* [PATCH v4 00/20] rust: I/O type generalization and projection
@ 2026-06-11 16:28 Gary Guo
2026-06-11 16:28 ` [PATCH v4 01/20] rust: io: add dynamically-sized `Region` type Gary Guo
` (19 more replies)
0 siblings, 20 replies; 36+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel, Laura Nao
This series presents a major rework of I/O types, as a summary:
- Make I/O regions typed. The existing untyped region still exists
with a dynamically sized `Region` type.
- Create I/O view types to represent subregion of a full I/O region mapped.
A projection macro is added to allow safely create such subviews.
- Split I/O traits, make I/O views play a central role, avoid
duplicate monomorphization and less `unsafe` code.
- Add a `SysMem` backend, and make `Coherent` implement `Io`.
- Add copying methods (memcpy_{from,to}io and friends).
This series generalize `Mmio` type from just an untyped region to typed
representations (so `MmioRaw<T>` is `__iomem *T`). This allows us to remove
the `IoKnownSize` trait; the information is sourced from just the pointer
from the `KnownSize` trait instead.
Building on top of that, `Mmio` and `ConfigSpace` have been converted to
typed views of I/O regions rather than just a big chunk of untyped I/O
memory. These changes made it possible to implement `Io` trait for
`Coherent<T>`.
Shared system memory, `SysMem` is also added to the series, given it
similarity in implementation compared to `Coherent`. In fact, the series
use `SysMem` to implement `Coherent`'s I/O methods.
Built on these generalization, this series add `io_project!()`.
`io_project!()` performs a safe way to project a bigger view to a small
subviews, and some Nova code has been converted in this series to
demonstrate cleanups possible with this addition.
New `io_read!()`, `io_write!()` has been added that supersedes
`dma_read!()`, `dma_write!()` macro. Although, they work for primitives
only (to be exact, types that the backend is `IoCapable` of).
One feature that was lost from the old `dma_read!()` and `dma_write!()`
series was the ability to read/write a large structs. However, the
semantics was unclear to begin with, as there was no guarantee about their
atomicity even for structs that were small enough to fit in u32.
For completeness, I've also included the support for copying methods,
although this does not need to be taken together and can become a follow
up.
The last commit in the series is a reference on how you'd implement
`iosys_map` using an enum type. It automatically gains all the methods via
`Io` trait and can be projected with the macros.
Suggested-by: Danilo Krummrich <dakr@kernel.org>
Link: https://rust-for-linux.zulipchat.com/#narrow/channel/288089-General/topic/Generic.20I.2FO.20backends/near/571198078
---
Changes in v4:
- Added `Send` and `Sync` for types that internally uses raw pointers. (Sashiko)
- Make `Region` always 4-byte aligned. (Sashiko)
- Removed `copy_from_io_slice` method due to unsoundness when regions
overlap. (Sashiko) This means that `is_mapped` hack is not needed anymore
so I've also cleaned up.
- Switch `FromBytes`/`IntoBytes` to zerocopy from kernel::transmute.
- Changed `Either` to specific-purpose `IoSysMap` enum (Miguel).
- Link to v3: https://patch.msgid.link/20260608-io_projection-v3-0-c5cde13a5ec4@garyguo.net
Changes in v3:
- This version presents a major rework from the last version, mostly inspired
by discussions that happen during RustWeek. Notably, the new individual
view types are now the central piece of `Io` traits rather than an ad-hoc
addon using the `View` type. They also benefit from type-erasure; the
original type of `Mmio` or `Coherent` doesn't matter anymore for subviews.
This removes the need of specifying generics on types that take
`CoherentView` on Nova code, which is something that I'm not fully happy
with in the last version.
- Add `SysMem` backend and use it for `Coherent` (Laura Nao).
- Add examples to copying methods and read_val/write_val (Andreas).
- Add a reference patch on `Either` implementation.
- Link to v2: https://patch.msgid.link/20260421-io_projection-v2-0-4c251c692ef4@garyguo.net
Changes in v2:
- Rebased on projection syntax rework
- Added a new patch to forbid use of untyped I/O accessors and register
macros on typed I/O structs (Alex).
- Fixed a few safety comments (Andreas).
- Added a new patch that implements copying methods (see above).
