
memory. These changes made it possible to implement `Io` trait for
`Coherent<T>`.
Shared system memory, `SysMem` is also added to the series, given it
similarity in implementation compared to `Coherent`. In fact, the series
use `SysMem` to implement `Coherent`'s I/O methods.
Built on these generalization, this series add `io_project!()`.
`io_project!()` performs a safe way to project a bigger view to a small
subviews, and some Nova code has been converted in this series to
demonstrate cleanups possible with this addition.
New `io_read!()`, `io_write!()` has been added that supersedes
`dma_read!()`, `dma_write!()` macro. Although, they work for primitives
only (to be exact, types that the backend is `IoCapable` of).
One feature that was lost from the old `dma_read!()` and `dma_write!()`
series was the ability to read/write a large structs. However, the
semantics was unclear to begin with, as there was no guarantee about their
atomicity even for structs that were small enough to fit in u32.
For completeness, I've also included the support for copying methods,
although this does not need to be taken together and can become a follow
up.
The last commit in the series is a reference on how you'd implement
`iosys_map` using an enum type. It automatically gains all the methods via
`Io` trait and can be projected with the macros.
Suggested-by: Danilo Krummrich <dakr@kernel.org>
Link: https://rust-for-linux.zulipchat.com/#narrow/channel/288089-General/topic/Generic.20I.2FO.20backends/near/571198078
---
Changes in v4:
- Added `Send` and `Sync` for types that internally uses raw pointers. (Sashiko)
- Make `Region` always 4-byte aligned. (Sashiko)
- Removed `copy_from_io_slice` method due to unsoundness when regions
overlap. (Sashiko) This means that `is_mapped` hack is not needed anymore
so I've also cleaned up.
- Switch `FromBytes`/`IntoBytes` to zerocopy from kernel::transmute.
- Changed `Either` to specific-purpose `IoSysMap` enum (Miguel).
- Link to v3: https://patch.msgid.link/20260608-io_projection-v3-0-c5cde13a5ec4@garyguo.net
Changes in v3:
- This version presents a major rework from the last version, mostly inspired
by discussions that happen during RustWeek. Notably, the new individual
view types are now the central piece of `Io` traits rather than an ad-hoc
addon using the `View` type. They also benefit from type-erasure; the
original type of `Mmio` or `Coherent` doesn't matter anymore for subviews.
This removes the need of specifying generics on types that take
`CoherentView` on Nova code, which is something that I'm not fully happy
with in the last version.
- Add `SysMem` backend and use it for `Coherent` (Laura Nao).
- Add examples to copying methods and read_val/write_val (Andreas).
- Add a reference patch on `Either` implementation.
- Link to v2: https://patch.msgid.link/20260421-io_projection-v2-0-4c251c692ef4@garyguo.net
Changes in v2:
- Rebased on projection syntax rework
- Added a new patch to forbid use of untyped I/O accessors and register
macros on typed I/O structs (Alex).
- Fixed a few safety comments (Andreas).
- Added a new patch that implements copying methods (see above).
- Link to v1: https://lore.kernel.org/rust-for-linux/20260323153807.1360705-1-gary@kernel.org/
To: Danilo Krummrich <dakr@kernel.org>
To: Alice Ryhl <aliceryhl@google.com>
To: Daniel Almeida <daniel.almeida@collabora.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: "Rafael J. Wysocki" <rafael@kernel.org>
To: Miguel Ojeda <ojeda@kernel.org>
To: Boqun Feng <boqun@kernel.org>
To: Gary Guo <gary@garyguo.net>
To: Björn Roy Baron <bjorn3_gh@protonmail.com>
To: Benno Lossin <lossin@kernel.org>
To: Andreas Hindborg <a.hindborg@kernel.org>
To: Trevor Gross <tmgross@umich.edu>
To: Bjorn Helgaas <bhelgaas@google.com>
To: Krzysztof Wilczyński <kwilczynski@kernel.org>
To: Abdiel Janulgue <abdiel.janulgue@gmail.com>
To: Robin Murphy <robin.murphy@arm.com>
To: Alexandre Courbot <acourbot@nvidia.com>
To: David Airlie <airlied@gmail.com>
To: Simona Vetter <simona@ffwll.ch>
Cc: driver-core@lists.linux.dev
Cc: rust-for-linux@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: linux-pci@vger.kernel.org
Cc: nova-gpu@lists.linux.dev
Cc: dri-devel@lists.freedesktop.org
---
Gary Guo (19):
rust: io: add dynamically-sized `Region` type
rust: io: add missing safety requirement in `IoCapable` methods
rust: io: restrict untyped IO access and `register!` to `Region`
rust: io: implement `Io` on reference types instead
rust: io: generalize `MmioRaw` to pointer to arbitrary type
rust: io: rename `Mmio` to `MmioOwned`
rust: io: implement `Mmio` as view type
rust: pci: io: make `ConfigSpace` a view
rust: io: use view types instead of addresses for `Io`
rust: io: remove `MmioOwned`
rust: io: move `Io` methods to extension trait
rust: prelude: add `zerocopy{,_derive}::IntoBytes`
rust: io: add projection macro and methods
rust: io: implement a view type for `Coherent`
rust: io: add `read_val` and `write_val` functions on `Io`
gpu: nova-core: use I/O projection for cleaner encapsulation
rust: dma: drop `dma_read!` and `dma_write!` API
rust: io: add copying methods
rust: io: implement `IoSysMap`
Laura Nao (1):
rust: io: add I/O backend for system memory with volatile access
drivers/gpu/nova-core/gsp.rs | 53 +-
drivers/gpu/nova-core/gsp/cmdq.rs | 66 +-
drivers/gpu/nova-core/gsp/fw.rs | 82 +--
rust/helpers/io.c | 13 +
rust/kernel/devres.rs | 24 +-
rust/kernel/dma.rs | 280 +++----
rust/kernel/io.rs | 1472 +++++++++++++++++++++++++++++--------
rust/kernel/io/mem.rs | 29 +-
rust/kernel/io/poll.rs | 6 +-
rust/kernel/io/register.rs | 45 +-
rust/kernel/lib.rs | 3 +
rust/kernel/pci.rs | 1 -
rust/kernel/pci/io.rs | 168 +++--
rust/kernel/prelude.rs | 10 +-
rust/kernel/ptr.rs | 12 +
samples/rust/rust_dma.rs | 12 +-
16 files changed, 1604 insertions(+), 672 deletions(-)
---
base-commit: abe651837cb394f76d738a7a747322fca3bf17ba
change-id: 20260421-io_projection-16e7dc5ba7e4
Best regards,
--
Gary Guo <gary@garyguo.net>
^ permalink raw reply [flat|nested] 40+ messages in thread
* [PATCH v4 01/20] rust: io: add dynamically-sized `Region` type
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
2026-06-11 16:28 ` [PATCH v4 02/20] rust: io: add missing safety requirement in `IoCapable` methods Gary Guo
` (18 subsequent siblings)
19 siblings, 0 replies; 40+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
Currently many I/O related structs carry a `SIZE` parameter to denote the
minimum size of the I/O region, while they also carry a field indicating
the actual size. Proliferation of the pattern creates a lot of duplicated
code, and makes it hard to create typed views of I/O.
Introduce a `Region` type that carries the `SIZE` parameter. It is a
wrapper of `[u8]`, which makes it dynamically sized with a metadata of
`usize`. This way, pointers to `Region` naturally carry size information.
This type is required to be 4-byte aligned.
Expose the minimum size information via `MIN_SIZE` constant of the
`KnownSize` trait. Similarly, expose the minimum alignment information via
`KnownSize::MIN_ALIGN`.
With these changes, it is possible to add an associated type to `Io` trait
to represent the type of I/O region. For untyped regions, this is the newly
added `Region` type. Remove `IoKnownSize` as it is no longer necessary. Use
the same mechanism to indicate minimum size of PCI config spaces.
Signed-off-by: Gary Guo <gary@garyguo.net>
---
rust/kernel/devres.rs | 6 +--
rust/kernel/io.rs | 130 +++++++++++++++++++++++++++++++++-----------------
rust/kernel/lib.rs | 3 ++
rust/kernel/pci.rs | 1 -
rust/kernel/pci/io.rs | 40 +++++++---------
rust/kernel/ptr.rs | 12 +++++
6 files changed, 118 insertions(+), 74 deletions(-)
diff --git a/rust/kernel/devres.rs b/rust/kernel/devres.rs
index 11ce500e9b76..ed30ccc6e68e 100644
--- a/rust/kernel/devres.rs
+++ b/rust/kernel/devres.rs
@@ -68,7 +68,6 @@ struct Inner<T> {
/// devres::Devres,
/// io::{
/// Io,
-/// IoKnownSize,
/// Mmio,
/// MmioRaw,
/// PhysAddr, //
@@ -297,10 +296,7 @@ pub fn device(&self) -> &Device {
/// use kernel::{
/// device::Core,
/// devres::Devres,
- /// io::{
- /// Io,
- /// IoKnownSize, //
- /// },
+ /// io::Io,
/// pci, //
/// };
///
diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
index fcc7678fd9e3..bef571dad6eb 100644
--- a/rust/kernel/io.rs
+++ b/rust/kernel/io.rs
@@ -6,7 +6,11 @@
use crate::{
bindings,
- prelude::*, //
+ prelude::*,
+ ptr::{
+ Alignment,
+ KnownSize, //
+ }, //
};
pub mod mem;
@@ -31,6 +35,58 @@
/// `CONFIG_PHYS_ADDR_T_64BIT`, and it can be a u64 even on 32-bit architectures.
pub type ResourceSize = bindings::resource_size_t;
+/// Untyped I/O region.
+///
+/// This type can be used when an I/O region without known type information has a compile-time known
+/// minimum size (and a runtime known actual size).
+///
+/// This must be 4-byte aligned.
+///
+/// # Invariants
+///
+/// Size of the region is at least as large as the `SIZE` generic parameter.
+#[repr(C, align(4))]
+pub struct Region<const SIZE: usize = 0> {
+ inner: [u8],
+}
+
+impl<const SIZE: usize> Region<SIZE> {
+ /// Create a raw mutable pointer from given base address and size.
+ ///
+ /// `size` should be at least as large as the minimum size `SIZE`, and `base` and `size` should
+ /// be 4-byte aligned to uphold the type invariant.
+ ///
+ /// Just like other methods on raw pointers, it is not unsafe to create a raw pointer
+ /// that does not uphold the type invariants. However such pointers are not valid.
+ #[inline]
+ pub fn ptr_from_raw_parts_mut(base: *mut u8, size: usize) -> *mut Self {
+ core::ptr::slice_from_raw_parts_mut(base, size) as *mut Region<SIZE>
+ }
+
+ /// Create a raw mutable pointer from given base address and size.
+ ///
+ /// The alignment of `base` is checked, and `size` is checked against the minimum size specified
+ /// via const generics.
+ #[inline]
+ pub fn ptr_try_from_raw_parts_mut(base: *mut u8, size: usize) -> Result<*mut Self> {
+ if size < SIZE || base.align_offset(4) != 0 || !size.is_multiple_of(4) {
+ return Err(EINVAL);
+ }
+
+ Ok(Self::ptr_from_raw_parts_mut(base, size))
+ }
+}
+
+impl<const SIZE: usize> KnownSize for Region<SIZE> {
+ const MIN_SIZE: usize = SIZE;
+ const MIN_ALIGN: Alignment = Alignment::new::<4>();
+
+ #[inline(always)]
+ fn size(p: *const Self) -> usize {
+ (p as *const [u8]).len()
+ }
+}
+
/// Raw representation of an MMIO region.
///
/// By itself, the existence of an instance of this structure does not provide any guarantees that
@@ -85,7 +141,6 @@ pub fn maxsize(&self) -> usize {
/// ffi::c_void,
/// io::{
/// Io,
-/// IoKnownSize,
/// Mmio,
/// MmioRaw,
/// PhysAddr,
@@ -241,12 +296,25 @@ fn offset(self) -> usize {
/// For MMIO regions, all widths (u8, u16, u32, and u64 on 64-bit systems) are typically
/// supported. For PCI configuration space, u8, u16, and u32 are supported but u64 is not.
pub trait Io {
+ /// Type of this I/O region. For untyped regions, [`Region`] can be used.
+ type Target: ?Sized + KnownSize;
+
/// Returns the base address of this mapping.
fn addr(&self) -> usize;
/// Returns the maximum size of this mapping.
fn maxsize(&self) -> usize;
+ /// Returns the absolute I/O address for a given `offset`,
+ /// performing compile-time bound checks.
+ // Always inline to optimize out error path of `build_assert`.
+ #[inline(always)]
+ fn io_addr_assert<U>(&self, offset: usize) -> usize {
+ build_assert!(offset_valid::<U>(offset, Self::Target::MIN_SIZE));
+
+ self.addr() + offset
+ }
+
/// Returns the absolute I/O address for a given `offset`,
/// performing runtime bound checks.
#[inline]
@@ -336,7 +404,7 @@ fn try_write64(&self, value: u64, offset: usize) -> Result
#[inline(always)]
fn read8(&self, offset: usize) -> u8
where
- Self: IoKnownSize + IoCapable<u8>,
+ Self: IoCapable<u8>,
{
self.read(offset)
}
@@ -345,7 +413,7 @@ fn read8(&self, offset: usize) -> u8
#[inline(always)]
fn read16(&self, offset: usize) -> u16
where
- Self: IoKnownSize + IoCapable<u16>,
+ Self: IoCapable<u16>,
{
self.read(offset)
}
@@ -354,7 +422,7 @@ fn read16(&self, offset: usize) -> u16
#[inline(always)]
fn read32(&self, offset: usize) -> u32
where
- Self: IoKnownSize + IoCapable<u32>,
+ Self: IoCapable<u32>,
{
self.read(offset)
}
@@ -363,7 +431,7 @@ fn read32(&self, offset: usize) -> u32
#[inline(always)]
fn read64(&self, offset: usize) -> u64
where
- Self: IoKnownSize + IoCapable<u64>,
+ Self: IoCapable<u64>,
{
self.read(offset)
}
@@ -372,7 +440,7 @@ fn read64(&self, offset: usize) -> u64
#[inline(always)]
fn write8(&self, value: u8, offset: usize)
where
- Self: IoKnownSize + IoCapable<u8>,
+ Self: IoCapable<u8>,
{
self.write(offset, value)
}
@@ -381,7 +449,7 @@ fn write8(&self, value: u8, offset: usize)
#[inline(always)]
fn write16(&self, value: u16, offset: usize)
where
- Self: IoKnownSize + IoCapable<u16>,
+ Self: IoCapable<u16>,
{
self.write(offset, value)
}
@@ -390,7 +458,7 @@ fn write16(&self, value: u16, offset: usize)
#[inline(always)]
fn write32(&self, value: u32, offset: usize)
where
- Self: IoKnownSize + IoCapable<u32>,
+ Self: IoCapable<u32>,
{
self.write(offset, value)
}
@@ -399,7 +467,7 @@ fn write32(&self, value: u32, offset: usize)
#[inline(always)]
fn write64(&self, value: u64, offset: usize)
where
- Self: IoKnownSize + IoCapable<u64>,
+ Self: IoCapable<u64>,
{
self.write(offset, value)
}
@@ -582,7 +650,7 @@ fn try_update<T, L, F>(&self, location: L, f: F) -> Result
fn read<T, L>(&self, location: L) -> T
where
L: IoLoc<T>,
- Self: IoKnownSize + IoCapable<L::IoType>,
+ Self: IoCapable<L::IoType>,
{
let address = self.io_addr_assert::<L::IoType>(location.offset());
@@ -614,7 +682,7 @@ fn read<T, L>(&self, location: L) -> T
fn write<T, L>(&self, location: L, value: T)
where
L: IoLoc<T>,
- Self: IoKnownSize + IoCapable<L::IoType>,
+ Self: IoCapable<L::IoType>,
{
let address = self.io_addr_assert::<L::IoType>(location.offset());
let io_value = value.into();
@@ -658,7 +726,7 @@ fn write_reg<T, L, V>(&self, value: V)
where
L: IoLoc<T>,
V: LocatedRegister<Location = L, Value = T>,
- Self: IoKnownSize + IoCapable<L::IoType>,
+ Self: IoCapable<L::IoType>,
{
let (location, value) = value.into_io_op();
@@ -690,7 +758,7 @@ fn write_reg<T, L, V>(&self, value: V)
fn update<T, L, F>(&self, location: L, f: F)
where
L: IoLoc<T>,
- Self: IoKnownSize + IoCapable<L::IoType> + Sized,
+ Self: IoCapable<L::IoType> + Sized,
F: FnOnce(T) -> T,
{
let address = self.io_addr_assert::<L::IoType>(location.offset());
@@ -704,28 +772,6 @@ fn update<T, L, F>(&self, location: L, f: F)
}
}
-/// Trait for types with a known size at compile time.
-///
-/// This trait is implemented by I/O backends that have a compile-time known size,
-/// enabling the use of infallible I/O accessors with compile-time bounds checking.
-///
-/// Types implementing this trait can use the infallible methods in [`Io`] trait
-/// (e.g., `read8`, `write32`), which require `Self: IoKnownSize` bound.
-pub trait IoKnownSize: Io {
- /// Minimum usable size of this region.
- const MIN_SIZE: usize;
-
- /// Returns the absolute I/O address for a given `offset`,
- /// performing compile-time bound checks.
- // Always inline to optimize out error path of `build_assert`.
- #[inline(always)]
- fn io_addr_assert<U>(&self, offset: usize) -> usize {
- build_assert!(offset_valid::<U>(offset, Self::MIN_SIZE));
-
- self.addr() + offset
- }
-}
-
/// Implements [`IoCapable`] on `$mmio` for `$ty` using `$read_fn` and `$write_fn`.
macro_rules! impl_mmio_io_capable {
($mmio:ident, $(#[$attr:meta])* $ty:ty, $read_fn:ident, $write_fn:ident) => {
@@ -758,6 +804,8 @@ unsafe fn io_write(&self, value: $ty, address: usize) {
);
impl<const SIZE: usize> Io for Mmio<SIZE> {
+ type Target = Region<SIZE>;
+
/// Returns the base address of this mapping.
#[inline]
fn addr(&self) -> usize {
@@ -771,10 +819,6 @@ fn maxsize(&self) -> usize {
}
}
-impl<const SIZE: usize> IoKnownSize for Mmio<SIZE> {
- const MIN_SIZE: usize = SIZE;
-}
-
impl<const SIZE: usize> Mmio<SIZE> {
/// Converts an `MmioRaw` into an `Mmio` instance, providing the accessors to the MMIO mapping.
///
@@ -798,6 +842,8 @@ pub unsafe fn from_raw(raw: &MmioRaw<SIZE>) -> &Self {
pub struct RelaxedMmio<const SIZE: usize = 0>(Mmio<SIZE>);
impl<const SIZE: usize> Io for RelaxedMmio<SIZE> {
+ type Target = Region<SIZE>;
+
#[inline]
fn addr(&self) -> usize {
self.0.addr()
@@ -809,10 +855,6 @@ fn maxsize(&self) -> usize {
}
}
-impl<const SIZE: usize> IoKnownSize for RelaxedMmio<SIZE> {
- const MIN_SIZE: usize = SIZE;
-}
-
impl<const SIZE: usize> Mmio<SIZE> {
/// Returns a [`RelaxedMmio`] reference that performs relaxed I/O operations.
///
diff --git a/rust/kernel/lib.rs b/rust/kernel/lib.rs
index 9512af7156df..68f4d9a3425d 100644
--- a/rust/kernel/lib.rs
+++ b/rust/kernel/lib.rs
@@ -16,6 +16,9 @@
// Please see https://github.com/Rust-for-Linux/linux/issues/2 for details on
// the unstable features in use.
//
+// Stable since Rust 1.87.0.
+#![feature(unsigned_is_multiple_of)]
+//
// Stable since Rust 1.89.0.
#![feature(generic_arg_infer)]
//
diff --git a/rust/kernel/pci.rs b/rust/kernel/pci.rs
index 5071cae6543f..c6d6bd8f251d 100644
--- a/rust/kernel/pci.rs
+++ b/rust/kernel/pci.rs
@@ -43,7 +43,6 @@
pub use self::io::{
Bar,
ConfigSpace,
- ConfigSpaceKind,
ConfigSpaceSize,
Extended,
Normal, //
diff --git a/rust/kernel/pci/io.rs b/rust/kernel/pci/io.rs
index 0461e01aaa20..b4996aa059d8 100644
--- a/rust/kernel/pci/io.rs
+++ b/rust/kernel/pci/io.rs
@@ -10,11 +10,12 @@
io::{
Io,
IoCapable,
- IoKnownSize,
Mmio,
- MmioRaw, //
+ MmioRaw,
+ Region, //
},
- prelude::*, //
+ prelude::*,
+ ptr::KnownSize, //
};
use core::{
marker::PhantomData,
@@ -46,28 +47,21 @@ pub const fn into_raw(self) -> usize {
}
}
-/// Marker type for normal (256-byte) PCI configuration space.
-pub struct Normal;
+/// Alias for normal (256-byte) PCI configuration space.
+pub type Normal = Region<256>;
-/// Marker type for extended (4096-byte) PCIe configuration space.
-pub struct Extended;
+/// Alias for extended (4096-byte) PCIe configuration space.
+pub type Extended = Region<4096>;
/// Trait for PCI configuration space size markers.
///
/// This trait is implemented by [`Normal`] and [`Extended`] to provide
/// compile-time knowledge of the configuration space size.
-pub trait ConfigSpaceKind {
- /// The size of this configuration space in bytes.
- const SIZE: usize;
-}
+pub trait ConfigSpaceKind: KnownSize {}
-impl ConfigSpaceKind for Normal {
- const SIZE: usize = 256;
-}
+impl ConfigSpaceKind for Normal {}
-impl ConfigSpaceKind for Extended {
- const SIZE: usize = 4096;
-}
+impl ConfigSpaceKind for Extended {}
/// The PCI configuration space of a device.
///
@@ -77,7 +71,7 @@ impl ConfigSpaceKind for Extended {
/// The generic parameter `S` indicates the maximum size of the configuration space.
/// Use [`Normal`] for 256-byte legacy configuration space or [`Extended`] for
/// 4096-byte PCIe extended configuration space (default).
-pub struct ConfigSpace<'a, S: ConfigSpaceKind = Extended> {
+pub struct ConfigSpace<'a, S: ?Sized + ConfigSpaceKind = Extended> {
pub(crate) pdev: &'a Device<device::Bound>,
_marker: PhantomData<S>,
}
@@ -85,7 +79,7 @@ pub struct ConfigSpace<'a, S: ConfigSpaceKind = Extended> {
/// Implements [`IoCapable`] on [`ConfigSpace`] for `$ty` using `$read_fn` and `$write_fn`.
macro_rules! impl_config_space_io_capable {
($ty:ty, $read_fn:ident, $write_fn:ident) => {
- impl<'a, S: ConfigSpaceKind> IoCapable<$ty> for ConfigSpace<'a, S> {
+ impl<'a, S: ?Sized + ConfigSpaceKind> IoCapable<$ty> for ConfigSpace<'a, S> {
unsafe fn io_read(&self, address: usize) -> $ty {
let mut val: $ty = 0;
@@ -118,7 +112,9 @@ unsafe fn io_write(&self, value: $ty, address: usize) {
impl_config_space_io_capable!(u16, pci_read_config_word, pci_write_config_word);
impl_config_space_io_capable!(u32, pci_read_config_dword, pci_write_config_dword);
-impl<'a, S: ConfigSpaceKind> Io for ConfigSpace<'a, S> {
+impl<'a, S: ?Sized + ConfigSpaceKind> Io for ConfigSpace<'a, S> {
+ type Target = S;
+
/// Returns the base address of the I/O region. It is always 0 for configuration space.
#[inline]
fn addr(&self) -> usize {
@@ -132,10 +128,6 @@ fn maxsize(&self) -> usize {
}
}
-impl<'a, S: ConfigSpaceKind> IoKnownSize for ConfigSpace<'a, S> {
- const MIN_SIZE: usize = S::SIZE;
-}
-
/// A PCI BAR to perform I/O-Operations on.
///
/// I/O backend assumes that the device is little-endian and will automatically
diff --git a/rust/kernel/ptr.rs b/rust/kernel/ptr.rs
index 3f3e529e9f58..82acb531b17b 100644
--- a/rust/kernel/ptr.rs
+++ b/rust/kernel/ptr.rs
@@ -235,11 +235,20 @@ fn align_up(self, alignment: Alignment) -> Option<Self> {
///
/// This is a generalization of [`size_of`] that works for dynamically sized types.
pub trait KnownSize {
+ /// Minimum size of this type known at compile-time.
+ const MIN_SIZE: usize;
+
+ /// Minimum alignment of this type known at compile-time.
+ const MIN_ALIGN: Alignment;
+
/// Get the size of an object of this type in bytes, with the metadata of the given pointer.
fn size(p: *const Self) -> usize;
}
impl<T> KnownSize for T {
+ const MIN_SIZE: usize = size_of::<T>();
+ const MIN_ALIGN: Alignment = Alignment::of::<T>();
+
#[inline(always)]
fn size(_: *const Self) -> usize {
size_of::<T>()
@@ -247,6 +256,9 @@ fn size(_: *const Self) -> usize {
}
impl<T> KnownSize for [T] {
+ const MIN_SIZE: usize = 0;
+ const MIN_ALIGN: Alignment = Alignment::of::<T>();
+
#[inline(always)]
fn size(p: *const Self) -> usize {
p.len() * size_of::<T>()
--
2.54.0
^ permalink raw reply related [flat|nested] 40+ messages in thread
* [PATCH v4 02/20] rust: io: add missing safety requirement in `IoCapable` methods
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
2026-06-11 16:28 ` [PATCH v4 01/20] rust: io: add dynamically-sized `Region` type Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
2026-06-11 16:28 ` [PATCH v4 03/20] rust: io: restrict untyped IO access and `register!` to `Region` Gary Guo
` (17 subsequent siblings)
19 siblings, 0 replies; 40+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
The current safety comment on `io_read`/`io_write` does not cover the topic
about alignment. Add it so it can be relied on by implementor of
`IoCapable`.
Expand the check `Io` by taking `self.addr()` into consideration when
checking if `offset` is aligned. For the compile-time `io_addr_assert`
check, check using the known minimum alignment of `IO::Target` and the
accessed type.
While at it, fix the alignment check to use `align_of` instead of
`size_of`. The values match for all primitives (including u64, given that
we do not provide u64 accessor on 32-bit platforms), but are not
necessarily true for custom types.
Signed-off-by: Gary Guo <gary@garyguo.net>
---
rust/kernel/io.rs | 25 ++++++++++++++++---------
1 file changed, 16 insertions(+), 9 deletions(-)
diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
index bef571dad6eb..fa9ae39ad9d2 100644
--- a/rust/kernel/io.rs
+++ b/rust/kernel/io.rs
@@ -196,13 +196,14 @@ pub fn maxsize(&self) -> usize {
#[repr(transparent)]
pub struct Mmio<const SIZE: usize = 0>(MmioRaw<SIZE>);
-/// Checks whether an access of type `U` at the given `offset`
+/// Checks whether an access of type `U` at the given `base` and the given `offset`
/// is valid within this region.
+///
+/// The `base` is used for alignment checking only. This can be set to 0 to skip the check.
#[inline]
-const fn offset_valid<U>(offset: usize, size: usize) -> bool {
- let type_size = core::mem::size_of::<U>();
- if let Some(end) = offset.checked_add(type_size) {
- end <= size && offset % type_size == 0
+const fn offset_valid<U>(base: usize, offset: usize, size: usize) -> bool {
+ if let Some(end) = offset.checked_add(size_of::<U>()) {
+ end <= size && (base.wrapping_add(offset) % align_of::<U>() == 0)
} else {
false
}
@@ -221,14 +222,16 @@ pub trait IoCapable<T> {
///
/// # Safety
///
- /// The range `[address..address + size_of::<T>()]` must be within the bounds of `Self`.
+ /// - The range `[address..address + size_of::<T>()]` must be within the bounds of `Self`.
+ /// - `address` must be aligned.
unsafe fn io_read(&self, address: usize) -> T;
/// Performs an I/O write of `value` at `address`.
///
/// # Safety
///
- /// The range `[address..address + size_of::<T>()]` must be within the bounds of `Self`.
+ /// - The range `[address..address + size_of::<T>()]` must be within the bounds of `Self`.
+ /// - `address` must be aligned.
unsafe fn io_write(&self, value: T, address: usize);
}
@@ -310,7 +313,11 @@ pub trait Io {
// Always inline to optimize out error path of `build_assert`.
#[inline(always)]
fn io_addr_assert<U>(&self, offset: usize) -> usize {
- build_assert!(offset_valid::<U>(offset, Self::Target::MIN_SIZE));
+ // We cannot check alignment with `offset_valid` using `self.addr()`. So set 0 for it and
+ // ensure alignment by checking that the alignment of `U` is smaller or equal to the
+ // alignment of `Self::Target`.
+ const_assert!(Alignment::of::<U>().as_usize() <= Self::Target::MIN_ALIGN.as_usize());
+ build_assert!(offset_valid::<U>(0, offset, Self::Target::MIN_SIZE));
self.addr() + offset
}
@@ -319,7 +326,7 @@ fn io_addr_assert<U>(&self, offset: usize) -> usize {
/// performing runtime bound checks.
#[inline]
fn io_addr<U>(&self, offset: usize) -> Result<usize> {
- if !offset_valid::<U>(offset, self.maxsize()) {
+ if !offset_valid::<U>(self.addr(), offset, self.maxsize()) {
return Err(EINVAL);
}
--
2.54.0
^ permalink raw reply related [flat|nested] 40+ messages in thread
* [PATCH v4 03/20] rust: io: restrict untyped IO access and `register!` to `Region`
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
2026-06-11 16:28 ` [PATCH v4 01/20] rust: io: add dynamically-sized `Region` type Gary Guo
2026-06-11 16:28 ` [PATCH v4 02/20] rust: io: add missing safety requirement in `IoCapable` methods Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
2026-06-11 16:28 ` [PATCH v4 04/20] rust: io: implement `Io` on reference types instead Gary Guo
` (16 subsequent siblings)
19 siblings, 0 replies; 40+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
Currently the `Io` trait exposes a bunch of untyped IO accesses, but if the
`Io` region itself is typed, then it might be weird to have
let io: Mmio<u32> = /* ... */;
io.read8(1);
while not unsound, it is surely strange. Thus, restrict the untyped methods
and also the register macro to `Region` type only.
Implement it by adding a generic type to `IoLoc` indicating allowed base
types. This also paves the way to add typed register blocks in the future;
for example, we could use this mechanism to block driver A's `register!()`
generated macro from being used on driver B's MMIO. The same mechanism
could be used for relative IO registers. These are future opportunities,
and for now restrict everything to require `IoLoc<Region<SIZE>, _>`.
Suggested-by: Alexandre Courbot <acourbot@nvidia.com>
Link: https://lore.kernel.org/rust-for-linux/DHLB3RO3OSF5.2R7F27U99BKLN@nvidia.com/
Signed-off-by: Gary Guo <gary@garyguo.net>
---
rust/kernel/io.rs | 49 +++++++++++++++++++++++++++++++---------------
rust/kernel/io/register.rs | 21 +++++++++++---------
2 files changed, 45 insertions(+), 25 deletions(-)
diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
index fa9ae39ad9d2..38281636b4da 100644
--- a/rust/kernel/io.rs
+++ b/rust/kernel/io.rs
@@ -244,15 +244,16 @@ pub trait IoCapable<T> {
/// (for primitive types like [`u32`]) and typed ones (like those generated by the [`register!`]
/// macro).
///
-/// An `IoLoc<T>` carries three pieces of information:
+/// An `IoLoc<Base, T>` carries the following pieces of information:
///
+/// - The valid `Base` to operate on. For most registers, this should be [`Region`].
/// - The offset to access (returned by [`IoLoc::offset`]),
/// - The width of the access (determined by [`IoLoc::IoType`]),
/// - The type `T` in which the raw data is returned or provided.
///
/// `T` and `IoLoc::IoType` may differ: for instance, a typed register has `T` = the register type
/// with its bitfields, and `IoType` = its backing primitive (e.g. `u32`).
-pub trait IoLoc<T> {
+pub trait IoLoc<Base: ?Sized, T> {
/// Size ([`u8`], [`u16`], etc) of the I/O performed on the returned [`offset`](IoLoc::offset).
type IoType: Into<T> + From<T>;
@@ -260,12 +261,12 @@ pub trait IoLoc<T> {
fn offset(self) -> usize;
}
-/// Implements [`IoLoc<$ty>`] for [`usize`], allowing [`usize`] to be used as a parameter of
-/// [`Io::read`] and [`Io::write`].
+/// Implements [`IoLoc<Region<SIZE>, $ty>`] for [`usize`], allowing [`usize`] to be used as a
+/// parameter of [`Io::read`] and [`Io::write`].
macro_rules! impl_usize_ioloc {
($($ty:ty),*) => {
$(
- impl IoLoc<$ty> for usize {
+ impl<const SIZE: usize> IoLoc<Region<SIZE>, $ty> for usize {
type IoType = $ty;
#[inline(always)]
@@ -339,6 +340,7 @@ fn io_addr<U>(&self, offset: usize) -> Result<usize> {
#[inline(always)]
fn try_read8(&self, offset: usize) -> Result<u8>
where
+ usize: IoLoc<Self::Target, u8, IoType = u8>,
Self: IoCapable<u8>,
{
self.try_read(offset)
@@ -348,6 +350,7 @@ fn try_read8(&self, offset: usize) -> Result<u8>
#[inline(always)]
fn try_read16(&self, offset: usize) -> Result<u16>
where
+ usize: IoLoc<Self::Target, u16, IoType = u16>,
Self: IoCapable<u16>,
{
self.try_read(offset)
@@ -357,6 +360,7 @@ fn try_read16(&self, offset: usize) -> Result<u16>
#[inline(always)]
fn try_read32(&self, offset: usize) -> Result<u32>
where
+ usize: IoLoc<Self::Target, u32, IoType = u32>,
Self: IoCapable<u32>,
{
self.try_read(offset)
@@ -366,6 +370,7 @@ fn try_read32(&self, offset: usize) -> Result<u32>
#[inline(always)]
fn try_read64(&self, offset: usize) -> Result<u64>
where
+ usize: IoLoc<Self::Target, u64, IoType = u64>,
Self: IoCapable<u64>,
{
self.try_read(offset)
@@ -375,6 +380,7 @@ fn try_read64(&self, offset: usize) -> Result<u64>
#[inline(always)]
fn try_write8(&self, value: u8, offset: usize) -> Result
where
+ usize: IoLoc<Self::Target, u8, IoType = u8>,
Self: IoCapable<u8>,
{
self.try_write(offset, value)
@@ -384,6 +390,7 @@ fn try_write8(&self, value: u8, offset: usize) -> Result
#[inline(always)]
fn try_write16(&self, value: u16, offset: usize) -> Result
where
+ usize: IoLoc<Self::Target, u16, IoType = u16>,
Self: IoCapable<u16>,
{
self.try_write(offset, value)
@@ -393,6 +400,7 @@ fn try_write16(&self, value: u16, offset: usize) -> Result
#[inline(always)]
fn try_write32(&self, value: u32, offset: usize) -> Result
where
+ usize: IoLoc<Self::Target, u32, IoType = u32>,
Self: IoCapable<u32>,
{
self.try_write(offset, value)
@@ -402,6 +410,7 @@ fn try_write32(&self, value: u32, offset: usize) -> Result
#[inline(always)]
fn try_write64(&self, value: u64, offset: usize) -> Result
where
+ usize: IoLoc<Self::Target, u64, IoType = u64>,
Self: IoCapable<u64>,
{
self.try_write(offset, value)
@@ -411,6 +420,7 @@ fn try_write64(&self, value: u64, offset: usize) -> Result
#[inline(always)]
fn read8(&self, offset: usize) -> u8
where
+ usize: IoLoc<Self::Target, u8, IoType = u8>,
Self: IoCapable<u8>,
{
self.read(offset)
@@ -420,6 +430,7 @@ fn read8(&self, offset: usize) -> u8
#[inline(always)]
fn read16(&self, offset: usize) -> u16
where
+ usize: IoLoc<Self::Target, u16, IoType = u16>,
Self: IoCapable<u16>,
{
self.read(offset)
@@ -429,6 +440,7 @@ fn read16(&self, offset: usize) -> u16
#[inline(always)]
fn read32(&self, offset: usize) -> u32
where
+ usize: IoLoc<Self::Target, u32, IoType = u32>,
Self: IoCapable<u32>,
{
self.read(offset)
@@ -438,6 +450,7 @@ fn read32(&self, offset: usize) -> u32
#[inline(always)]
fn read64(&self, offset: usize) -> u64
where
+ usize: IoLoc<Self::Target, u64, IoType = u64>,
Self: IoCapable<u64>,
{
self.read(offset)
@@ -447,6 +460,7 @@ fn read64(&self, offset: usize) -> u64
#[inline(always)]
fn write8(&self, value: u8, offset: usize)
where
+ usize: IoLoc<Self::Target, u8, IoType = u8>,
Self: IoCapable<u8>,
{
self.write(offset, value)
@@ -456,6 +470,7 @@ fn write8(&self, value: u8, offset: usize)
#[inline(always)]
fn write16(&self, value: u16, offset: usize)
where
+ usize: IoLoc<Self::Target, u16, IoType = u16>,
Self: IoCapable<u16>,
{
self.write(offset, value)
@@ -465,6 +480,7 @@ fn write16(&self, value: u16, offset: usize)
#[inline(always)]
fn write32(&self, value: u32, offset: usize)
where
+ usize: IoLoc<Self::Target, u32, IoType = u32>,
Self: IoCapable<u32>,
{
self.write(offset, value)
@@ -474,6 +490,7 @@ fn write32(&self, value: u32, offset: usize)
#[inline(always)]
fn write64(&self, value: u64, offset: usize)
where
+ usize: IoLoc<Self::Target, u64, IoType = u64>,
Self: IoCapable<u64>,
{
self.write(offset, value)
@@ -504,7 +521,7 @@ fn write64(&self, value: u64, offset: usize)
#[inline(always)]
fn try_read<T, L>(&self, location: L) -> Result<T>
where
- L: IoLoc<T>,
+ L: IoLoc<Self::Target, T>,
Self: IoCapable<L::IoType>,
{
let address = self.io_addr::<L::IoType>(location.offset())?;
@@ -538,7 +555,7 @@ fn try_read<T, L>(&self, location: L) -> Result<T>
#[inline(always)]
fn try_write<T, L>(&self, location: L, value: T) -> Result
where
- L: IoLoc<T>,
+ L: IoLoc<Self::Target, T>,
Self: IoCapable<L::IoType>,
{
let address = self.io_addr::<L::IoType>(location.offset())?;
@@ -584,8 +601,8 @@ fn try_write<T, L>(&self, location: L, value: T) -> Result
#[inline(always)]
fn try_write_reg<T, L, V>(&self, value: V) -> Result
where
- L: IoLoc<T>,
- V: LocatedRegister<Location = L, Value = T>,
+ L: IoLoc<Self::Target, T>,
+ V: LocatedRegister<Self::Target, Location = L, Value = T>,
Self: IoCapable<L::IoType>,
{
let (location, value) = value.into_io_op();
@@ -617,7 +634,7 @@ fn try_write_reg<T, L, V>(&self, value: V) -> Result
#[inline(always)]
fn try_update<T, L, F>(&self, location: L, f: F) -> Result
where
- L: IoLoc<T>,
+ L: IoLoc<Self::Target, T>,
Self: IoCapable<L::IoType>,
F: FnOnce(T) -> T,
{
@@ -656,7 +673,7 @@ fn try_update<T, L, F>(&self, location: L, f: F) -> Result
#[inline(always)]
fn read<T, L>(&self, location: L) -> T
where
- L: IoLoc<T>,
+ L: IoLoc<Self::Target, T>,
Self: IoCapable<L::IoType>,
{
let address = self.io_addr_assert::<L::IoType>(location.offset());
@@ -688,7 +705,7 @@ fn read<T, L>(&self, location: L) -> T
#[inline(always)]
fn write<T, L>(&self, location: L, value: T)
where
- L: IoLoc<T>,
+ L: IoLoc<Self::Target, T>,
Self: IoCapable<L::IoType>,
{
let address = self.io_addr_assert::<L::IoType>(location.offset());
@@ -731,8 +748,8 @@ fn write<T, L>(&self, location: L, value: T)
#[inline(always)]
fn write_reg<T, L, V>(&self, value: V)
where
- L: IoLoc<T>,
- V: LocatedRegister<Location = L, Value = T>,
+ L: IoLoc<Self::Target, T>,
+ V: LocatedRegister<Self::Target, Location = L, Value = T>,
Self: IoCapable<L::IoType>,
{
let (location, value) = value.into_io_op();
@@ -764,8 +781,8 @@ fn write_reg<T, L, V>(&self, value: V)
#[inline(always)]
fn update<T, L, F>(&self, location: L, f: F)
where
- L: IoLoc<T>,
- Self: IoCapable<L::IoType> + Sized,
+ L: IoLoc<Self::Target, T>,
+ Self: IoCapable<L::IoType>,
F: FnOnce(T) -> T,
{
let address = self.io_addr_assert::<L::IoType>(location.offset());
diff --git a/rust/kernel/io/register.rs b/rust/kernel/io/register.rs
index f924c7c7c1db..64fff9193a13 100644
--- a/rust/kernel/io/register.rs
+++ b/rust/kernel/io/register.rs
@@ -113,6 +113,8 @@
io::IoLoc, //
};
+use super::Region;
+
/// Trait implemented by all registers.
pub trait Register: Sized {
/// Backing primitive type of the register.
@@ -129,7 +131,7 @@ pub trait FixedRegister: Register {}
/// Allows `()` to be used as the `location` parameter of [`Io::write`](super::Io::write) when
/// passing a [`FixedRegister`] value.
-impl<T> IoLoc<T> for ()
+impl<const SIZE: usize, T> IoLoc<Region<SIZE>, T> for ()
where
T: FixedRegister,
{
@@ -143,7 +145,7 @@ fn offset(self) -> usize {
/// A [`FixedRegister`] carries its location in its type. Thus `FixedRegister` values can be used
/// as an [`IoLoc`].
-impl<T> IoLoc<T> for T
+impl<const SIZE: usize, T> IoLoc<Region<SIZE>, T> for T
where
T: FixedRegister,
{
@@ -168,7 +170,7 @@ pub const fn new() -> Self {
}
}
-impl<T> IoLoc<T> for FixedRegisterLoc<T>
+impl<const SIZE: usize, T> IoLoc<Region<SIZE>, T> for FixedRegisterLoc<T>
where
T: FixedRegister,
{
@@ -239,7 +241,8 @@ const fn offset(self) -> usize {
}
}
-impl<T, B> IoLoc<T> for RelativeRegisterLoc<T, B>
+// FIXME: Make use of `Base` type parameter of `Region` directly.
+impl<const SIZE: usize, T, B> IoLoc<Region<SIZE>, T> for RelativeRegisterLoc<T, B>
where
T: RelativeRegister,
B: RegisterBase<T::BaseFamily> + ?Sized,
@@ -283,7 +286,7 @@ pub fn try_new(idx: usize) -> Option<Self> {
}
}
-impl<T> IoLoc<T> for RegisterArrayLoc<T>
+impl<const SIZE: usize, T> IoLoc<Region<SIZE>, T> for RegisterArrayLoc<T>
where
T: RegisterArray,
{
@@ -370,7 +373,7 @@ pub fn try_at(self, idx: usize) -> Option<RelativeRegisterArrayLoc<T, B>> {
}
}
-impl<T, B> IoLoc<T> for RelativeRegisterArrayLoc<T, B>
+impl<const SIZE: usize, T, B> IoLoc<Region<SIZE>, T> for RelativeRegisterArrayLoc<T, B>
where
T: RelativeRegisterArray,
B: RegisterBase<T::BaseFamily> + ?Sized,
@@ -387,18 +390,18 @@ fn offset(self) -> usize {
/// which to write it.
///
/// Implementors can be used with [`Io::write_reg`](super::Io::write_reg).
-pub trait LocatedRegister {
+pub trait LocatedRegister<Base: ?Sized> {
/// Register value to write.
type Value: Register;
/// Full location information at which to write the value.
- type Location: IoLoc<Self::Value>;
+ type Location: IoLoc<Base, Self::Value>;
/// Consumes `self` and returns a `(location, value)` tuple describing a valid I/O write
/// operation.
fn into_io_op(self) -> (Self::Location, Self::Value);
}
-impl<T> LocatedRegister for T
+impl<const SIZE: usize, T> LocatedRegister<Region<SIZE>> for T
where
T: FixedRegister,
{
--
2.54.0
^ permalink raw reply related [flat|nested] 40+ messages in thread
* [PATCH v4 04/20] rust: io: implement `Io` on reference types instead
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
` (2 preceding siblings ...)
2026-06-11 16:28 ` [PATCH v4 03/20] rust: io: restrict untyped IO access and `register!` to `Region` Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
2026-06-11 17:07 ` sashiko-bot
2026-06-11 16:28 ` [PATCH v4 05/20] rust: io: generalize `MmioRaw` to pointer to arbitrary type Gary Guo
` (15 subsequent siblings)
19 siblings, 1 reply; 40+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
Currently, `Io` is implemented on owned I/O objects (e.g. `Bar`). This is
going to change with I/O projections, as then `Io` need to work both for
owned objects and views of them. Views are themselves reference-like
(however they obviously cannot be references, because they belong to a
different address space).
To faciliate the change, change `Io` to be implemented on reference types
for the owned I/O objects, and make methods take `self` instead of `&self`.
When I/O views are implemented, we can then naturally implement `Io` for
these objects.
Signed-off-by: Gary Guo <gary@garyguo.net>
---
rust/kernel/io.rs | 80 +++++++++++++++++++++++++--------------------------
rust/kernel/pci/io.rs | 12 ++++----
2 files changed, 46 insertions(+), 46 deletions(-)
diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
index 38281636b4da..3b478dcf10f9 100644
--- a/rust/kernel/io.rs
+++ b/rust/kernel/io.rs
@@ -224,7 +224,7 @@ pub trait IoCapable<T> {
///
/// - The range `[address..address + size_of::<T>()]` must be within the bounds of `Self`.
/// - `address` must be aligned.
- unsafe fn io_read(&self, address: usize) -> T;
+ unsafe fn io_read(self, address: usize) -> T;
/// Performs an I/O write of `value` at `address`.
///
@@ -232,7 +232,7 @@ pub trait IoCapable<T> {
///
/// - The range `[address..address + size_of::<T>()]` must be within the bounds of `Self`.
/// - `address` must be aligned.
- unsafe fn io_write(&self, value: T, address: usize);
+ unsafe fn io_write(self, value: T, address: usize);
}
/// Describes a given I/O location: its offset, width, and type to convert the raw value from and
@@ -299,21 +299,21 @@ fn offset(self) -> usize {
///
/// For MMIO regions, all widths (u8, u16, u32, and u64 on 64-bit systems) are typically
/// supported. For PCI configuration space, u8, u16, and u32 are supported but u64 is not.
-pub trait Io {
+pub trait Io: Copy {
/// Type of this I/O region. For untyped regions, [`Region`] can be used.
type Target: ?Sized + KnownSize;
/// Returns the base address of this mapping.
- fn addr(&self) -> usize;
+ fn addr(self) -> usize;
/// Returns the maximum size of this mapping.
- fn maxsize(&self) -> usize;
+ fn maxsize(self) -> usize;
/// Returns the absolute I/O address for a given `offset`,
/// performing compile-time bound checks.
// Always inline to optimize out error path of `build_assert`.
#[inline(always)]
- fn io_addr_assert<U>(&self, offset: usize) -> usize {
+ fn io_addr_assert<U>(self, offset: usize) -> usize {
// We cannot check alignment with `offset_valid` using `self.addr()`. So set 0 for it and
// ensure alignment by checking that the alignment of `U` is smaller or equal to the
// alignment of `Self::Target`.
@@ -326,7 +326,7 @@ fn io_addr_assert<U>(&self, offset: usize) -> usize {
/// Returns the absolute I/O address for a given `offset`,
/// performing runtime bound checks.
#[inline]
- fn io_addr<U>(&self, offset: usize) -> Result<usize> {
+ fn io_addr<U>(self, offset: usize) -> Result<usize> {
if !offset_valid::<U>(self.addr(), offset, self.maxsize()) {
return Err(EINVAL);
}
@@ -338,7 +338,7 @@ fn io_addr<U>(&self, offset: usize) -> Result<usize> {
/// Fallible 8-bit read with runtime bounds check.
#[inline(always)]
- fn try_read8(&self, offset: usize) -> Result<u8>
+ fn try_read8(self, offset: usize) -> Result<u8>
where
usize: IoLoc<Self::Target, u8, IoType = u8>,
Self: IoCapable<u8>,
@@ -348,7 +348,7 @@ fn try_read8(&self, offset: usize) -> Result<u8>
/// Fallible 16-bit read with runtime bounds check.
#[inline(always)]
- fn try_read16(&self, offset: usize) -> Result<u16>
+ fn try_read16(self, offset: usize) -> Result<u16>
where
usize: IoLoc<Self::Target, u16, IoType = u16>,
Self: IoCapable<u16>,
@@ -358,7 +358,7 @@ fn try_read16(&self, offset: usize) -> Result<u16>
/// Fallible 32-bit read with runtime bounds check.
#[inline(always)]
- fn try_read32(&self, offset: usize) -> Result<u32>
+ fn try_read32(self, offset: usize) -> Result<u32>
where
usize: IoLoc<Self::Target, u32, IoType = u32>,
Self: IoCapable<u32>,
@@ -368,7 +368,7 @@ fn try_read32(&self, offset: usize) -> Result<u32>
/// Fallible 64-bit read with runtime bounds check.
#[inline(always)]
- fn try_read64(&self, offset: usize) -> Result<u64>
+ fn try_read64(self, offset: usize) -> Result<u64>
where
usize: IoLoc<Self::Target, u64, IoType = u64>,
Self: IoCapable<u64>,
@@ -378,7 +378,7 @@ fn try_read64(&self, offset: usize) -> Result<u64>
/// Fallible 8-bit write with runtime bounds check.
#[inline(always)]
- fn try_write8(&self, value: u8, offset: usize) -> Result
+ fn try_write8(self, value: u8, offset: usize) -> Result
where
usize: IoLoc<Self::Target, u8, IoType = u8>,
Self: IoCapable<u8>,
@@ -388,7 +388,7 @@ fn try_write8(&self, value: u8, offset: usize) -> Result
/// Fallible 16-bit write with runtime bounds check.
#[inline(always)]
- fn try_write16(&self, value: u16, offset: usize) -> Result
+ fn try_write16(self, value: u16, offset: usize) -> Result
where
usize: IoLoc<Self::Target, u16, IoType = u16>,
Self: IoCapable<u16>,
@@ -398,7 +398,7 @@ fn try_write16(&self, value: u16, offset: usize) -> Result
/// Fallible 32-bit write with runtime bounds check.
#[inline(always)]
- fn try_write32(&self, value: u32, offset: usize) -> Result
+ fn try_write32(self, value: u32, offset: usize) -> Result
where
usize: IoLoc<Self::Target, u32, IoType = u32>,
Self: IoCapable<u32>,
@@ -408,7 +408,7 @@ fn try_write32(&self, value: u32, offset: usize) -> Result
/// Fallible 64-bit write with runtime bounds check.
#[inline(always)]
- fn try_write64(&self, value: u64, offset: usize) -> Result
+ fn try_write64(self, value: u64, offset: usize) -> Result
where
usize: IoLoc<Self::Target, u64, IoType = u64>,
Self: IoCapable<u64>,
@@ -418,7 +418,7 @@ fn try_write64(&self, value: u64, offset: usize) -> Result
/// Infallible 8-bit read with compile-time bounds check.
#[inline(always)]
- fn read8(&self, offset: usize) -> u8
+ fn read8(self, offset: usize) -> u8
where
usize: IoLoc<Self::Target, u8, IoType = u8>,
Self: IoCapable<u8>,
@@ -428,7 +428,7 @@ fn read8(&self, offset: usize) -> u8
/// Infallible 16-bit read with compile-time bounds check.
#[inline(always)]
- fn read16(&self, offset: usize) -> u16
+ fn read16(self, offset: usize) -> u16
where
usize: IoLoc<Self::Target, u16, IoType = u16>,
Self: IoCapable<u16>,
@@ -438,7 +438,7 @@ fn read16(&self, offset: usize) -> u16
/// Infallible 32-bit read with compile-time bounds check.
#[inline(always)]
- fn read32(&self, offset: usize) -> u32
+ fn read32(self, offset: usize) -> u32
where
usize: IoLoc<Self::Target, u32, IoType = u32>,
Self: IoCapable<u32>,
@@ -448,7 +448,7 @@ fn read32(&self, offset: usize) -> u32
/// Infallible 64-bit read with compile-time bounds check.
#[inline(always)]
- fn read64(&self, offset: usize) -> u64
+ fn read64(self, offset: usize) -> u64
where
usize: IoLoc<Self::Target, u64, IoType = u64>,
Self: IoCapable<u64>,
@@ -458,7 +458,7 @@ fn read64(&self, offset: usize) -> u64
/// Infallible 8-bit write with compile-time bounds check.
#[inline(always)]
- fn write8(&self, value: u8, offset: usize)
+ fn write8(self, value: u8, offset: usize)
where
usize: IoLoc<Self::Target, u8, IoType = u8>,
Self: IoCapable<u8>,
@@ -468,7 +468,7 @@ fn write8(&self, value: u8, offset: usize)
/// Infallible 16-bit write with compile-time bounds check.
#[inline(always)]
- fn write16(&self, value: u16, offset: usize)
+ fn write16(self, value: u16, offset: usize)
where
usize: IoLoc<Self::Target, u16, IoType = u16>,
Self: IoCapable<u16>,
@@ -478,7 +478,7 @@ fn write16(&self, value: u16, offset: usize)
/// Infallible 32-bit write with compile-time bounds check.
#[inline(always)]
- fn write32(&self, value: u32, offset: usize)
+ fn write32(self, value: u32, offset: usize)
where
usize: IoLoc<Self::Target, u32, IoType = u32>,
Self: IoCapable<u32>,
@@ -488,7 +488,7 @@ fn write32(&self, value: u32, offset: usize)
/// Infallible 64-bit write with compile-time bounds check.
#[inline(always)]
- fn write64(&self, value: u64, offset: usize)
+ fn write64(self, value: u64, offset: usize)
where
usize: IoLoc<Self::Target, u64, IoType = u64>,
Self: IoCapable<u64>,
@@ -519,7 +519,7 @@ fn write64(&self, value: u64, offset: usize)
/// }
/// ```
#[inline(always)]
- fn try_read<T, L>(&self, location: L) -> Result<T>
+ fn try_read<T, L>(self, location: L) -> Result<T>
where
L: IoLoc<Self::Target, T>,
Self: IoCapable<L::IoType>,
@@ -553,7 +553,7 @@ fn try_read<T, L>(&self, location: L) -> Result<T>
/// }
/// ```
#[inline(always)]
- fn try_write<T, L>(&self, location: L, value: T) -> Result
+ fn try_write<T, L>(self, location: L, value: T) -> Result
where
L: IoLoc<Self::Target, T>,
Self: IoCapable<L::IoType>,
@@ -599,7 +599,7 @@ fn try_write<T, L>(&self, location: L, value: T) -> Result
/// }
/// ```
#[inline(always)]
- fn try_write_reg<T, L, V>(&self, value: V) -> Result
+ fn try_write_reg<T, L, V>(self, value: V) -> Result
where
L: IoLoc<Self::Target, T>,
V: LocatedRegister<Self::Target, Location = L, Value = T>,
@@ -632,7 +632,7 @@ fn try_write_reg<T, L, V>(&self, value: V) -> Result
/// }
/// ```
#[inline(always)]
- fn try_update<T, L, F>(&self, location: L, f: F) -> Result
+ fn try_update<T, L, F>(self, location: L, f: F) -> Result
where
L: IoLoc<Self::Target, T>,
Self: IoCapable<L::IoType>,
@@ -671,7 +671,7 @@ fn try_update<T, L, F>(&self, location: L, f: F) -> Result
/// }
/// ```
#[inline(always)]
- fn read<T, L>(&self, location: L) -> T
+ fn read<T, L>(self, location: L) -> T
where
L: IoLoc<Self::Target, T>,
Self: IoCapable<L::IoType>,
@@ -703,7 +703,7 @@ fn read<T, L>(&self, location: L) -> T
/// }
/// ```
#[inline(always)]
- fn write<T, L>(&self, location: L, value: T)
+ fn write<T, L>(self, location: L, value: T)
where
L: IoLoc<Self::Target, T>,
Self: IoCapable<L::IoType>,
@@ -746,7 +746,7 @@ fn write<T, L>(&self, location: L, value: T)
/// }
/// ```
#[inline(always)]
- fn write_reg<T, L, V>(&self, value: V)
+ fn write_reg<T, L, V>(self, value: V)
where
L: IoLoc<Self::Target, T>,
V: LocatedRegister<Self::Target, Location = L, Value = T>,
@@ -779,7 +779,7 @@ fn write_reg<T, L, V>(&self, value: V)
/// }
/// ```
#[inline(always)]
- fn update<T, L, F>(&self, location: L, f: F)
+ fn update<T, L, F>(self, location: L, f: F)
where
L: IoLoc<Self::Target, T>,
Self: IoCapable<L::IoType>,
@@ -800,13 +800,13 @@ fn update<T, L, F>(&self, location: L, f: F)
macro_rules! impl_mmio_io_capable {
($mmio:ident, $(#[$attr:meta])* $ty:ty, $read_fn:ident, $write_fn:ident) => {
$(#[$attr])*
- impl<const SIZE: usize> IoCapable<$ty> for $mmio<SIZE> {
- unsafe fn io_read(&self, address: usize) -> $ty {
+ impl<const SIZE: usize> IoCapable<$ty> for &$mmio<SIZE> {
+ unsafe fn io_read(self, address: usize) -> $ty {
// SAFETY: By the trait invariant `address` is a valid address for MMIO operations.
unsafe { bindings::$read_fn(address as *const c_void) }
}
- unsafe fn io_write(&self, value: $ty, address: usize) {
+ unsafe fn io_write(self, value: $ty, address: usize) {
// SAFETY: By the trait invariant `address` is a valid address for MMIO operations.
unsafe { bindings::$write_fn(value, address as *mut c_void) }
}
@@ -827,18 +827,18 @@ unsafe fn io_write(&self, value: $ty, address: usize) {
writeq
);
-impl<const SIZE: usize> Io for Mmio<SIZE> {
+impl<'a, const SIZE: usize> Io for &'a Mmio<SIZE> {
type Target = Region<SIZE>;
/// Returns the base address of this mapping.
#[inline]
- fn addr(&self) -> usize {
+ fn addr(self) -> usize {
self.0.addr()
}
/// Returns the maximum size of this mapping.
#[inline]
- fn maxsize(&self) -> usize {
+ fn maxsize(self) -> usize {
self.0.maxsize()
}
}
@@ -865,16 +865,16 @@ pub unsafe fn from_raw(raw: &MmioRaw<SIZE>) -> &Self {
#[repr(transparent)]
pub struct RelaxedMmio<const SIZE: usize = 0>(Mmio<SIZE>);
-impl<const SIZE: usize> Io for RelaxedMmio<SIZE> {
+impl<'a, const SIZE: usize> Io for &'a RelaxedMmio<SIZE> {
type Target = Region<SIZE>;
#[inline]
- fn addr(&self) -> usize {
+ fn addr(self) -> usize {
self.0.addr()
}
#[inline]
- fn maxsize(&self) -> usize {
+ fn maxsize(self) -> usize {
self.0.maxsize()
}
}
diff --git a/rust/kernel/pci/io.rs b/rust/kernel/pci/io.rs
index b4996aa059d8..505305cd9b86 100644
--- a/rust/kernel/pci/io.rs
+++ b/rust/kernel/pci/io.rs
@@ -79,8 +79,8 @@ pub struct ConfigSpace<'a, S: ?Sized + ConfigSpaceKind = Extended> {
/// Implements [`IoCapable`] on [`ConfigSpace`] for `$ty` using `$read_fn` and `$write_fn`.
macro_rules! impl_config_space_io_capable {
($ty:ty, $read_fn:ident, $write_fn:ident) => {
- impl<'a, S: ?Sized + ConfigSpaceKind> IoCapable<$ty> for ConfigSpace<'a, S> {
- unsafe fn io_read(&self, address: usize) -> $ty {
+ impl<'a, S: ?Sized + ConfigSpaceKind> IoCapable<$ty> for &ConfigSpace<'a, S> {
+ unsafe fn io_read(self, address: usize) -> $ty {
let mut val: $ty = 0;
// Return value from C function is ignored in infallible accessors.
@@ -94,7 +94,7 @@ unsafe fn io_read(&self, address: usize) -> $ty {
val
}
- unsafe fn io_write(&self, value: $ty, address: usize) {
+ unsafe fn io_write(self, value: $ty, address: usize) {
// Return value from C function is ignored in infallible accessors.
let _ret =
// SAFETY: By the type invariant `self.pdev` is a valid address.
@@ -112,18 +112,18 @@ unsafe fn io_write(&self, value: $ty, address: usize) {
impl_config_space_io_capable!(u16, pci_read_config_word, pci_write_config_word);
impl_config_space_io_capable!(u32, pci_read_config_dword, pci_write_config_dword);
-impl<'a, S: ?Sized + ConfigSpaceKind> Io for ConfigSpace<'a, S> {
+impl<'a, S: ?Sized + ConfigSpaceKind> Io for &ConfigSpace<'a, S> {
type Target = S;
/// Returns the base address of the I/O region. It is always 0 for configuration space.
#[inline]
- fn addr(&self) -> usize {
+ fn addr(self) -> usize {
0
}
/// Returns the maximum size of the configuration space.
#[inline]
- fn maxsize(&self) -> usize {
+ fn maxsize(self) -> usize {
self.pdev.cfg_size().into_raw()
}
}
--
2.54.0
^ permalink raw reply related [flat|nested] 40+ messages in thread
* [PATCH v4 05/20] rust: io: generalize `MmioRaw` to pointer to arbitrary type
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
` (3 preceding siblings ...)
2026-06-11 16:28 ` [PATCH v4 04/20] rust: io: implement `Io` on reference types instead Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
2026-06-11 17:15 ` sashiko-bot
2026-06-11 16:28 ` [PATCH v4 06/20] rust: io: rename `Mmio` to `MmioOwned` Gary Guo
` (14 subsequent siblings)
19 siblings, 1 reply; 40+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
Conceptually, `MmioRaw` is just `__iomem *`, so it should work for any
types. Update the existing use case where it represents a region of
compile-time known minimum size and run-time known actual size to use the
dynamic-sized type `Region<SIZE>` instead. Rename `maxsize` method to
reflect that it is the actual size (not a bound) of the region.
Implement `Clone` and `Copy` manually, which cannot be derived due to the
generic parameter. The use of raw pointers also cause the `Send` and `Sync`
auto trait implementation to be lost, so add them back by manual
implementation.
Signed-off-by: Gary Guo <gary@garyguo.net>
---
rust/kernel/devres.rs | 7 +++---
rust/kernel/io.rs | 67 +++++++++++++++++++++++++++++++++++++--------------
rust/kernel/io/mem.rs | 5 ++--
rust/kernel/pci/io.rs | 4 +--
4 files changed, 57 insertions(+), 26 deletions(-)
diff --git a/rust/kernel/devres.rs b/rust/kernel/devres.rs
index ed30ccc6e68e..d0c677fd7932 100644
--- a/rust/kernel/devres.rs
+++ b/rust/kernel/devres.rs
@@ -70,14 +70,15 @@ struct Inner<T> {
/// Io,
/// Mmio,
/// MmioRaw,
-/// PhysAddr, //
+/// PhysAddr,
+/// Region, //
/// },
/// prelude::*,
/// };
/// use core::ops::Deref;
///
/// // See also [`pci::Bar`] for a real example.
-/// struct IoMem<const SIZE: usize>(MmioRaw<SIZE>);
+/// struct IoMem<const SIZE: usize>(MmioRaw<Region<SIZE>>);
///
/// impl<const SIZE: usize> IoMem<SIZE> {
/// /// # Safety
@@ -92,7 +93,7 @@ struct Inner<T> {
/// return Err(ENOMEM);
/// }
///
-/// Ok(IoMem(MmioRaw::new(addr as usize, SIZE)?))
+/// Ok(IoMem(MmioRaw::new_region(addr as usize, SIZE)?))
/// }
/// }
///
diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
index 3b478dcf10f9..c64b12ade123 100644
--- a/rust/kernel/io.rs
+++ b/rust/kernel/io.rs
@@ -89,37 +89,67 @@ fn size(p: *const Self) -> usize {
/// Raw representation of an MMIO region.
///
+/// `MmioRaw<T>` is equivalent to `T __iomem *` in C.
+///
/// By itself, the existence of an instance of this structure does not provide any guarantees that
/// the represented MMIO region does exist or is properly mapped.
///
/// Instead, the bus specific MMIO implementation must convert this raw representation into an
/// `Mmio` instance providing the actual memory accessors. Only by the conversion into an `Mmio`
/// structure any guarantees are given.
-pub struct MmioRaw<const SIZE: usize = 0> {
- addr: usize,
- maxsize: usize,
+pub struct MmioRaw<T: ?Sized> {
+ /// Pointer is in I/O address space.
+ ///
+ /// The provenance does not matter, only the address and metadata do.
+ ptr: *mut T,
}
-impl<const SIZE: usize> MmioRaw<SIZE> {
- /// Returns a new `MmioRaw` instance on success, an error otherwise.
- pub fn new(addr: usize, maxsize: usize) -> Result<Self> {
- if maxsize < SIZE {
- return Err(EINVAL);
+impl<T: ?Sized> Copy for MmioRaw<T> {}
+impl<T: ?Sized> Clone for MmioRaw<T> {
+ #[inline]
+ fn clone(&self) -> Self {
+ *self
+ }
+}
+
+// SAFETY: `MmioRaw` is just an address, so is thread-safe.
+unsafe impl<T: ?Sized> Send for MmioRaw<T> {}
+// SAFETY: `MmioRaw` is just an address, so is thread-safe.
+unsafe impl<T: ?Sized> Sync for MmioRaw<T> {}
+
+impl<T> MmioRaw<T> {
+ /// Create a `MmioRaw` from address.
+ #[inline]
+ pub fn new(addr: usize) -> Self {
+ Self {
+ ptr: core::ptr::without_provenance_mut(addr),
}
+ }
+}
- Ok(Self { addr, maxsize })
+impl<const SIZE: usize> MmioRaw<Region<SIZE>> {
+ /// Create a `MmioRaw` representing a I/O region with given size.
+ ///
+ /// The size is checked against the minimum size specified via const generics.
+ #[inline]
+ pub fn new_region(addr: usize, size: usize) -> Result<Self> {
+ Ok(Self {
+ ptr: Region::ptr_try_from_raw_parts_mut(core::ptr::without_provenance_mut(addr), size)?,
+ })
}
+}
+impl<T: ?Sized + KnownSize> MmioRaw<T> {
/// Returns the base address of the MMIO region.
#[inline]
pub fn addr(&self) -> usize {
- self.addr
+ self.ptr.addr()
}
- /// Returns the maximum size of the MMIO region.
+ /// Returns the size of the MMIO region.
#[inline]
- pub fn maxsize(&self) -> usize {
- self.maxsize
+ pub fn size(&self) -> usize {
+ KnownSize::size(self.ptr)
}
}
@@ -144,12 +174,13 @@ pub fn maxsize(&self) -> usize {
/// Mmio,
/// MmioRaw,
/// PhysAddr,
+/// Region,
/// },
/// };
/// use core::ops::Deref;
///
/// // See also `pci::Bar` for a real example.
-/// struct IoMem<const SIZE: usize>(MmioRaw<SIZE>);
+/// struct IoMem<const SIZE: usize>(MmioRaw<Region<SIZE>>);
///
/// impl<const SIZE: usize> IoMem<SIZE> {
/// /// # Safety
@@ -164,7 +195,7 @@ pub fn maxsize(&self) -> usize {
/// return Err(ENOMEM);
/// }
///
-/// Ok(IoMem(MmioRaw::new(addr as usize, SIZE)?))
+/// Ok(IoMem(MmioRaw::new_region(addr as usize, SIZE)?))
/// }
/// }
///
@@ -194,7 +225,7 @@ pub fn maxsize(&self) -> usize {
/// # }
/// ```
#[repr(transparent)]
-pub struct Mmio<const SIZE: usize = 0>(MmioRaw<SIZE>);
+pub struct Mmio<const SIZE: usize = 0>(MmioRaw<Region<SIZE>>);
/// Checks whether an access of type `U` at the given `base` and the given `offset`
/// is valid within this region.
@@ -839,7 +870,7 @@ fn addr(self) -> usize {
/// Returns the maximum size of this mapping.
#[inline]
fn maxsize(self) -> usize {
- self.0.maxsize()
+ self.0.size()
}
}
@@ -850,7 +881,7 @@ impl<const SIZE: usize> Mmio<SIZE> {
///
/// Callers must ensure that `addr` is the start of a valid I/O mapped memory region of size
/// `maxsize`.
- pub unsafe fn from_raw(raw: &MmioRaw<SIZE>) -> &Self {
+ pub unsafe fn from_raw(raw: &MmioRaw<Region<SIZE>>) -> &Self {
// SAFETY: `Mmio` is a transparent wrapper around `MmioRaw`.
unsafe { &*core::ptr::from_ref(raw).cast() }
}
diff --git a/rust/kernel/io/mem.rs b/rust/kernel/io/mem.rs
index fc2a3e24f8d5..9e15bc8fde78 100644
--- a/rust/kernel/io/mem.rs
+++ b/rust/kernel/io/mem.rs
@@ -229,7 +229,7 @@ fn deref(&self) -> &Self::Target {
/// start of the I/O memory mapped region.
pub struct IoMem<'a, const SIZE: usize = 0> {
dev: &'a Device<Bound>,
- io: MmioRaw<SIZE>,
+ io: MmioRaw<super::Region<SIZE>>,
}
impl<'a, const SIZE: usize> IoMem<'a, SIZE> {
@@ -264,8 +264,7 @@ fn ioremap(dev: &'a Device<Bound>, resource: &Resource) -> Result<Self> {
return Err(ENOMEM);
}
- let io = MmioRaw::new(addr as usize, size)?;
-
+ let io = MmioRaw::new_region(addr as usize, size)?;
Ok(IoMem { dev, io })
}
diff --git a/rust/kernel/pci/io.rs b/rust/kernel/pci/io.rs
index 505305cd9b86..42f840d64a6f 100644
--- a/rust/kernel/pci/io.rs
+++ b/rust/kernel/pci/io.rs
@@ -139,7 +139,7 @@ fn maxsize(self) -> usize {
/// memory mapped PCI BAR and its size.
pub struct Bar<'a, const SIZE: usize = 0> {
pdev: &'a Device<device::Bound>,
- io: MmioRaw<SIZE>,
+ io: MmioRaw<crate::io::Region<SIZE>>,
num: i32,
}
@@ -179,7 +179,7 @@ pub(super) fn new(
return Err(ENOMEM);
}
- let io = match MmioRaw::new(ioptr, len as usize) {
+ let io = match MmioRaw::new_region(ioptr, len as usize) {
Ok(io) => io,
Err(err) => {
// SAFETY:
--
2.54.0
^ permalink raw reply related [flat|nested] 40+ messages in thread
* [PATCH v4 06/20] rust: io: rename `Mmio` to `MmioOwned`
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
` (4 preceding siblings ...)
2026-06-11 16:28 ` [PATCH v4 05/20] rust: io: generalize `MmioRaw` to pointer to arbitrary type Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
2026-06-11 17:21 ` sashiko-bot
2026-06-11 16:28 ` [PATCH v4 07/20] rust: io: implement `Mmio` as view type Gary Guo
` (13 subsequent siblings)
19 siblings, 1 reply; 40+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
Most users would more commonly reach out to a view of `Mmio` rather than an
owned instance of `Mmio`. Only implementor of `Io` like `Bar` or `IoMem`
would need the owned version. Thus, rename `Mmio` to `MmioOwned` so that
the name `Mmio` can be used for the view type instead.
Signed-off-by: Gary Guo <gary@garyguo.net>
---
rust/kernel/devres.rs | 6 ++--
rust/kernel/io.rs | 77 +++++++++++++++++++++++-----------------------
rust/kernel/io/mem.rs | 8 ++---
rust/kernel/io/poll.rs | 8 ++---
rust/kernel/io/register.rs | 24 +++++++--------
rust/kernel/pci/io.rs | 6 ++--
6 files changed, 65 insertions(+), 64 deletions(-)
diff --git a/rust/kernel/devres.rs b/rust/kernel/devres.rs
index d0c677fd7932..aed0c994fd30 100644
--- a/rust/kernel/devres.rs
+++ b/rust/kernel/devres.rs
@@ -68,7 +68,7 @@ struct Inner<T> {
/// devres::Devres,
/// io::{
/// Io,
-/// Mmio,
+/// MmioOwned,
/// MmioRaw,
/// PhysAddr,
/// Region, //
@@ -105,11 +105,11 @@ struct Inner<T> {
/// }
///
/// impl<const SIZE: usize> Deref for IoMem<SIZE> {
-/// type Target = Mmio<SIZE>;
+/// type Target = MmioOwned<SIZE>;
///
/// fn deref(&self) -> &Self::Target {
/// // SAFETY: The memory range stored in `self` has been properly mapped in `Self::new`.
-/// unsafe { Mmio::from_raw(&self.0) }
+/// unsafe { MmioOwned::from_raw(&self.0) }
/// }
/// }
/// # fn no_run(dev: &Device<Bound>) -> Result<(), Error> {
diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
index c64b12ade123..9ca0d325da50 100644
--- a/rust/kernel/io.rs
+++ b/rust/kernel/io.rs
@@ -95,8 +95,8 @@ fn size(p: *const Self) -> usize {
/// the represented MMIO region does exist or is properly mapped.
///
/// Instead, the bus specific MMIO implementation must convert this raw representation into an
-/// `Mmio` instance providing the actual memory accessors. Only by the conversion into an `Mmio`
-/// structure any guarantees are given.