- Link to v1: https://lore.kernel.org/rust-for-linux/20260323153807.1360705-1-gary@kernel.org/
To: Danilo Krummrich <dakr@kernel.org>
To: Alice Ryhl <aliceryhl@google.com>
To: Daniel Almeida <daniel.almeida@collabora.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: "Rafael J. Wysocki" <rafael@kernel.org>
To: Miguel Ojeda <ojeda@kernel.org>
To: Boqun Feng <boqun@kernel.org>
To: Gary Guo <gary@garyguo.net>
To: Björn Roy Baron <bjorn3_gh@protonmail.com>
To: Benno Lossin <lossin@kernel.org>
To: Andreas Hindborg <a.hindborg@kernel.org>
To: Trevor Gross <tmgross@umich.edu>
To: Bjorn Helgaas <bhelgaas@google.com>
To: Krzysztof Wilczyński <kwilczynski@kernel.org>
To: Abdiel Janulgue <abdiel.janulgue@gmail.com>
To: Robin Murphy <robin.murphy@arm.com>
To: Alexandre Courbot <acourbot@nvidia.com>
To: David Airlie <airlied@gmail.com>
To: Simona Vetter <simona@ffwll.ch>
Cc: driver-core@lists.linux.dev
Cc: rust-for-linux@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: linux-pci@vger.kernel.org
Cc: nova-gpu@lists.linux.dev
Cc: dri-devel@lists.freedesktop.org
---
Gary Guo (19):
rust: io: add dynamically-sized `Region` type
rust: io: add missing safety requirement in `IoCapable` methods
rust: io: restrict untyped IO access and `register!` to `Region`
rust: io: implement `Io` on reference types instead
rust: io: generalize `MmioRaw` to pointer to arbitrary type
rust: io: rename `Mmio` to `MmioOwned`
rust: io: implement `Mmio` as view type
rust: pci: io: make `ConfigSpace` a view
rust: io: use view types instead of addresses for `Io`
rust: io: remove `MmioOwned`
rust: io: move `Io` methods to extension trait
rust: prelude: add `zerocopy{,_derive}::IntoBytes`
rust: io: add projection macro and methods
rust: io: implement a view type for `Coherent`
rust: io: add `read_val` and `write_val` functions on `Io`
gpu: nova-core: use I/O projection for cleaner encapsulation
rust: dma: drop `dma_read!` and `dma_write!` API
rust: io: add copying methods
rust: io: implement `IoSysMap`
Laura Nao (1):
rust: io: add I/O backend for system memory with volatile access
drivers/gpu/nova-core/gsp.rs | 53 +-
drivers/gpu/nova-core/gsp/cmdq.rs | 66 +-
drivers/gpu/nova-core/gsp/fw.rs | 82 +--
rust/helpers/io.c | 13 +
rust/kernel/devres.rs | 24 +-
rust/kernel/dma.rs | 280 +++----
rust/kernel/io.rs | 1472 +++++++++++++++++++++++++++++--------
rust/kernel/io/mem.rs | 29 +-
rust/kernel/io/poll.rs | 6 +-
rust/kernel/io/register.rs | 45 +-
rust/kernel/lib.rs | 3 +
rust/kernel/pci.rs | 1 -
rust/kernel/pci/io.rs | 168 +++--
rust/kernel/prelude.rs | 10 +-
rust/kernel/ptr.rs | 12 +
samples/rust/rust_dma.rs | 12 +-
16 files changed, 1604 insertions(+), 672 deletions(-)
---
base-commit: abe651837cb394f76d738a7a747322fca3bf17ba
change-id: 20260421-io_projection-16e7dc5ba7e4
Best regards,
--
Gary Guo <gary@garyguo.net>
^ permalink raw reply [flat|nested] 36+ messages in thread
* [PATCH v4 01/20] rust: io: add dynamically-sized `Region` type
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
2026-06-13 10:05 ` Miguel Ojeda
2026-06-15 4:03 ` Alexandre Courbot
2026-06-11 16:28 ` [PATCH v4 02/20] rust: io: add missing safety requirement in `IoCapable` methods Gary Guo
` (18 subsequent siblings)
19 siblings, 2 replies; 36+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
Currently many I/O related structs carry a `SIZE` parameter to denote the
minimum size of the I/O region, while they also carry a field indicating
the actual size. Proliferation of the pattern creates a lot of duplicated
code, and makes it hard to create typed views of I/O.
Introduce a `Region` type that carries the `SIZE` parameter. It is a
wrapper of `[u8]`, which makes it dynamically sized with a metadata of
`usize`. This way, pointers to `Region` naturally carry size information.
This type is required to be 4-byte aligned.
Expose the minimum size information via `MIN_SIZE` constant of the
`KnownSize` trait. Similarly, expose the minimum alignment information via
`KnownSize::MIN_ALIGN`.
With these changes, it is possible to add an associated type to `Io` trait
to represent the type of I/O region. For untyped regions, this is the newly
added `Region` type. Remove `IoKnownSize` as it is no longer necessary. Use
the same mechanism to indicate minimum size of PCI config spaces.
Signed-off-by: Gary Guo <gary@garyguo.net>
---
rust/kernel/devres.rs | 6 +--
rust/kernel/io.rs | 130 +++++++++++++++++++++++++++++++++-----------------
rust/kernel/lib.rs | 3 ++
rust/kernel/pci.rs | 1 -
rust/kernel/pci/io.rs | 40 +++++++---------
rust/kernel/ptr.rs | 12 +++++
6 files changed, 118 insertions(+), 74 deletions(-)
diff --git a/rust/kernel/devres.rs b/rust/kernel/devres.rs
index 11ce500e9b76..ed30ccc6e68e 100644
--- a/rust/kernel/devres.rs
+++ b/rust/kernel/devres.rs
@@ -68,7 +68,6 @@ struct Inner<T> {
/// devres::Devres,
/// io::{
/// Io,
-/// IoKnownSize,
/// Mmio,
/// MmioRaw,
/// PhysAddr, //
@@ -297,10 +296,7 @@ pub fn device(&self) -> &Device {
/// use kernel::{
/// device::Core,
/// devres::Devres,
- /// io::{
- /// Io,
- /// IoKnownSize, //
- /// },
+ /// io::Io,
/// pci, //
/// };
///
diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
index fcc7678fd9e3..bef571dad6eb 100644
--- a/rust/kernel/io.rs
+++ b/rust/kernel/io.rs
@@ -6,7 +6,11 @@
use crate::{
bindings,
- prelude::*, //
+ prelude::*,
+ ptr::{
+ Alignment,
+ KnownSize, //
+ }, //
};
pub mod mem;
@@ -31,6 +35,58 @@
/// `CONFIG_PHYS_ADDR_T_64BIT`, and it can be a u64 even on 32-bit architectures.
pub type ResourceSize = bindings::resource_size_t;
+/// Untyped I/O region.
+///
+/// This type can be used when an I/O region without known type information has a compile-time known
+/// minimum size (and a runtime known actual size).
+///
+/// This must be 4-byte aligned.
+///
+/// # Invariants
+///
+/// Size of the region is at least as large as the `SIZE` generic parameter.
+#[repr(C, align(4))]
+pub struct Region<const SIZE: usize = 0> {
+ inner: [u8],
+}
+
+impl<const SIZE: usize> Region<SIZE> {
+ /// Create a raw mutable pointer from given base address and size.
+ ///
+ /// `size` should be at least as large as the minimum size `SIZE`, and `base` and `size` should
+ /// be 4-byte aligned to uphold the type invariant.
+ ///
+ /// Just like other methods on raw pointers, it is not unsafe to create a raw pointer
+ /// that does not uphold the type invariants. However such pointers are not valid.
+ #[inline]
+ pub fn ptr_from_raw_parts_mut(base: *mut u8, size: usize) -> *mut Self {
+ core::ptr::slice_from_raw_parts_mut(base, size) as *mut Region<SIZE>
+ }
+
+ /// Create a raw mutable pointer from given base address and size.
+ ///
+ /// The alignment of `base` is checked, and `size` is checked against the minimum size specified
+ /// via const generics.
+ #[inline]
+ pub fn ptr_try_from_raw_parts_mut(base: *mut u8, size: usize) -> Result<*mut Self> {
+ if size < SIZE || base.align_offset(4) != 0 || !size.is_multiple_of(4) {
+ return Err(EINVAL);
+ }
+
+ Ok(Self::ptr_from_raw_parts_mut(base, size))
+ }
+}
+
+impl<const SIZE: usize> KnownSize for Region<SIZE> {
+ const MIN_SIZE: usize = SIZE;
+ const MIN_ALIGN: Alignment = Alignment::new::<4>();
+
+ #[inline(always)]
+ fn size(p: *const Self) -> usize {
+ (p as *const [u8]).len()
+ }
+}
+
/// Raw representation of an MMIO region.
///
/// By itself, the existence of an instance of this structure does not provide any guarantees that
@@ -85,7 +141,6 @@ pub fn maxsize(&self) -> usize {
/// ffi::c_void,
/// io::{
/// Io,
-/// IoKnownSize,
/// Mmio,
/// MmioRaw,
/// PhysAddr,
@@ -241,12 +296,25 @@ fn offset(self) -> usize {
/// For MMIO regions, all widths (u8, u16, u32, and u64 on 64-bit systems) are typically
/// supported. For PCI configuration space, u8, u16, and u32 are supported but u64 is not.
pub trait Io {
+ /// Type of this I/O region. For untyped regions, [`Region`] can be used.
+ type Target: ?Sized + KnownSize;
+
/// Returns the base address of this mapping.
fn addr(&self) -> usize;
/// Returns the maximum size of this mapping.
fn maxsize(&self) -> usize;
+ /// Returns the absolute I/O address for a given `offset`,
+ /// performing compile-time bound checks.
+ // Always inline to optimize out error path of `build_assert`.
+ #[inline(always)]
+ fn io_addr_assert<U>(&self, offset: usize) -> usize {
+ build_assert!(offset_valid::<U>(offset, Self::Target::MIN_SIZE));
+
+ self.addr() + offset
+ }
+
/// Returns the absolute I/O address for a given `offset`,
/// performing runtime bound checks.