+/// `MmioOwned` instance providing the actual memory accessors. Only by the conversion into an
+/// `MmioOwned` structure any guarantees are given.
pub struct MmioRaw<T: ?Sized> {
/// Pointer is in I/O address space.
///
@@ -171,7 +171,7 @@ pub fn size(&self) -> usize {
/// ffi::c_void,
/// io::{
/// Io,
-/// Mmio,
+/// MmioOwned,
/// MmioRaw,
/// PhysAddr,
/// Region,
@@ -207,11 +207,11 @@ pub fn size(&self) -> usize {
/// }
///
/// impl<const SIZE: usize> Deref for IoMem<SIZE> {
-/// type Target = Mmio<SIZE>;
+/// type Target = MmioOwned<SIZE>;
///
/// fn deref(&self) -> &Self::Target {
/// // SAFETY: The memory range stored in `self` has been properly mapped in `Self::new`.
-/// unsafe { Mmio::from_raw(&self.0) }
+/// unsafe { MmioOwned::from_raw(&self.0) }
/// }
/// }
///
@@ -225,7 +225,7 @@ pub fn size(&self) -> usize {
/// # }
/// ```
#[repr(transparent)]
-pub struct Mmio<const SIZE: usize = 0>(MmioRaw<Region<SIZE>>);
+pub struct MmioOwned<const SIZE: usize = 0>(MmioRaw<Region<SIZE>>);
/// Checks whether an access of type `U` at the given `base` and the given `offset`
/// is valid within this region.
@@ -536,10 +536,10 @@ fn write64(self, value: u64, offset: usize)
/// ```no_run
/// use kernel::io::{
/// Io,
- /// Mmio,
+ /// MmioOwned,
/// };
///
- /// fn do_reads(io: &Mmio) -> Result {
+ /// fn do_reads(io: &MmioOwned) -> Result {
/// // 32-bit read from address `0x10`.
/// let v: u32 = io.try_read(0x10)?;
///
@@ -570,10 +570,10 @@ fn try_read<T, L>(self, location: L) -> Result<T>
/// ```no_run
/// use kernel::io::{
/// Io,
- /// Mmio,
+ /// MmioOwned,
/// };
///
- /// fn do_writes(io: &Mmio) -> Result {
+ /// fn do_writes(io: &MmioOwned) -> Result {
/// // 32-bit write of value `1` at address `0x10`.
/// io.try_write(0x10, 1u32)?;
///
@@ -608,7 +608,7 @@ fn try_write<T, L>(self, location: L, value: T) -> Result
/// use kernel::io::{
/// register,
/// Io,
- /// Mmio,
+ /// MmioOwned,
/// };
///
/// register! {
@@ -624,7 +624,7 @@ fn try_write<T, L>(self, location: L, value: T) -> Result
/// }
/// }
///
- /// fn do_write_reg(io: &Mmio) -> Result {
+ /// fn do_write_reg(io: &MmioOwned) -> Result {
///
/// io.try_write_reg(VERSION::new(1, 0))
/// }
@@ -653,10 +653,10 @@ fn try_write_reg<T, L, V>(self, value: V) -> Result
/// ```no_run
/// use kernel::io::{
/// Io,
- /// Mmio,
+ /// MmioOwned,
/// };
///
- /// fn do_update(io: &Mmio<0x1000>) -> Result {
+ /// fn do_update(io: &MmioOwned<0x1000>) -> Result {
/// io.try_update(0x10, |v: u32| {
/// v + 1
/// })
@@ -690,10 +690,10 @@ fn try_update<T, L, F>(self, location: L, f: F) -> Result
/// ```no_run
/// use kernel::io::{
/// Io,
- /// Mmio,
+ /// MmioOwned,
/// };
///
- /// fn do_reads(io: &Mmio<0x1000>) {
+ /// fn do_reads(io: &MmioOwned<0x1000>) {
/// // 32-bit read from address `0x10`.
/// let v: u32 = io.read(0x10);
///
@@ -722,10 +722,10 @@ fn read<T, L>(self, location: L) -> T
/// ```no_run
/// use kernel::io::{
/// Io,
- /// Mmio,
+ /// MmioOwned,
/// };
///
- /// fn do_writes(io: &Mmio<0x1000>) {
+ /// fn do_writes(io: &MmioOwned<0x1000>) {
/// // 32-bit write of value `1` at address `0x10`.
/// io.write(0x10, 1u32);
///
@@ -756,7 +756,7 @@ fn write<T, L>(self, location: L, value: T)
/// use kernel::io::{
/// register,
/// Io,
- /// Mmio,
+ /// MmioOwned,
/// };
///
/// register! {
@@ -772,7 +772,7 @@ fn write<T, L>(self, location: L, value: T)
/// }
/// }
///
- /// fn do_write_reg(io: &Mmio<0x1000>) {
+ /// fn do_write_reg(io: &MmioOwned<0x1000>) {
/// io.write_reg(VERSION::new(1, 0));
/// }
/// ```
@@ -800,10 +800,10 @@ fn write_reg<T, L, V>(self, value: V)
/// ```no_run
/// use kernel::io::{
/// Io,
- /// Mmio,
+ /// MmioOwned,
/// };
///
- /// fn do_update(io: &Mmio<0x1000>) {
+ /// fn do_update(io: &MmioOwned<0x1000>) {
/// io.update(0x10, |v: u32| {
/// v + 1
/// })
@@ -846,19 +846,19 @@ unsafe fn io_write(self, value: $ty, address: usize) {
}
// MMIO regions support 8, 16, and 32-bit accesses.
-impl_mmio_io_capable!(Mmio, u8, readb, writeb);
-impl_mmio_io_capable!(Mmio, u16, readw, writew);
-impl_mmio_io_capable!(Mmio, u32, readl, writel);
+impl_mmio_io_capable!(MmioOwned, u8, readb, writeb);
+impl_mmio_io_capable!(MmioOwned, u16, readw, writew);
+impl_mmio_io_capable!(MmioOwned, u32, readl, writel);
// MMIO regions on 64-bit systems also support 64-bit accesses.
impl_mmio_io_capable!(
- Mmio,
+ MmioOwned,
#[cfg(CONFIG_64BIT)]
u64,
readq,
writeq
);
-impl<'a, const SIZE: usize> Io for &'a Mmio<SIZE> {
+impl<'a, const SIZE: usize> Io for &'a MmioOwned<SIZE> {
type Target = Region<SIZE>;
/// Returns the base address of this mapping.
@@ -874,27 +874,28 @@ fn maxsize(self) -> usize {
}
}
-impl<const SIZE: usize> Mmio<SIZE> {
- /// Converts an `MmioRaw` into an `Mmio` instance, providing the accessors to the MMIO mapping.
+impl<const SIZE: usize> MmioOwned<SIZE> {
+ /// Converts an `MmioRaw` into an `MmioOwned` instance, providing the accessors to the MMIO
+ /// mapping.
///
/// # Safety
///
/// Callers must ensure that `addr` is the start of a valid I/O mapped memory region of size
/// `maxsize`.
pub unsafe fn from_raw(raw: &MmioRaw<Region<SIZE>>) -> &Self {
- // SAFETY: `Mmio` is a transparent wrapper around `MmioRaw`.
+ // SAFETY: `MmioOwned` is a transparent wrapper around `MmioRaw`.
unsafe { &*core::ptr::from_ref(raw).cast() }
}
}
-/// [`Mmio`] wrapper using relaxed accessors.
+/// [`MmioOwned`] wrapper using relaxed accessors.
///
/// This type provides an implementation of [`Io`] that uses relaxed I/O MMIO operands instead of
/// the regular ones.
///
-/// See [`Mmio::relaxed`] for a usage example.
+/// See [`MmioOwned::relaxed`] for a usage example.
#[repr(transparent)]
-pub struct RelaxedMmio<const SIZE: usize = 0>(Mmio<SIZE>);
+pub struct RelaxedMmio<const SIZE: usize = 0>(MmioOwned<SIZE>);
impl<'a, const SIZE: usize> Io for &'a RelaxedMmio<SIZE> {
type Target = Region<SIZE>;
@@ -910,7 +911,7 @@ fn maxsize(self) -> usize {
}
}
-impl<const SIZE: usize> Mmio<SIZE> {
+impl<const SIZE: usize> MmioOwned<SIZE> {
/// Returns a [`RelaxedMmio`] reference that performs relaxed I/O operations.
///
/// Relaxed accessors do not provide ordering guarantees with respect to DMA or memory accesses
@@ -921,19 +922,19 @@ impl<const SIZE: usize> Mmio<SIZE> {
/// ```no_run
/// use kernel::io::{
/// Io,
- /// Mmio,
+ /// MmioOwned,
/// RelaxedMmio,
/// };
///
- /// fn do_io(io: &Mmio<0x100>) {
+ /// fn do_io(io: &MmioOwned<0x100>) {
/// // The access is performed using `readl_relaxed` instead of `readl`.
/// let v = io.relaxed().read32(0x10);
/// }
///
/// ```
pub fn relaxed(&self) -> &RelaxedMmio<SIZE> {
- // SAFETY: `RelaxedMmio` is `#[repr(transparent)]` over `Mmio`, so `Mmio<SIZE>` and
- // `RelaxedMmio<SIZE>` have identical layout.
+ // SAFETY: `RelaxedMmio` is `#[repr(transparent)]` over `MmioOwned`, so `MmioOwned<SIZE>`
+ // and `RelaxedMmio<SIZE>` have identical layout.
unsafe { core::mem::transmute(self) }
}
}
diff --git a/rust/kernel/io/mem.rs b/rust/kernel/io/mem.rs
index 9e15bc8fde78..8f6c257c5b8e 100644
--- a/rust/kernel/io/mem.rs
+++ b/rust/kernel/io/mem.rs
@@ -16,7 +16,7 @@
Region,
Resource, //
},
- Mmio,
+ MmioOwned,
MmioRaw, //
},
prelude::*,
@@ -211,7 +211,7 @@ pub fn into_devres(self) -> Result<Devres<ExclusiveIoMem<'static, SIZE>>> {
}
impl<const SIZE: usize> Deref for ExclusiveIoMem<'_, SIZE> {
- type Target = Mmio<SIZE>;
+ type Target = MmioOwned<SIZE>;
fn deref(&self) -> &Self::Target {
&self.iomem
@@ -291,10 +291,10 @@ fn drop(&mut self) {
}
impl<const SIZE: usize> Deref for IoMem<'_, SIZE> {
- type Target = Mmio<SIZE>;
+ type Target = MmioOwned<SIZE>;
fn deref(&self) -> &Self::Target {
// SAFETY: Safe as by the invariant of `IoMem`.
- unsafe { Mmio::from_raw(&self.io) }
+ unsafe { MmioOwned::from_raw(&self.io) }
}
}
diff --git a/rust/kernel/io/poll.rs b/rust/kernel/io/poll.rs
index 75d1b3e8596c..79828a8006b5 100644
--- a/rust/kernel/io/poll.rs
+++ b/rust/kernel/io/poll.rs
@@ -47,14 +47,14 @@
/// ```no_run
/// use kernel::io::{
/// Io,
-/// Mmio,
+/// MmioOwned,
/// poll::read_poll_timeout, //
/// };
/// use kernel::time::Delta;
///
/// const HW_READY: u16 = 0x01;
///
-/// fn wait_for_hardware<const SIZE: usize>(io: &Mmio<SIZE>) -> Result {
+/// fn wait_for_hardware<const SIZE: usize>(io: &MmioOwned<SIZE>) -> Result {
/// read_poll_timeout(
/// // The `op` closure reads the value of a specific status register.
/// || io.try_read16(0x1000),
@@ -134,14 +134,14 @@ pub fn read_poll_timeout<Op, Cond, T>(
/// ```no_run
/// use kernel::io::{
/// Io,
-/// Mmio,
+/// MmioOwned,
/// poll::read_poll_timeout_atomic, //
/// };
/// use kernel::time::Delta;
///
/// const HW_READY: u16 = 0x01;
///
-/// fn wait_for_hardware<const SIZE: usize>(io: &Mmio<SIZE>) -> Result {
+/// fn wait_for_hardware<const SIZE: usize>(io: &MmioOwned<SIZE>) -> Result {
/// read_poll_timeout_atomic(
/// // The `op` closure reads the value of a specific status register.
/// || io.try_read16(0x1000),
diff --git a/rust/kernel/io/register.rs b/rust/kernel/io/register.rs
index 64fff9193a13..242ad96ac805 100644
--- a/rust/kernel/io/register.rs
+++ b/rust/kernel/io/register.rs
@@ -58,7 +58,7 @@
//! },
//! num::Bounded,
//! };
-//! # use kernel::io::Mmio;
+//! # use kernel::io::MmioOwned;
//! # register! {
//! # pub BOOT_0(u32) @ 0x00000100 {
//! # 15:8 vendor_id;
@@ -66,7 +66,7 @@
//! # 3:0 minor_revision;
//! # }
//! # }
-//! # fn test(io: &Mmio<0x1000>) {
+//! # fn test(io: &MmioOwned<0x1000>) {
//! # fn obtain_vendor_id() -> u8 { 0xff }
//!
//! // Read from the register's defined offset (0x100).
@@ -447,7 +447,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// Io,
/// },
/// };
-/// # use kernel::io::Mmio;
+/// # use kernel::io::MmioOwned;
///
/// register! {
/// FIXED_REG(u32) @ 0x100 {
@@ -456,7 +456,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// }
/// }
///
-/// # fn test(io: &Mmio<0x1000>) {
+/// # fn test(io: &MmioOwned<0x1000>) {
/// let val = io.read(FIXED_REG);
///
/// // Write from an already-existing value.
@@ -560,7 +560,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// Io,
/// },
/// };
-/// # use kernel::io::Mmio;
+/// # use kernel::io::MmioOwned;
///
/// // Type used to identify the base.
/// pub struct CpuCtlBase;
@@ -585,7 +585,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// }
/// }
///
-/// # fn test(io: Mmio<0x1000>) {
+/// # fn test(io: MmioOwned<0x1000>) {
/// // Read the status of `Cpu0`.
/// let cpu0_started = io.read(CPU_CTL::of::<Cpu0>());
///
@@ -602,7 +602,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// }
/// }
///
-/// # fn test2(io: Mmio<0x1000>) {
+/// # fn test2(io: MmioOwned<0x1000>) {
/// // Start the aliased `CPU0`, leaving its other fields untouched.
/// io.update(CPU_CTL_ALIAS::of::<Cpu0>(), |r| r.with_alias_start(true));
/// # }
@@ -639,7 +639,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// Io,
/// },
/// };
-/// # use kernel::io::Mmio;
+/// # use kernel::io::MmioOwned;
/// # fn get_scratch_idx() -> usize {
/// # 0x15
/// # }
@@ -652,7 +652,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// }
/// }
///
-/// # fn test(io: &Mmio<0x1000>)
+/// # fn test(io: &MmioOwned<0x1000>)
/// # -> Result<(), Error>{
/// // Read scratch register 0, i.e. I/O address `0x80`.
/// let scratch_0 = io.read(SCRATCH::at(0)).value();
@@ -725,7 +725,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// Io,
/// },
/// };
-/// # use kernel::io::Mmio;
+/// # use kernel::io::MmioOwned;
/// # fn get_scratch_idx() -> usize {
/// # 0x15
/// # }
@@ -753,7 +753,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// }
/// }
///
-/// # fn test(io: &Mmio<0x1000>) -> Result<(), Error> {
+/// # fn test(io: &MmioOwned<0x1000>) -> Result<(), Error> {
/// // Read scratch register 0 of CPU0.
/// let scratch = io.read(CPU_SCRATCH::of::<Cpu0>().at(0));
///
@@ -795,7 +795,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// }
/// }
///
-/// # fn test2(io: &Mmio<0x1000>) -> Result<(), Error> {
+/// # fn test2(io: &MmioOwned<0x1000>) -> Result<(), Error> {
/// let cpu0_status = io.read(CPU_FIRMWARE_STATUS::of::<Cpu0>()).status();
/// # Ok(())
/// # }
diff --git a/rust/kernel/pci/io.rs b/rust/kernel/pci/io.rs
index 42f840d64a6f..e0acb62f58a2 100644
--- a/rust/kernel/pci/io.rs
+++ b/rust/kernel/pci/io.rs
@@ -10,7 +10,7 @@
io::{
Io,
IoCapable,
- Mmio,
+ MmioOwned,
MmioRaw,
Region, //
},
@@ -242,11 +242,11 @@ fn drop(&mut self) {
}
impl<const SIZE: usize> Deref for Bar<'_, SIZE> {
- type Target = Mmio<SIZE>;
+ type Target = MmioOwned<SIZE>;
fn deref(&self) -> &Self::Target {
// SAFETY: By the type invariant of `Self`, the MMIO range in `self.io` is properly mapped.
- unsafe { Mmio::from_raw(&self.io) }
+ unsafe { MmioOwned::from_raw(&self.io) }
}
}
--
2.54.0
^ permalink raw reply related [flat|nested] 40+ messages in thread
* [PATCH v4 07/20] rust: io: implement `Mmio` as view type
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
` (5 preceding siblings ...)
2026-06-11 16:28 ` [PATCH v4 06/20] rust: io: rename `Mmio` to `MmioOwned` Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
2026-06-11 17:31 ` sashiko-bot
2026-06-11 16:28 ` [PATCH v4 08/20] rust: pci: io: make `ConfigSpace` a view Gary Guo
` (12 subsequent siblings)
19 siblings, 1 reply; 40+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
Implement `Mmio` as view type and convert `RelaxedMmio` to view type as
well. I/O implementations of `MmioOwned` are changed to delegate to the
`Mmio` view type.
All existing users of `MmioOwned` in the documentation which do not
actually reflect the owning semantics is converted.
Signed-off-by: Gary Guo <gary@garyguo.net>
---
rust/kernel/io.rs | 195 +++++++++++++++++++++++++++++++++++----------
rust/kernel/io/poll.rs | 10 ++-
rust/kernel/io/register.rs | 24 +++---
3 files changed, 171 insertions(+), 58 deletions(-)
diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
index 9ca0d325da50..3ac8b396f5a7 100644
--- a/rust/kernel/io.rs
+++ b/rust/kernel/io.rs
@@ -4,6 +4,10 @@
//!
//! C header: [`include/asm-generic/io.h`](srctree/include/asm-generic/io.h)
+use core::{
+ marker::PhantomData, //
+};
+
use crate::{
bindings,
prelude::*,
@@ -536,10 +540,11 @@ fn write64(self, value: u64, offset: usize)
/// ```no_run
/// use kernel::io::{
/// Io,
- /// MmioOwned,
+ /// Mmio,
+ /// Region,
/// };
///
- /// fn do_reads(io: &MmioOwned) -> Result {
+ /// fn do_reads(io: Mmio<'_, Region>) -> Result {
/// // 32-bit read from address `0x10`.
/// let v: u32 = io.try_read(0x10)?;
///
@@ -570,10 +575,11 @@ fn try_read<T, L>(self, location: L) -> Result<T>
/// ```no_run
/// use kernel::io::{
/// Io,
- /// MmioOwned,
+ /// Mmio,
+ /// Region,
/// };
///
- /// fn do_writes(io: &MmioOwned) -> Result {
+ /// fn do_writes(io: Mmio<'_, Region>) -> Result {
/// // 32-bit write of value `1` at address `0x10`.
/// io.try_write(0x10, 1u32)?;
///
@@ -608,7 +614,8 @@ fn try_write<T, L>(self, location: L, value: T) -> Result
/// use kernel::io::{
/// register,
/// Io,
- /// MmioOwned,
+ /// Mmio,
+ /// Region,
/// };
///
/// register! {
@@ -624,7 +631,7 @@ fn try_write<T, L>(self, location: L, value: T) -> Result
/// }
/// }
///
- /// fn do_write_reg(io: &MmioOwned) -> Result {
+ /// fn do_write_reg(io: Mmio<'_, Region>) -> Result {
///
/// io.try_write_reg(VERSION::new(1, 0))
/// }
@@ -653,10 +660,11 @@ fn try_write_reg<T, L, V>(self, value: V) -> Result
/// ```no_run
/// use kernel::io::{
/// Io,
- /// MmioOwned,
+ /// Mmio,
+ /// Region,
/// };
///
- /// fn do_update(io: &MmioOwned<0x1000>) -> Result {
+ /// fn do_update(io: Mmio<'_, Region<0x1000>>) -> Result {
/// io.try_update(0x10, |v: u32| {
/// v + 1
/// })
@@ -690,10 +698,11 @@ fn try_update<T, L, F>(self, location: L, f: F) -> Result
/// ```no_run
/// use kernel::io::{
/// Io,
- /// MmioOwned,
+ /// Mmio,
+ /// Region,
/// };
///
- /// fn do_reads(io: &MmioOwned<0x1000>) {
+ /// fn do_reads(io: Mmio<'_, Region<0x1000>>) {
/// // 32-bit read from address `0x10`.
/// let v: u32 = io.read(0x10);
///
@@ -722,10 +731,11 @@ fn read<T, L>(self, location: L) -> T
/// ```no_run
/// use kernel::io::{
/// Io,
- /// MmioOwned,
+ /// Mmio,
+ /// Region,
/// };
///
- /// fn do_writes(io: &MmioOwned<0x1000>) {
+ /// fn do_writes(io: Mmio<'_, Region<0x1000>>) {
/// // 32-bit write of value `1` at address `0x10`.
/// io.write(0x10, 1u32);
///
@@ -756,7 +766,8 @@ fn write<T, L>(self, location: L, value: T)
/// use kernel::io::{
/// register,
/// Io,
- /// MmioOwned,
+ /// Mmio,
+ /// Region,
/// };
///
/// register! {
@@ -772,7 +783,7 @@ fn write<T, L>(self, location: L, value: T)
/// }
/// }
///
- /// fn do_write_reg(io: &MmioOwned<0x1000>) {
+ /// fn do_write_reg(io: Mmio<'_, Region<0x1000>>) {
/// io.write_reg(VERSION::new(1, 0));
/// }
/// ```
@@ -800,10 +811,11 @@ fn write_reg<T, L, V>(self, value: V)
/// ```no_run
/// use kernel::io::{
/// Io,
- /// MmioOwned,
+ /// Mmio,
+ /// Region,
/// };
///
- /// fn do_update(io: &MmioOwned<0x1000>) {
+ /// fn do_update(io: Mmio<'_, Region<0x1000>>) {
/// io.update(0x10, |v: u32| {
/// v + 1
/// })
@@ -827,16 +839,72 @@ fn update<T, L, F>(self, location: L, f: F)
}
}
+/// A view of memory-mapped I/O region.
+///
+/// # Invariant
+///
+/// `ptr` points to a valid and aligned memory-mapped I/O region for the duration lifetime `'a`.
+pub struct Mmio<'a, T: ?Sized> {
+ ptr: *mut T,
+ phantom: PhantomData<&'a ()>,
+}
+
+impl<T: ?Sized> Copy for Mmio<'_, T> {}
+impl<T: ?Sized> Clone for Mmio<'_, T> {
+ #[inline]
+ fn clone(&self) -> Self {
+ *self
+ }
+}
+
+impl<'a, T: ?Sized> Mmio<'a, T> {
+ /// Create a `Mmio`, providing the accessors to the MMIO mapping.
+ ///
+ /// # Safety
+ ///
+ /// `raw` represents an valid and aligned memory-mapped I/O region while `'a` is alive.
+ #[inline]
+ pub unsafe fn from_raw(raw: MmioRaw<T>) -> Self {
+ // INVARIANT: Per safety requirement.
+ Self {
+ ptr: raw.ptr,
+ phantom: PhantomData,
+ }
+ }
+}
+
+// SAFETY: `Mmio<'_, T>` is conceptually `&T` but in I/O memory.
+unsafe impl<T: ?Sized + Sync> Send for Mmio<'_, T> {}
+
+// SAFETY: `Mmio<'_, T>` is conceptually `&T` but in I/O memory.
+unsafe impl<T: ?Sized + Sync> Sync for Mmio<'_, T> {}
+
+impl<T: ?Sized + KnownSize> Io for Mmio<'_, T> {
+ type Target = T;
+
+ #[inline]
+ fn addr(self) -> usize {
+ self.ptr.addr()
+ }
+
+ #[inline]
+ fn maxsize(self) -> usize {
+ KnownSize::size(self.ptr)
+ }
+}
+
/// Implements [`IoCapable`] on `$mmio` for `$ty` using `$read_fn` and `$write_fn`.
macro_rules! impl_mmio_io_capable {
($mmio:ident, $(#[$attr:meta])* $ty:ty, $read_fn:ident, $write_fn:ident) => {
$(#[$attr])*
- impl<const SIZE: usize> IoCapable<$ty> for &$mmio<SIZE> {
+ impl<T: ?Sized> IoCapable<$ty> for $mmio<'_, T> {
+ #[inline]
unsafe fn io_read(self, address: usize) -> $ty {
// SAFETY: By the trait invariant `address` is a valid address for MMIO operations.
unsafe { bindings::$read_fn(address as *const c_void) }
}
+ #[inline]
unsafe fn io_write(self, value: $ty, address: usize) {
// SAFETY: By the trait invariant `address` is a valid address for MMIO operations.
unsafe { bindings::$write_fn(value, address as *mut c_void) }
@@ -846,17 +914,12 @@ unsafe fn io_write(self, value: $ty, address: usize) {
}
// MMIO regions support 8, 16, and 32-bit accesses.
-impl_mmio_io_capable!(MmioOwned, u8, readb, writeb);
-impl_mmio_io_capable!(MmioOwned, u16, readw, writew);
-impl_mmio_io_capable!(MmioOwned, u32, readl, writel);
+impl_mmio_io_capable!(Mmio, u8, readb, writeb);
+impl_mmio_io_capable!(Mmio, u16, readw, writew);
+impl_mmio_io_capable!(Mmio, u32, readl, writel);
// MMIO regions on 64-bit systems also support 64-bit accesses.
-impl_mmio_io_capable!(
- MmioOwned,
- #[cfg(CONFIG_64BIT)]
- u64,
- readq,
- writeq
-);
+#[cfg(CONFIG_64BIT)]
+impl_mmio_io_capable!(Mmio, u64, readq, writeq);
impl<'a, const SIZE: usize> Io for &'a MmioOwned<SIZE> {
type Target = Region<SIZE>;
@@ -874,6 +937,23 @@ fn maxsize(self) -> usize {
}
}
+impl<'a, const SIZE: usize, T> IoCapable<T> for &'a MmioOwned<SIZE>
+where
+ Mmio<'a, Region<SIZE>>: IoCapable<T>,
+{
+ #[inline]
+ unsafe fn io_read(self, address: usize) -> T {
+ // SAFETY: Per safety requirement.
+ unsafe { self.as_view().io_read(address) }
+ }
+
+ #[inline]
+ unsafe fn io_write(self, value: T, address: usize) {
+ // SAFETY: Per safety requirement.
+ unsafe { self.as_view().io_write(value, address) }
+ }
+}
+
impl<const SIZE: usize> MmioOwned<SIZE> {
/// Converts an `MmioRaw` into an `MmioOwned` instance, providing the accessors to the MMIO
/// mapping.
@@ -886,32 +966,59 @@ pub unsafe fn from_raw(raw: &MmioRaw<Region<SIZE>>) -> &Self {
// SAFETY: `MmioOwned` is a transparent wrapper around `MmioRaw`.
unsafe { &*core::ptr::from_ref(raw).cast() }
}
+
+ /// Return a view that covers the full region.
+ #[inline]
+ pub fn as_view(&self) -> Mmio<'_, Region<SIZE>> {
+ // SAFETY: `Mmio` has same invariant as `MmioOwned`.
+ unsafe { Mmio::from_raw(self.0) }
+ }
}
-/// [`MmioOwned`] wrapper using relaxed accessors.
+/// [`Mmio`] but using relaxed accessors.
///
/// This type provides an implementation of [`Io`] that uses relaxed I/O MMIO operands instead of
/// the regular ones.
///
-/// See [`MmioOwned::relaxed`] for a usage example.
-#[repr(transparent)]
-pub struct RelaxedMmio<const SIZE: usize = 0>(MmioOwned<SIZE>);
+/// See [`Mmio::relaxed`] for a usage example.
+///
+/// # Invariant
+///
+/// `ptr` points to a valid and aligned memory-mapped I/O region for the duration lifetime `'a`.
+pub struct RelaxedMmio<'a, T: ?Sized> {
+ ptr: *mut T,
+ phantom: PhantomData<&'a ()>,
+}
-impl<'a, const SIZE: usize> Io for &'a RelaxedMmio<SIZE> {
- type Target = Region<SIZE>;
+impl<T: ?Sized> Copy for RelaxedMmio<'_, T> {}
+impl<T: ?Sized> Clone for RelaxedMmio<'_, T> {
+ #[inline]
+ fn clone(&self) -> Self {
+ *self
+ }
+}
+
+// SAFETY: `RelaxedMmio<'_, T>` is conceptually `&T` but in I/O memory.
+unsafe impl<T: ?Sized + Sync> Send for RelaxedMmio<'_, T> {}
+
+// SAFETY: `RelaxedMmio<'_, T>` is conceptually `&T` but in I/O memory.
+unsafe impl<T: ?Sized + Sync> Sync for RelaxedMmio<'_, T> {}
+
+impl<T: ?Sized + KnownSize> Io for RelaxedMmio<'_, T> {
+ type Target = T;
#[inline]
fn addr(self) -> usize {
- self.0.addr()
+ self.ptr.addr()
}
#[inline]
fn maxsize(self) -> usize {
- self.0.maxsize()
+ KnownSize::size(self.ptr)
}
}
-impl<const SIZE: usize> MmioOwned<SIZE> {
+impl<'a, T: ?Sized> Mmio<'a, T> {
/// Returns a [`RelaxedMmio`] reference that performs relaxed I/O operations.
///
/// Relaxed accessors do not provide ordering guarantees with respect to DMA or memory accesses
@@ -922,20 +1029,24 @@ impl<const SIZE: usize> MmioOwned<SIZE> {
/// ```no_run
/// use kernel::io::{
/// Io,
- /// MmioOwned,
+ /// Mmio,
+ /// Region,
/// RelaxedMmio,
/// };
///
- /// fn do_io(io: &MmioOwned<0x100>) {
+ /// fn do_io(io: Mmio<'_, Region<0x100>>) {
/// // The access is performed using `readl_relaxed` instead of `readl`.
/// let v = io.relaxed().read32(0x10);
/// }
///
/// ```
- pub fn relaxed(&self) -> &RelaxedMmio<SIZE> {
- // SAFETY: `RelaxedMmio` is `#[repr(transparent)]` over `MmioOwned`, so `MmioOwned<SIZE>`
- // and `RelaxedMmio<SIZE>` have identical layout.
- unsafe { core::mem::transmute(self) }
+ #[inline]
+ pub fn relaxed(self) -> RelaxedMmio<'a, T> {
+ // INVARIANT: `RelaxedMmio` has the same invariant as `Mmio`.
+ RelaxedMmio {
+ ptr: self.ptr,
+ phantom: PhantomData,
+ }
}
}
diff --git a/rust/kernel/io/poll.rs b/rust/kernel/io/poll.rs
index 79828a8006b5..d75f2fcf46f2 100644
--- a/rust/kernel/io/poll.rs
+++ b/rust/kernel/io/poll.rs
@@ -47,14 +47,15 @@
/// ```no_run
/// use kernel::io::{
/// Io,
-/// MmioOwned,
+/// Mmio,
+/// Region,
/// poll::read_poll_timeout, //
/// };
/// use kernel::time::Delta;
///
/// const HW_READY: u16 = 0x01;
///
-/// fn wait_for_hardware<const SIZE: usize>(io: &MmioOwned<SIZE>) -> Result {
+/// fn wait_for_hardware<const SIZE: usize>(io: Mmio<'_, Region<SIZE>>) -> Result {
/// read_poll_timeout(
/// // The `op` closure reads the value of a specific status register.
/// || io.try_read16(0x1000),
@@ -134,14 +135,15 @@ pub fn read_poll_timeout<Op, Cond, T>(
/// ```no_run
/// use kernel::io::{
/// Io,
-/// MmioOwned,
+/// Mmio,
+/// Region,
/// poll::read_poll_timeout_atomic, //
/// };
/// use kernel::time::Delta;
///
/// const HW_READY: u16 = 0x01;
///
-/// fn wait_for_hardware<const SIZE: usize>(io: &MmioOwned<SIZE>) -> Result {
+/// fn wait_for_hardware<const SIZE: usize>(io: Mmio<'_, Region<SIZE>>) -> Result {
/// read_poll_timeout_atomic(
/// // The `op` closure reads the value of a specific status register.
/// || io.try_read16(0x1000),
diff --git a/rust/kernel/io/register.rs b/rust/kernel/io/register.rs
index 242ad96ac805..d0feaf7c8736 100644
--- a/rust/kernel/io/register.rs
+++ b/rust/kernel/io/register.rs
@@ -58,7 +58,7 @@
//! },
//! num::Bounded,
//! };
-//! # use kernel::io::MmioOwned;
+//! # use kernel::io::{Mmio, Region};
//! # register! {
//! # pub BOOT_0(u32) @ 0x00000100 {
//! # 15:8 vendor_id;
@@ -66,7 +66,7 @@
//! # 3:0 minor_revision;
//! # }
//! # }
-//! # fn test(io: &MmioOwned<0x1000>) {
+//! # fn test(io: Mmio<'_, Region<0x1000>>) {
//! # fn obtain_vendor_id() -> u8 { 0xff }
//!
//! // Read from the register's defined offset (0x100).
@@ -447,7 +447,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// Io,
/// },
/// };
-/// # use kernel::io::MmioOwned;
+/// # use kernel::io::{Mmio, Region};
///
/// register! {
/// FIXED_REG(u32) @ 0x100 {
@@ -456,7 +456,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// }
/// }
///
-/// # fn test(io: &MmioOwned<0x1000>) {
+/// # fn test(io: Mmio<'_, Region<0x1000>>) {
/// let val = io.read(FIXED_REG);
///
/// // Write from an already-existing value.
@@ -560,7 +560,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// Io,
/// },
/// };
-/// # use kernel::io::MmioOwned;
+/// # use kernel::io::{Mmio, Region};
///
/// // Type used to identify the base.
/// pub struct CpuCtlBase;
@@ -585,7 +585,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// }
/// }
///
-/// # fn test(io: MmioOwned<0x1000>) {
+/// # fn test(io: Mmio<'_, Region<0x1000>>) {
/// // Read the status of `Cpu0`.
/// let cpu0_started = io.read(CPU_CTL::of::<Cpu0>());
///
@@ -602,7 +602,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// }
/// }
///
-/// # fn test2(io: MmioOwned<0x1000>) {
+/// # fn test2(io: Mmio<'_, Region<0x1000>>) {
/// // Start the aliased `CPU0`, leaving its other fields untouched.
/// io.update(CPU_CTL_ALIAS::of::<Cpu0>(), |r| r.with_alias_start(true));
/// # }
@@ -639,7 +639,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// Io,
/// },
/// };
-/// # use kernel::io::MmioOwned;
+/// # use kernel::io::{Mmio, Region};
/// # fn get_scratch_idx() -> usize {
/// # 0x15
/// # }
@@ -652,7 +652,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// }
/// }
///
-/// # fn test(io: &MmioOwned<0x1000>)
+/// # fn test(io: Mmio<'_, Region<0x1000>>)
/// # -> Result<(), Error>{
/// // Read scratch register 0, i.e. I/O address `0x80`.
/// let scratch_0 = io.read(SCRATCH::at(0)).value();
@@ -725,7 +725,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// Io,
/// },
/// };
-/// # use kernel::io::MmioOwned;
+/// # use kernel::io::{Mmio, Region};
/// # fn get_scratch_idx() -> usize {
/// # 0x15
/// # }
@@ -753,7 +753,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// }
/// }
///
-/// # fn test(io: &MmioOwned<0x1000>) -> Result<(), Error> {
+/// # fn test(io: Mmio<'_, Region<0x1000>>) -> Result<(), Error> {
/// // Read scratch register 0 of CPU0.
/// let scratch = io.read(CPU_SCRATCH::of::<Cpu0>().at(0));
///
@@ -795,7 +795,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// }
/// }
///
-/// # fn test2(io: &MmioOwned<0x1000>) -> Result<(), Error> {
+/// # fn test2(io: Mmio<'_, Region<0x1000>>) -> Result<(), Error> {
/// let cpu0_status = io.read(CPU_FIRMWARE_STATUS::of::<Cpu0>()).status();
/// # Ok(())
/// # }
--
2.54.0
^ permalink raw reply related [flat|nested] 40+ messages in thread
* [PATCH v4 08/20] rust: pci: io: make `ConfigSpace` a view
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
` (6 preceding siblings ...)
2026-06-11 16:28 ` [PATCH v4 07/20] rust: io: implement `Mmio` as view type Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
2026-06-11 17:37 ` sashiko-bot
2026-06-11 16:28 ` [PATCH v4 09/20] rust: io: use view types instead of addresses for `Io` Gary Guo
` (11 subsequent siblings)
19 siblings, 1 reply; 40+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
In order to support I/O projection, we are splitting I/O types into two
categories: owned objects and views. Owned objects have a specific type
that is related to setting up and tearing down, while views can have their
type changed with I/O projection.