#[inline]
@@ -336,7 +404,7 @@ fn try_write64(&self, value: u64, offset: usize) -> Result
#[inline(always)]
fn read8(&self, offset: usize) -> u8
where
- Self: IoKnownSize + IoCapable<u8>,
+ Self: IoCapable<u8>,
{
self.read(offset)
}
@@ -345,7 +413,7 @@ fn read8(&self, offset: usize) -> u8
#[inline(always)]
fn read16(&self, offset: usize) -> u16
where
- Self: IoKnownSize + IoCapable<u16>,
+ Self: IoCapable<u16>,
{
self.read(offset)
}
@@ -354,7 +422,7 @@ fn read16(&self, offset: usize) -> u16
#[inline(always)]
fn read32(&self, offset: usize) -> u32
where
- Self: IoKnownSize + IoCapable<u32>,
+ Self: IoCapable<u32>,
{
self.read(offset)
}
@@ -363,7 +431,7 @@ fn read32(&self, offset: usize) -> u32
#[inline(always)]
fn read64(&self, offset: usize) -> u64
where
- Self: IoKnownSize + IoCapable<u64>,
+ Self: IoCapable<u64>,
{
self.read(offset)
}
@@ -372,7 +440,7 @@ fn read64(&self, offset: usize) -> u64
#[inline(always)]
fn write8(&self, value: u8, offset: usize)
where
- Self: IoKnownSize + IoCapable<u8>,
+ Self: IoCapable<u8>,
{
self.write(offset, value)
}
@@ -381,7 +449,7 @@ fn write8(&self, value: u8, offset: usize)
#[inline(always)]
fn write16(&self, value: u16, offset: usize)
where
- Self: IoKnownSize + IoCapable<u16>,
+ Self: IoCapable<u16>,
{
self.write(offset, value)
}
@@ -390,7 +458,7 @@ fn write16(&self, value: u16, offset: usize)
#[inline(always)]
fn write32(&self, value: u32, offset: usize)
where
- Self: IoKnownSize + IoCapable<u32>,
+ Self: IoCapable<u32>,
{
self.write(offset, value)
}
@@ -399,7 +467,7 @@ fn write32(&self, value: u32, offset: usize)
#[inline(always)]
fn write64(&self, value: u64, offset: usize)
where
- Self: IoKnownSize + IoCapable<u64>,
+ Self: IoCapable<u64>,
{
self.write(offset, value)
}
@@ -582,7 +650,7 @@ fn try_update<T, L, F>(&self, location: L, f: F) -> Result
fn read<T, L>(&self, location: L) -> T
where
L: IoLoc<T>,
- Self: IoKnownSize + IoCapable<L::IoType>,
+ Self: IoCapable<L::IoType>,
{
let address = self.io_addr_assert::<L::IoType>(location.offset());
@@ -614,7 +682,7 @@ fn read<T, L>(&self, location: L) -> T
fn write<T, L>(&self, location: L, value: T)
where
L: IoLoc<T>,
- Self: IoKnownSize + IoCapable<L::IoType>,
+ Self: IoCapable<L::IoType>,
{
let address = self.io_addr_assert::<L::IoType>(location.offset());
let io_value = value.into();
@@ -658,7 +726,7 @@ fn write_reg<T, L, V>(&self, value: V)
where
L: IoLoc<T>,
V: LocatedRegister<Location = L, Value = T>,
- Self: IoKnownSize + IoCapable<L::IoType>,
+ Self: IoCapable<L::IoType>,
{
let (location, value) = value.into_io_op();
@@ -690,7 +758,7 @@ fn write_reg<T, L, V>(&self, value: V)
fn update<T, L, F>(&self, location: L, f: F)
where
L: IoLoc<T>,
- Self: IoKnownSize + IoCapable<L::IoType> + Sized,
+ Self: IoCapable<L::IoType> + Sized,
F: FnOnce(T) -> T,
{
let address = self.io_addr_assert::<L::IoType>(location.offset());
@@ -704,28 +772,6 @@ fn update<T, L, F>(&self, location: L, f: F)
}
}
-/// Trait for types with a known size at compile time.
-///
-/// This trait is implemented by I/O backends that have a compile-time known size,
-/// enabling the use of infallible I/O accessors with compile-time bounds checking.
-///
-/// Types implementing this trait can use the infallible methods in [`Io`] trait
-/// (e.g., `read8`, `write32`), which require `Self: IoKnownSize` bound.
-pub trait IoKnownSize: Io {
- /// Minimum usable size of this region.
- const MIN_SIZE: usize;
-
- /// Returns the absolute I/O address for a given `offset`,
- /// performing compile-time bound checks.
- // Always inline to optimize out error path of `build_assert`.
- #[inline(always)]
- fn io_addr_assert<U>(&self, offset: usize) -> usize {
- build_assert!(offset_valid::<U>(offset, Self::MIN_SIZE));
-
- self.addr() + offset
- }
-}
-
/// Implements [`IoCapable`] on `$mmio` for `$ty` using `$read_fn` and `$write_fn`.
macro_rules! impl_mmio_io_capable {
($mmio:ident, $(#[$attr:meta])* $ty:ty, $read_fn:ident, $write_fn:ident) => {
@@ -758,6 +804,8 @@ unsafe fn io_write(&self, value: $ty, address: usize) {
);
impl<const SIZE: usize> Io for Mmio<SIZE> {
+ type Target = Region<SIZE>;
+
/// Returns the base address of this mapping.
#[inline]
fn addr(&self) -> usize {
@@ -771,10 +819,6 @@ fn maxsize(&self) -> usize {
}
}
-impl<const SIZE: usize> IoKnownSize for Mmio<SIZE> {
- const MIN_SIZE: usize = SIZE;
-}
-
impl<const SIZE: usize> Mmio<SIZE> {
/// Converts an `MmioRaw` into an `Mmio` instance, providing the accessors to the MMIO mapping.