Things like `IoMem` or `Bar` are owned objects, which requires setting up
mapping and cleaning up on drop. On the other side, `ConfigSpace` is really
just a view, as the resource is associated with the `pci::Device`.
Remove the `ConfigSpaceKind` bound on `ConfigSpace` and make it a generic
view. This means that `ConfigSpace` object now represents a subregion and
therefore encodes offset (as address of pointers) and size (as metadata of
pointers) itself. The full region case is still supported with offset 0 and
size of `cfg_size`.
Signed-off-by: Gary Guo <gary@garyguo.net>
---
rust/kernel/pci/io.rs | 64 +++++++++++++++++++++++++++++----------------------
1 file changed, 36 insertions(+), 28 deletions(-)
diff --git a/rust/kernel/pci/io.rs b/rust/kernel/pci/io.rs
index e0acb62f58a2..89f4bb483a7f 100644
--- a/rust/kernel/pci/io.rs
+++ b/rust/kernel/pci/io.rs
@@ -18,7 +18,6 @@
ptr::KnownSize, //
};
use core::{
- marker::PhantomData,
ops::Deref, //
};
@@ -53,33 +52,42 @@ pub const fn into_raw(self) -> usize {
/// Alias for extended (4096-byte) PCIe configuration space.
pub type Extended = Region<4096>;
-/// Trait for PCI configuration space size markers.
-///
-/// This trait is implemented by [`Normal`] and [`Extended`] to provide
-/// compile-time knowledge of the configuration space size.
-pub trait ConfigSpaceKind: KnownSize {}
-
-impl ConfigSpaceKind for Normal {}
-
-impl ConfigSpaceKind for Extended {}
-
-/// The PCI configuration space of a device.
+/// A view of PCI configuration space of a device.
///
/// Provides typed read and write accessors for configuration registers
/// using the standard `pci_read_config_*` and `pci_write_config_*` helpers.
///
-/// The generic parameter `S` indicates the maximum size of the configuration space.
-/// Use [`Normal`] for 256-byte legacy configuration space or [`Extended`] for
-/// 4096-byte PCIe extended configuration space (default).
-pub struct ConfigSpace<'a, S: ?Sized + ConfigSpaceKind = Extended> {
+/// The generic parameter `T` is the type of the view. The full configuration space is also a
+/// special type of view; in such cases, `T` can be [`Normal`] for 256-byte legacy configuration
+/// space or [`Extended`] for 4096-byte PCIe extended configuration space (default).
+///
+/// # Invariants
+///
+/// `ptr` is aligned and range `ptr..ptr + KnownSize::size(ptr)` is within
+/// `0..pdev.cfg_size().into_raw()`.
+pub struct ConfigSpace<'a, T: ?Sized = Extended> {
pub(crate) pdev: &'a Device<device::Bound>,
- _marker: PhantomData<S>,
+ ptr: *mut T,
}
+impl<T: ?Sized> Copy for ConfigSpace<'_, T> {}
+impl<T: ?Sized> Clone for ConfigSpace<'_, T> {
+ #[inline]
+ fn clone(&self) -> Self {
+ *self
+ }
+}
+
+// SAFETY: `ConfigSpace<'_, T>` is conceptually `&T` but in I/O memory.
+unsafe impl<T: ?Sized + Sync> Send for ConfigSpace<'_, T> {}
+
+// SAFETY: `ConfigSpace<'_, T>` is conceptually `&T` but in I/O memory.
+unsafe impl<T: ?Sized + Sync> Sync for ConfigSpace<'_, T> {}
+
/// Implements [`IoCapable`] on [`ConfigSpace`] for `$ty` using `$read_fn` and `$write_fn`.
macro_rules! impl_config_space_io_capable {
($ty:ty, $read_fn:ident, $write_fn:ident) => {
- impl<'a, S: ?Sized + ConfigSpaceKind> IoCapable<$ty> for &ConfigSpace<'a, S> {
+ impl<'a, T: ?Sized> IoCapable<$ty> for ConfigSpace<'a, T> {
unsafe fn io_read(self, address: usize) -> $ty {
let mut val: $ty = 0;
@@ -112,19 +120,17 @@ unsafe fn io_write(self, value: $ty, address: usize) {
impl_config_space_io_capable!(u16, pci_read_config_word, pci_write_config_word);
impl_config_space_io_capable!(u32, pci_read_config_dword, pci_write_config_dword);
-impl<'a, S: ?Sized + ConfigSpaceKind> Io for &ConfigSpace<'a, S> {
- type Target = S;
+impl<'a, T: ?Sized + KnownSize> Io for ConfigSpace<'a, T> {
+ type Target = T;
- /// Returns the base address of the I/O region. It is always 0 for configuration space.
#[inline]
fn addr(self) -> usize {
- 0
+ self.ptr.addr()
}
- /// Returns the maximum size of the configuration space.
#[inline]
fn maxsize(self) -> usize {
- self.pdev.cfg_size().into_raw()
+ KnownSize::size(self.ptr)
}
}
@@ -281,23 +287,25 @@ pub fn cfg_size(&self) -> ConfigSpaceSize {
}
}
- /// Return an initialized normal (256-byte) config space object.
+ /// Return a view of the normal (256-byte) config space.
pub fn config_space<'a>(&'a self) -> ConfigSpace<'a, Normal> {
+ // INVARIANT: null is aligned and the range is within config space.
ConfigSpace {
pdev: self,
- _marker: PhantomData,
+ ptr: Normal::ptr_from_raw_parts_mut(core::ptr::null_mut(), self.cfg_size().into_raw()),
}
}
- /// Return an initialized extended (4096-byte) config space object.
+ /// Return a view of the extended (4096-byte) config space.
pub fn config_space_extended<'a>(&'a self) -> Result<ConfigSpace<'a, Extended>> {
if self.cfg_size() != ConfigSpaceSize::Extended {
return Err(EINVAL);
}
+ // INVARIANT: null is aligned and we just checked the `cfg_size`.
Ok(ConfigSpace {
pdev: self,
- _marker: PhantomData,
+ ptr: Extended::ptr_from_raw_parts_mut(core::ptr::null_mut(), 4096),
})
}
}
--
2.54.0
^ permalink raw reply related [flat|nested] 40+ messages in thread
* [PATCH v4 09/20] rust: io: use view types instead of addresses for `Io`
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
` (7 preceding siblings ...)
2026-06-11 16:28 ` [PATCH v4 08/20] rust: pci: io: make `ConfigSpace` a view Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
2026-06-11 17:46 ` sashiko-bot
2026-06-11 16:28 ` [PATCH v4 10/20] rust: io: remove `MmioOwned` Gary Guo
` (10 subsequent siblings)
19 siblings, 1 reply; 40+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
Currently, `io_read` and `io_write` methods require the exact type of `Io`
plus an address. This means that they need to be monomorphized for each
different `Io` instance. This also means that multiple I/O implementors for
the same I/O kind needs to duplicate implementation (e.g. `Mmio` and
`MmioOwned`).
Create a new `IoBackend` trait and define these operations on it instead.
The operations are just going to receive a view type and operate on them.
This has the additional advantage that the invariants can be moved from the
trait (and guaranteed via `unsafe`) to type invariants on the canonical
view types of the backends, so `io_read` and `io_write` can be safe.
Note that view type is needed; addresses are insufficient in this
designk, as they do not carry sufficient information. For example,
`ConfigSpace` needs `&pci::Device` in addition to the address.
Signed-off-by: Gary Guo <gary@garyguo.net>
---
rust/kernel/io.rs | 345 ++++++++++++++++++++++++++------------------------
rust/kernel/pci/io.rs | 70 ++++++----
2 files changed, 224 insertions(+), 191 deletions(-)
diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
index 3ac8b396f5a7..e422a5ff2a5e 100644
--- a/rust/kernel/io.rs
+++ b/rust/kernel/io.rs
@@ -244,6 +244,38 @@ const fn offset_valid<U>(base: usize, offset: usize, size: usize) -> bool {
}
}
+/// I/O backends.
+///
+/// This is an abstract representation to be implemented by arbitrary I/O
+/// backends (e.g. MMIO, PCI config space, etc.).
+///
+/// The base trait only defines the projection operations; which I/O methods are available depends
+/// on which [`IoCapable<T>`] traits are implemented for the type. For example, for MMIO regions,
+/// all widths (u8, u16, u32, and u64 on 64-bit systems) are typically supported. For PCI
+/// configuration space, u8, u16, and u32 are supported but u64 is not.
+///
+/// This trait is separate from the `Io` trait as multiple different I/O types may share the same
+/// operation.
+pub trait IoBackend {
+ /// View type for this I/O backend.
+ type View<'a, T: ?Sized + KnownSize>: Io<'a, Backend = Self, Target = T>;
+
+ /// Convert a `view` to a raw pointer for projection.
+ fn as_ptr<'a, T: ?Sized + KnownSize>(view: Self::View<'a, T>) -> *mut T;
+
+ /// Project `view` to its subregion indicated by `ptr`.
+ ///
+ /// If input `view` is valid, returned view must also be valid.
+ ///
+ /// # Safety
+ ///
+ /// `ptr` must be a projection of `Self::as_ptr(view)`.
+ unsafe fn project_view<'a, T: ?Sized + KnownSize, U: ?Sized + KnownSize>(
+ view: Self::View<'a, T>,
+ ptr: *mut U,
+ ) -> Self::View<'a, U>;
+}
+
/// Trait indicating that an I/O backend supports operations of a certain type and providing an
/// implementation for these operations.
///
@@ -252,22 +284,12 @@ const fn offset_valid<U>(base: usize, offset: usize, size: usize) -> bool {
/// For example, a PCI configuration space may implement `IoCapable<u8>`, `IoCapable<u16>`,
/// and `IoCapable<u32>`, but not `IoCapable<u64>`, while an MMIO region on a 64-bit
/// system might implement all four.
-pub trait IoCapable<T> {
- /// Performs an I/O read of type `T` at `address` and returns the result.
- ///
- /// # Safety
- ///
- /// - The range `[address..address + size_of::<T>()]` must be within the bounds of `Self`.
- /// - `address` must be aligned.
- unsafe fn io_read(self, address: usize) -> T;
+pub trait IoCapable<T>: IoBackend {
+ /// Performs an I/O read of type `T` at `view` and returns the result.
+ fn io_read<'a>(view: Self::View<'a, T>) -> T;
- /// Performs an I/O write of `value` at `address`.
- ///
- /// # Safety
- ///
- /// - The range `[address..address + size_of::<T>()]` must be within the bounds of `Self`.
- /// - `address` must be aligned.
- unsafe fn io_write(self, value: T, address: usize);
+ /// Performs an I/O write of `value` at `view`.
+ fn io_write<'a>(view: Self::View<'a, T>, value: T);
}
/// Describes a given I/O location: its offset, width, and type to convert the raw value from and
@@ -319,56 +341,54 @@ fn offset(self) -> usize {
/// Types implementing this trait (e.g. MMIO BARs or PCI config regions)
/// can perform I/O operations on regions of memory.
///
-/// This is an abstract representation to be implemented by arbitrary I/O
-/// backends (e.g. MMIO, PCI config space, etc.).
-///
/// The [`Io`] trait provides:
-/// - Base address and size information
+/// - Method to convert into [`IoBackend::View`].
/// - Helper methods for offset validation and address calculation
/// - Fallible (runtime checked) accessors for different data widths
///
-/// Which I/O methods are available depends on which [`IoCapable<T>`] traits
-/// are implemented for the type.
-///
-/// # Examples
-///
-/// For MMIO regions, all widths (u8, u16, u32, and u64 on 64-bit systems) are typically
-/// supported. For PCI configuration space, u8, u16, and u32 are supported but u64 is not.
-pub trait Io: Copy {
+/// Which I/O methods are available depends on the associated [`IoBackend`] implementation.
+pub trait Io<'a>: Copy {
+ /// Type that defines all I/O operations.
+ type Backend: IoBackend;
+
/// Type of this I/O region. For untyped regions, [`Region`] can be used.
type Target: ?Sized + KnownSize;
- /// Returns the base address of this mapping.
- fn addr(self) -> usize;
-
- /// Returns the maximum size of this mapping.
- fn maxsize(self) -> usize;
+ /// Return a view that covers the full region.
+ fn as_view(self) -> <Self::Backend as IoBackend>::View<'a, Self::Target>;
- /// Returns the absolute I/O address for a given `offset`,
- /// performing compile-time bound checks.
+ /// Returns a view for a given `offset`, performing compile-time bound checks.
// Always inline to optimize out error path of `build_assert`.
#[inline(always)]
- fn io_addr_assert<U>(self, offset: usize) -> usize {
- // We cannot check alignment with `offset_valid` using `self.addr()`. So set 0 for it and
+ fn io_addr_assert<U>(self, offset: usize) -> <Self::Backend as IoBackend>::View<'a, U> {
+ // We cannot check alignment with `offset_valid` using `ptr.addr()`. So set 0 for it and
// ensure alignment by checking that the alignment of `U` is smaller or equal to the
// alignment of `Self::Target`.
const_assert!(Alignment::of::<U>().as_usize() <= Self::Target::MIN_ALIGN.as_usize());
build_assert!(offset_valid::<U>(0, offset, Self::Target::MIN_SIZE));
- self.addr() + offset
+ let view = self.as_view();
+ let ptr = Self::Backend::as_ptr(view);
+ let projected_ptr = ptr.cast::<U>().wrapping_byte_add(offset);
+ // SAFETY: `offset_valid` checks for size and alignment and therefore `projected_ptr` is a
+ // valid projection.
+ unsafe { Self::Backend::project_view(view, projected_ptr) }
}
- /// Returns the absolute I/O address for a given `offset`,
- /// performing runtime bound checks.
+ /// Returns a view for a given `offset`, performing runtime bound checks.
#[inline]
- fn io_addr<U>(self, offset: usize) -> Result<usize> {
- if !offset_valid::<U>(self.addr(), offset, self.maxsize()) {
+ fn io_addr<U>(self, offset: usize) -> Result<<Self::Backend as IoBackend>::View<'a, U>> {
+ let view = self.as_view();
+ let ptr = Self::Backend::as_ptr(view);
+
+ if !offset_valid::<U>(ptr.addr(), offset, KnownSize::size(ptr)) {
return Err(EINVAL);
}
- // Probably no need to check, since the safety requirements of `Self::new` guarantee that
- // this can't overflow.
- self.addr().checked_add(offset).ok_or(EINVAL)
+ let projected_ptr = ptr.cast::<U>().wrapping_byte_add(offset);
+ // SAFETY: `offset_valid` checks for size and alignment and therefore `projected_ptr` is a
+ // valid projection.
+ Ok(unsafe { Self::Backend::project_view(view, projected_ptr) })
}
/// Fallible 8-bit read with runtime bounds check.
@@ -376,7 +396,7 @@ fn io_addr<U>(self, offset: usize) -> Result<usize> {
fn try_read8(self, offset: usize) -> Result<u8>
where
usize: IoLoc<Self::Target, u8, IoType = u8>,
- Self: IoCapable<u8>,
+ Self::Backend: IoCapable<u8>,
{
self.try_read(offset)
}
@@ -386,7 +406,7 @@ fn try_read8(self, offset: usize) -> Result<u8>
fn try_read16(self, offset: usize) -> Result<u16>
where
usize: IoLoc<Self::Target, u16, IoType = u16>,
- Self: IoCapable<u16>,
+ Self::Backend: IoCapable<u16>,
{
self.try_read(offset)
}
@@ -396,7 +416,7 @@ fn try_read16(self, offset: usize) -> Result<u16>
fn try_read32(self, offset: usize) -> Result<u32>
where
usize: IoLoc<Self::Target, u32, IoType = u32>,
- Self: IoCapable<u32>,
+ Self::Backend: IoCapable<u32>,
{
self.try_read(offset)
}
@@ -406,7 +426,7 @@ fn try_read32(self, offset: usize) -> Result<u32>
fn try_read64(self, offset: usize) -> Result<u64>
where
usize: IoLoc<Self::Target, u64, IoType = u64>,
- Self: IoCapable<u64>,
+ Self::Backend: IoCapable<u64>,
{
self.try_read(offset)
}
@@ -416,7 +436,7 @@ fn try_read64(self, offset: usize) -> Result<u64>
fn try_write8(self, value: u8, offset: usize) -> Result
where
usize: IoLoc<Self::Target, u8, IoType = u8>,
- Self: IoCapable<u8>,
+ Self::Backend: IoCapable<u8>,
{
self.try_write(offset, value)
}
@@ -426,7 +446,7 @@ fn try_write8(self, value: u8, offset: usize) -> Result
fn try_write16(self, value: u16, offset: usize) -> Result
where
usize: IoLoc<Self::Target, u16, IoType = u16>,
- Self: IoCapable<u16>,
+ Self::Backend: IoCapable<u16>,
{
self.try_write(offset, value)
}
@@ -436,7 +456,7 @@ fn try_write16(self, value: u16, offset: usize) -> Result
fn try_write32(self, value: u32, offset: usize) -> Result
where
usize: IoLoc<Self::Target, u32, IoType = u32>,
- Self: IoCapable<u32>,
+ Self::Backend: IoCapable<u32>,
{
self.try_write(offset, value)
}
@@ -446,7 +466,7 @@ fn try_write32(self, value: u32, offset: usize) -> Result
fn try_write64(self, value: u64, offset: usize) -> Result
where
usize: IoLoc<Self::Target, u64, IoType = u64>,
- Self: IoCapable<u64>,
+ Self::Backend: IoCapable<u64>,
{
self.try_write(offset, value)
}
@@ -456,7 +476,7 @@ fn try_write64(self, value: u64, offset: usize) -> Result
fn read8(self, offset: usize) -> u8
where
usize: IoLoc<Self::Target, u8, IoType = u8>,
- Self: IoCapable<u8>,
+ Self::Backend: IoCapable<u8>,
{
self.read(offset)
}
@@ -466,7 +486,7 @@ fn read8(self, offset: usize) -> u8
fn read16(self, offset: usize) -> u16
where
usize: IoLoc<Self::Target, u16, IoType = u16>,
- Self: IoCapable<u16>,
+ Self::Backend: IoCapable<u16>,
{
self.read(offset)
}
@@ -476,7 +496,7 @@ fn read16(self, offset: usize) -> u16
fn read32(self, offset: usize) -> u32
where
usize: IoLoc<Self::Target, u32, IoType = u32>,
- Self: IoCapable<u32>,
+ Self::Backend: IoCapable<u32>,
{
self.read(offset)
}
@@ -486,7 +506,7 @@ fn read32(self, offset: usize) -> u32
fn read64(self, offset: usize) -> u64
where
usize: IoLoc<Self::Target, u64, IoType = u64>,
- Self: IoCapable<u64>,
+ Self::Backend: IoCapable<u64>,
{
self.read(offset)
}
@@ -496,7 +516,7 @@ fn read64(self, offset: usize) -> u64
fn write8(self, value: u8, offset: usize)
where
usize: IoLoc<Self::Target, u8, IoType = u8>,
- Self: IoCapable<u8>,
+ Self::Backend: IoCapable<u8>,
{
self.write(offset, value)
}
@@ -506,7 +526,7 @@ fn write8(self, value: u8, offset: usize)
fn write16(self, value: u16, offset: usize)
where
usize: IoLoc<Self::Target, u16, IoType = u16>,
- Self: IoCapable<u16>,
+ Self::Backend: IoCapable<u16>,
{
self.write(offset, value)
}
@@ -516,7 +536,7 @@ fn write16(self, value: u16, offset: usize)
fn write32(self, value: u32, offset: usize)
where
usize: IoLoc<Self::Target, u32, IoType = u32>,
- Self: IoCapable<u32>,
+ Self::Backend: IoCapable<u32>,
{
self.write(offset, value)
}
@@ -526,7 +546,7 @@ fn write32(self, value: u32, offset: usize)
fn write64(self, value: u64, offset: usize)
where
usize: IoLoc<Self::Target, u64, IoType = u64>,
- Self: IoCapable<u64>,
+ Self::Backend: IoCapable<u64>,
{
self.write(offset, value)
}
@@ -558,12 +578,10 @@ fn write64(self, value: u64, offset: usize)
fn try_read<T, L>(self, location: L) -> Result<T>
where
L: IoLoc<Self::Target, T>,
- Self: IoCapable<L::IoType>,
+ Self::Backend: IoCapable<L::IoType>,
{
- let address = self.io_addr::<L::IoType>(location.offset())?;
-
- // SAFETY: `address` has been validated by `io_addr`.
- Ok(unsafe { self.io_read(address) }.into())
+ let view = self.io_addr::<L::IoType>(location.offset())?;
+ Ok(Self::Backend::io_read(view).into())
}
/// Generic fallible write with runtime bounds check.
@@ -593,14 +611,11 @@ fn try_read<T, L>(self, location: L) -> Result<T>
fn try_write<T, L>(self, location: L, value: T) -> Result
where
L: IoLoc<Self::Target, T>,
- Self: IoCapable<L::IoType>,
+ Self::Backend: IoCapable<L::IoType>,
{
- let address = self.io_addr::<L::IoType>(location.offset())?;
+ let view = self.io_addr::<L::IoType>(location.offset())?;
let io_value = value.into();
-
- // SAFETY: `address` has been validated by `io_addr`.
- unsafe { self.io_write(io_value, address) }
-
+ Self::Backend::io_write(view, io_value);
Ok(())
}
@@ -641,7 +656,7 @@ fn try_write_reg<T, L, V>(self, value: V) -> Result
where
L: IoLoc<Self::Target, T>,
V: LocatedRegister<Self::Target, Location = L, Value = T>,
- Self: IoCapable<L::IoType>,
+ Self::Backend: IoCapable<L::IoType>,
{
let (location, value) = value.into_io_op();
@@ -674,17 +689,14 @@ fn try_write_reg<T, L, V>(self, value: V) -> Result
fn try_update<T, L, F>(self, location: L, f: F) -> Result
where
L: IoLoc<Self::Target, T>,
- Self: IoCapable<L::IoType>,
+ Self::Backend: IoCapable<L::IoType>,
F: FnOnce(T) -> T,
{
- let address = self.io_addr::<L::IoType>(location.offset())?;
+ let view = self.io_addr::<L::IoType>(location.offset())?;
- // SAFETY: `address` has been validated by `io_addr`.
- let value: T = unsafe { self.io_read(address) }.into();
+ let value: T = Self::Backend::io_read(view).into();
let io_value = f(value).into();
-
- // SAFETY: `address` has been validated by `io_addr`.
- unsafe { self.io_write(io_value, address) }
+ Self::Backend::io_write(view, io_value);
Ok(())
}
@@ -714,12 +726,10 @@ fn try_update<T, L, F>(self, location: L, f: F) -> Result
fn read<T, L>(self, location: L) -> T
where
L: IoLoc<Self::Target, T>,
- Self: IoCapable<L::IoType>,
+ Self::Backend: IoCapable<L::IoType>,
{
- let address = self.io_addr_assert::<L::IoType>(location.offset());
-
- // SAFETY: `address` has been validated by `io_addr_assert`.
- unsafe { self.io_read(address) }.into()
+ let view = self.io_addr_assert::<L::IoType>(location.offset());
+ Self::Backend::io_read(view).into()
}
/// Generic infallible write with compile-time bounds check.
@@ -747,13 +757,11 @@ fn read<T, L>(self, location: L) -> T
fn write<T, L>(self, location: L, value: T)
where
L: IoLoc<Self::Target, T>,
- Self: IoCapable<L::IoType>,
+ Self::Backend: IoCapable<L::IoType>,
{
- let address = self.io_addr_assert::<L::IoType>(location.offset());
+ let view = self.io_addr_assert::<L::IoType>(location.offset());
let io_value = value.into();
-
- // SAFETY: `address` has been validated by `io_addr_assert`.
- unsafe { self.io_write(io_value, address) }
+ Self::Backend::io_write(view, io_value);
}
/// Generic infallible write of a fully-located register value.
@@ -792,7 +800,7 @@ fn write_reg<T, L, V>(self, value: V)
where
L: IoLoc<Self::Target, T>,
V: LocatedRegister<Self::Target, Location = L, Value = T>,
- Self: IoCapable<L::IoType>,
+ Self::Backend: IoCapable<L::IoType>,
{
let (location, value) = value.into_io_op();
@@ -825,17 +833,13 @@ fn write_reg<T, L, V>(self, value: V)
fn update<T, L, F>(self, location: L, f: F)
where
L: IoLoc<Self::Target, T>,
- Self: IoCapable<L::IoType>,
+ Self::Backend: IoCapable<L::IoType>,
F: FnOnce(T) -> T,
{
- let address = self.io_addr_assert::<L::IoType>(location.offset());
-
- // SAFETY: `address` has been validated by `io_addr_assert`.
- let value: T = unsafe { self.io_read(address) }.into();
+ let view = self.io_addr_assert::<L::IoType>(location.offset());
+ let value: T = Self::Backend::io_read(view).into();
let io_value = f(value).into();
-
- // SAFETY: `address` has been validated by `io_addr_assert`.
- unsafe { self.io_write(io_value, address) }
+ Self::Backend::io_write(view, io_value);
}
}
@@ -879,78 +883,76 @@ unsafe impl<T: ?Sized + Sync> Send for Mmio<'_, T> {}
// SAFETY: `Mmio<'_, T>` is conceptually `&T` but in I/O memory.
unsafe impl<T: ?Sized + Sync> Sync for Mmio<'_, T> {}
-impl<T: ?Sized + KnownSize> Io for Mmio<'_, T> {
+impl<'a, T: ?Sized + KnownSize> Io<'a> for Mmio<'a, T> {
+ type Backend = MmioBackend;
type Target = T;
#[inline]
- fn addr(self) -> usize {
- self.ptr.addr()
+ fn as_view(self) -> Mmio<'a, T> {
+ self
}
+}
+
+/// I/O Backend for memory-mapped I/O.
+pub struct MmioBackend;
+
+impl IoBackend for MmioBackend {
+ type View<'a, T: ?Sized + KnownSize> = Mmio<'a, T>;
#[inline]
- fn maxsize(self) -> usize {
- KnownSize::size(self.ptr)
+ fn as_ptr<'a, T: ?Sized + KnownSize>(view: Self::View<'a, T>) -> *mut T {
+ view.ptr
+ }
+
+ #[inline]
+ unsafe fn project_view<'a, T: ?Sized + KnownSize, U: ?Sized + KnownSize>(
+ _view: Self::View<'a, T>,
+ ptr: *mut U,
+ ) -> Self::View<'a, U> {
+ // INVARIANT: Per safety requirement, `ptr` is projection from `view`, so it is also a valid
+ // memory-mapped I/O region.
+ Mmio {
+ ptr,
+ phantom: PhantomData,
+ }
}
}
-/// Implements [`IoCapable`] on `$mmio` for `$ty` using `$read_fn` and `$write_fn`.
+/// Implements [`IoCapable`] on `$backend` for `$ty` using `$read_fn` and `$write_fn`.
macro_rules! impl_mmio_io_capable {
- ($mmio:ident, $(#[$attr:meta])* $ty:ty, $read_fn:ident, $write_fn:ident) => {
- $(#[$attr])*
- impl<T: ?Sized> IoCapable<$ty> for $mmio<'_, T> {
+ ($backend: ident, $ty:ty, $read_fn:ident, $write_fn:ident) => {
+ impl IoCapable<$ty> for $backend {
#[inline]
- unsafe fn io_read(self, address: usize) -> $ty {
- // SAFETY: By the trait invariant `address` is a valid address for MMIO operations.
- unsafe { bindings::$read_fn(address as *const c_void) }
+ fn io_read(view: <$backend as IoBackend>::View<'_, $ty>) -> $ty {
+ // SAFETY: By the type invariant, `view.ptr` is a valid address for MMIO operations.
+ unsafe { bindings::$read_fn(view.ptr.cast_const().cast()) }
}
#[inline]
- unsafe fn io_write(self, value: $ty, address: usize) {
- // SAFETY: By the trait invariant `address` is a valid address for MMIO operations.
- unsafe { bindings::$write_fn(value, address as *mut c_void) }
+ fn io_write(view: <$backend as IoBackend>::View<'_, $ty>, value: $ty) {
+ // SAFETY: By the type invariant, `view.ptr` is a valid address for MMIO operations.
+ unsafe { bindings::$write_fn(value, view.ptr.cast()) }
}
}
};
}
// MMIO regions support 8, 16, and 32-bit accesses.
-impl_mmio_io_capable!(Mmio, u8, readb, writeb);
-impl_mmio_io_capable!(Mmio, u16, readw, writew);
-impl_mmio_io_capable!(Mmio, u32, readl, writel);
+impl_mmio_io_capable!(MmioBackend, u8, readb, writeb);
+impl_mmio_io_capable!(MmioBackend, u16, readw, writew);
+impl_mmio_io_capable!(MmioBackend, u32, readl, writel);
// MMIO regions on 64-bit systems also support 64-bit accesses.
#[cfg(CONFIG_64BIT)]
-impl_mmio_io_capable!(Mmio, u64, readq, writeq);
+impl_mmio_io_capable!(MmioBackend, u64, readq, writeq);
-impl<'a, const SIZE: usize> Io for &'a MmioOwned<SIZE> {
+impl<'a, const SIZE: usize> Io<'a> for &'a MmioOwned<SIZE> {
+ type Backend = MmioBackend;
type Target = Region<SIZE>;
- /// Returns the base address of this mapping.
#[inline]
- fn addr(self) -> usize {
- self.0.addr()
- }
-
- /// Returns the maximum size of this mapping.
- #[inline]
- fn maxsize(self) -> usize {
- self.0.size()
- }
-}
-
-impl<'a, const SIZE: usize, T> IoCapable<T> for &'a MmioOwned<SIZE>
-where
- Mmio<'a, Region<SIZE>>: IoCapable<T>,
-{
- #[inline]
- unsafe fn io_read(self, address: usize) -> T {
- // SAFETY: Per safety requirement.
- unsafe { self.as_view().io_read(address) }
- }
-
- #[inline]
- unsafe fn io_write(self, value: T, address: usize) {
- // SAFETY: Per safety requirement.
- unsafe { self.as_view().io_write(value, address) }
+ fn as_view(self) -> Mmio<'a, Self::Target> {
+ // SAFETY: `Mmio` has same invariant as `MmioOwned`
+ unsafe { Mmio::from_raw(self.0) }
}
}
@@ -966,13 +968,6 @@ pub unsafe fn from_raw(raw: &MmioRaw<Region<SIZE>>) -> &Self {
// SAFETY: `MmioOwned` is a transparent wrapper around `MmioRaw`.
unsafe { &*core::ptr::from_ref(raw).cast() }
}
-
- /// Return a view that covers the full region.
- #[inline]
- pub fn as_view(&self) -> Mmio<'_, Region<SIZE>> {
- // SAFETY: `Mmio` has same invariant as `MmioOwned`.
- unsafe { Mmio::from_raw(self.0) }
- }
}
/// [`Mmio`] but using relaxed accessors.
@@ -1004,17 +999,38 @@ unsafe impl<T: ?Sized + Sync> Send for RelaxedMmio<'_, T> {}
// SAFETY: `RelaxedMmio<'_, T>` is conceptually `&T` but in I/O memory.
unsafe impl<T: ?Sized + Sync> Sync for RelaxedMmio<'_, T> {}
-impl<T: ?Sized + KnownSize> Io for RelaxedMmio<'_, T> {
- type Target = T;
+/// I/O Backend for memory-mapped I/O, with relaxed access semantics.
+pub struct RelaxedMmioBackend;
+
+impl IoBackend for RelaxedMmioBackend {
+ type View<'a, T: ?Sized + KnownSize> = RelaxedMmio<'a, T>;
#[inline]
- fn addr(self) -> usize {
- self.ptr.addr()
+ fn as_ptr<'a, T: ?Sized + KnownSize>(view: Self::View<'a, T>) -> *mut T {
+ view.ptr
}
#[inline]
- fn maxsize(self) -> usize {
- KnownSize::size(self.ptr)
+ unsafe fn project_view<'a, T: ?Sized + KnownSize, U: ?Sized + KnownSize>(
+ _view: Self::View<'a, T>,
+ ptr: *mut U,
+ ) -> Self::View<'a, U> {
+ // INVARIANT: Per safety requirement, `ptr` is projection from `view`, so it is also a valid
+ // memory-mapped I/O region.
+ RelaxedMmio {
+ ptr,
+ phantom: PhantomData,
+ }
+ }
+}
+
+impl<'a, T: ?Sized + KnownSize> Io<'a> for RelaxedMmio<'a, T> {
+ type Backend = RelaxedMmioBackend;
+ type Target = T;
+
+ #[inline]
+ fn as_view(self) -> RelaxedMmio<'a, T> {
+ self
}
}
@@ -1051,14 +1067,9 @@ pub fn relaxed(self) -> RelaxedMmio<'a, T> {
}
// MMIO regions support 8, 16, and 32-bit accesses.
-impl_mmio_io_capable!(RelaxedMmio, u8, readb_relaxed, writeb_relaxed);
-impl_mmio_io_capable!(RelaxedMmio, u16, readw_relaxed, writew_relaxed);
-impl_mmio_io_capable!(RelaxedMmio, u32, readl_relaxed, writel_relaxed);
+impl_mmio_io_capable!(RelaxedMmioBackend, u8, readb_relaxed, writeb_relaxed);
+impl_mmio_io_capable!(RelaxedMmioBackend, u16, readw_relaxed, writew_relaxed);
+impl_mmio_io_capable!(RelaxedMmioBackend, u32, readl_relaxed, writel_relaxed);
// MMIO regions on 64-bit systems also support 64-bit accesses.
-impl_mmio_io_capable!(
- RelaxedMmio,
- #[cfg(CONFIG_64BIT)]
- u64,
- readq_relaxed,
- writeq_relaxed
-);
+#[cfg(CONFIG_64BIT)]
+impl_mmio_io_capable!(RelaxedMmioBackend, u64, readq_relaxed, writeq_relaxed);
diff --git a/rust/kernel/pci/io.rs b/rust/kernel/pci/io.rs
index 89f4bb483a7f..e67c1e3694fb 100644
--- a/rust/kernel/pci/io.rs
+++ b/rust/kernel/pci/io.rs
@@ -9,6 +9,7 @@
devres::Devres,
io::{
Io,
+ IoBackend,
IoCapable,
MmioOwned,
MmioRaw,
@@ -84,32 +85,57 @@ unsafe impl<T: ?Sized + Sync> Send for ConfigSpace<'_, T> {}
// SAFETY: `ConfigSpace<'_, T>` is conceptually `&T` but in I/O memory.
unsafe impl<T: ?Sized + Sync> Sync for ConfigSpace<'_, T> {}
+/// I/O Backend for PCI configuration space.
+pub struct ConfigSpaceBackend;
+
+impl IoBackend for ConfigSpaceBackend {
+ type View<'a, T: ?Sized + KnownSize> = ConfigSpace<'a, T>;
+
+ #[inline]
+ fn as_ptr<'a, T: ?Sized + KnownSize>(view: ConfigSpace<'a, T>) -> *mut T {
+ view.ptr
+ }
+
+ #[inline]
+ unsafe fn project_view<'a, T: ?Sized + KnownSize, U: ?Sized + KnownSize>(
+ view: Self::View<'a, T>,
+ ptr: *mut U,
+ ) -> Self::View<'a, U> {
+ // INVARIANT: Per safety requirement.
+ ConfigSpace {
+ pdev: view.pdev,
+ ptr,
+ }
+ }
+}
+
/// Implements [`IoCapable`] on [`ConfigSpace`] for `$ty` using `$read_fn` and `$write_fn`.
macro_rules! impl_config_space_io_capable {
($ty:ty, $read_fn:ident, $write_fn:ident) => {
- impl<'a, T: ?Sized> IoCapable<$ty> for ConfigSpace<'a, T> {
- unsafe fn io_read(self, address: usize) -> $ty {
+ impl IoCapable<$ty> for ConfigSpaceBackend {
+ fn io_read(view: ConfigSpace<'_, $ty>) -> $ty {
+ // CAST: The offset is cast to `i32` because the C functions expect a 32-bit
+ // signed offset parameter. PCI configuration space size is at most 4096 bytes,
+ // so the value always fits within `i32` without truncation or sign change.
+ let addr = view.ptr.addr() as i32;
+
let mut val: $ty = 0;
// Return value from C function is ignored in infallible accessors.
- let _ret =
- // SAFETY: By the type invariant `self.pdev` is a valid address.
- // CAST: The offset is cast to `i32` because the C functions expect a 32-bit
- // signed offset parameter. PCI configuration space size is at most 4096 bytes,
- // so the value always fits within `i32` without truncation or sign change.
- unsafe { bindings::$read_fn(self.pdev.as_raw(), address as i32, &mut val) };
-
+ // SAFETY: By the type invariant `pdev` is a valid address.
+ let _ = unsafe { bindings::$read_fn(view.pdev.as_raw(), addr, &mut val) };
val
}
- unsafe fn io_write(self, value: $ty, address: usize) {
+ fn io_write(view: ConfigSpace<'_, $ty>, value: $ty) {
+ // CAST: The offset is cast to `i32` because the C functions expect a 32-bit
+ // signed offset parameter. PCI configuration space size is at most 4096 bytes,
+ // so the value always fits within `i32` without truncation or sign change.
+ let addr = view.ptr.addr() as i32;
+
// Return value from C function is ignored in infallible accessors.
- let _ret =
- // SAFETY: By the type invariant `self.pdev` is a valid address.