///
@@ -798,6 +842,8 @@ pub unsafe fn from_raw(raw: &MmioRaw<SIZE>) -> &Self {
pub struct RelaxedMmio<const SIZE: usize = 0>(Mmio<SIZE>);
impl<const SIZE: usize> Io for RelaxedMmio<SIZE> {
+ type Target = Region<SIZE>;
+
#[inline]
fn addr(&self) -> usize {
self.0.addr()
@@ -809,10 +855,6 @@ fn maxsize(&self) -> usize {
}
}
-impl<const SIZE: usize> IoKnownSize for RelaxedMmio<SIZE> {
- const MIN_SIZE: usize = SIZE;
-}
-
impl<const SIZE: usize> Mmio<SIZE> {
/// Returns a [`RelaxedMmio`] reference that performs relaxed I/O operations.
///
diff --git a/rust/kernel/lib.rs b/rust/kernel/lib.rs
index 9512af7156df..68f4d9a3425d 100644
--- a/rust/kernel/lib.rs
+++ b/rust/kernel/lib.rs
@@ -16,6 +16,9 @@
// Please see https://github.com/Rust-for-Linux/linux/issues/2 for details on
// the unstable features in use.
//
+// Stable since Rust 1.87.0.
+#![feature(unsigned_is_multiple_of)]
+//
// Stable since Rust 1.89.0.
#![feature(generic_arg_infer)]
//
diff --git a/rust/kernel/pci.rs b/rust/kernel/pci.rs
index 5071cae6543f..c6d6bd8f251d 100644
--- a/rust/kernel/pci.rs
+++ b/rust/kernel/pci.rs
@@ -43,7 +43,6 @@
pub use self::io::{
Bar,
ConfigSpace,
- ConfigSpaceKind,
ConfigSpaceSize,
Extended,
Normal, //
diff --git a/rust/kernel/pci/io.rs b/rust/kernel/pci/io.rs
index 0461e01aaa20..b4996aa059d8 100644
--- a/rust/kernel/pci/io.rs
+++ b/rust/kernel/pci/io.rs
@@ -10,11 +10,12 @@
io::{
Io,
IoCapable,
- IoKnownSize,
Mmio,
- MmioRaw, //
+ MmioRaw,
+ Region, //
},
- prelude::*, //
+ prelude::*,
+ ptr::KnownSize, //
};
use core::{
marker::PhantomData,
@@ -46,28 +47,21 @@ pub const fn into_raw(self) -> usize {
}
}
-/// Marker type for normal (256-byte) PCI configuration space.
-pub struct Normal;
+/// Alias for normal (256-byte) PCI configuration space.
+pub type Normal = Region<256>;
-/// Marker type for extended (4096-byte) PCIe configuration space.
-pub struct Extended;
+/// Alias for extended (4096-byte) PCIe configuration space.
+pub type Extended = Region<4096>;
/// Trait for PCI configuration space size markers.
///
/// This trait is implemented by [`Normal`] and [`Extended`] to provide
/// compile-time knowledge of the configuration space size.
-pub trait ConfigSpaceKind {
- /// The size of this configuration space in bytes.
- const SIZE: usize;
-}
+pub trait ConfigSpaceKind: KnownSize {}
-impl ConfigSpaceKind for Normal {
- const SIZE: usize = 256;
-}
+impl ConfigSpaceKind for Normal {}
-impl ConfigSpaceKind for Extended {
- const SIZE: usize = 4096;
-}
+impl ConfigSpaceKind for Extended {}
/// The PCI configuration space of a device.
///
@@ -77,7 +71,7 @@ impl ConfigSpaceKind for Extended {
/// The generic parameter `S` indicates the maximum size of the configuration space.
/// Use [`Normal`] for 256-byte legacy configuration space or [`Extended`] for
/// 4096-byte PCIe extended configuration space (default).
-pub struct ConfigSpace<'a, S: ConfigSpaceKind = Extended> {
+pub struct ConfigSpace<'a, S: ?Sized + ConfigSpaceKind = Extended> {
pub(crate) pdev: &'a Device<device::Bound>,
_marker: PhantomData<S>,
}
@@ -85,7 +79,7 @@ pub struct ConfigSpace<'a, S: ConfigSpaceKind = Extended> {
/// Implements [`IoCapable`] on [`ConfigSpace`] for `$ty` using `$read_fn` and `$write_fn`.
macro_rules! impl_config_space_io_capable {
($ty:ty, $read_fn:ident, $write_fn:ident) => {
- impl<'a, S: ConfigSpaceKind> IoCapable<$ty> for ConfigSpace<'a, S> {
+ impl<'a, S: ?Sized + ConfigSpaceKind> IoCapable<$ty> for ConfigSpace<'a, S> {
unsafe fn io_read(&self, address: usize) -> $ty {
let mut val: $ty = 0;
@@ -118,7 +112,9 @@ unsafe fn io_write(&self, value: $ty, address: usize) {
impl_config_space_io_capable!(u16, pci_read_config_word, pci_write_config_word);
impl_config_space_io_capable!(u32, pci_read_config_dword, pci_write_config_dword);
-impl<'a, S: ConfigSpaceKind> Io for ConfigSpace<'a, S> {
+impl<'a, S: ?Sized + ConfigSpaceKind> Io for ConfigSpace<'a, S> {
+ type Target = S;
+
/// Returns the base address of the I/O region. It is always 0 for configuration space.