- // CAST: The offset is cast to `i32` because the C functions expect a 32-bit
- // signed offset parameter. PCI configuration space size is at most 4096 bytes,
- // so the value always fits within `i32` without truncation or sign change.
- unsafe { bindings::$write_fn(self.pdev.as_raw(), address as i32, value) };
+ // SAFETY: By the type invariant `pdev` is a valid address.
+ let _ = unsafe { bindings::$write_fn(view.pdev.as_raw(), addr, value) };
}
}
};
@@ -120,17 +146,13 @@ unsafe fn io_write(self, value: $ty, address: usize) {
impl_config_space_io_capable!(u16, pci_read_config_word, pci_write_config_word);
impl_config_space_io_capable!(u32, pci_read_config_dword, pci_write_config_dword);
-impl<'a, T: ?Sized + KnownSize> Io for ConfigSpace<'a, T> {
+impl<'a, T: ?Sized + KnownSize> Io<'a> for ConfigSpace<'a, T> {
+ type Backend = ConfigSpaceBackend;
type Target = T;
#[inline]
- fn addr(self) -> usize {
- self.ptr.addr()
- }
-
- #[inline]
- fn maxsize(self) -> usize {
- KnownSize::size(self.ptr)
+ fn as_view(self) -> ConfigSpace<'a, T> {
+ self
}
}
--
2.54.0
^ permalink raw reply related [flat|nested] 40+ messages in thread
* [PATCH v4 10/20] rust: io: remove `MmioOwned`
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
` (8 preceding siblings ...)
2026-06-11 16:28 ` [PATCH v4 09/20] rust: io: use view types instead of addresses for `Io` Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
2026-06-11 17:54 ` sashiko-bot
2026-06-11 16:28 ` [PATCH v4 11/20] rust: io: move `Io` methods to extension trait Gary Guo
` (9 subsequent siblings)
19 siblings, 1 reply; 40+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
`Io` trait is now very easy to implement. Thus, implement it on `Bar` and
`IoMem` directly and remove the `MmioOwned` struct.
Signed-off-by: Gary Guo <gary@garyguo.net>
---
rust/kernel/devres.rs | 12 +++---
rust/kernel/io.rs | 103 +-------------------------------------------------
rust/kernel/io/mem.rs | 26 +++++++------
rust/kernel/pci/io.rs | 16 ++++----
4 files changed, 32 insertions(+), 125 deletions(-)
diff --git a/rust/kernel/devres.rs b/rust/kernel/devres.rs
index aed0c994fd30..3545ffc5345d 100644
--- a/rust/kernel/devres.rs
+++ b/rust/kernel/devres.rs
@@ -68,8 +68,9 @@ struct Inner<T> {
/// devres::Devres,
/// io::{
/// Io,
-/// MmioOwned,
+/// Mmio,
/// MmioRaw,
+/// MmioBackend,
/// PhysAddr,
/// Region, //
/// },
@@ -104,12 +105,13 @@ struct Inner<T> {
/// }
/// }
///
-/// impl<const SIZE: usize> Deref for IoMem<SIZE> {
-/// type Target = MmioOwned<SIZE>;
+/// impl<'a, const SIZE: usize> Io<'a> for &'a IoMem<SIZE> {
+/// type Backend = MmioBackend;
+/// type Target = Region<SIZE>;
///
-/// fn deref(&self) -> &Self::Target {
+/// fn as_view(self) -> Mmio<'a, Region<SIZE>> {
/// // SAFETY: The memory range stored in `self` has been properly mapped in `Self::new`.
-/// unsafe { MmioOwned::from_raw(&self.0) }
+/// unsafe { Mmio::from_raw(self.0) }
/// }
/// }
/// # fn no_run(dev: &Device<Bound>) -> Result<(), Error> {
diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
index e422a5ff2a5e..132454a38d64 100644
--- a/rust/kernel/io.rs
+++ b/rust/kernel/io.rs
@@ -99,8 +99,8 @@ fn size(p: *const Self) -> usize {
/// the represented MMIO region does exist or is properly mapped.
///
/// Instead, the bus specific MMIO implementation must convert this raw representation into an
-/// `MmioOwned` instance providing the actual memory accessors. Only by the conversion into an
-/// `MmioOwned` structure any guarantees are given.
+/// `Mmio` instance providing the actual memory accessors. Only by the conversion into an `Mmio`
+/// structure any guarantees are given.
pub struct MmioRaw<T: ?Sized> {
/// Pointer is in I/O address space.
///
@@ -157,80 +157,6 @@ pub fn size(&self) -> usize {
}
}
-/// IO-mapped memory region.
-///
-/// The creator (usually a subsystem / bus such as PCI) is responsible for creating the
-/// mapping, performing an additional region request etc.
-///
-/// # Invariant
-///
-/// `addr` is the start and `maxsize` the length of valid I/O mapped memory region of size
-/// `maxsize`.
-///
-/// # Examples
-///
-/// ```no_run
-/// use kernel::{
-/// bindings,
-/// ffi::c_void,
-/// io::{
-/// Io,
-/// MmioOwned,
-/// MmioRaw,
-/// PhysAddr,
-/// Region,
-/// },
-/// };
-/// use core::ops::Deref;
-///
-/// // See also `pci::Bar` for a real example.
-/// struct IoMem<const SIZE: usize>(MmioRaw<Region<SIZE>>);
-///
-/// impl<const SIZE: usize> IoMem<SIZE> {
-/// /// # Safety
-/// ///
-/// /// [`paddr`, `paddr` + `SIZE`) must be a valid MMIO region that is mappable into the CPUs
-/// /// virtual address space.
-/// unsafe fn new(paddr: usize) -> Result<Self>{
-/// // SAFETY: By the safety requirements of this function [`paddr`, `paddr` + `SIZE`) is
-/// // valid for `ioremap`.
-/// let addr = unsafe { bindings::ioremap(paddr as PhysAddr, SIZE) };
-/// if addr.is_null() {
-/// return Err(ENOMEM);
-/// }
-///
-/// Ok(IoMem(MmioRaw::new_region(addr as usize, SIZE)?))
-/// }
-/// }
-///
-/// impl<const SIZE: usize> Drop for IoMem<SIZE> {
-/// fn drop(&mut self) {
-/// // SAFETY: `self.0.addr()` is guaranteed to be properly mapped by `Self::new`.
-/// unsafe { bindings::iounmap(self.0.addr() as *mut c_void); };
-/// }
-/// }
-///
-/// impl<const SIZE: usize> Deref for IoMem<SIZE> {
-/// type Target = MmioOwned<SIZE>;
-///
-/// fn deref(&self) -> &Self::Target {
-/// // SAFETY: The memory range stored in `self` has been properly mapped in `Self::new`.
-/// unsafe { MmioOwned::from_raw(&self.0) }
-/// }
-/// }
-///
-///# fn no_run() -> Result<(), Error> {
-/// // SAFETY: Invalid usage for example purposes.
-/// let iomem = unsafe { IoMem::<{ core::mem::size_of::<u32>() }>::new(0xBAAAAAAD)? };
-/// iomem.write32(0x42, 0x0);
-/// assert!(iomem.try_write32(0x42, 0x0).is_ok());
-/// assert!(iomem.try_write32(0x42, 0x4).is_err());
-/// # Ok(())
-/// # }
-/// ```
-#[repr(transparent)]
-pub struct MmioOwned<const SIZE: usize = 0>(MmioRaw<Region<SIZE>>);
-
/// Checks whether an access of type `U` at the given `base` and the given `offset`
/// is valid within this region.
///
@@ -945,31 +871,6 @@ fn io_write(view: <$backend as IoBackend>::View<'_, $ty>, value: $ty) {
#[cfg(CONFIG_64BIT)]
impl_mmio_io_capable!(MmioBackend, u64, readq, writeq);
-impl<'a, const SIZE: usize> Io<'a> for &'a MmioOwned<SIZE> {
- type Backend = MmioBackend;
- type Target = Region<SIZE>;
-
- #[inline]
- fn as_view(self) -> Mmio<'a, Self::Target> {
- // SAFETY: `Mmio` has same invariant as `MmioOwned`
- unsafe { Mmio::from_raw(self.0) }
- }
-}
-
-impl<const SIZE: usize> MmioOwned<SIZE> {
- /// Converts an `MmioRaw` into an `MmioOwned` instance, providing the accessors to the MMIO
- /// mapping.
- ///
- /// # Safety
- ///
- /// Callers must ensure that `addr` is the start of a valid I/O mapped memory region of size
- /// `maxsize`.
- pub unsafe fn from_raw(raw: &MmioRaw<Region<SIZE>>) -> &Self {
- // SAFETY: `MmioOwned` is a transparent wrapper around `MmioRaw`.
- unsafe { &*core::ptr::from_ref(raw).cast() }
- }
-}
-
/// [`Mmio`] but using relaxed accessors.
///
/// This type provides an implementation of [`Io`] that uses relaxed I/O MMIO operands instead of
diff --git a/rust/kernel/io/mem.rs b/rust/kernel/io/mem.rs
index 8f6c257c5b8e..d9b3189d09b4 100644
--- a/rust/kernel/io/mem.rs
+++ b/rust/kernel/io/mem.rs
@@ -2,8 +2,6 @@
//! Generic memory-mapped IO.
-use core::ops::Deref;
-
use crate::{
device::{
Bound,
@@ -16,7 +14,9 @@
Region,
Resource, //
},
- MmioOwned,
+ Io,
+ Mmio,
+ MmioBackend,
MmioRaw, //
},
prelude::*,
@@ -210,11 +210,13 @@ pub fn into_devres(self) -> Result<Devres<ExclusiveIoMem<'static, SIZE>>> {
}
}
-impl<const SIZE: usize> Deref for ExclusiveIoMem<'_, SIZE> {
- type Target = MmioOwned<SIZE>;
+impl<'a, const SIZE: usize> Io<'a> for &'a ExclusiveIoMem<'_, SIZE> {
+ type Backend = MmioBackend;
+ type Target = super::Region<SIZE>;
- fn deref(&self) -> &Self::Target {
- &self.iomem
+ #[inline]
+ fn as_view(self) -> Mmio<'a, Self::Target> {
+ self.iomem.as_view()
}
}
@@ -290,11 +292,13 @@ fn drop(&mut self) {
}
}
-impl<const SIZE: usize> Deref for IoMem<'_, SIZE> {
- type Target = MmioOwned<SIZE>;
+impl<'a, const SIZE: usize> Io<'a> for &'a IoMem<'_, SIZE> {
+ type Backend = MmioBackend;
+ type Target = super::Region<SIZE>;
- fn deref(&self) -> &Self::Target {
+ #[inline]
+ fn as_view(self) -> Mmio<'a, Self::Target> {
// SAFETY: Safe as by the invariant of `IoMem`.
- unsafe { MmioOwned::from_raw(&self.io) }
+ unsafe { Mmio::from_raw(self.io) }
}
}
diff --git a/rust/kernel/pci/io.rs b/rust/kernel/pci/io.rs
index e67c1e3694fb..4be33ecb4192 100644
--- a/rust/kernel/pci/io.rs
+++ b/rust/kernel/pci/io.rs
@@ -11,16 +11,14 @@
Io,
IoBackend,
IoCapable,
- MmioOwned,
+ Mmio,
+ MmioBackend,
MmioRaw,
Region, //
},
prelude::*,
ptr::KnownSize, //
};
-use core::{
- ops::Deref, //
-};
/// Represents the size of a PCI configuration space.
///
@@ -269,12 +267,14 @@ fn drop(&mut self) {
}
}
-impl<const SIZE: usize> Deref for Bar<'_, SIZE> {
- type Target = MmioOwned<SIZE>;
+impl<'a, const SIZE: usize> Io<'a> for &'a Bar<'_, SIZE> {
+ type Backend = MmioBackend;
+ type Target = crate::io::Region<SIZE>;
- fn deref(&self) -> &Self::Target {
+ #[inline]
+ fn as_view(self) -> Mmio<'a, Self::Target> {
// SAFETY: By the type invariant of `Self`, the MMIO range in `self.io` is properly mapped.
- unsafe { MmioOwned::from_raw(&self.io) }
+ unsafe { Mmio::from_raw(self.io) }
}
}
--
2.54.0
^ permalink raw reply related [flat|nested] 40+ messages in thread
* [PATCH v4 11/20] rust: io: move `Io` methods to extension trait
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
` (9 preceding siblings ...)
2026-06-11 16:28 ` [PATCH v4 10/20] rust: io: remove `MmioOwned` Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
2026-06-11 18:00 ` sashiko-bot
2026-06-11 16:28 ` [PATCH v4 12/20] rust: prelude: add `zerocopy{,_derive}::IntoBytes` Gary Guo
` (8 subsequent siblings)
19 siblings, 1 reply; 40+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
`Io` trait now has a single required methods with many more provided
methods. Provided methods may want to rely on their implementations to not
be arbitrarily overridden by implementers for correctness or soundness.
Thus, extract these methods to a new trait and provide a blanket
implementation. This pattern is used extensively in userspace Rust
libraries e.g. `tokio` where `AsyncRead` has minimum methods and
`AsyncReadExt` is what users mostly interact with.
To avoid changing all user imports, the base trait is renamed to `IoBase`
and the newly added trait takes the existing `Io` name.
A `size` method is added as an example of methods that users should not
override.
Suggested-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Gary Guo <gary@garyguo.net>
---
rust/kernel/devres.rs | 3 ++-
rust/kernel/io.rs | 34 ++++++++++++++++++++++++----------
rust/kernel/io/mem.rs | 6 +++---
rust/kernel/pci/io.rs | 6 +++---
4 files changed, 32 insertions(+), 17 deletions(-)
diff --git a/rust/kernel/devres.rs b/rust/kernel/devres.rs
index 3545ffc5345d..6e0b845b229b 100644
--- a/rust/kernel/devres.rs
+++ b/rust/kernel/devres.rs
@@ -68,6 +68,7 @@ struct Inner<T> {
/// devres::Devres,
/// io::{
/// Io,
+/// IoBase,
/// Mmio,
/// MmioRaw,
/// MmioBackend,
@@ -105,7 +106,7 @@ struct Inner<T> {
/// }
/// }
///
-/// impl<'a, const SIZE: usize> Io<'a> for &'a IoMem<SIZE> {
+/// impl<'a, const SIZE: usize> IoBase<'a> for &'a IoMem<SIZE> {
/// type Backend = MmioBackend;
/// type Target = Region<SIZE>;
///
diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
index 132454a38d64..470ee2ed9849 100644
--- a/rust/kernel/io.rs
+++ b/rust/kernel/io.rs
@@ -184,7 +184,7 @@ const fn offset_valid<U>(base: usize, offset: usize, size: usize) -> bool {
/// operation.
pub trait IoBackend {
/// View type for this I/O backend.
- type View<'a, T: ?Sized + KnownSize>: Io<'a, Backend = Self, Target = T>;
+ type View<'a, T: ?Sized + KnownSize>: IoBase<'a, Backend = Self, Target = T>;
/// Convert a `view` to a raw pointer for projection.
fn as_ptr<'a, T: ?Sized + KnownSize>(view: Self::View<'a, T>) -> *mut T;
@@ -267,13 +267,10 @@ fn offset(self) -> usize {
/// Types implementing this trait (e.g. MMIO BARs or PCI config regions)
/// can perform I/O operations on regions of memory.
///
-/// The [`Io`] trait provides:
-/// - Method to convert into [`IoBackend::View`].
-/// - Helper methods for offset validation and address calculation
-/// - Fallible (runtime checked) accessors for different data widths
-///
-/// Which I/O methods are available depends on the associated [`IoBackend`] implementation.
-pub trait Io<'a>: Copy {
+/// This trait defines which backend shall be used for I/O operations and provides a method to
+/// convert into [`IoBackend::View`]. Users should use the [`Io`] trait which provides the actual
+/// methods to perform I/O operations.
+pub trait IoBase<'a>: Copy {
/// Type that defines all I/O operations.
type Backend: IoBackend;
@@ -282,6 +279,21 @@ pub trait Io<'a>: Copy {
/// Return a view that covers the full region.
fn as_view(self) -> <Self::Backend as IoBackend>::View<'a, Self::Target>;
+}
+
+/// Extension trait to provide I/O operation methods to types that implement [`IoBase`].
+///
+/// This trait provides:
+/// - Helper methods for offset validation and address calculation
+/// - Fallible (runtime checked) accessors for different data widths
+///
+/// Which I/O methods are available depends on the associated [`IoBackend`] implementation.
+pub trait Io<'a>: IoBase<'a> {
+ /// Returns the size of this I/O region.
+ #[inline]
+ fn size(self) -> usize {
+ KnownSize::size(Self::Backend::as_ptr(self.as_view()))
+ }
/// Returns a view for a given `offset`, performing compile-time bound checks.
// Always inline to optimize out error path of `build_assert`.
@@ -769,6 +781,8 @@ fn update<T, L, F>(self, location: L, f: F)
}
}
+impl<'a, T: IoBase<'a>> Io<'a> for T {}
+
/// A view of memory-mapped I/O region.
///
/// # Invariant
@@ -809,7 +823,7 @@ unsafe impl<T: ?Sized + Sync> Send for Mmio<'_, T> {}
// SAFETY: `Mmio<'_, T>` is conceptually `&T` but in I/O memory.
unsafe impl<T: ?Sized + Sync> Sync for Mmio<'_, T> {}
-impl<'a, T: ?Sized + KnownSize> Io<'a> for Mmio<'a, T> {
+impl<'a, T: ?Sized + KnownSize> IoBase<'a> for Mmio<'a, T> {
type Backend = MmioBackend;
type Target = T;
@@ -925,7 +939,7 @@ unsafe fn project_view<'a, T: ?Sized + KnownSize, U: ?Sized + KnownSize>(
}
}
-impl<'a, T: ?Sized + KnownSize> Io<'a> for RelaxedMmio<'a, T> {
+impl<'a, T: ?Sized + KnownSize> IoBase<'a> for RelaxedMmio<'a, T> {
type Backend = RelaxedMmioBackend;
type Target = T;
diff --git a/rust/kernel/io/mem.rs b/rust/kernel/io/mem.rs
index d9b3189d09b4..e95b769ebe47 100644
--- a/rust/kernel/io/mem.rs
+++ b/rust/kernel/io/mem.rs
@@ -14,7 +14,7 @@
Region,
Resource, //
},
- Io,
+ IoBase,
Mmio,
MmioBackend,
MmioRaw, //
@@ -210,7 +210,7 @@ pub fn into_devres(self) -> Result<Devres<ExclusiveIoMem<'static, SIZE>>> {
}
}
-impl<'a, const SIZE: usize> Io<'a> for &'a ExclusiveIoMem<'_, SIZE> {
+impl<'a, const SIZE: usize> IoBase<'a> for &'a ExclusiveIoMem<'_, SIZE> {
type Backend = MmioBackend;
type Target = super::Region<SIZE>;
@@ -292,7 +292,7 @@ fn drop(&mut self) {
}
}
-impl<'a, const SIZE: usize> Io<'a> for &'a IoMem<'_, SIZE> {
+impl<'a, const SIZE: usize> IoBase<'a> for &'a IoMem<'_, SIZE> {
type Backend = MmioBackend;
type Target = super::Region<SIZE>;
diff --git a/rust/kernel/pci/io.rs b/rust/kernel/pci/io.rs
index 4be33ecb4192..4d1d0afdc491 100644
--- a/rust/kernel/pci/io.rs
+++ b/rust/kernel/pci/io.rs
@@ -8,8 +8,8 @@
device,
devres::Devres,
io::{
- Io,
IoBackend,
+ IoBase,
IoCapable,
Mmio,
MmioBackend,
@@ -144,7 +144,7 @@ fn io_write(view: ConfigSpace<'_, $ty>, value: $ty) {
impl_config_space_io_capable!(u16, pci_read_config_word, pci_write_config_word);
impl_config_space_io_capable!(u32, pci_read_config_dword, pci_write_config_dword);
-impl<'a, T: ?Sized + KnownSize> Io<'a> for ConfigSpace<'a, T> {
+impl<'a, T: ?Sized + KnownSize> IoBase<'a> for ConfigSpace<'a, T> {
type Backend = ConfigSpaceBackend;
type Target = T;
@@ -267,7 +267,7 @@ fn drop(&mut self) {
}
}
-impl<'a, const SIZE: usize> Io<'a> for &'a Bar<'_, SIZE> {
+impl<'a, const SIZE: usize> IoBase<'a> for &'a Bar<'_, SIZE> {
type Backend = MmioBackend;
type Target = crate::io::Region<SIZE>;
--
2.54.0
^ permalink raw reply related [flat|nested] 40+ messages in thread
* [PATCH v4 12/20] rust: prelude: add `zerocopy{,_derive}::IntoBytes`
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
` (10 preceding siblings ...)
2026-06-11 16:28 ` [PATCH v4 11/20] rust: io: move `Io` methods to extension trait Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
2026-06-11 18:01 ` sashiko-bot
2026-06-11 16:28 ` [PATCH v4 13/20] rust: io: add projection macro and methods Gary Guo
` (7 subsequent siblings)
19 siblings, 1 reply; 40+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
In order to easily use `IntoBytes`, add it to the prelude.
This adds both the trait (`zerocopy::IntoBytes`) as well as the derive
macro (`zerocopy_derive::IntoBytes`).
Signed-off-by: Gary Guo <gary@garyguo.net>
---
This is wanted because I want to convert the upcoming I/O projection series
to use `zerocopy` traits rather than keep using transmute module.
It is most helpful for derives in doc tests; I do not want to explicitly use
`#[derive(zerocopy_derive::IntoBytes)]` in the doc tests.
---
rust/kernel/prelude.rs | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/rust/kernel/prelude.rs b/rust/kernel/prelude.rs
index 8a6da92e8da6..ca396f1f78a6 100644
--- a/rust/kernel/prelude.rs
+++ b/rust/kernel/prelude.rs
@@ -61,10 +61,16 @@
};
#[doc(no_inline)]
-pub use zerocopy::FromBytes;
+pub use zerocopy::{
+ FromBytes,
+ IntoBytes, //
+};
#[doc(no_inline)]
-pub use zerocopy_derive::FromBytes;
+pub use zerocopy_derive::{
+ FromBytes,
+ IntoBytes, //
+};
#[doc(no_inline)]
pub use super::{
--
2.54.0
^ permalink raw reply related [flat|nested] 40+ messages in thread
* [PATCH v4 13/20] rust: io: add projection macro and methods
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
` (11 preceding siblings ...)
2026-06-11 16:28 ` [PATCH v4 12/20] rust: prelude: add `zerocopy{,_derive}::IntoBytes` Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
2026-06-11 18:14 ` sashiko-bot
2026-06-11 16:28 ` [PATCH v4 14/20] rust: io: add I/O backend for system memory with volatile access Gary Guo
` (6 subsequent siblings)
19 siblings, 1 reply; 40+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
Add an `io_project!()` macro allows projection from `Io` to a subview of
it, using the pointer projection mechanism to perform compile-time checks.
For cases where type-casting is required, the `try_cast()` function may be
used where the size and alignment checks are performed at runtime.
Signed-off-by: Gary Guo <gary@garyguo.net>
---
rust/kernel/io.rs | 130 ++++++++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 126 insertions(+), 4 deletions(-)
diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
index 470ee2ed9849..c7a9952af995 100644
--- a/rust/kernel/io.rs
+++ b/rust/kernel/io.rs
@@ -14,7 +14,7 @@
ptr::{
Alignment,
KnownSize, //
- }, //
+ },
};
pub mod mem;
@@ -44,12 +44,12 @@
/// This type can be used when an I/O region without known type information has a compile-time known
/// minimum size (and a runtime known actual size).
///
-/// This must be 4-byte aligned.
-///
/// # Invariants
///
-/// Size of the region is at least as large as the `SIZE` generic parameter.
+/// - Size of the region is at least as large as the `SIZE` generic parameter.
+/// - Size of the region is multiple of 4.
#[repr(C, align(4))]
+#[derive(FromBytes)]
pub struct Region<const SIZE: usize = 0> {
inner: [u8],
}
@@ -91,6 +91,15 @@ fn size(p: *const Self) -> usize {
}
}
+// SAFETY: Values read from I/O are always treated as initialized.
+//
+// This cannot be derived as `derive(IntoBytes)` does not know that this type is padding free (given
+// `repr(align(4))`).
+unsafe impl<const SIZE: usize> IntoBytes for Region<SIZE> {
+ #[inline]
+ fn only_derive_is_allowed_to_implement_this_trait() {}
+}
+
/// Raw representation of an MMIO region.
///
/// `MmioRaw<T>` is equivalent to `T __iomem *` in C.
@@ -295,6 +304,49 @@ fn size(self) -> usize {
KnownSize::size(Self::Backend::as_ptr(self.as_view()))
}
+ /// Try to convert into a different typed I/O view.
+ ///
+ /// The target type must be of same or smaller size to current type, and the current view must
+ /// be properly aligned for the target type.
+ ///
+ /// # Examples
+ ///
+ /// ```no_run
+ /// use kernel::io::{
+ /// io_project,
+ /// Mmio,
+ /// Io,
+ /// Region,
+ /// };
+ /// #[derive(FromBytes, IntoBytes)]
+ /// struct MyStruct { field: u32, }
+ ///
+ /// # fn test(mmio: &Mmio<'_, Region>) -> Result {
+ /// // let mmio: Mmio<'_, Region>;
+ /// let whole: Mmio<'_, MyStruct> = mmio.try_cast()?;
+ /// # Ok::<(), Error>(()) }
+ /// ```
+ #[inline]
+ fn try_cast<U>(self) -> Result<<Self::Backend as IoBackend>::View<'a, U>>
+ where
+ Self::Target: FromBytes + IntoBytes,
+ U: FromBytes + IntoBytes,
+ {
+ let view = self.as_view();
+ let ptr = Self::Backend::as_ptr(view);
+
+ if size_of::<U>() > KnownSize::size(ptr) {
+ return Err(EINVAL);
+ }
+
+ if ptr.addr() % align_of::<U>() != 0 {
+ return Err(EINVAL);
+ }
+
+ // SAFETY: We have checked bounds and alignment, so this is a valid projection.
+ Ok(unsafe { Self::Backend::project_view(view, ptr.cast()) })
+ }
+
/// Returns a view for a given `offset`, performing compile-time bound checks.
// Always inline to optimize out error path of `build_assert`.
#[inline(always)]
@@ -988,3 +1040,73 @@ pub fn relaxed(self) -> RelaxedMmio<'a, T> {
// MMIO regions on 64-bit systems also support 64-bit accesses.
#[cfg(CONFIG_64BIT)]
impl_mmio_io_capable!(RelaxedMmioBackend, u64, readq_relaxed, writeq_relaxed);
+
+// This helper turns associated functions to methods so it can be invoked in macro.
+// Used by `io_project!()` only.
+#[doc(hidden)]
+#[derive(Clone, Copy)]
+pub struct ProjectHelper<T>(pub T);
+
+impl<'a, T> ProjectHelper<T>
+where
+ T: Io<'a, Backend: IoBackend<View<'a, T::Target> = T>>,
+{
+ // These helper methods must not have symbols present in binary to avoid confusion.
+ #[inline(always)]
+ pub fn as_ptr(self) -> *mut T::Target {
+ T::Backend::as_ptr(self.0)
+ }
+
+ /// # Safety
+ ///
+ /// Same as `IoBackend::project_view`
+ #[inline(always)]
+ pub unsafe fn project_view<U: ?Sized + KnownSize>(
+ self,
+ ptr: *mut U,
+ ) -> <T::Backend as IoBackend>::View<'a, U> {
+ // SAFETY: Per safety requirement.
+ unsafe { T::Backend::project_view::<T::Target, _>(self.0, ptr) }
+ }
+}
+
+/// Project an I/O type to a subview of it.
+///
+/// The syntax is of form `io_project!(io, proj)` where `io` is an expression to a type that
+/// implements [`Io`] and `proj` is a [projection specification](kernel::ptr::project!).
+///
+/// In addition to projecting from [`Io`], you may also project from a [`View`] of an [`Io`].
+///
+/// # Examples
+///
+/// ```
+/// use kernel::io::{
+/// io_project,
+/// Mmio,
+/// };
+/// struct MyStruct { field: u32, }
+///
+/// # fn test(mmio: Mmio<'_, [MyStruct]>) -> Result {
+/// // let mmio: Mmio<[MyStruct]>;
+/// let field: Mmio<'_, u32> = io_project!(mmio, [try: 1].field);
+/// let whole: Mmio<'_, MyStruct> = io_project!(mmio, [try: 2]);
+/// let nested: Mmio<'_, u32> = io_project!(whole, .field);
+/// # Ok::<(), Error>(()) }
+/// ```
+#[macro_export]
+#[doc(hidden)]
+macro_rules! io_project {
+ ($io:expr, $($proj:tt)*) => {{
+ #[allow(unused)]
+ use $crate::io::IoBase as _;
+ let view = $crate::io::ProjectHelper($io.as_view());
+ let ptr = $crate::ptr::project!(
+ mut view.as_ptr(), $($proj)*
+ );
+ #[allow(unused_unsafe)]
+ // SAFETY: `ptr` is a projection.
+ unsafe { view.project_view(ptr) }
+ }};
+}
+#[doc(inline)]
+pub use crate::io_project;
--
2.54.0
^ permalink raw reply related [flat|nested] 40+ messages in thread
* [PATCH v4 14/20] rust: io: add I/O backend for system memory with volatile access
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
` (12 preceding siblings ...)
2026-06-11 16:28 ` [PATCH v4 13/20] rust: io: add projection macro and methods Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
2026-06-11 18:23 ` sashiko-bot
2026-06-11 16:28 ` [PATCH v4 15/20] rust: io: implement a view type for `Coherent` Gary Guo
` (5 subsequent siblings)
19 siblings, 1 reply; 40+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel, Laura Nao
From: Laura Nao <laura.nao@collabora.com>
Add `SysMem`, an `Io` trait implementation for kernel virtual address
ranges. It uses volatile accessors to provide safe access to shared
memory that may be concurrently accessed by external hardware. Implement
`IoCapable` for `u8`, `u16`, `u32`, and `u64` (for 64-bit system).
This can be used for instead of `Coherent` for cases where a different
layer takes care of mapping the system memory to the device (e.g. dma-buf
or GPUVM).
Signed-off-by: Laura Nao <laura.nao@collabora.com>
[ Rebased and adapted on top of I/O rework. - Gary ]
Co-developed-by: Gary Guo <gary@garyguo.net>
Signed-off-by: Gary Guo <gary@garyguo.net>
---
rust/kernel/io.rs | 122 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 122 insertions(+)
diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
index c7a9952af995..a418c8cbb031 100644
--- a/rust/kernel/io.rs
+++ b/rust/kernel/io.rs
@@ -1041,6 +1041,128 @@ pub fn relaxed(self) -> RelaxedMmio<'a, T> {
#[cfg(CONFIG_64BIT)]
impl_mmio_io_capable!(RelaxedMmioBackend, u64, readq_relaxed, writeq_relaxed);
+/// I/O Backend for system memory.
+pub struct SysMemBackend;
+
+impl IoBackend for SysMemBackend {
+ type View<'a, T: ?Sized + KnownSize> = SysMem<'a, T>;
+
+ #[inline]
+ fn as_ptr<'a, T: ?Sized + KnownSize>(view: Self::View<'a, T>) -> *mut T {
+ view.ptr
+ }
+
+ #[inline]
+ unsafe fn project_view<'a, T: ?Sized + KnownSize, U: ?Sized + KnownSize>(
+ _view: Self::View<'a, T>,
+ ptr: *mut U,
+ ) -> Self::View<'a, U> {
+ // INVARIANT: Per safety requirement, `ptr` is projection from `view`, so it is also a valid
+ // kernel accessible memory region.
+ SysMem {
+ ptr,
+ phantom: PhantomData,
+ }
+ }
+}
+
+/// Implements [`IoCapable`] on `SysMemBackend` for `$ty` using `read_volatile` and
+/// `write_volatile`.
+macro_rules! impl_sysmem_io_capable {
+ ($ty:ty) => {
+ impl IoCapable<$ty> for SysMemBackend {
+ #[inline]
+ fn io_read(view: SysMem<'_, $ty>) -> $ty {
+ // SAFETY:
+ // - Per type invariant, `ptr` is valid and aligned.
+ // - Using read_volatile() here so that race with hardware is well-defined.
+ // - Using read_volatile() here is not sound if it races with other CPU per Rust
+ // rules, but this is allowed per LKMM.
+ // - The macro is only used on primitives so all bit patterns are valid.
+ unsafe { view.ptr.read_volatile() }
+ }
+
+ #[inline]
+ fn io_write(view: SysMem<'_, $ty>, value: $ty) {
+ // SAFETY:
+ // - Per type invariant, `ptr` is valid and aligned.
+ // - Using write_volatile() here so that race with hardware is well-defined.
+ // - Using write_volatile() here is not sound if it races with other CPU per Rust
+ // rules, but this is allowed per LKMM.
+ unsafe { view.ptr.write_volatile(value) }
+ }
+ }
+ };
+}
+
+impl_sysmem_io_capable!(u8);
+impl_sysmem_io_capable!(u16);
+impl_sysmem_io_capable!(u32);
+#[cfg(CONFIG_64BIT)]
+impl_sysmem_io_capable!(u64);
+
+/// System memory region.
+///
+/// Provides `Io` trait implementation for kernel virtual address ranges,
+/// using volatile read/write to safely access shared memory that may be
+/// concurrently accessed by external hardware.
+///
+/// # Invariants
+///
+/// `self.ptr.addr() .. self.ptr.addr() + KnownSize::size(self.ptr)` is valid and aligned kernel
+/// accessible memory region for the lifetime `'a`.
+pub struct SysMem<'a, T: ?Sized> {
+ ptr: *mut T,
+ phantom: PhantomData<&'a ()>,
+}
+
+impl<T: ?Sized> Copy for SysMem<'_, T> {}
+impl<T: ?Sized> Clone for SysMem<'_, T> {
+ #[inline]
+ fn clone(&self) -> Self {
+ *self
+ }
+}
+
+// SAFETY: `SysMem<'_, T>` is conceptually `&T` but in I/O memory.
+unsafe impl<T: ?Sized + Sync> Send for SysMem<'_, T> {}
+
+// SAFETY: `SysMem<'_, T>` is conceptually `&T` but in I/O memory.
+unsafe impl<T: ?Sized + Sync> Sync for SysMem<'_, T> {}
+
+impl<'a, T: ?Sized> SysMem<'a, T> {
+ /// Create a `SysMem` from a raw pointer.
+ ///
+ /// # Safety
+ ///
+ /// `ptr.addr() .. ptr.addr() + KnownSize::size(ptr)` must be valid and aligned kernel
+ /// accessible memory region for the lifetime `'a`.
+ #[inline]
+ pub unsafe fn new(ptr: *mut T) -> Self {
+ // INVARIANT: Per safety requirement.
+ Self {
+ ptr,
+ phantom: PhantomData,
+ }
+ }
+
+ /// Obtain the raw pointer to the memory.
+ #[inline]
+ pub fn as_ptr(self) -> *mut T {
+ self.ptr
+ }
+}
+
+impl<'a, T: ?Sized + KnownSize> IoBase<'a> for SysMem<'a, T> {
+ type Backend = SysMemBackend;
+ type Target = T;
+
+ #[inline]
+ fn as_view(self) -> <Self::Backend as IoBackend>::View<'a, Self::Target> {
+ self
+ }
+}
+
// This helper turns associated functions to methods so it can be invoked in macro.
// Used by `io_project!()` only.
#[doc(hidden)]
--
2.54.0
^ permalink raw reply related [flat|nested] 40+ messages in thread
* [PATCH v4 15/20] rust: io: implement a view type for `Coherent`
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
` (13 preceding siblings ...)
2026-06-11 16:28 ` [PATCH v4 14/20] rust: io: add I/O backend for system memory with volatile access Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
2026-06-11 18:30 ` sashiko-bot
2026-06-11 16:28 ` [PATCH v4 16/20] rust: io: add `read_val` and `write_val` functions on `Io` Gary Guo
` (4 subsequent siblings)
19 siblings, 1 reply; 40+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
Implement a `CoherentView` type which is a view of `Coherent`. To be able
to give out DMA handles, the view type contains both CPU and DMA pointers,
and the projection method projects both at once.
Delegate most of the `Io` implementation to `SysMemBackend`. Provide a
method to erase the DMA handle and give out a `SysMem` view, if the user
does not need the `dma_handle`.
Signed-off-by: Gary Guo <gary@garyguo.net>
---
rust/kernel/dma.rs | 137 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 135 insertions(+), 2 deletions(-)
diff --git a/rust/kernel/dma.rs b/rust/kernel/dma.rs
index 200def84fb69..ab6504910e4f 100644
--- a/rust/kernel/dma.rs
+++ b/rust/kernel/dma.rs
@@ -14,14 +14,21 @@
},
error::to_result,
fs::file,
+ io::{
+ IoBackend,
+ IoBase,
+ IoCapable,
+ SysMem,
+ SysMemBackend, //
+ },
prelude::*,
ptr::KnownSize,
sync::aref::ARef,
transmute::{
AsBytes,
FromBytes, //
- }, //
- uaccess::UserSliceWriter,
+ },
+ uaccess::UserSliceWriter, //
};
use core::{
ops::{
@@ -1133,6 +1140,132 @@ unsafe impl Send for CoherentHandle {}
// plain `Copy` values.
unsafe impl Sync for CoherentHandle {}
+/// View type for `Coherent`.
+///
+/// This is same as [`SysMem`] but with additional information that allows handing out a DMA handle.
+pub struct CoherentView<'a, T: ?Sized> {
+ cpu_addr: SysMem<'a, T>,
+ dma_handle: DmaAddress,
+}
+
+impl<T: ?Sized> Copy for CoherentView<'_, T> {}
+impl<T: ?Sized> Clone for CoherentView<'_, T> {
+ #[inline]
+ fn clone(&self) -> Self {
+ *self
+ }
+}
+
+impl<'a, T: ?Sized> CoherentView<'a, T> {
+ /// Erase the DMA handle information and obtain a [`SysMem`] view of the same memory region.
+ #[inline]
+ pub fn as_sys_mem(self) -> SysMem<'a, T> {
+ self.cpu_addr
+ }
+
+ /// Returns a DMA handle which may be given to the device as the DMA address base of the region.
+ #[inline]
+ pub fn dma_handle(self) -> DmaAddress {
+ self.dma_handle
+ }
+
+ /// Returns a reference to the data in the region.
+ ///
+ /// # Safety
+ ///
+ /// * Callers must ensure that the device does not read/write to/from memory while the returned
+ /// reference is live.
+ /// * Callers must ensure that this call does not race with a write to the same region while
+ /// the returned reference is live.
+ #[inline]
+ pub unsafe fn as_ref(self) -> &'a T {
+ // SAFETY: pointer is aligned and valid per type invariant. Aliasing rule is satisfied per
+ // safety requirement.
+ unsafe { &*self.cpu_addr.as_ptr() }
+ }
+
+ /// Returns a mutable reference to the data in the region.
+ ///
+ /// # Safety
+ ///
+ /// * Callers must ensure that the device does not read/write to/from memory while the returned
+ /// reference is live.
+ /// * Callers must ensure that this call does not race with a read or write to the same region
+ /// while the returned reference is live.
+ #[inline]
+ pub unsafe fn as_mut(self) -> &'a mut T {
+ // SAFETY: pointer is aligned and valid per type invariant. Aliasing rule is satisfied per
+ // safety requirement.
+ unsafe { &mut *self.cpu_addr.as_ptr() }
+ }
+}
+
+/// `IoBackend` implementation for `Coherent`.
+pub struct CoherentBackend;
+
+impl IoBackend for CoherentBackend {
+ type View<'a, T: ?Sized + KnownSize> = CoherentView<'a, T>;
+
+ #[inline]
+ fn as_ptr<'a, T: ?Sized + KnownSize>(view: Self::View<'a, T>) -> *mut T {
+ SysMemBackend::as_ptr(view.cpu_addr)
+ }
+
+ #[inline]
+ unsafe fn project_view<'a, T: ?Sized + KnownSize, U: ?Sized + KnownSize>(
+ view: Self::View<'a, T>,
+ ptr: *mut U,
+ ) -> Self::View<'a, U> {
+ let offset = ptr.addr() - view.cpu_addr.as_ptr().addr();
+ // CAST: The offset DMA address can never overflow.
+ let dma_handle = view.dma_handle + offset as DmaAddress;
+ CoherentView {
+ dma_handle,
+ // SAFETY: Per safety requirement.
+ cpu_addr: unsafe { SysMemBackend::project_view(view.cpu_addr, ptr) },
+ }
+ }
+}
+
+impl<T> IoCapable<T> for CoherentBackend
+where
+ SysMemBackend: IoCapable<T>,
+{
+ #[inline]
+ fn io_read<'a>(view: Self::View<'a, T>) -> T {
+ SysMemBackend::io_read(view.cpu_addr)
+ }
+
+ #[inline]
+ fn io_write<'a>(view: Self::View<'a, T>, value: T) {
+ SysMemBackend::io_write(view.cpu_addr, value)
+ }
+}
+
+impl<'a, T: ?Sized + KnownSize> IoBase<'a> for CoherentView<'a, T> {
+ type Backend = CoherentBackend;
+ type Target = T;
+
+ #[inline]
+ fn as_view(self) -> CoherentView<'a, Self::Target> {
+ self
+ }
+}
+
+impl<'a, T: ?Sized + KnownSize> IoBase<'a> for &'a Coherent<T> {
+ type Backend = CoherentBackend;
+ type Target = T;
+
+ #[inline]
+ fn as_view(self) -> CoherentView<'a, Self::Target> {
+ CoherentView {
+ // SAFETY: `cpu_addr` is valid and aligned kernel accessible memory.
+ cpu_addr: unsafe { SysMem::new(self.cpu_addr.as_ptr()) },
+ dma_handle: self.dma_handle,
+ }
+ }
+}
+
/// Reads a field of an item from an allocated region of structs.
///
/// The syntax is of the form `kernel::dma_read!(dma, proj)` where `dma` is an expression evaluating
--
2.54.0
^ permalink raw reply related [flat|nested] 40+ messages in thread
* [PATCH v4 16/20] rust: io: add `read_val` and `write_val` functions on `Io`
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
` (14 preceding siblings ...)
2026-06-11 16:28 ` [PATCH v4 15/20] rust: io: implement a view type for `Coherent` Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
2026-06-11 18:37 ` sashiko-bot
2026-06-11 16:28 ` [PATCH v4 17/20] gpu: nova-core: use I/O projection for cleaner encapsulation Gary Guo
` (3 subsequent siblings)
19 siblings, 1 reply; 40+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
Provide `read_val` and `write_val` that allow I/O views to be accessed when
they're narrowed down to just views of primitives.
This is used to provide `io_read!` and `io_write!` macros, which are
generalized version of current `dma_read!` and `dma_write!` macro that work
for all types that implement `Io`.
Note though `io_read!` and `io_write!` only works if backend implements
`IoCapable` for the type; which is typically only implemented for
atomically accessible primitives. `dma_read!` and `dma_write!` currently
supports them via `read_volatile` and `write_volatile`; this can be
undesirable for aggregates as LLVM may turn them to multiple instructions
to access parts and re-assemble, even if they could be combined to a single
instruction. Thus, `io_read!()` and `io_write!()` does not fully replace
`dma_read!()` and `dma_write!()` in this scenario. The ability to
read/write aggregates (when atomicity is of no concern) is better served
with copying primitives (e.g. memcpy_{from,to}io).
Signed-off-by: Gary Guo <gary@garyguo.net>
---
rust/kernel/io.rs | 104 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 104 insertions(+)
diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
index a418c8cbb031..f64ca2202ff2 100644
--- a/rust/kernel/io.rs
+++ b/rust/kernel/io.rs
@@ -347,6 +347,50 @@ fn try_cast<U>(self) -> Result<<Self::Backend as IoBackend>::View<'a, U>>
Ok(unsafe { Self::Backend::project_view(view, ptr.cast()) })
}
+ /// Read a value from I/O.
+ ///
+ /// This only works for primitives supported by the I/O backend.
+ ///
+ /// # Examples
+ ///
+ /// ```no_run
+ /// # use kernel::io::*;
+ /// # fn test_read_val(mmio: Mmio<'_, u32>) {
+ /// // let mmio: Mmio<'_, u32>;
+ /// let val: u32 = mmio.read_val();
+ /// # }
+ /// ```
+ #[inline]
+ fn read_val(self) -> Self::Target
+ where
+ Self::Backend: IoCapable<Self::Target>,
+ Self::Target: Sized,
+ {
+ Self::Backend::io_read(self.as_view())
+ }
+
+ /// Write a value to I/O.
+ ///
+ /// This only works for primitives supported by the I/O backend.
+ ///
+ /// # Examples
+ ///
+ /// ```no_run
+ /// # use kernel::io::*;
+ /// # fn test_write_val(mmio: Mmio<'_, u32>) {
+ /// // let mmio: Mmio<'_, u32>;
+ /// mmio.write_val(1u32);
+ /// # }
+ /// ```
+ #[inline]
+ fn write_val(self, value: Self::Target)
+ where
+ Self::Backend: IoCapable<Self::Target>,
+ Self::Target: Sized,
+ {
+ Self::Backend::io_write(self.as_view(), value)
+ }
+
/// Returns a view for a given `offset`, performing compile-time bound checks.
// Always inline to optimize out error path of `build_assert`.
#[inline(always)]
@@ -1232,3 +1276,63 @@ macro_rules! io_project {
}
#[doc(inline)]
pub use crate::io_project;
+
+/// Read from I/O memory.
+///
+/// The syntax is of form `io_read!(io, proj)` where `io` is an expression to a type that
+/// implements [`Io`] and `proj` is a [projection specification](kernel::ptr::project!).
+///
+/// # Examples
+///
+/// ```
+/// struct MyStruct { field: u32, }
+///
+/// # fn test(mmio: kernel::io::Mmio<'_, [MyStruct]>) -> Result {
+/// // let mmio: Mmio<'_, [MyStruct]>;
+/// let field: u32 = kernel::io::io_read!(mmio, [try: 2].field);
+/// # Ok::<(), Error>(()) }
+/// ```
+#[macro_export]
+#[doc(hidden)]
+macro_rules! io_read {
+ ($io:expr, $($proj:tt)*) => {
+ $crate::io::Io::read_val($crate::io_project!($io, $($proj)*))
+ };
+}
+#[doc(inline)]
+pub use crate::io_read;
+
+/// Writes to I/O memory.
+///
+/// The syntax is of form `io_write!(io, proj, val)` where `io` is an expression to a type that
+/// implements [`Io`] and `proj` is a [projection specification](kernel::ptr::project!),
+/// and `val` is the value to be written to the projected location.
+///
+/// # Examples
+///
+/// ```
+/// struct MyStruct { field: u32, }
+///
+/// # fn test(mmio: kernel::io::Mmio<'_, [MyStruct]>) -> Result {
+/// // let mmio: Mmio<'_, [MyStruct]>;
+/// kernel::io::io_write!(mmio, [try: 2].field, 10);
+/// # Ok::<(), Error>(()) }
+/// ```
+#[macro_export]
+#[doc(hidden)]
+macro_rules! io_write {
+ (@parse [$io:expr] [$($proj:tt)*] [, $val:expr]) => {
+ $crate::io::Io::write_val($crate::io_project!($io, $($proj)*), $val)
+ };
+ (@parse [$io:expr] [$($proj:tt)*] [.$field:tt $($rest:tt)*]) => {
+ $crate::io_write!(@parse [$io] [$($proj)* .$field] [$($rest)*])
+ };
+ (@parse [$io:expr] [$($proj:tt)*] [[$flavor:ident: $index:expr] $($rest:tt)*]) => {
+ $crate::io_write!(@parse [$io] [$($proj)* [$flavor: $index]] [$($rest)*])
+ };
+ ($io:expr, $($rest:tt)*) => {
+ $crate::io_write!(@parse [$io] [] [$($rest)*])
+ };
+}
+#[doc(inline)]
+pub use crate::io_write;
--
2.54.0
^ permalink raw reply related [flat|nested] 40+ messages in thread
* [PATCH v4 17/20] gpu: nova-core: use I/O projection for cleaner encapsulation
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
` (15 preceding siblings ...)
2026-06-11 16:28 ` [PATCH v4 16/20] rust: io: add `read_val` and `write_val` functions on `Io` Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
2026-06-11 18:47 ` sashiko-bot
2026-06-11 16:28 ` [PATCH v4 18/20] rust: dma: drop `dma_read!` and `dma_write!` API Gary Guo
` (2 subsequent siblings)
19 siblings, 1 reply; 40+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
Use `io_project!` for PTE array and message queues to restore the proper
encapsulation.
The remaining `dma_read!` and `dma_write!` is now only acting on
primitives; thus replace by `io_read!` and `io_write!`.
Signed-off-by: Gary Guo <gary@garyguo.net>
---
drivers/gpu/nova-core/gsp.rs | 53 ++++++++++++-------------
drivers/gpu/nova-core/gsp/cmdq.rs | 66 +++++++++++++++++--------------
drivers/gpu/nova-core/gsp/fw.rs | 82 +++++++++++++--------------------------
3 files changed, 90 insertions(+), 111 deletions(-)
diff --git a/drivers/gpu/nova-core/gsp.rs b/drivers/gpu/nova-core/gsp.rs
index 69175ca3315c..cfa7553cd820 100644
--- a/drivers/gpu/nova-core/gsp.rs
+++ b/drivers/gpu/nova-core/gsp.rs
@@ -9,14 +9,16 @@
dma::{
Coherent,
CoherentBox,
+ CoherentView,
DmaAddress, //
},
+ io::{
+ io_project,
+ io_write,
+ Io, //
+ },
pci,
- prelude::*,
- transmute::{
- AsBytes,
- FromBytes, //
- }, //
+ prelude::*, //
};
pub(crate) mod cmdq;
@@ -48,21 +50,21 @@
/// Array of page table entries, as understood by the GSP bootloader.
#[repr(C)]
+#[derive(FromBytes, IntoBytes)]
struct PteArray<const NUM_ENTRIES: usize>([u64; NUM_ENTRIES]);
-/// SAFETY: arrays of `u64` implement `FromBytes` and we are but a wrapper around one.
-unsafe impl<const NUM_ENTRIES: usize> FromBytes for PteArray<NUM_ENTRIES> {}
-
-/// SAFETY: arrays of `u64` implement `AsBytes` and we are but a wrapper around one.
-unsafe impl<const NUM_ENTRIES: usize> AsBytes for PteArray<NUM_ENTRIES> {}
-
impl<const NUM_PAGES: usize> PteArray<NUM_PAGES> {
- /// Returns the page table entry for `index`, for a mapping starting at `start`.
- // TODO: Replace with `IoView` projection once available.
- fn entry(start: DmaAddress, index: usize) -> Result<u64> {
- start
- .checked_add(num::usize_as_u64(index) << GSP_PAGE_SHIFT)
- .ok_or(EOVERFLOW)
+ /// Initialize a new page table array mapping `NUM_PAGES` GSP pages starting at address `start`.
+ fn init(view: CoherentView<'_, Self>, start: DmaAddress) -> Result<()> {
+ for i in 0..NUM_PAGES {
+ io_write!(view, .0[build: i],
+ start
+ .checked_add(num::usize_as_u64(i) << GSP_PAGE_SHIFT)
+ .ok_or(EOVERFLOW)?
+ );
+ }
+
+ Ok(())
}
}
@@ -89,17 +91,12 @@ fn new(dev: &device::Device<device::Bound>) -> Result<Self> {
let start_addr = obj.0.dma_handle();
- // SAFETY: `obj` has just been created and we are its sole user.
- let pte_region = unsafe {
- &mut obj.0.as_mut()[size_of::<u64>()..][..RM_LOG_BUFFER_NUM_PAGES * size_of::<u64>()]
- };
-
- // Write values one by one to avoid an on-stack instance of `PteArray`.
- for (i, chunk) in pte_region.chunks_exact_mut(size_of::<u64>()).enumerate() {
- let pte_value = PteArray::<0>::entry(start_addr, i)?;
-
- chunk.copy_from_slice(&pte_value.to_ne_bytes());
- }
+ let pte_view = io_project!(
+ obj.0,
+ [build: size_of::<u64>()..][build: ..RM_LOG_BUFFER_NUM_PAGES * size_of::<u64>()]
+ )
+ .try_cast::<PteArray<RM_LOG_BUFFER_NUM_PAGES>>()?;
+ PteArray::init(pte_view, start_addr)?;
Ok(obj)
}
diff --git a/drivers/gpu/nova-core/gsp/cmdq.rs b/drivers/gpu/nova-core/gsp/cmdq.rs
index 070de0731e95..c34b48961496 100644
--- a/drivers/gpu/nova-core/gsp/cmdq.rs
+++ b/drivers/gpu/nova-core/gsp/cmdq.rs
@@ -2,16 +2,23 @@
mod continuation;
-use core::mem;
+use core::{
+ mem,
+ sync::atomic::{
+ fence,
+ Ordering, //
+ },
+};
use kernel::{
device,
dma::{
Coherent,
+ CoherentBox,
DmaAddress, //
},
- dma_write,
io::{
+ io_project,
poll::read_poll_timeout,
Io, //
},
@@ -171,20 +178,18 @@ struct MsgqData {
#[repr(C)]
// There is no struct defined for this in the open-gpu-kernel-source headers.
// Instead it is defined by code in `GspMsgQueuesInit()`.
-// TODO: Revert to private once `IoView` projections replace the `gsp_mem` module.
-pub(super) struct Msgq {
+struct Msgq {
/// Header for sending messages, including the write pointer.
- pub(super) tx: MsgqTxHeader,
+ tx: MsgqTxHeader,
/// Header for receiving messages, including the read pointer.
- pub(super) rx: MsgqRxHeader,
+ rx: MsgqRxHeader,
/// The message queue proper.
msgq: MsgqData,
}
/// Structure shared between the driver and the GSP and containing the command and message queues.
#[repr(C)]
-// TODO: Revert to private once `IoView` projections replace the `gsp_mem` module.
-pub(super) struct GspMem {
+struct GspMem {
/// Self-mapping page table entries.
ptes: PteArray<{ Self::PTE_ARRAY_SIZE }>,
/// CPU queue: the driver writes commands here, and the GSP reads them. It also contains the
@@ -192,13 +197,13 @@ pub(super) struct GspMem {
/// index into the GSP queue.
///
/// This member is read-only for the GSP.
- pub(super) cpuq: Msgq,
+ cpuq: Msgq,
/// GSP queue: the GSP writes messages here, and the driver reads them. It also contains the
/// write and read pointers that the GSP updates. This means that the read pointer here is an
/// index into the CPU queue.
///
/// This member is read-only for the driver.
- pub(super) gspq: Msgq,
+ gspq: Msgq,
}
impl GspMem {
@@ -232,20 +237,12 @@ fn new(dev: &device::Device<device::Bound>) -> Result<Self> {
const MSGQ_SIZE: u32 = num::usize_into_u32::<{ size_of::<Msgq>() }>();
const RX_HDR_OFF: u32 = num::usize_into_u32::<{ mem::offset_of!(Msgq, rx) }>();
- let gsp_mem = Coherent::<GspMem>::zeroed(dev, GFP_KERNEL)?;
-
- let start = gsp_mem.dma_handle();
- // Write values one by one to avoid an on-stack instance of `PteArray`.
- for i in 0..GspMem::PTE_ARRAY_SIZE {
- dma_write!(gsp_mem, .ptes.0[build: i], PteArray::<0>::entry(start, i)?);
- }
+ let mut gsp_mem = CoherentBox::<GspMem>::zeroed(dev, GFP_KERNEL)?;
+ gsp_mem.cpuq.tx = MsgqTxHeader::new(MSGQ_SIZE, RX_HDR_OFF, MSGQ_NUM_PAGES);
+ gsp_mem.cpuq.rx = MsgqRxHeader::new();
- dma_write!(
- gsp_mem,
- .cpuq.tx,
- MsgqTxHeader::new(MSGQ_SIZE, RX_HDR_OFF, MSGQ_NUM_PAGES)
- );
- dma_write!(gsp_mem, .cpuq.rx, MsgqRxHeader::new());
+ let gsp_mem: Coherent<_> = gsp_mem.into();
+ PteArray::init(io_project!(gsp_mem, .ptes), gsp_mem.dma_handle())?;
Ok(Self(gsp_mem))
}
@@ -406,7 +403,7 @@ fn allocate_command(&mut self, size: usize, timeout: Delta) -> Result<GspCommand
//
// - The returned value is within `0..MSGQ_NUM_PAGES`.
fn gsp_write_ptr(&self) -> u32 {
- super::fw::gsp_mem::gsp_write_ptr(&self.0)
+ MsgqTxHeader::write_ptr(io_project!(self.0, .gspq.tx)) % MSGQ_NUM_PAGES
}
// Returns the index of the memory page the GSP will read the next command from.
@@ -415,7 +412,7 @@ fn gsp_write_ptr(&self) -> u32 {
//
// - The returned value is within `0..MSGQ_NUM_PAGES`.
fn gsp_read_ptr(&self) -> u32 {
- super::fw::gsp_mem::gsp_read_ptr(&self.0)
+ MsgqRxHeader::read_ptr(io_project!(self.0, .gspq.rx)) % MSGQ_NUM_PAGES
}
// Returns the index of the memory page the CPU can read the next message from.
@@ -424,12 +421,18 @@ fn gsp_read_ptr(&self) -> u32 {
//
// - The returned value is within `0..MSGQ_NUM_PAGES`.
fn cpu_read_ptr(&self) -> u32 {
- super::fw::gsp_mem::cpu_read_ptr(&self.0)
+ MsgqRxHeader::read_ptr(io_project!(self.0, .cpuq.rx)) % MSGQ_NUM_PAGES
}
// Informs the GSP that it can send `elem_count` new pages into the message queue.
fn advance_cpu_read_ptr(&mut self, elem_count: u32) {
- super::fw::gsp_mem::advance_cpu_read_ptr(&self.0, elem_count)
+ let rx = io_project!(self.0, .cpuq.rx);
+ let rptr = MsgqRxHeader::read_ptr(rx).wrapping_add(elem_count) % MSGQ_NUM_PAGES;
+
+ // Ensure read pointer is properly ordered.
+ fence(Ordering::SeqCst);
+
+ MsgqRxHeader::set_read_ptr(rx, rptr)
}
// Returns the index of the memory page the CPU can write the next command to.
@@ -438,12 +441,17 @@ fn advance_cpu_read_ptr(&mut self, elem_count: u32) {
//
// - The returned value is within `0..MSGQ_NUM_PAGES`.
fn cpu_write_ptr(&self) -> u32 {
- super::fw::gsp_mem::cpu_write_ptr(&self.0)
+ MsgqTxHeader::write_ptr(io_project!(self.0, .cpuq.tx)) % MSGQ_NUM_PAGES
}
// Informs the GSP that it can process `elem_count` new pages from the command queue.
fn advance_cpu_write_ptr(&mut self, elem_count: u32) {
- super::fw::gsp_mem::advance_cpu_write_ptr(&self.0, elem_count)
+ let tx = io_project!(self.0, .cpuq.tx);
+ let wptr = MsgqTxHeader::write_ptr(tx).wrapping_add(elem_count) % MSGQ_NUM_PAGES;
+ MsgqTxHeader::set_write_ptr(tx, wptr);
+
+ // Ensure all command data is visible before triggering the GSP read.
+ fence(Ordering::SeqCst);
}
}
diff --git a/drivers/gpu/nova-core/gsp/fw.rs b/drivers/gpu/nova-core/gsp/fw.rs
index 4db0cfa4dc4d..b0e7de328eaf 100644
--- a/drivers/gpu/nova-core/gsp/fw.rs
+++ b/drivers/gpu/nova-core/gsp/fw.rs
@@ -10,7 +10,14 @@
use core::ops::Range;
use kernel::{
- dma::Coherent,
+ dma::{
+ Coherent,
+ CoherentView, //
+ },
+ io::{
+ io_read,
+ io_write, //
+ },
prelude::*,
ptr::{
Alignable,
@@ -44,59 +51,6 @@
},
};
-// TODO: Replace with `IoView` projections once available.
-pub(super) mod gsp_mem {
- use core::sync::atomic::{
- fence,
- Ordering, //
- };
-
- use kernel::{
- dma::Coherent,
- dma_read,
- dma_write, //
- };
-
- use crate::gsp::cmdq::{
- GspMem,
- MSGQ_NUM_PAGES, //
- };
-
- pub(in crate::gsp) fn gsp_write_ptr(qs: &Coherent<GspMem>) -> u32 {
- dma_read!(qs, .gspq.tx.0.writePtr) % MSGQ_NUM_PAGES
- }
-
- pub(in crate::gsp) fn gsp_read_ptr(qs: &Coherent<GspMem>) -> u32 {
- dma_read!(qs, .gspq.rx.0.readPtr) % MSGQ_NUM_PAGES
- }
-
- pub(in crate::gsp) fn cpu_read_ptr(qs: &Coherent<GspMem>) -> u32 {
- dma_read!(qs, .cpuq.rx.0.readPtr) % MSGQ_NUM_PAGES
- }
-
- pub(in crate::gsp) fn advance_cpu_read_ptr(qs: &Coherent<GspMem>, count: u32) {
- let rptr = cpu_read_ptr(qs).wrapping_add(count) % MSGQ_NUM_PAGES;
-
- // Ensure read pointer is properly ordered.
- fence(Ordering::SeqCst);
-
- dma_write!(qs, .cpuq.rx.0.readPtr, rptr);
- }
-
- pub(in crate::gsp) fn cpu_write_ptr(qs: &Coherent<GspMem>) -> u32 {
- dma_read!(qs, .cpuq.tx.0.writePtr) % MSGQ_NUM_PAGES
- }
-
- pub(in crate::gsp) fn advance_cpu_write_ptr(qs: &Coherent<GspMem>, count: u32) {
- let wptr = cpu_write_ptr(qs).wrapping_add(count) % MSGQ_NUM_PAGES;
-
- dma_write!(qs, .cpuq.tx.0.writePtr, wptr);
-
- // Ensure all command data is visible before triggering the GSP read.
- fence(Ordering::SeqCst);
- }
-}
-
/// Maximum size of a single GSP message queue element in bytes.
pub(crate) const GSP_MSG_QUEUE_ELEMENT_SIZE_MAX: usize =
num::u32_as_usize(bindings::GSP_MSG_QUEUE_ELEMENT_SIZE_MAX);
@@ -720,6 +674,16 @@ pub(crate) fn new(msgq_size: u32, rx_hdr_offset: u32, msg_count: u32) -> Self {
entryOff: num::usize_into_u32::<GSP_PAGE_SIZE>(),
})
}
+
+ /// Returns the value of the write pointer for this queue.
+ pub(crate) fn write_ptr(this: CoherentView<'_, Self>) -> u32 {
+ io_read!(this, .0.writePtr)
+ }
+
+ /// Sets the value of the write pointer for this queue.
+ pub(crate) fn set_write_ptr(this: CoherentView<'_, Self>, val: u32) {
+ io_write!(this, .0.writePtr, val)
+ }
}
// SAFETY: Padding is explicit and does not contain uninitialized data.
@@ -735,6 +699,16 @@ impl MsgqRxHeader {
pub(crate) fn new() -> Self {
Self(Default::default())
}
+
+ /// Returns the value of the read pointer for this queue.
+ pub(crate) fn read_ptr(this: CoherentView<'_, Self>) -> u32 {
+ io_read!(this, .0.readPtr)
+ }
+
+ /// Sets the value of the read pointer for this queue.
+ pub(crate) fn set_read_ptr(this: CoherentView<'_, Self>, val: u32) {
+ io_write!(this, .0.readPtr, val)
+ }
}
// SAFETY: Padding is explicit and does not contain uninitialized data.
--
2.54.0
^ permalink raw reply related [flat|nested] 40+ messages in thread
* [PATCH v4 18/20] rust: dma: drop `dma_read!` and `dma_write!` API
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
` (16 preceding siblings ...)
2026-06-11 16:28 ` [PATCH v4 17/20] gpu: nova-core: use I/O projection for cleaner encapsulation Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
2026-06-11 19:01 ` sashiko-bot
2026-06-11 16:28 ` [PATCH v4 19/20] rust: io: add copying methods Gary Guo
2026-06-11 16:28 ` [PATCH v4 20/20] rust: io: implement `IoSysMap` Gary Guo
19 siblings, 1 reply; 40+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
The primitive read/write use case is covered by the `io_read!` and
`io_write!` macro. The non-primitive use case was finicky; they should
either be achieved using `CoherentBox` or `as_ref()/as_mut()` to assert the
lack of concurrent access, or should be using memcpy-like APIs to express
the non-atomic and tearable nature.
Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>
Signed-off-by: Gary Guo <gary@garyguo.net>
---
rust/kernel/dma.rs | 128 -----------------------------------------------
samples/rust/rust_dma.rs | 13 ++---
2 files changed, 7 insertions(+), 134 deletions(-)
diff --git a/rust/kernel/dma.rs b/rust/kernel/dma.rs
index ab6504910e4f..0ff4cce8e809 100644
--- a/rust/kernel/dma.rs
+++ b/rust/kernel/dma.rs
@@ -661,52 +661,6 @@ pub unsafe fn as_mut(&self) -> &mut T {
// SAFETY: per safety requirement.
unsafe { &mut *self.as_mut_ptr() }
}
-
- /// Reads the value of `field` and ensures that its type is [`FromBytes`].
- ///
- /// # Safety
- ///
- /// This must be called from the [`dma_read`] macro which ensures that the `field` pointer is
- /// validated beforehand.
- ///
- /// Public but hidden since it should only be used from [`dma_read`] macro.
- #[doc(hidden)]
- pub unsafe fn field_read<F: FromBytes>(&self, field: *const F) -> F {
- // SAFETY:
- // - By the safety requirements field is valid.
- // - Using read_volatile() here is not sound as per the usual rules, the usage here is
- // a special exception with the following notes in place. When dealing with a potential
- // race from a hardware or code outside kernel (e.g. user-space program), we need that
- // read on a valid memory is not UB. Currently read_volatile() is used for this, and the
- // rationale behind is that it should generate the same code as READ_ONCE() which the
- // kernel already relies on to avoid UB on data races. Note that the usage of
- // read_volatile() is limited to this particular case, it cannot be used to prevent
- // the UB caused by racing between two kernel functions nor do they provide atomicity.
- unsafe { field.read_volatile() }
- }
-
- /// Writes a value to `field` and ensures that its type is [`AsBytes`].
- ///
- /// # Safety
- ///
- /// This must be called from the [`dma_write`] macro which ensures that the `field` pointer is
- /// validated beforehand.
- ///
- /// Public but hidden since it should only be used from [`dma_write`] macro.
- #[doc(hidden)]
- pub unsafe fn field_write<F: AsBytes>(&self, field: *mut F, val: F) {
- // SAFETY:
- // - By the safety requirements field is valid.
- // - Using write_volatile() here is not sound as per the usual rules, the usage here is
- // a special exception with the following notes in place. When dealing with a potential
- // race from a hardware or code outside kernel (e.g. user-space program), we need that
- // write on a valid memory is not UB. Currently write_volatile() is used for this, and the
- // rationale behind is that it should generate the same code as WRITE_ONCE() which the
- // kernel already relies on to avoid UB on data races. Note that the usage of
- // write_volatile() is limited to this particular case, it cannot be used to prevent
- // the UB caused by racing between two kernel functions nor do they provide atomicity.
- unsafe { field.write_volatile(val) }
- }
}
impl<T: AsBytes + FromBytes> Coherent<T> {
@@ -1265,85 +1219,3 @@ fn as_view(self) -> CoherentView<'a, Self::Target> {
}
}
}
-
-/// Reads a field of an item from an allocated region of structs.
-///
-/// The syntax is of the form `kernel::dma_read!(dma, proj)` where `dma` is an expression evaluating
-/// to a [`Coherent`] and `proj` is a [projection specification](kernel::ptr::project!).
-///
-/// # Examples
-///
-/// ```
-/// use kernel::device::Device;
-/// use kernel::dma::{attrs::*, Coherent};
-///
-/// struct MyStruct { field: u32, }
-///
-/// // SAFETY: All bit patterns are acceptable values for `MyStruct`.
-/// unsafe impl kernel::transmute::FromBytes for MyStruct{};
-/// // SAFETY: Instances of `MyStruct` have no uninitialized portions.
-/// unsafe impl kernel::transmute::AsBytes for MyStruct{};
-///
-/// # fn test(alloc: &kernel::dma::Coherent<[MyStruct]>) -> Result {
-/// let whole = kernel::dma_read!(alloc, [try: 2]);
-/// let field = kernel::dma_read!(alloc, [panic: 1].field);
-/// # Ok::<(), Error>(()) }
-/// ```
-#[macro_export]
-macro_rules! dma_read {
- ($dma:expr, $($proj:tt)*) => {{
- let dma = &$dma;
- let ptr = $crate::ptr::project!(
- $crate::dma::Coherent::as_ptr(dma), $($proj)*
- );
- // SAFETY: The pointer created by the projection is within the DMA region.
- unsafe { $crate::dma::Coherent::field_read(dma, ptr) }
- }};
-}
-
-/// Writes to a field of an item from an allocated region of structs.
-///
-/// The syntax is of the form `kernel::dma_write!(dma, proj, val)` where `dma` is an expression
-/// evaluating to a [`Coherent`], `proj` is a
-/// [projection specification](kernel::ptr::project!), and `val` is the value to be written to the
-/// projected location.
-///
-/// # Examples
-///
-/// ```
-/// use kernel::device::Device;
-/// use kernel::dma::{attrs::*, Coherent};
-///
-/// struct MyStruct { member: u32, }
-///
-/// // SAFETY: All bit patterns are acceptable values for `MyStruct`.
-/// unsafe impl kernel::transmute::FromBytes for MyStruct{};
-/// // SAFETY: Instances of `MyStruct` have no uninitialized portions.
-/// unsafe impl kernel::transmute::AsBytes for MyStruct{};
-///
-/// # fn test(alloc: &kernel::dma::Coherent<[MyStruct]>) -> Result {
-/// kernel::dma_write!(alloc, [try: 2].member, 0xf);
-/// kernel::dma_write!(alloc, [panic: 1], MyStruct { member: 0xf });
-/// # Ok::<(), Error>(()) }
-/// ```
-#[macro_export]
-macro_rules! dma_write {
- (@parse [$dma:expr] [$($proj:tt)*] [, $val:expr]) => {{
- let dma = &$dma;
- let ptr = $crate::ptr::project!(
- mut $crate::dma::Coherent::as_mut_ptr(dma), $($proj)*
- );
- let val = $val;
- // SAFETY: The pointer created by the projection is within the DMA region.
- unsafe { $crate::dma::Coherent::field_write(dma, ptr, val) }
- }};
- (@parse [$dma:expr] [$($proj:tt)*] [.$field:tt $($rest:tt)*]) => {
- $crate::dma_write!(@parse [$dma] [$($proj)* .$field] [$($rest)*])
- };
- (@parse [$dma:expr] [$($proj:tt)*] [[$flavor:ident: $index:expr] $($rest:tt)*]) => {
- $crate::dma_write!(@parse [$dma] [$($proj)* [$flavor: $index]] [$($rest)*])
- };
- ($dma:expr, $($rest:tt)*) => {
- $crate::dma_write!(@parse [$dma] [] [$($rest)*])
- };
-}
diff --git a/samples/rust/rust_dma.rs b/samples/rust/rust_dma.rs
index 5046b4628d0e..6727c441658a 100644
--- a/samples/rust/rust_dma.rs
+++ b/samples/rust/rust_dma.rs
@@ -12,6 +12,7 @@
Device,
DmaMask, //
},
+ io::io_read,
page, pci,
prelude::*,
scatterlist::{Owned, SGTable},
@@ -73,11 +74,11 @@ fn probe<'bound>(
// SAFETY: There are no concurrent calls to DMA allocation and mapping primitives.
unsafe { pdev.dma_set_mask_and_coherent(mask)? };
- let ca: Coherent<[MyStruct]> =
- Coherent::zeroed_slice(pdev.as_ref(), TEST_VALUES.len(), GFP_KERNEL)?;
+ let mut ca: CoherentBox<[MyStruct]> =
+ CoherentBox::zeroed_slice(pdev.as_ref(), TEST_VALUES.len(), GFP_KERNEL)?;
for (i, value) in TEST_VALUES.into_iter().enumerate() {
- kernel::dma_write!(ca, [try: i], MyStruct::new(value.0, value.1));
+ ca.init_at(i, MyStruct::new(value.0, value.1))?;
}
let size = 4 * page::PAGE_SIZE;
@@ -87,7 +88,7 @@ fn probe<'bound>(
Ok(try_pin_init!(Self {
pdev: pdev.into(),
- ca,
+ ca: ca.into(),
sgt <- sgt,
}))
})
@@ -97,8 +98,8 @@ fn probe<'bound>(
impl DmaSampleDriver {
fn check_dma(&self) {
for (i, value) in TEST_VALUES.into_iter().enumerate() {
- let val0 = kernel::dma_read!(self.ca, [panic: i].h);
- let val1 = kernel::dma_read!(self.ca, [panic: i].b);
+ let val0 = io_read!(self.ca, [panic: i].h);
+ let val1 = io_read!(self.ca, [panic: i].b);
assert_eq!(val0, value.0);
assert_eq!(val1, value.1);
--
2.54.0
^ permalink raw reply related [flat|nested] 40+ messages in thread
* [PATCH v4 19/20] rust: io: add copying methods
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
` (17 preceding siblings ...)
2026-06-11 16:28 ` [PATCH v4 18/20] rust: dma: drop `dma_read!` and `dma_write!` API Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
2026-06-11 19:11 ` sashiko-bot
2026-06-11 19:36 ` Gary Guo
2026-06-11 16:28 ` [PATCH v4 20/20] rust: io: implement `IoSysMap` Gary Guo
19 siblings, 2 replies; 40+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
One feature that was lost from the old `dma_read!` and `dma_write!` when
moving to `io_read!` and `io_write!` was the ability to read/write a large
structs. However, the semantics was unclear to begin with, as there was no
guarantee about their atomicity even for structs that were small enough to
fit in u32. Re-introduce the capability in the form of copying methods.
dma_read!(foo, bar) -> io_project!(foo, bar).copy_read()
dma_write!(foo, bar, baz) -> io_project!(foo, bar).copy_write(baz)
Model these semantics after memcpy so user has clear expectation of lack of
atomicity. As an additional benefit of this change, this now works for MMIO
as well by mapping them to `memcpy_{from,to}io`.