#[inline]
fn addr(&self) -> usize {
@@ -132,10 +128,6 @@ fn maxsize(&self) -> usize {
}
}
-impl<'a, S: ConfigSpaceKind> IoKnownSize for ConfigSpace<'a, S> {
- const MIN_SIZE: usize = S::SIZE;
-}
-
/// A PCI BAR to perform I/O-Operations on.
///
/// I/O backend assumes that the device is little-endian and will automatically
diff --git a/rust/kernel/ptr.rs b/rust/kernel/ptr.rs
index 3f3e529e9f58..82acb531b17b 100644
--- a/rust/kernel/ptr.rs
+++ b/rust/kernel/ptr.rs
@@ -235,11 +235,20 @@ fn align_up(self, alignment: Alignment) -> Option<Self> {
///
/// This is a generalization of [`size_of`] that works for dynamically sized types.
pub trait KnownSize {
+ /// Minimum size of this type known at compile-time.
+ const MIN_SIZE: usize;
+
+ /// Minimum alignment of this type known at compile-time.
+ const MIN_ALIGN: Alignment;
+
/// Get the size of an object of this type in bytes, with the metadata of the given pointer.
fn size(p: *const Self) -> usize;
}
impl<T> KnownSize for T {
+ const MIN_SIZE: usize = size_of::<T>();
+ const MIN_ALIGN: Alignment = Alignment::of::<T>();
+
#[inline(always)]
fn size(_: *const Self) -> usize {
size_of::<T>()
@@ -247,6 +256,9 @@ fn size(_: *const Self) -> usize {
}
impl<T> KnownSize for [T] {
+ const MIN_SIZE: usize = 0;
+ const MIN_ALIGN: Alignment = Alignment::of::<T>();
+
#[inline(always)]
fn size(p: *const Self) -> usize {
p.len() * size_of::<T>()
--
2.54.0
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [PATCH v4 02/20] rust: io: add missing safety requirement in `IoCapable` methods
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
2026-06-11 16:28 ` [PATCH v4 01/20] rust: io: add dynamically-sized `Region` type Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
2026-06-15 4:28 ` Alexandre Courbot
2026-06-11 16:28 ` [PATCH v4 03/20] rust: io: restrict untyped IO access and `register!` to `Region` Gary Guo
` (17 subsequent siblings)
19 siblings, 1 reply; 36+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
The current safety comment on `io_read`/`io_write` does not cover the topic
about alignment. Add it so it can be relied on by implementor of
`IoCapable`.
Expand the check `Io` by taking `self.addr()` into consideration when
checking if `offset` is aligned. For the compile-time `io_addr_assert`
check, check using the known minimum alignment of `IO::Target` and the
accessed type.
While at it, fix the alignment check to use `align_of` instead of
`size_of`. The values match for all primitives (including u64, given that
we do not provide u64 accessor on 32-bit platforms), but are not
necessarily true for custom types.
Signed-off-by: Gary Guo <gary@garyguo.net>
---
rust/kernel/io.rs | 25 ++++++++++++++++---------
1 file changed, 16 insertions(+), 9 deletions(-)
diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
index bef571dad6eb..fa9ae39ad9d2 100644
--- a/rust/kernel/io.rs
+++ b/rust/kernel/io.rs
@@ -196,13 +196,14 @@ pub fn maxsize(&self) -> usize {
#[repr(transparent)]
pub struct Mmio<const SIZE: usize = 0>(MmioRaw<SIZE>);
-/// Checks whether an access of type `U` at the given `offset`
+/// Checks whether an access of type `U` at the given `base` and the given `offset`
/// is valid within this region.
+///
+/// The `base` is used for alignment checking only. This can be set to 0 to skip the check.
#[inline]
-const fn offset_valid<U>(offset: usize, size: usize) -> bool {
- let type_size = core::mem::size_of::<U>();
- if let Some(end) = offset.checked_add(type_size) {
- end <= size && offset % type_size == 0
+const fn offset_valid<U>(base: usize, offset: usize, size: usize) -> bool {
+ if let Some(end) = offset.checked_add(size_of::<U>()) {
+ end <= size && (base.wrapping_add(offset) % align_of::<U>() == 0)
} else {
false
}
@@ -221,14 +222,16 @@ pub trait IoCapable<T> {
///
/// # Safety
///
- /// The range `[address..address + size_of::<T>()]` must be within the bounds of `Self`.
+ /// - The range `[address..address + size_of::<T>()]` must be within the bounds of `Self`.
+ /// - `address` must be aligned.
unsafe fn io_read(&self, address: usize) -> T;
/// Performs an I/O write of `value` at `address`.
///
/// # Safety
///
- /// The range `[address..address + size_of::<T>()]` must be within the bounds of `Self`.
+ /// - The range `[address..address + size_of::<T>()]` must be within the bounds of `Self`.
+ /// - `address` must be aligned.
unsafe fn io_write(&self, value: T, address: usize);
}
@@ -310,7 +313,11 @@ pub trait Io {
// Always inline to optimize out error path of `build_assert`.
#[inline(always)]
fn io_addr_assert<U>(&self, offset: usize) -> usize {
- build_assert!(offset_valid::<U>(offset, Self::Target::MIN_SIZE));
+ // We cannot check alignment with `offset_valid` using `self.addr()`. So set 0 for it and
+ // ensure alignment by checking that the alignment of `U` is smaller or equal to the
+ // alignment of `Self::Target`.
+ const_assert!(Alignment::of::<U>().as_usize() <= Self::Target::MIN_ALIGN.as_usize());
+ build_assert!(offset_valid::<U>(0, offset, Self::Target::MIN_SIZE));
self.addr() + offset
}
@@ -319,7 +326,7 @@ fn io_addr_assert<U>(&self, offset: usize) -> usize {
/// performing runtime bound checks.
#[inline]
fn io_addr<U>(&self, offset: usize) -> Result<usize> {
- if !offset_valid::<U>(offset, self.maxsize()) {
+ if !offset_valid::<U>(self.addr(), offset, self.maxsize()) {
return Err(EINVAL);
}
--
2.54.0
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [PATCH v4 03/20] rust: io: restrict untyped IO access and `register!` to `Region`
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
2026-06-11 16:28 ` [PATCH v4 01/20] rust: io: add dynamically-sized `Region` type Gary Guo
2026-06-11 16:28 ` [PATCH v4 02/20] rust: io: add missing safety requirement in `IoCapable` methods Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
2026-06-15 5:17 ` Alexandre Courbot
2026-06-11 16:28 ` [PATCH v4 04/20] rust: io: implement `Io` on reference types instead Gary Guo
` (16 subsequent siblings)
19 siblings, 1 reply; 36+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
Currently the `Io` trait exposes a bunch of untyped IO accesses, but if the
`Io` region itself is typed, then it might be weird to have
let io: Mmio<u32> = /* ... */;
io.read8(1);
while not unsound, it is surely strange. Thus, restrict the untyped methods
and also the register macro to `Region` type only.
Implement it by adding a generic type to `IoLoc` indicating allowed base
types. This also paves the way to add typed register blocks in the future;
for example, we could use this mechanism to block driver A's `register!()`
generated macro from being used on driver B's MMIO. The same mechanism
could be used for relative IO registers. These are future opportunities,
and for now restrict everything to require `IoLoc<Region<SIZE>, _>`.
Suggested-by: Alexandre Courbot <acourbot@nvidia.com>
Link: https://lore.kernel.org/rust-for-linux/DHLB3RO3OSF5.2R7F27U99BKLN@nvidia.com/
Signed-off-by: Gary Guo <gary@garyguo.net>
---
rust/kernel/io.rs | 49 +++++++++++++++++++++++++++++++---------------
rust/kernel/io/register.rs | 21 +++++++++++---------
2 files changed, 45 insertions(+), 25 deletions(-)
diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
index fa9ae39ad9d2..38281636b4da 100644
--- a/rust/kernel/io.rs
+++ b/rust/kernel/io.rs
@@ -244,15 +244,16 @@ pub trait IoCapable<T> {
/// (for primitive types like [`u32`]) and typed ones (like those generated by the [`register!`]
/// macro).
///
-/// An `IoLoc<T>` carries three pieces of information:
+/// An `IoLoc<Base, T>` carries the following pieces of information:
///
+/// - The valid `Base` to operate on. For most registers, this should be [`Region`].
/// - The offset to access (returned by [`IoLoc::offset`]),
/// - The width of the access (determined by [`IoLoc::IoType`]),
/// - The type `T` in which the raw data is returned or provided.
///
/// `T` and `IoLoc::IoType` may differ: for instance, a typed register has `T` = the register type
/// with its bitfields, and `IoType` = its backing primitive (e.g. `u32`).
-pub trait IoLoc<T> {
+pub trait IoLoc<Base: ?Sized, T> {
/// Size ([`u8`], [`u16`], etc) of the I/O performed on the returned [`offset`](IoLoc::offset).
type IoType: Into<T> + From<T>;
@@ -260,12 +261,12 @@ pub trait IoLoc<T> {
fn offset(self) -> usize;
}
-/// Implements [`IoLoc<$ty>`] for [`usize`], allowing [`usize`] to be used as a parameter of
-/// [`Io::read`] and [`Io::write`].