For slices which is DST so the `copy_read` and `copy_write` API above can't
work, add `copy_from_slice` and `copy_to_slice` to copy from/to normal
memory.
Signed-off-by: Gary Guo <gary@garyguo.net>
---
rust/helpers/io.c | 13 +++
rust/kernel/dma.rs | 25 +++++
rust/kernel/io.rs | 238 ++++++++++++++++++++++++++++++++++++++++++++++-
samples/rust/rust_dma.rs | 15 ++-
4 files changed, 285 insertions(+), 6 deletions(-)
diff --git a/rust/helpers/io.c b/rust/helpers/io.c
index 397810864a24..7ed9a4f77f1b 100644
--- a/rust/helpers/io.c
+++ b/rust/helpers/io.c
@@ -19,6 +19,19 @@ __rust_helper void rust_helper_iounmap(void __iomem *addr)
iounmap(addr);
}
+__rust_helper void rust_helper_memcpy_fromio(void *dst,
+ const volatile void __iomem *src,
+ size_t count)
+{
+ memcpy_fromio(dst, src, count);
+}
+
+__rust_helper void rust_helper_memcpy_toio(volatile void __iomem *dst,
+ const void *src, size_t count)
+{
+ memcpy_toio(dst, src, count);
+}
+
__rust_helper u8 rust_helper_readb(const void __iomem *addr)
{
return readb(addr);
diff --git a/rust/kernel/dma.rs b/rust/kernel/dma.rs
index 0ff4cce8e809..37bc20895803 100644
--- a/rust/kernel/dma.rs
+++ b/rust/kernel/dma.rs
@@ -18,6 +18,7 @@
IoBackend,
IoBase,
IoCapable,
+ IoCopyable,
SysMem,
SysMemBackend, //
},
@@ -1196,6 +1197,30 @@ fn io_write<'a>(view: Self::View<'a, T>, value: T) {
}
}
+impl IoCopyable for CoherentBackend {
+ #[inline]
+ unsafe fn copy_from_io(view: Self::View<'_, [u8]>, buffer: *mut u8) {
+ // SAFETY: Per safety requirement.
+ unsafe { SysMemBackend::copy_from_io(view.cpu_addr, buffer) }
+ }
+
+ #[inline]
+ unsafe fn copy_to_io(view: Self::View<'_, [u8]>, buffer: *const u8) {
+ // SAFETY: Per safety requirement.
+ unsafe { SysMemBackend::copy_to_io(view.cpu_addr, buffer) }
+ }
+
+ #[inline]
+ fn copy_read<T: zerocopy::FromBytes>(view: Self::View<'_, T>) -> T {
+ SysMemBackend::copy_read(view.cpu_addr)
+ }
+
+ #[inline]
+ fn copy_write<T: zerocopy::IntoBytes>(view: Self::View<'_, T>, value: T) {
+ SysMemBackend::copy_write(view.cpu_addr, value)
+ }
+}
+
impl<'a, T: ?Sized + KnownSize> IoBase<'a> for CoherentView<'a, T> {
type Backend = CoherentBackend;
type Target = T;
diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
index f64ca2202ff2..16f818d396bf 100644
--- a/rust/kernel/io.rs
+++ b/rust/kernel/io.rs
@@ -5,7 +5,8 @@
//! C header: [`include/asm-generic/io.h`](srctree/include/asm-generic/io.h)
use core::{
- marker::PhantomData, //
+ marker::PhantomData,
+ mem::MaybeUninit, //
};
use crate::{
@@ -227,6 +228,61 @@ pub trait IoCapable<T>: IoBackend {
fn io_write<'a>(view: Self::View<'a, T>, value: T);
}
+/// Trait indicating that an I/O backend supports memory copy operations.
+pub trait IoCopyable: IoBackend {
+ /// Copy contents of `view` to `buffer`.
+ ///
+ /// # Safety
+ ///
+ /// - `buffer` is valid for volatile write for `view.size()` bytes.
+ unsafe fn copy_from_io(view: Self::View<'_, [u8]>, buffer: *mut u8);
+
+ /// Copy `size` bytes from `buffer` to `address`.
+ ///
+ /// # Safety
+ ///
+ /// - `buffer` is valid for volatile read for `view.size()` bytes.
+ unsafe fn copy_to_io(view: Self::View<'_, [u8]>, buffer: *const u8);
+
+ /// Copy from `view` and return the value.
+ #[inline]
+ fn copy_read<T: FromBytes>(view: Self::View<'_, T>) -> T {
+ // Project `self` to `[u8]`.
+ let ptr = Self::as_ptr(view);
+ // SAFETY: This is a identity projection.
+ let slice_view = unsafe {
+ Self::project_view(
+ view,
+ core::ptr::slice_from_raw_parts_mut::<u8>(ptr.cast(), size_of::<T>()),
+ )
+ };
+
+ let mut buf = MaybeUninit::<T>::uninit();
+ // SAFETY: `buf.as_mut_ptr()` is valid for write for `size_of::<T>()` bytes.
+ unsafe { Self::copy_from_io(slice_view, buf.as_mut_ptr().cast()) };
+ // SAFETY: T: FromBytes` guarantee that all bit patterns are valid.
+ unsafe { buf.assume_init() }
+ }
+
+ /// Copy `value` to `view`.
+ #[inline]
+ fn copy_write<T: IntoBytes>(view: Self::View<'_, T>, value: T) {
+ // Project `self` to `[u8]`.
+ let ptr = Self::as_ptr(view);
+ // SAFETY: This is a identity projection.
+ let slice_view = unsafe {
+ Self::project_view(
+ view,
+ core::ptr::slice_from_raw_parts_mut::<u8>(ptr.cast(), size_of::<T>()),
+ )
+ };
+
+ // SAFETY: `&raw const value` is valid for read for `size_of::<T>()` bytes.
+ unsafe { Self::copy_to_io(slice_view, (&raw const value).cast()) };
+ core::mem::forget(value);
+ }
+}
+
/// Describes a given I/O location: its offset, width, and type to convert the raw value from and
/// into.
///
@@ -304,6 +360,24 @@ fn size(self) -> usize {
KnownSize::size(Self::Backend::as_ptr(self.as_view()))
}
+ /// Returns the length of the slice in number of elements.
+ #[inline]
+ fn len<T>(self) -> usize
+ where
+ Self: Io<'a, Target = [T]>,
+ {
+ Self::Backend::as_ptr(self.as_view()).len()
+ }
+
+ /// Returns `true` if the slice has a length of 0.
+ #[inline]
+ fn is_empty<T>(self) -> bool
+ where
+ Self: Io<'a, Target = [T]>,
+ {
+ self.len() == 0
+ }
+
/// Try to convert into a different typed I/O view.
///
/// The target type must be of same or smaller size to current type, and the current view must
@@ -391,6 +465,105 @@ fn write_val(self, value: Self::Target)
Self::Backend::io_write(self.as_view(), value)
}
+ /// Copy-read from I/O memory.
+ ///
+ /// There is no atomicity guarantee.
+ ///
+ /// # Examples
+ ///
+ /// ```no_run
+ /// # use kernel::io::*;
+ /// # fn test_copy_read(mmio: Mmio<'_, [u8; 6]>) {
+ /// // let mmio: Mmio<'_, [u8; 6]>;
+ /// let val: [u8; 6] = mmio.copy_read();
+ /// # }
+ /// ```
+ #[inline]
+ fn copy_read(self) -> Self::Target
+ where
+ Self::Backend: IoCopyable,
+ Self::Target: Sized + FromBytes,
+ {
+ Self::Backend::copy_read(self.as_view())
+ }
+
+ /// Copy-write to I/O memory.
+ ///
+ /// There is no atomicity guarantee.
+ ///
+ /// # Examples
+ ///
+ /// ```no_run
+ /// # use kernel::io::*;
+ /// # fn test_copy_write(mmio: Mmio<'_, [u8; 6]>) {
+ /// // let mmio: Mmio<'_, [u8; 6]>;
+ /// mmio.copy_write([0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF]);
+ /// # }
+ /// ```
+ #[inline]
+ fn copy_write(self, value: Self::Target)
+ where
+ Self::Backend: IoCopyable,
+ Self::Target: Sized + IntoBytes,
+ {
+ Self::Backend::copy_write(self.as_view(), value);
+ }
+
+ /// Copy bytes from slice to I/O memory.
+ ///
+ /// The length of `self` must be the same as `data`, similar to [`[u8]::copy_from_slice`].
+ ///
+ /// # Examples
+ ///
+ /// ```no_run
+ /// # use kernel::io::*;
+ /// # fn test_copy_write(mmio: Mmio<'_, [u8]>) {
+ /// // let mmio: Mmio<'_, [u8]>;
+ /// mmio.copy_from_slice(&[0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF]);
+ /// # }
+ /// ```
+ #[inline]
+ fn copy_from_slice(self, data: &[u8])
+ where
+ Self::Backend: IoCopyable,
+ Self: Io<'a, Target = [u8]>,
+ {
+ assert_eq!(self.len(), data.len());
+
+ // SAFETY: `data.as_ptr()` is valid for read for `self.size()` bytes.
+ unsafe {
+ Self::Backend::copy_to_io(self.as_view(), data.as_ptr());
+ }
+ }
+
+ /// Copy bytes from I/O memory to slice.
+ ///
+ /// The length of `self` must be the same as `data`, similar to [`[u8]::copy_from_slice`].
+ ///
+ /// # Examples
+ ///
+ /// ```no_run
+ /// # use kernel::io::*;
+ /// # fn test_copy_write(mmio: Mmio<'_, [u8]>) {
+ /// // let mmio: Mmio<'_, [u8]>;
+ /// let mut buf = [0; 6];
+ /// mmio.copy_to_slice(&mut buf);
+ /// # }
+ /// ```
+ #[inline]
+ fn copy_to_slice(self, data: &mut [u8])
+ where
+ Self::Backend: IoCopyable,
+ Self: Io<'a, Target = [u8]>,
+ {
+ assert_eq!(self.len(), data.len());
+
+ // SAFETY: `data.as_ptr()` is valid for write for `self.size()` bytes.
+ unsafe {
+ Self::Backend::copy_from_io(self.as_view(), data.as_mut_ptr());
+ }
+ }
+
/// Returns a view for a given `offset`, performing compile-time bound checks.
// Always inline to optimize out error path of `build_assert`.
#[inline(always)]
@@ -981,6 +1154,28 @@ fn io_write(view: <$backend as IoBackend>::View<'_, $ty>, value: $ty) {
#[cfg(CONFIG_64BIT)]
impl_mmio_io_capable!(MmioBackend, u64, readq, writeq);
+impl IoCopyable for MmioBackend {
+ #[inline]
+ unsafe fn copy_from_io(view: Self::View<'_, [u8]>, buffer: *mut u8) {
+ // SAFETY:
+ // - `view.ptr` is valid MMIO memory for `view.size()` bytes.
+ // - `buffer` is valid for write for `view.size()` bytes.
+ unsafe {
+ bindings::memcpy_fromio(buffer.cast(), view.ptr.cast(), view.size());
+ }
+ }
+
+ #[inline]
+ unsafe fn copy_to_io(view: Self::View<'_, [u8]>, buffer: *const u8) {
+ // SAFETY:
+ // - `view.ptr` is valid MMIO memory for `view.size()` bytes.
+ // - `buffer` is valid for read for `view.size()` bytes.
+ unsafe {
+ bindings::memcpy_toio(view.ptr.cast(), buffer.cast(), view.size());
+ }
+ }
+}
+
/// [`Mmio`] but using relaxed accessors.
///
/// This type provides an implementation of [`Io`] that uses relaxed I/O MMIO operands instead of
@@ -1145,6 +1340,47 @@ fn io_write(view: SysMem<'_, $ty>, value: $ty) {
#[cfg(CONFIG_64BIT)]
impl_sysmem_io_capable!(u64);
+impl IoCopyable for SysMemBackend {
+ #[inline]
+ unsafe fn copy_from_io(view: Self::View<'_, [u8]>, buffer: *mut u8) {
+ // Use `bindings::memcpy` instead of copy_nonoverlapping for volatile.
+ // SAFETY:
+ // - `view.ptr` is in CPU address space and valid for read.
+ // - `buffer` is valid for write for `view.size()` bytes which is equal to `view.ptr.len()`.
+ unsafe { bindings::memcpy(buffer.cast(), view.ptr.cast(), view.ptr.len()) };
+ }
+
+ #[inline]
+ unsafe fn copy_to_io(view: Self::View<'_, [u8]>, buffer: *const u8) {
+ // Use `bindings::memcpy` instead of copy_nonoverlapping for volatile.
+ // SAFETY:
+ // - `view.ptr` is in CPU address space and valid for write.
+ // - `buffer` is valid for read for `view.size()` bytes which is equal to `view.ptr.len()`.
+ unsafe { bindings::memcpy(view.ptr.cast(), buffer.cast(), view.ptr.len()) };
+ }
+
+ #[inline]
+ fn copy_read<T: FromBytes>(view: Self::View<'_, T>) -> T {
+ // SAFETY:
+ // - Per type invariant, `ptr` is valid and aligned.
+ // - Using read_volatile() here so that race with hardware is well-defined.
+ // - Using read_volatile() here is not sound if it races with other CPU per Rust
+ // rules, but this is allowed per LKMM.
+ // - The macro is only used on primitives so all bit patterns are valid.
+ unsafe { view.ptr.read_volatile() }
+ }
+
+ #[inline]
+ fn copy_write<T: IntoBytes>(view: Self::View<'_, T>, value: T) {
+ // SAFETY:
+ // - Per type invariant, `ptr` is valid and aligned.
+ // - Using write_volatile() here so that race with hardware is well-defined.
+ // - Using write_volatile() here is not sound if it races with other CPU per Rust
+ // rules, but this is allowed per LKMM.
+ unsafe { view.ptr.write_volatile(value) }
+ }
+}
+
/// System memory region.
///
/// Provides `Io` trait implementation for kernel virtual address ranges,
diff --git a/samples/rust/rust_dma.rs b/samples/rust/rust_dma.rs
index 6727c441658a..b629acc6d915 100644
--- a/samples/rust/rust_dma.rs
+++ b/samples/rust/rust_dma.rs
@@ -12,7 +12,11 @@
Device,
DmaMask, //
},
- io::io_read,
+ io::{
+ io_project,
+ io_read,
+ Io, //
+ },
page, pci,
prelude::*,
scatterlist::{Owned, SGTable},
@@ -35,6 +39,7 @@ struct DmaSampleDriver {
(0xcd, 0xef),
];
+#[derive(FromBytes, IntoBytes)]
struct MyStruct {
h: u32,
b: u32,
@@ -74,11 +79,11 @@ fn probe<'bound>(
// SAFETY: There are no concurrent calls to DMA allocation and mapping primitives.
unsafe { pdev.dma_set_mask_and_coherent(mask)? };
- let mut ca: CoherentBox<[MyStruct]> =
- CoherentBox::zeroed_slice(pdev.as_ref(), TEST_VALUES.len(), GFP_KERNEL)?;
+ let ca: Coherent<[MyStruct]> =
+ Coherent::zeroed_slice(pdev.as_ref(), TEST_VALUES.len(), GFP_KERNEL)?;
for (i, value) in TEST_VALUES.into_iter().enumerate() {
- ca.init_at(i, MyStruct::new(value.0, value.1))?;
+ io_project!(ca, [panic: i]).copy_write(MyStruct::new(value.0, value.1));
}
let size = 4 * page::PAGE_SIZE;
@@ -88,7 +93,7 @@ fn probe<'bound>(
Ok(try_pin_init!(Self {
pdev: pdev.into(),
- ca: ca.into(),
+ ca,
sgt <- sgt,
}))
})
--
2.54.0
^ permalink raw reply related [flat|nested] 40+ messages in thread
* [PATCH v4 20/20] rust: io: implement `IoSysMap`
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
` (18 preceding siblings ...)
2026-06-11 16:28 ` [PATCH v4 19/20] rust: io: add copying methods Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
2026-06-11 19:13 ` sashiko-bot
19 siblings, 1 reply; 40+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
Add an enum as sum type for `Mmio` and `SysMem`. This serves similar
purpose of `iosys_map`. Thanks to Rust's type system, all of projection and
struct read/write can be handled by the generic I/O projection mechanism
(i.e. `io_project!`, `io_read!, `io_write!`) for free, and there is no need
to provide things like `iosys_map_rd_field` or `iosys_map_wr_field`. An
enum type also makes it very easy to construct or destruct.
This could be made more generic by implementing on a general purpose sum
type like `Either`; however this is kept specific unless a need arises that
warrants this to be generic over other I/O backends.
Signed-off-by: Gary Guo <gary@garyguo.net>
---
rust/kernel/io.rs | 135 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 135 insertions(+)
diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
index 16f818d396bf..5cd4756cf237 100644
--- a/rust/kernel/io.rs
+++ b/rust/kernel/io.rs
@@ -1443,6 +1443,141 @@ fn as_view(self) -> <Self::Backend as IoBackend>::View<'a, Self::Target> {
}
}
+/// I/O Backend for [`IoSysMap`].
+pub struct IoSysMapBackend;
+
+/// Either [`Mmio`] or [`SysMem`].
+///
+/// This can be used when a piece of logic may wish to handle both MMIO or system memory but does
+/// not want or cannot be generic over I/O backends. This serves a similar purpose to
+/// [`include/linux/iosys-map.h`] in C.
+///
+/// This type can be used like any other types that implements [`Io`]; this also include
+/// [`io_project!`], [`io_read!`], [`io_write!`].
+///
+/// [`include/linux/iosys-map.h`](srctree/include/linux/iosys-map.h)
+pub enum IoSysMap<'a, T: ?Sized> {
+ Io(Mmio<'a, T>),
+ Sys(SysMem<'a, T>),
+}
+
+impl<T: ?Sized> Copy for IoSysMap<'_, T> {}
+impl<T: ?Sized> Clone for IoSysMap<'_, T> {
+ #[inline]
+ fn clone(&self) -> Self {
+ *self
+ }
+}
+
+impl<'a, T: ?Sized> From<Mmio<'a, T>> for IoSysMap<'a, T> {
+ #[inline]
+ fn from(value: Mmio<'a, T>) -> Self {
+ IoSysMap::Io(value)
+ }
+}
+
+impl<'a, T: ?Sized> From<SysMem<'a, T>> for IoSysMap<'a, T> {
+ #[inline]
+ fn from(value: SysMem<'a, T>) -> Self {
+ IoSysMap::Sys(value)
+ }
+}
+
+impl IoBackend for IoSysMapBackend {
+ type View<'a, T: ?Sized + KnownSize> = IoSysMap<'a, T>;
+
+ #[inline]
+ fn as_ptr<'a, T: ?Sized + KnownSize>(view: Self::View<'a, T>) -> *mut T {
+ match view {
+ IoSysMap::Io(l) => MmioBackend::as_ptr(l),
+ IoSysMap::Sys(r) => SysMemBackend::as_ptr(r),
+ }
+ }
+
+ #[inline]
+ unsafe fn project_view<'a, T: ?Sized + KnownSize, U: ?Sized + KnownSize>(
+ view: Self::View<'a, T>,
+ ptr: *mut U,
+ ) -> Self::View<'a, U> {
+ match view {
+ // SAFETY: Per safety requirement.
+ IoSysMap::Io(l) => IoSysMap::Io(unsafe { MmioBackend::project_view(l, ptr) }),
+ // SAFETY: Per safety requirement.
+ IoSysMap::Sys(r) => IoSysMap::Sys(unsafe { SysMemBackend::project_view(r, ptr) }),
+ }
+ }
+}
+
+impl<T> IoCapable<T> for IoSysMapBackend
+where
+ MmioBackend: IoCapable<T>,
+ SysMemBackend: IoCapable<T>,
+{
+ #[inline]
+ fn io_read(view: Self::View<'_, T>) -> T {
+ match view {
+ IoSysMap::Io(l) => MmioBackend::io_read(l),
+ IoSysMap::Sys(r) => SysMemBackend::io_read(r),
+ }
+ }
+
+ #[inline]
+ fn io_write<'a>(view: Self::View<'a, T>, value: T) {
+ match view {
+ IoSysMap::Io(l) => MmioBackend::io_write(l, value),
+ IoSysMap::Sys(r) => SysMemBackend::io_write(r, value),
+ }
+ }
+}
+
+impl IoCopyable for IoSysMapBackend {
+ #[inline]
+ unsafe fn copy_from_io(view: Self::View<'_, [u8]>, buffer: *mut u8) {
+ match view {
+ // SAFETY: Per safety requirement.
+ IoSysMap::Io(l) => unsafe { MmioBackend::copy_from_io(l, buffer) },
+ // SAFETY: Per safety requirement.
+ IoSysMap::Sys(r) => unsafe { SysMemBackend::copy_from_io(r, buffer) },
+ }
+ }
+
+ #[inline]
+ unsafe fn copy_to_io(view: Self::View<'_, [u8]>, buffer: *const u8) {
+ match view {
+ // SAFETY: Per safety requirement.
+ IoSysMap::Io(l) => unsafe { MmioBackend::copy_to_io(l, buffer) },
+ // SAFETY: Per safety requirement.
+ IoSysMap::Sys(r) => unsafe { SysMemBackend::copy_to_io(r, buffer) },
+ }
+ }
+
+ #[inline]
+ fn copy_read<T: FromBytes>(view: Self::View<'_, T>) -> T {
+ match view {
+ IoSysMap::Io(l) => MmioBackend::copy_read(l),
+ IoSysMap::Sys(r) => SysMemBackend::copy_read(r),
+ }
+ }
+
+ #[inline]
+ fn copy_write<T: IntoBytes>(view: Self::View<'_, T>, value: T) {
+ match view {
+ IoSysMap::Io(l) => MmioBackend::copy_write(l, value),
+ IoSysMap::Sys(r) => SysMemBackend::copy_write(r, value),
+ }
+ }
+}
+
+impl<'a, T: ?Sized + KnownSize> IoBase<'a> for IoSysMap<'a, T> {
+ type Backend = IoSysMapBackend;
+ type Target = T;
+
+ #[inline]
+ fn as_view(self) -> IoSysMap<'a, T> {
+ self
+ }
+}
+
// This helper turns associated functions to methods so it can be invoked in macro.
// Used by `io_project!()` only.
#[doc(hidden)]
--
2.54.0
^ permalink raw reply related [flat|nested] 40+ messages in thread
* Re: [PATCH v4 04/20] rust: io: implement `Io` on reference types instead
2026-06-11 16:28 ` [PATCH v4 04/20] rust: io: implement `Io` on reference types instead Gary Guo
@ 2026-06-11 17:07 ` sashiko-bot
0 siblings, 0 replies; 40+ messages in thread
From: sashiko-bot @ 2026-06-11 17:07 UTC (permalink / raw)
To: Gary Guo; +Cc: Danilo Krummrich, ojeda, linux-pci, Alexandre Courbot, dri-devel
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
New issues:
- [Low] Missing lifetime specifiers in trait implementations for reference types.
Pre-existing issues:
- [High] The safe trait `Io` provides safe methods that perform unchecked `unsafe` operations relying on safe, overridable methods, violating Rust's soundness guarantees.
--
commit d5084ac7c26ce79e46d5cb18b40703205bee53dd
Author: Gary Guo <gary@garyguo.net>
rust: io: implement Io on reference types instead
Currently, Io is implemented on owned I/O objects (e.g. Bar). This is
going to change with I/O projections, as then Io need to work both for
owned objects and views of them. Views are themselves reference-like
(however they obviously cannot be references, because they belong to a
different address space).
To faciliate the change, change Io to be implemented on reference types
for the owned I/O objects, and make methods take self instead of &self.
When I/O views are implemented, we can then naturally implement Io for
these objects.
> diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
> index 38281636b4da3..3b478dcf10f95 100644
> --- a/rust/kernel/io.rs
> +++ b/rust/kernel/io.rs
[ ... ]
> @@ -338,7 +338,7 @@ fn io_addr<U>(&self, offset: usize) -> Result<usize> {
>
> /// Fallible 8-bit read with runtime bounds check.
> #[inline(always)]
> - fn try_read8(&self, offset: usize) -> Result<u8>
> + fn try_read8(self, offset: usize) -> Result<u8>
[Severity: High]
This is a pre-existing issue, but does the Io trait need to be marked as
unsafe?
The safe trait Io provides safe methods like try_read8() which contain an
unsafe block calling self.io_read(). The safety of this block assumes
that self.io_addr() always returns a valid memory address.
However, since Io is a safe trait, any safe Rust code can implement it
and arbitrarily override methods like io_addr(), addr(), or maxsize()
to return invalid addresses. If this occurs, calling the safe try_read8()
function will result in undefined behavior.
Should Io or IoCapable be an unsafe trait so that the implementor is
held formally responsible for upholding the invariants required by the
unsafe blocks in the default methods?
[ ... ]
> @@ -800,13 +800,13 @@ fn update<T, L, F>(&self, location: L, f: F)
> macro_rules! impl_mmio_io_capable {
> ($mmio:ident, $(#[$attr:meta])* $ty:ty, $read_fn:ident, $write_fn:ident) => {
> $(#[$attr])*
> - impl<const SIZE: usize> IoCapable<$ty> for $mmio<SIZE> {
> - unsafe fn io_read(&self, address: usize) -> $ty {
> + impl<const SIZE: usize> IoCapable<$ty> for &$mmio<SIZE> {
[Severity: Low]
Does this implementation cause a compile error due to a missing lifetime
specifier?
Implementing a trait for a reference type requires an explicit lifetime
parameter for that reference. Should this be updated to include the
lifetime? For example:
impl<'a, const SIZE: usize> IoCapable<$ty> for &'a $mmio<SIZE>?
[ ... ]
> diff --git a/rust/kernel/pci/io.rs b/rust/kernel/pci/io.rs
> index b4996aa059d81..505305cd9b86c 100644
> --- a/rust/kernel/pci/io.rs
> +++ b/rust/kernel/pci/io.rs
> @@ -79,8 +79,8 @@ pub struct ConfigSpace<'a, S: ?Sized + ConfigSpaceKind = Extended> {
> /// Implements [`IoCapable`] on [`ConfigSpace`] for `$ty` using `$read_fn` and `$write_fn`.
> macro_rules! impl_config_space_io_capable {
> ($ty:ty, $read_fn:ident, $write_fn:ident) => {
> - impl<'a, S: ?Sized + ConfigSpaceKind> IoCapable<$ty> for ConfigSpace<'a, S> {
> - unsafe fn io_read(&self, address: usize) -> $ty {
> + impl<'a, S: ?Sized + ConfigSpaceKind> IoCapable<$ty> for &ConfigSpace<'a, S> {
[Severity: Low]
Similar to the regression in io.rs, is an outer lifetime specifier required
for this reference type to compile?
For example:
impl<'a, 'b, S: ?Sized + ConfigSpaceKind> IoCapable<$ty>
for &'b ConfigSpace<'a, S>?
[ ... ]
> @@ -112,18 +112,18 @@ unsafe fn io_write(&self, value: $ty, address: usize) {
> impl_config_space_io_capable!(u16, pci_read_config_word, pci_write_config_word);
> impl_config_space_io_capable!(u32, pci_read_config_dword, pci_write_config_dword);
>
> -impl<'a, S: ?Sized + ConfigSpaceKind> Io for ConfigSpace<'a, S> {
> +impl<'a, S: ?Sized + ConfigSpaceKind> Io for &ConfigSpace<'a, S> {
[Severity: Low]
As with the previous implementation, does this also need an outer lifetime
specifier for the reference itself?
> type Target = S;
>
> /// Returns the base address of the I/O region. It is always 0 for configuration space.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260611-io_projection-v4-0-1f7224b02dcb@garyguo.net?part=4
^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH v4 05/20] rust: io: generalize `MmioRaw` to pointer to arbitrary type
2026-06-11 16:28 ` [PATCH v4 05/20] rust: io: generalize `MmioRaw` to pointer to arbitrary type Gary Guo
@ 2026-06-11 17:15 ` sashiko-bot
0 siblings, 0 replies; 40+ messages in thread
From: sashiko-bot @ 2026-06-11 17:15 UTC (permalink / raw)
To: Gary Guo; +Cc: Alexandre Courbot, linux-pci, ojeda, Danilo Krummrich, dri-devel
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Resource leak of I/O mapped virtual memory in `IoMem::ioremap` upon `MmioRaw::new_region` failure.
--
commit 341339f8ea263586994f368a12f84cd531475a2a
Author: Gary Guo <gary@garyguo.net>
Update MmioRaw to use the dynamic-sized type Region<SIZE> instead of
representing compile-time known minimum sizes directly. Implement Clone,
Copy, Send, and Sync manually due to raw pointer usage.
> diff --git a/rust/kernel/io/mem.rs b/rust/kernel/io/mem.rs
> index fc2a3e24f8d5..9e15bc8fde78 100644
> --- a/rust/kernel/io/mem.rs
> +++ b/rust/kernel/io/mem.rs
[ ... ]
> @@ -264,8 +264,7 @@ fn ioremap(dev: &'a Device<Bound>, resource: &Resource) -> Result<Self> {
> return Err(ENOMEM);
> }
>
> - let io = MmioRaw::new(addr as usize, size)?;
> -
> + let io = MmioRaw::new_region(addr as usize, size)?;
[Severity: High]
This is a pre-existing issue, but does this early return via the ? operator
leak the mapped I/O virtual memory in IoMem::ioremap()?
If MmioRaw::new_region() fails (for example, if the device's hardware size
is smaller than the statically requested SIZE), the ? operator causes an
early return with an error.
Because the IoMem structure is not yet fully constructed, its Drop
implementation is never invoked. This means bindings::iounmap is bypassed,
abandoning the raw addr pointer and leading to an unrecoverable leak of
vmalloc space.
> Ok(IoMem { dev, io })
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260611-io_projection-v4-0-1f7224b02dcb@garyguo.net?part=5
^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH v4 06/20] rust: io: rename `Mmio` to `MmioOwned`
2026-06-11 16:28 ` [PATCH v4 06/20] rust: io: rename `Mmio` to `MmioOwned` Gary Guo
@ 2026-06-11 17:21 ` sashiko-bot
0 siblings, 0 replies; 40+ messages in thread
From: sashiko-bot @ 2026-06-11 17:21 UTC (permalink / raw)
To: Gary Guo; +Cc: dri-devel, ojeda, Alexandre Courbot, linux-pci, Danilo Krummrich
> Most users would more commonly reach out to a view of `Mmio` rather than an
> owned instance of `Mmio`. Only implementor of `Io` like `Bar` or `IoMem`
> would need the owned version. Thus, rename `Mmio` to `MmioOwned` so that
> the name `Mmio` can be used for the view type instead.
>
> Signed-off-by: Gary Guo <gary@garyguo.net>
Sashiko has reviewed this patch and found no issues. It looks great!
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260611-io_projection-v4-0-1f7224b02dcb@garyguo.net?part=6
^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH v4 07/20] rust: io: implement `Mmio` as view type
2026-06-11 16:28 ` [PATCH v4 07/20] rust: io: implement `Mmio` as view type Gary Guo
@ 2026-06-11 17:31 ` sashiko-bot
0 siblings, 0 replies; 40+ messages in thread
From: sashiko-bot @ 2026-06-11 17:31 UTC (permalink / raw)
To: Gary Guo; +Cc: dri-devel, Alexandre Courbot, linux-pci, Danilo Krummrich, ojeda
> Implement `Mmio` as view type and convert `RelaxedMmio` to view type as
> well. I/O implementations of `MmioOwned` are changed to delegate to the
> `Mmio` view type.
>
> All existing users of `MmioOwned` in the documentation which do not
> actually reflect the owning semantics is converted.
>
> Signed-off-by: Gary Guo <gary@garyguo.net>
Sashiko has reviewed this patch and found no issues. It looks great!
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260611-io_projection-v4-0-1f7224b02dcb@garyguo.net?part=7
^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH v4 08/20] rust: pci: io: make `ConfigSpace` a view
2026-06-11 16:28 ` [PATCH v4 08/20] rust: pci: io: make `ConfigSpace` a view Gary Guo
@ 2026-06-11 17:37 ` sashiko-bot
0 siblings, 0 replies; 40+ messages in thread
From: sashiko-bot @ 2026-06-11 17:37 UTC (permalink / raw)
To: Gary Guo; +Cc: linux-pci, ojeda, Danilo Krummrich, dri-devel, Alexandre Courbot
> In order to support I/O projection, we are splitting I/O types into two
> categories: owned objects and views. Owned objects have a specific type
> that is related to setting up and tearing down, while views can have their
> type changed with I/O projection.
>
> Things like `IoMem` or `Bar` are owned objects, which requires setting up
> mapping and cleaning up on drop. On the other side, `ConfigSpace` is really
> just a view, as the resource is associated with the `pci::Device`.
>
> Remove the `ConfigSpaceKind` bound on `ConfigSpace` and make it a generic
> view. This means that `ConfigSpace` object now represents a subregion and
> therefore encodes offset (as address of pointers) and size (as metadata of
> pointers) itself. The full region case is still supported with offset 0 and
> size of `cfg_size`.
>
> Signed-off-by: Gary Guo <gary@garyguo.net>
Sashiko has reviewed this patch and found no issues. It looks great!
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260611-io_projection-v4-0-1f7224b02dcb@garyguo.net?part=8
^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH v4 09/20] rust: io: use view types instead of addresses for `Io`
2026-06-11 16:28 ` [PATCH v4 09/20] rust: io: use view types instead of addresses for `Io` Gary Guo
@ 2026-06-11 17:46 ` sashiko-bot
0 siblings, 0 replies; 40+ messages in thread
From: sashiko-bot @ 2026-06-11 17:46 UTC (permalink / raw)
To: Gary Guo; +Cc: Alexandre Courbot, dri-devel, ojeda, Danilo Krummrich, linux-pci
> Currently, `io_read` and `io_write` methods require the exact type of `Io`
> plus an address. This means that they need to be monomorphized for each
> different `Io` instance. This also means that multiple I/O implementors for
> the same I/O kind needs to duplicate implementation (e.g. `Mmio` and
> `MmioOwned`).
>
> Create a new `IoBackend` trait and define these operations on it instead.
> The operations are just going to receive a view type and operate on them.
> This has the additional advantage that the invariants can be moved from the
> trait (and guaranteed via `unsafe`) to type invariants on the canonical
> view types of the backends, so `io_read` and `io_write` can be safe.
>
> Note that view type is needed; addresses are insufficient in this
> designk, as they do not carry sufficient information. For example,
> `ConfigSpace` needs `&pci::Device` in addition to the address.
>
> Signed-off-by: Gary Guo <gary@garyguo.net>
Sashiko has reviewed this patch and found no issues. It looks great!
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260611-io_projection-v4-0-1f7224b02dcb@garyguo.net?part=9
^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH v4 10/20] rust: io: remove `MmioOwned`
2026-06-11 16:28 ` [PATCH v4 10/20] rust: io: remove `MmioOwned` Gary Guo
@ 2026-06-11 17:54 ` sashiko-bot
0 siblings, 0 replies; 40+ messages in thread
From: sashiko-bot @ 2026-06-11 17:54 UTC (permalink / raw)
To: Gary Guo; +Cc: ojeda, linux-pci, dri-devel, Danilo Krummrich, Alexandre Courbot
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Low] Incorrect vertical import sorting in the `devres.rs` doc-comment.
--
commit 44ae5967f8fb0af22e020970c5e4e5cc392db95a
Author: Gary Guo <gary@garyguo.net>
Io trait is now very easy to implement. Thus, implement it on Bar and IoMem directly and remove the MmioOwned struct.
This commit simplifies the Io trait usage by implementing it directly
on Bar and IoMem. It removes the intermediate MmioOwned struct and
updates the relevant device resource documentation and examples to
reflect these changes.
> diff --git a/rust/kernel/devres.rs b/rust/kernel/devres.rs
> index aed0c994fd30..3545ffc5345d 100644
> --- a/rust/kernel/devres.rs
> +++ b/rust/kernel/devres.rs
> @@ -68,8 +68,9 @@ struct Inner<T> {
> /// devres::Devres,
> /// io::{
> /// Io,
> -/// MmioOwned,
> +/// Mmio,
> /// MmioRaw,
> +/// MmioBackend,
[Severity: Low]
This isn't a bug, but the imports in this documentation block appear to be
out of alphabetical order. According to the Rust kernel coding guidelines
for vertical imports, shouldn't MmioBackend be placed before MmioRaw?
> /// PhysAddr,
> /// Region, //
> /// },
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260611-io_projection-v4-0-1f7224b02dcb@garyguo.net?part=10
^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH v4 11/20] rust: io: move `Io` methods to extension trait
2026-06-11 16:28 ` [PATCH v4 11/20] rust: io: move `Io` methods to extension trait Gary Guo
@ 2026-06-11 18:00 ` sashiko-bot
0 siblings, 0 replies; 40+ messages in thread
From: sashiko-bot @ 2026-06-11 18:00 UTC (permalink / raw)
To: Gary Guo; +Cc: Alexandre Courbot, dri-devel, Danilo Krummrich, ojeda, linux-pci
> `Io` trait now has a single required methods with many more provided
> methods. Provided methods may want to rely on their implementations to not
> be arbitrarily overridden by implementers for correctness or soundness.