+/// Implements [`IoLoc<Region<SIZE>, $ty>`] for [`usize`], allowing [`usize`] to be used as a
+/// parameter of [`Io::read`] and [`Io::write`].
macro_rules! impl_usize_ioloc {
($($ty:ty),*) => {
$(
- impl IoLoc<$ty> for usize {
+ impl<const SIZE: usize> IoLoc<Region<SIZE>, $ty> for usize {
type IoType = $ty;
#[inline(always)]
@@ -339,6 +340,7 @@ fn io_addr<U>(&self, offset: usize) -> Result<usize> {
#[inline(always)]
fn try_read8(&self, offset: usize) -> Result<u8>
where
+ usize: IoLoc<Self::Target, u8, IoType = u8>,
Self: IoCapable<u8>,
{
self.try_read(offset)
@@ -348,6 +350,7 @@ fn try_read8(&self, offset: usize) -> Result<u8>
#[inline(always)]
fn try_read16(&self, offset: usize) -> Result<u16>
where
+ usize: IoLoc<Self::Target, u16, IoType = u16>,
Self: IoCapable<u16>,
{
self.try_read(offset)
@@ -357,6 +360,7 @@ fn try_read16(&self, offset: usize) -> Result<u16>
#[inline(always)]
fn try_read32(&self, offset: usize) -> Result<u32>
where
+ usize: IoLoc<Self::Target, u32, IoType = u32>,
Self: IoCapable<u32>,
{
self.try_read(offset)
@@ -366,6 +370,7 @@ fn try_read32(&self, offset: usize) -> Result<u32>
#[inline(always)]
fn try_read64(&self, offset: usize) -> Result<u64>
where
+ usize: IoLoc<Self::Target, u64, IoType = u64>,
Self: IoCapable<u64>,
{
self.try_read(offset)
@@ -375,6 +380,7 @@ fn try_read64(&self, offset: usize) -> Result<u64>
#[inline(always)]
fn try_write8(&self, value: u8, offset: usize) -> Result
where
+ usize: IoLoc<Self::Target, u8, IoType = u8>,
Self: IoCapable<u8>,
{
self.try_write(offset, value)
@@ -384,6 +390,7 @@ fn try_write8(&self, value: u8, offset: usize) -> Result
#[inline(always)]
fn try_write16(&self, value: u16, offset: usize) -> Result
where
+ usize: IoLoc<Self::Target, u16, IoType = u16>,
Self: IoCapable<u16>,
{
self.try_write(offset, value)
@@ -393,6 +400,7 @@ fn try_write16(&self, value: u16, offset: usize) -> Result
#[inline(always)]
fn try_write32(&self, value: u32, offset: usize) -> Result
where
+ usize: IoLoc<Self::Target, u32, IoType = u32>,
Self: IoCapable<u32>,
{
self.try_write(offset, value)
@@ -402,6 +410,7 @@ fn try_write32(&self, value: u32, offset: usize) -> Result
#[inline(always)]
fn try_write64(&self, value: u64, offset: usize) -> Result
where
+ usize: IoLoc<Self::Target, u64, IoType = u64>,
Self: IoCapable<u64>,
{
self.try_write(offset, value)
@@ -411,6 +420,7 @@ fn try_write64(&self, value: u64, offset: usize) -> Result
#[inline(always)]
fn read8(&self, offset: usize) -> u8
where
+ usize: IoLoc<Self::Target, u8, IoType = u8>,
Self: IoCapable<u8>,
{
self.read(offset)
@@ -420,6 +430,7 @@ fn read8(&self, offset: usize) -> u8
#[inline(always)]
fn read16(&self, offset: usize) -> u16
where
+ usize: IoLoc<Self::Target, u16, IoType = u16>,
Self: IoCapable<u16>,
{
self.read(offset)
@@ -429,6 +440,7 @@ fn read16(&self, offset: usize) -> u16
#[inline(always)]
fn read32(&self, offset: usize) -> u32
where
+ usize: IoLoc<Self::Target, u32, IoType = u32>,
Self: IoCapable<u32>,
{
self.read(offset)
@@ -438,6 +450,7 @@ fn read32(&self, offset: usize) -> u32
#[inline(always)]
fn read64(&self, offset: usize) -> u64
where
+ usize: IoLoc<Self::Target, u64, IoType = u64>,
Self: IoCapable<u64>,
{
self.read(offset)
@@ -447,6 +460,7 @@ fn read64(&self, offset: usize) -> u64
#[inline(always)]
fn write8(&self, value: u8, offset: usize)
where
+ usize: IoLoc<Self::Target, u8, IoType = u8>,
Self: IoCapable<u8>,
{
self.write(offset, value)
@@ -456,6 +470,7 @@ fn write8(&self, value: u8, offset: usize)
#[inline(always)]
fn write16(&self, value: u16, offset: usize)
where
+ usize: IoLoc<Self::Target, u16, IoType = u16>,
Self: IoCapable<u16>,
{
self.write(offset, value)
@@ -465,6 +480,7 @@ fn write16(&self, value: u16, offset: usize)
#[inline(always)]
fn write32(&self, value: u32, offset: usize)
where
+ usize: IoLoc<Self::Target, u32, IoType = u32>,
Self: IoCapable<u32>,
{
self.write(offset, value)
@@