>
> Thus, extract these methods to a new trait and provide a blanket
> implementation. This pattern is used extensively in userspace Rust
> libraries e.g. `tokio` where `AsyncRead` has minimum methods and
> `AsyncReadExt` is what users mostly interact with.
>
> To avoid changing all user imports, the base trait is renamed to `IoBase`
> and the newly added trait takes the existing `Io` name.
>
> A `size` method is added as an example of methods that users should not
> override.
>
> Suggested-by: Danilo Krummrich <dakr@kernel.org>
> Signed-off-by: Gary Guo <gary@garyguo.net>
Sashiko has reviewed this patch and found no issues. It looks great!
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260611-io_projection-v4-0-1f7224b02dcb@garyguo.net?part=11
^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH v4 12/20] rust: prelude: add `zerocopy{,_derive}::IntoBytes`
2026-06-11 16:28 ` [PATCH v4 12/20] rust: prelude: add `zerocopy{,_derive}::IntoBytes` Gary Guo
@ 2026-06-11 18:01 ` sashiko-bot
0 siblings, 0 replies; 40+ messages in thread
From: sashiko-bot @ 2026-06-11 18:01 UTC (permalink / raw)
To: Gary Guo; +Cc: linux-pci, ojeda, Danilo Krummrich, Alexandre Courbot, dri-devel
> In order to easily use `IntoBytes`, add it to the prelude.
>
> This adds both the trait (`zerocopy::IntoBytes`) as well as the derive
> macro (`zerocopy_derive::IntoBytes`).
>
> Signed-off-by: Gary Guo <gary@garyguo.net>
Sashiko has reviewed this patch and found no issues. It looks great!
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260611-io_projection-v4-0-1f7224b02dcb@garyguo.net?part=12
^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH v4 13/20] rust: io: add projection macro and methods
2026-06-11 16:28 ` [PATCH v4 13/20] rust: io: add projection macro and methods Gary Guo
@ 2026-06-11 18:14 ` sashiko-bot
2026-06-11 18:34 ` Gary Guo
0 siblings, 1 reply; 40+ messages in thread
From: sashiko-bot @ 2026-06-11 18:14 UTC (permalink / raw)
To: Gary Guo; +Cc: dri-devel, Alexandre Courbot, ojeda, linux-pci, Danilo Krummrich
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] Deriving `FromBytes` on `Region<const SIZE: usize>` allows safe code to bypass the struct's documented `SIZE` invariant.
- [Low] Removal of trailing `//` on the vertical import block closing brace violates kernel Rust formatting rules.
--
commit 0616e76ffd1d8525b38835ead9f29afeae45c2ed
Author: Gary Guo <gary@garyguo.net>
Subject: Add an io_project!() macro allows projection from Io to a subview
This commit introduces an io_project!() macro that allows projection from Io
to a subview using compile-time checks. It also adds a try_cast() function
to perform size and alignment checks at runtime when type-casting is needed.
> diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
> index 470ee2ed9849..c7a9952af995 100644
> --- a/rust/kernel/io.rs
> +++ b/rust/kernel/io.rs
> @@ -14,7 +14,7 @@
> ptr::{
> Alignment,
> KnownSize, //
> - }, //
> + },
[Severity: Low]
This isn't a bug, but does removing the trailing // on the closing brace
violate the kernel Rust vertical import formatting rules? The coding
guidelines require this marker to prevent rustfmt from collapsing the
multi-line imports.
> };
>
> pub mod mem;
[ ... ]
> @@ -44,12 +44,12 @@
> /// This type can be used when an I/O region without known type information has a compile-time known
> /// minimum size (and a runtime known actual size).
> ///
> -/// This must be 4-byte aligned.
> -///
> /// # Invariants
> ///
> -/// Size of the region is at least as large as the `SIZE` generic parameter.
> +/// - Size of the region is at least as large as the `SIZE` generic parameter.
> +/// - Size of the region is multiple of 4.
> #[repr(C, align(4))]
> +#[derive(FromBytes)]
> pub struct Region<const SIZE: usize = 0> {
> inner: [u8],
> }
[Severity: High]
Does deriving FromBytes on Region allow safe code to bypass the documented
SIZE invariant?
By implementing zerocopy::FromBytes, safe code could use ref_from() to cast
any 4-byte aligned byte slice into a &Region. Since zerocopy only checks
that the slice length matches the dynamically computed layout size, which
for inner: [u8] is just the length of the slice, it appears safe code could
cast a 4-byte slice into a &Region<1024>.
Could this lead to out-of-bounds reads or writes if unsafe code
subsequently relies on the SIZE parameter for bounds checking?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260611-io_projection-v4-0-1f7224b02dcb@garyguo.net?part=13
^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH v4 14/20] rust: io: add I/O backend for system memory with volatile access
2026-06-11 16:28 ` [PATCH v4 14/20] rust: io: add I/O backend for system memory with volatile access Gary Guo
@ 2026-06-11 18:23 ` sashiko-bot
0 siblings, 0 replies; 40+ messages in thread
From: sashiko-bot @ 2026-06-11 18:23 UTC (permalink / raw)
To: Gary Guo; +Cc: Danilo Krummrich, linux-pci, ojeda, dri-devel, Alexandre Courbot
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] SysMem allows unaligned volatile reads and writes because it fails to enforce base pointer alignment for the types accessed via the Io trait.
--
commit ab556784fb75f6ee7bad0986c5ef780c29189dc2
Author: Laura Nao <laura.nao@collabora.com>
Add SysMem, an Io trait implementation for kernel virtual address ranges.
This commit introduces SysMem to provide safe access to shared memory
that may be concurrently accessed by external hardware. It uses volatile
accessors and implements IoCapable for standard primitive types. This
provides an alternative to Coherent when other layers handle mapping
the system memory to the device.
> diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
> index c7a9952af995..a418c8cbb031 100644
> --- a/rust/kernel/io.rs
> +++ b/rust/kernel/io.rs
[ ... ]
> +/// Implements [`IoCapable`] on `SysMemBackend` for `$ty` using `read_volatile` and
> +/// `write_volatile`.
> +macro_rules! impl_sysmem_io_capable {
> + ($ty:ty) => {
> + impl IoCapable<$ty> for SysMemBackend {
> + #[inline]
> + fn io_read(view: SysMem<'_, $ty>) -> $ty {
> + // SAFETY:
> + // - Per type invariant, `ptr` is valid and aligned.
> + // - Using read_volatile() here so that race with hardware is well-defined.
> + // - Using read_volatile() here is not sound if it races with other CPU per Rust
> + // rules, but this is allowed per LKMM.
> + // - The macro is only used on primitives so all bit patterns are valid.
> + unsafe { view.ptr.read_volatile() }
[Severity: High]
If the original type T is something with a 1-byte alignment like [u8], does
SysMem::new() allow the base pointer to also be 1-byte aligned?
The offset checks in the Io framework only guarantee that the offset is
aligned for the target type, not the absolute resulting pointer. When
SysMemBackend::project_view() creates a view for a larger type like u32, the
resulting pointer could be unaligned.
Could this lead to undefined behavior and kernel panics on architectures like
ARM or RISC-V when read_volatile() is executed here on an unaligned pointer?
> + }
> +
> + #[inline]
> + fn io_write(view: SysMem<'_, $ty>, value: $ty) {
> + // SAFETY:
> + // - Per type invariant, `ptr` is valid and aligned.
> + // - Using write_volatile() here so that race with hardware is well-defined.
> + // - Using write_volatile() here is not sound if it races with other CPU per Rust
> + // rules, but this is allowed per LKMM.
> + unsafe { view.ptr.write_volatile(value) }
> + }
> + }
> + };
> +}
[ ... ]
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260611-io_projection-v4-0-1f7224b02dcb@garyguo.net?part=14
^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH v4 15/20] rust: io: implement a view type for `Coherent`
2026-06-11 16:28 ` [PATCH v4 15/20] rust: io: implement a view type for `Coherent` Gary Guo
@ 2026-06-11 18:30 ` sashiko-bot
0 siblings, 0 replies; 40+ messages in thread
From: sashiko-bot @ 2026-06-11 18:30 UTC (permalink / raw)
To: Gary Guo; +Cc: ojeda, linux-pci, dri-devel, Danilo Krummrich, Alexandre Courbot
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] The safety documentation for `CoherentView::as_mut` and `as_ref` fails to demand Rust's reference aliasing exclusivity, allowing Undefined Behavior.
--
commit 20e5ba166044275ffb7dbced6b142a0a7c1c896e
Author: Gary Guo <gary@garyguo.net>
Implement a CoherentView type which is a view of Coherent.
To be able to give out DMA handles, the view type contains both CPU and DMA
pointers, and the projection method projects both at once. Delegate most of
the Io implementation to SysMemBackend. Provide a method to erase the DMA
handle and give out a SysMem view, if the user does not need the dma_handle.
> diff --git a/rust/kernel/dma.rs b/rust/kernel/dma.rs
> index 200def84fb69..ab6504910e4f 100644
> --- a/rust/kernel/dma.rs
> +++ b/rust/kernel/dma.rs
[ ... ]
> +impl<T: ?Sized> Copy for CoherentView<'_, T> {}
> +impl<T: ?Sized> Clone for CoherentView<'_, T> {
> + #[inline]
> + fn clone(&self) -> Self {
> + *self
> + }
> +}
> +
> +impl<'a, T: ?Sized> CoherentView<'a, T> {
[ ... ]
> + /// Returns a reference to the data in the region.
> + ///
> + /// # Safety
> + ///
> + /// * Callers must ensure that the device does not read/write to/from memory while the returned
> + /// reference is live.
> + /// * Callers must ensure that this call does not race with a write to the same region while
> + /// the returned reference is live.
> + #[inline]
> + pub unsafe fn as_ref(self) -> &'a T {
[Severity: High]
Since CoherentView implements Copy, callers can duplicate the view and call
this method multiple times. Does this safety contract adequately protect
against creating overlapping shared and mutable references?
Rust's aliasing rules consider it undefined behavior to create aliasing
mutable and shared references, even in single-threaded code without a data
race.
It seems the preconditions should explicitly require callers to ensure no
mutable references to the same memory region exist while the returned
reference is live.
> + // SAFETY: pointer is aligned and valid per type invariant. Aliasing rule is satisfied per
> + // safety requirement.
> + unsafe { &*self.cpu_addr.as_ptr() }
> + }
> +
> + /// Returns a mutable reference to the data in the region.
> + ///
> + /// # Safety
> + ///
> + /// * Callers must ensure that the device does not read/write to/from memory while the returned
> + /// reference is live.
> + /// * Callers must ensure that this call does not race with a read or write to the same region
> + /// while the returned reference is live.
> + #[inline]
> + pub unsafe fn as_mut(self) -> &'a mut T {
[Severity: High]
Similar to as_ref() above, does this safety contract prevent the creation of
aliasing mutable references?
Because the struct implements Copy and this method takes self by value returning
&'a mut T, a caller could copy the view and call as_mut() sequentially. The
safety contract only forbids racing with a read or write, which does not prevent
the immediate undefined behavior of having multiple overlapping &'a mut T
references.
Should the documentation be updated to demand Rust's reference aliasing
exclusivity?
> + // SAFETY: pointer is aligned and valid per type invariant. Aliasing rule is satisfied per
> + // safety requirement.
> + unsafe { &mut *self.cpu_addr.as_ptr() }
> + }
> +}
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260611-io_projection-v4-0-1f7224b02dcb@garyguo.net?part=15
^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH v4 13/20] rust: io: add projection macro and methods
2026-06-11 18:14 ` sashiko-bot
@ 2026-06-11 18:34 ` Gary Guo
0 siblings, 0 replies; 40+ messages in thread
From: Gary Guo @ 2026-06-11 18:34 UTC (permalink / raw)
To: sashiko-reviews, Gary Guo
Cc: dri-devel, Alexandre Courbot, ojeda, linux-pci, Danilo Krummrich,
rust-for-linux
(Cc list)
On Thu Jun 11, 2026 at 7:14 PM BST, sashiko-bot wrote:
> Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
> - [High] Deriving `FromBytes` on `Region<const SIZE: usize>` allows safe code to bypass the struct's documented `SIZE` invariant.
> - [Low] Removal of trailing `//` on the vertical import block closing brace violates kernel Rust formatting rules.
> --
>
> commit 0616e76ffd1d8525b38835ead9f29afeae45c2ed
> Author: Gary Guo <gary@garyguo.net>
> Subject: Add an io_project!() macro allows projection from Io to a subview
>
> This commit introduces an io_project!() macro that allows projection from Io
> to a subview using compile-time checks. It also adds a try_cast() function
> to perform size and alignment checks at runtime when type-casting is needed.
>
>> diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
>> index 470ee2ed9849..c7a9952af995 100644
>> --- a/rust/kernel/io.rs
>> +++ b/rust/kernel/io.rs
>> @@ -44,12 +44,12 @@
>> /// This type can be used when an I/O region without known type information has a compile-time known
>> /// minimum size (and a runtime known actual size).
>> ///
>> -/// This must be 4-byte aligned.
>> -///
>> /// # Invariants
>> ///
>> -/// Size of the region is at least as large as the `SIZE` generic parameter.
>> +/// - Size of the region is at least as large as the `SIZE` generic parameter.
>> +/// - Size of the region is multiple of 4.
>> #[repr(C, align(4))]
>> +#[derive(FromBytes)]
>> pub struct Region<const SIZE: usize = 0> {
>> inner: [u8],
>> }
>
> [Severity: High]
> Does deriving FromBytes on Region allow safe code to bypass the documented
> SIZE invariant?
>
> By implementing zerocopy::FromBytes, safe code could use ref_from() to cast
> any 4-byte aligned byte slice into a &Region. Since zerocopy only checks
> that the slice length matches the dynamically computed layout size, which
> for inner: [u8] is just the length of the slice, it appears safe code could
> cast a 4-byte slice into a &Region<1024>.
>
> Could this lead to out-of-bounds reads or writes if unsafe code
> subsequently relies on the SIZE parameter for bounds checking?
It looks like the model is using background knowledge on v0.7 of zerocopy.
ref_from in v0.7 has `Self: Sized` bound, so it doesn't apply to `Region` which
is guaranteed DST.
This is similar for v0.8, ref_from_* methods would require `KnownLayout` which
is not true for `Region`. So everything is sound here.
Technically, we *could* derive `KnownLayout` for `Region` by doing this:
pub struct Region<const SIZE: usize = 0> {
fixed: [u8; SIZE],
additional: [u8],
}
but this means that the size computation actually needs to perform an additional
arithmetic operation rather than just the metadata. This is also the reason why
I didn't change the `inner` to be `[u32]` but rather make it an invariant to
guarantee size alignment, because it would otherwise require a shift to get the
size.
Best,
Gary
^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH v4 16/20] rust: io: add `read_val` and `write_val` functions on `Io`
2026-06-11 16:28 ` [PATCH v4 16/20] rust: io: add `read_val` and `write_val` functions on `Io` Gary Guo
@ 2026-06-11 18:37 ` sashiko-bot
0 siblings, 0 replies; 40+ messages in thread
From: sashiko-bot @ 2026-06-11 18:37 UTC (permalink / raw)
To: Gary Guo; +Cc: linux-pci, dri-devel, ojeda, Danilo Krummrich, Alexandre Courbot
> Provide `read_val` and `write_val` that allow I/O views to be accessed when
> they're narrowed down to just views of primitives.
>
> This is used to provide `io_read!` and `io_write!` macros, which are
> generalized version of current `dma_read!` and `dma_write!` macro that work
> for all types that implement `Io`.
>
> Note though `io_read!` and `io_write!` only works if backend implements
> `IoCapable` for the type; which is typically only implemented for
> atomically accessible primitives. `dma_read!` and `dma_write!` currently
> supports them via `read_volatile` and `write_volatile`; this can be
> undesirable for aggregates as LLVM may turn them to multiple instructions
> to access parts and re-assemble, even if they could be combined to a single
> instruction. Thus, `io_read!()` and `io_write!()` does not fully replace
> `dma_read!()` and `dma_write!()` in this scenario. The ability to
> read/write aggregates (when atomicity is of no concern) is better served
> with copying primitives (e.g. memcpy_{from,to}io).
>
> Signed-off-by: Gary Guo <gary@garyguo.net>
Sashiko has reviewed this patch and found no issues. It looks great!
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260611-io_projection-v4-0-1f7224b02dcb@garyguo.net?part=16
^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH v4 17/20] gpu: nova-core: use I/O projection for cleaner encapsulation
2026-06-11 16:28 ` [PATCH v4 17/20] gpu: nova-core: use I/O projection for cleaner encapsulation Gary Guo
@ 2026-06-11 18:47 ` sashiko-bot
0 siblings, 0 replies; 40+ messages in thread
From: sashiko-bot @ 2026-06-11 18:47 UTC (permalink / raw)
To: Gary Guo; +Cc: Danilo Krummrich, Alexandre Courbot, linux-pci, ojeda, dri-devel
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] The memory barrier in `advance_cpu_write_ptr` is incorrectly placed after the write pointer update, potentially allowing the GSP to read stale command data.
--
commit 6cc25fbdd45cd6420a6e1ed539f7745066511455
Author: Gary Guo <gary@garyguo.net>
Use io_project! for PTE array and message queues to restore the proper encapsulation.
This commit migrates the nova-core GSP driver to use the io_project!,
io_read!, and io_write! macros for accessing the PTE array and message queues.
The previous dma_read! and dma_write! macros are replaced to properly
encapsulate IO memory operations on primitives.
> diff --git a/drivers/gpu/nova-core/gsp/cmdq.rs b/drivers/gpu/nova-core/gsp/cmdq.rs
> index 070de0731e95..c34b48961496 100644
> --- a/drivers/gpu/nova-core/gsp/cmdq.rs
> +++ b/drivers/gpu/nova-core/gsp/cmdq.rs
[ ... ]
> @@ -438,12 +441,17 @@ fn advance_cpu_read_ptr(&mut self, elem_count: u32) {
> //
> // - The returned value is within `0..MSGQ_NUM_PAGES`.
> fn cpu_write_ptr(&self) -> u32 {
> - super::fw::gsp_mem::cpu_write_ptr(&self.0)
> + MsgqTxHeader::write_ptr(io_project!(self.0, .cpuq.tx)) % MSGQ_NUM_PAGES
> }
>
> // Informs the GSP that it can process `elem_count` new pages from the command queue.
> fn advance_cpu_write_ptr(&mut self, elem_count: u32) {
> - super::fw::gsp_mem::advance_cpu_write_ptr(&self.0, elem_count)
> + let tx = io_project!(self.0, .cpuq.tx);
> + let wptr = MsgqTxHeader::write_ptr(tx).wrapping_add(elem_count) % MSGQ_NUM_PAGES;
> + MsgqTxHeader::set_write_ptr(tx, wptr);
> +
> + // Ensure all command data is visible before triggering the GSP read.
> + fence(Ordering::SeqCst);
[Severity: High]
This is a pre-existing issue, but is the memory barrier placed incorrectly
here?
Because fence(Ordering::SeqCst) happens after MsgqTxHeader::set_write_ptr()
updates the write pointer, could the CPU reorder the preceding command data
writes with the write pointer update itself?
If the updated write pointer becomes visible to the GSP before the actual
command data is fully written to memory, it seems the GSP might read
uninitialized or stale commands.
Should the fence be moved to immediately before set_write_ptr() to prevent
this reordering, similar to how the read pointer is handled in
advance_cpu_read_ptr()?
> }
> }
[ ... ]
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260611-io_projection-v4-0-1f7224b02dcb@garyguo.net?part=17
^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH v4 18/20] rust: dma: drop `dma_read!` and `dma_write!` API
2026-06-11 16:28 ` [PATCH v4 18/20] rust: dma: drop `dma_read!` and `dma_write!` API Gary Guo
@ 2026-06-11 19:01 ` sashiko-bot
0 siblings, 0 replies; 40+ messages in thread
From: sashiko-bot @ 2026-06-11 19:01 UTC (permalink / raw)
To: Gary Guo; +Cc: dri-devel, Danilo Krummrich, ojeda, Alexandre Courbot, linux-pci
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Low] Removal of `dma_read!` and `dma_write!` breaks compilation for `drivers/gpu/nova-core`.
--
commit 144cedc7de039fdec7f07bf6a514886b83913697
Author: Gary Guo <gary@garyguo.net>
rust: dma: remove dma_read! and dma_write!
The primitive read/write use case is covered by the io_read! and
io_write! macro. The non-primitive use case was finicky; they should
either be achieved using CoherentBox or as_ref()/as_mut() to assert the
lack of concurrent access, or should be using memcpy-like APIs to express
the non-atomic and tearable nature.
> diff --git a/rust/kernel/dma.rs b/rust/kernel/dma.rs
> index ab6504910e4f..0ff4cce8e809 100644
> --- a/rust/kernel/dma.rs
> +++ b/rust/kernel/dma.rs
[ ... ]
> @@ -1265,85 +1219,3 @@ fn as_view(self) -> CoherentView<'a, Self::Target> {
> }
> }
> }
> -
> -/// Reads a field of an item from an allocated region of structs.
[Severity: Low]
Does removing these macros break the build for drivers/gpu/nova-core?
Looking at drivers/gpu/nova-core/gsp/cmdq.rs:DmaGspMem::new(), it appears to
still rely on dma_write!:
dma_write!(gsp_mem, .ptes.0[build: i], PteArray::<0>::entry(start, i)?);
Similarly, in drivers/gpu/nova-core/gsp/fw.rs:gsp_write_ptr():
dma_read!(qs, .gspq.tx.0.writePtr) % MSGQ_NUM_PAGES
Could these users in nova-core be migrated to io_read! and io_write! in this
patch to prevent bisect breakage?
> -///
> -/// The syntax is of the form `kernel::dma_read!(dma, proj)` where `dma` is an expression evaluating
> -/// to a [`Coherent`] and `proj` is a [projection specification](kernel::ptr::project!).
> -///
> -/// # Examples
> -///
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260611-io_projection-v4-0-1f7224b02dcb@garyguo.net?part=18
^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH v4 19/20] rust: io: add copying methods
2026-06-11 16:28 ` [PATCH v4 19/20] rust: io: add copying methods Gary Guo
@ 2026-06-11 19:11 ` sashiko-bot
2026-06-11 19:36 ` Gary Guo
1 sibling, 0 replies; 40+ messages in thread
From: sashiko-bot @ 2026-06-11 19:11 UTC (permalink / raw)
To: Gary Guo; +Cc: linux-pci, Alexandre Courbot, Danilo Krummrich, dri-devel, ojeda
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
- [High] SysMemBackend::copy_read and copy_write use read_volatile and write_volatile on arbitrary generic types T, violating LKMM and LLVM constraints.
- [High] MmioBackend::copy_from_io and copy_to_io map bulk copies to memcpy_fromio/memcpy_toio, violating endianness subsystem guidelines.
- [High] SysMemBackend::copy_from_io and copy_to_io rely on bindings::memcpy for volatile semantics, leading to TOCTOU and data races.
--
commit 8004726b3c24d7011df864d4b9595e8a500deac8
Author: Gary Guo <gary@garyguo.net>
rust: io: re-introduce copy methods
This commit re-introduces the ability to read and write large structs that
was lost when migrating to the io_read and io_write macros. It adds copying
methods that model memcpy semantics to ensure users expect a lack of
atomicity. It also extends these methods for MMIO via memcpy_fromio and
memcpy_toio.
diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
index f64ca2202ff2..16f818d396bf 100644
--- a/rust/kernel/io.rs
+++ b/rust/kernel/io.rs
[ ... ]
> @@ -981,6 +1154,28 @@ fn io_write(view: <$backend as IoBackend>::View<'_, $ty>, value: $ty) {
> #[cfg(CONFIG_64BIT)]
> impl_mmio_io_capable!(MmioBackend, u64, readq, writeq);
>
> +impl IoCopyable for MmioBackend {
> + #[inline]
> + unsafe fn copy_from_io(view: Self::View<'_, [u8]>, buffer: *mut u8) {
> + // SAFETY:
> + // - `view.ptr` is valid MMIO memory for `view.size()` bytes.
> + // - `buffer` is valid for write for `view.size()` bytes.
> + unsafe {
> + bindings::memcpy_fromio(buffer.cast(), view.ptr.cast(), view.size());
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Severity: High]
Will this implementation violate the endianness subsystem guidelines for
MmioBackend?
The MmioBackend implements copy_from_io using memcpy_fromio, which is a
stream accessor that copies memory byte-for-byte without performing
CPU-to-device endianness byteswapping.
In contrast, scalar MMIO accessors (like io_read/io_write using
readl/writel) perform implicit byteswapping. If a user reads a hardware
struct using copy_read, multi-byte integer fields will retain the device's
byte order on big-endian systems, whereas reading them individually via
io_read would swap them to native CPU endianness.
Mixing stream and register accessors for the same memory region can lead
to silent data corruption on big-endian architectures.
> + }
> + }
> +
> + #[inline]
> + unsafe fn copy_to_io(view: Self::View<'_, [u8]>, buffer: *const u8) {
> + // SAFETY:
> + // - `view.ptr` is valid MMIO memory for `view.size()` bytes.
> + // - `buffer` is valid for read for `view.size()` bytes.
> + unsafe {
> + bindings::memcpy_toio(view.ptr.cast(), buffer.cast(), view.size());
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Severity: High]
Could using memcpy_toio here also bypass endianness byteswapping?
Using a stream accessor for a generic bulk copy instead of scalar register
accessors might lead to endianness portability bugs when used alongside
io_write on the same memory region.
> + }
> + }
> +}
[ ... ]
> @@ -1145,6 +1340,47 @@ fn io_write(view: SysMem<'_, $ty>, value: $ty) {
> #[cfg(CONFIG_64BIT)]
> impl_sysmem_io_capable!(u64);
>
> +impl IoCopyable for SysMemBackend {
> + #[inline]
> + unsafe fn copy_from_io(view: Self::View<'_, [u8]>, buffer: *mut u8) {
> + // Use bindings::memcpy instead of copy_nonoverlapping for volatile.
> + // SAFETY:
> + // - `view.ptr` is in CPU address space and valid for read.
> + // - `buffer` is valid for write for `view.size()` bytes which is equal to `view.ptr.len()`.
> + unsafe { bindings::memcpy(buffer.cast(), view.ptr.cast(), view.ptr.len()) };
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Severity: High]
Is it safe to assume bindings::memcpy provides volatile access guarantees?
The comment states it uses bindings::memcpy instead of copy_nonoverlapping
for volatile, but bindings::memcpy provides no volatile guarantees in C or
LLVM.
Because memcpy is a standard memory operation, LLVM can aggressively
optimize it, potentially eliding the copy if the destination is unread
locally, reordering accesses, or tearing reads and writes to DMA coherent
memory.
This could strip the required volatile semantics and cause hardware
desynchronization or TOCTOU vulnerabilities.
> + }
> +
> + #[inline]
> + unsafe fn copy_to_io(view: Self::View<'_, [u8]>, buffer: *const u8) {
> + // Use bindings::memcpy instead of copy_nonoverlapping for volatile.
> + // SAFETY:
> + // - `view.ptr` is in CPU address space and valid for write.
> + // - `buffer` is valid for read for `view.size()` bytes which is equal to `view.ptr.len()`.
> + unsafe { bindings::memcpy(view.ptr.cast(), buffer.cast(), view.ptr.len()) };
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Severity: High]
Might this copy also lack volatile guarantees for the same reason?
Calling bindings::memcpy does not ensure volatile memory access semantics,
which could lead to LLVM optimizing away the copy or reordering it.
> + }
> +
> + #[inline]
> + fn copy_read<T: FromBytes>(view: Self::View<'_, T>) -> T {
> + // SAFETY:
> + // - Per type invariant, ptr is valid and aligned.
> + // - Using read_volatile() here so that race with hardware is well-defined.
> + // - Using read_volatile() here is not sound if it races with other CPU per Rust
> + // rules, but this is allowed per LKMM.
> + // - The macro is only used on primitives so all bit patterns are valid.
> + unsafe { view.ptr.read_volatile() }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Severity: High]
Can calling read_volatile() on a generic type T violate LKMM and LLVM
constraints?
Since copy_read is generic over T: FromBytes, T can be an arbitrarily
large structure. The Linux Kernel Memory Model (LKMM) restricts volatile
accesses to machine-word sizes or smaller.
Using read_volatile on large structures can lead to unpredictable LLVM
codegen, including non-volatile block copies or compiler crashes. The
safety comment mentions that the macro is only used on primitives, which
seems incorrectly copied from primitive accessors.
> + }
> +
> + #[inline]
> + fn copy_write<T: IntoBytes>(view: Self::View<'_, T>, value: T) {
> + // SAFETY:
> + // - Per type invariant, ptr is valid and aligned.
> + // - Using write_volatile() here so that race with hardware is well-defined.
> + // - Using write_volatile() here is not sound if it races with other CPU per Rust
> + // rules, but this is allowed per LKMM.
> + unsafe { view.ptr.write_volatile(value) }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Severity: High]
Are there similar LKMM constraint violations when using write_volatile()
on generic type T?
Similar to copy_read, T could be larger than a machine word, which is not
supported by LKMM for volatile writes and may cause unpredictable compiler
behavior.
> + }
> +}
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260611-io_projection-v4-0-1f7224b02dcb@garyguo.net?part=19
^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH v4 20/20] rust: io: implement `IoSysMap`
2026-06-11 16:28 ` [PATCH v4 20/20] rust: io: implement `IoSysMap` Gary Guo
@ 2026-06-11 19:13 ` sashiko-bot
0 siblings, 0 replies; 40+ messages in thread
From: sashiko-bot @ 2026-06-11 19:13 UTC (permalink / raw)
To: Gary Guo; +Cc: linux-pci, ojeda, dri-devel, Alexandre Courbot, Danilo Krummrich
> Add an enum as sum type for `Mmio` and `SysMem`. This serves similar
> purpose of `iosys_map`. Thanks to Rust's type system, all of projection and
> struct read/write can be handled by the generic I/O projection mechanism
> (i.e. `io_project!`, `io_read!, `io_write!`) for free, and there is no need
> to provide things like `iosys_map_rd_field` or `iosys_map_wr_field`. An
> enum type also makes it very easy to construct or destruct.
>
> This could be made more generic by implementing on a general purpose sum
> type like `Either`; however this is kept specific unless a need arises that
> warrants this to be generic over other I/O backends.
>
> Signed-off-by: Gary Guo <gary@garyguo.net>
Sashiko has reviewed this patch and found no issues. It looks great!
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260611-io_projection-v4-0-1f7224b02dcb@garyguo.net?part=20
^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH v4 19/20] rust: io: add copying methods
2026-06-11 16:28 ` [PATCH v4 19/20] rust: io: add copying methods Gary Guo
2026-06-11 19:11 ` sashiko-bot
@ 2026-06-11 19:36 ` Gary Guo
1 sibling, 0 replies; 40+ messages in thread
From: Gary Guo @ 2026-06-11 19:36 UTC (permalink / raw)
To: Gary Guo, Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman,
Rafael J. Wysocki, Miguel Ojeda, Boqun Feng, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
On Thu Jun 11, 2026 at 5:28 PM BST, Gary Guo wrote:
> One feature that was lost from the old `dma_read!` and `dma_write!` when
> moving to `io_read!` and `io_write!` was the ability to read/write a large
> structs. However, the semantics was unclear to begin with, as there was no
> guarantee about their atomicity even for structs that were small enough to
> fit in u32. Re-introduce the capability in the form of copying methods.
>
> dma_read!(foo, bar) -> io_project!(foo, bar).copy_read()
> dma_write!(foo, bar, baz) -> io_project!(foo, bar).copy_write(baz)
>
> Model these semantics after memcpy so user has clear expectation of lack of
> atomicity. As an additional benefit of this change, this now works for MMIO
> as well by mapping them to `memcpy_{from,to}io`.
>
> For slices which is DST so the `copy_read` and `copy_write` API above can't
> work, add `copy_from_slice` and `copy_to_slice` to copy from/to normal
> memory.
>
> Signed-off-by: Gary Guo <gary@garyguo.net>
> ---
> rust/helpers/io.c | 13 +++
> rust/kernel/dma.rs | 25 +++++
> rust/kernel/io.rs | 238 ++++++++++++++++++++++++++++++++++++++++++++++-
> samples/rust/rust_dma.rs | 15 ++-
> 4 files changed, 285 insertions(+), 6 deletions(-)
>
> [snip]
>
> +
> + #[inline]
> + fn copy_read<T: FromBytes>(view: Self::View<'_, T>) -> T {
> + // SAFETY:
> + // - Per type invariant, `ptr` is valid and aligned.
> + // - Using read_volatile() here so that race with hardware is well-defined.
> + // - Using read_volatile() here is not sound if it races with other CPU per Rust
> + // rules, but this is allowed per LKMM.
> + // - The macro is only used on primitives so all bit patterns are valid.
This line should read "`T: FromBytes` so all bit patterns are valid.". I copied
from `IoCapable` impl and forgot to update the comment.
Best,
Gary
> + unsafe { view.ptr.read_volatile() }
> + }
> +
> + #[inline]
> + fn copy_write<T: IntoBytes>(view: Self::View<'_, T>, value: T) {
> + // SAFETY:
> + // - Per type invariant, `ptr` is valid and aligned.
> + // - Using write_volatile() here so that race with hardware is well-defined.
> + // - Using write_volatile() here is not sound if it races with other CPU per Rust
> + // rules, but this is allowed per LKMM.
> + unsafe { view.ptr.write_volatile(value) }
> + }
> +}
> +
> /// System memory region.
> ///
> /// Provides `Io` trait implementation for kernel virtual address ranges,
^ permalink raw reply [flat|nested] 40+ messages in thread
end of thread, other threads:[~2026-06-11 19:36 UTC | newest]
Thread overview: 40+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
2026-06-11 16:28 ` [PATCH v4 01/20] rust: io: add dynamically-sized `Region` type Gary Guo
2026-06-11 16:28 ` [PATCH v4 02/20] rust: io: add missing safety requirement in `IoCapable` methods Gary Guo
2026-06-11 16:28 ` [PATCH v4 03/20] rust: io: restrict untyped IO access and `register!` to `Region` Gary Guo
2026-06-11 16:28 ` [PATCH v4 04/20] rust: io: implement `Io` on reference types instead Gary Guo
2026-06-11 17:07 ` sashiko-bot
2026-06-11 16:28 ` [PATCH v4 05/20] rust: io: generalize `MmioRaw` to pointer to arbitrary type Gary Guo
2026-06-11 17:15 ` sashiko-bot
2026-06-11 16:28 ` [PATCH v4 06/20] rust: io: rename `Mmio` to `MmioOwned` Gary Guo
2026-06-11 17:21 ` sashiko-bot
2026-06-11 16:28 ` [PATCH v4 07/20] rust: io: implement `Mmio` as view type Gary Guo
2026-06-11 17:31 ` sashiko-bot
2026-06-11 16:28 ` [PATCH v4 08/20] rust: pci: io: make `ConfigSpace` a view Gary Guo
2026-06-11 17:37 ` sashiko-bot
2026-06-11 16:28 ` [PATCH v4 09/20] rust: io: use view types instead of addresses for `Io` Gary Guo
2026-06-11 17:46 ` sashiko-bot
2026-06-11 16:28 ` [PATCH v4 10/20] rust: io: remove `MmioOwned` Gary Guo
2026-06-11 17:54 ` sashiko-bot
2026-06-11 16:28 ` [PATCH v4 11/20] rust: io: move `Io` methods to extension trait Gary Guo
2026-06-11 18:00 ` sashiko-bot
2026-06-11 16:28 ` [PATCH v4 12/20] rust: prelude: add `zerocopy{,_derive}::IntoBytes` Gary Guo
2026-06-11 18:01 ` sashiko-bot
2026-06-11 16:28 ` [PATCH v4 13/20] rust: io: add projection macro and methods Gary Guo
2026-06-11 18:14 ` sashiko-bot
2026-06-11 18:34 ` Gary Guo
2026-06-11 16:28 ` [PATCH v4 14/20] rust: io: add I/O backend for system memory with volatile access Gary Guo
2026-06-11 18:23 ` sashiko-bot
2026-06-11 16:28 ` [PATCH v4 15/20] rust: io: implement a view type for `Coherent` Gary Guo
2026-06-11 18:30 ` sashiko-bot
2026-06-11 16:28 ` [PATCH v4 16/20] rust: io: add `read_val` and `write_val` functions on `Io` Gary Guo
2026-06-11 18:37 ` sashiko-bot
2026-06-11 16:28 ` [PATCH v4 17/20] gpu: nova-core: use I/O projection for cleaner encapsulation Gary Guo
2026-06-11 18:47 ` sashiko-bot
2026-06-11 16:28 ` [PATCH v4 18/20] rust: dma: drop `dma_read!` and `dma_write!` API Gary Guo
2026-06-11 19:01 ` sashiko-bot
2026-06-11 16:28 ` [PATCH v4 19/20] rust: io: add copying methods Gary Guo
2026-06-11 19:11 ` sashiko-bot
2026-06-11 19:36 ` Gary Guo
2026-06-11 16:28 ` [PATCH v4 20/20] rust: io: implement `IoSysMap` Gary Guo
2026-06-11 19:13 ` sashiko-bot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox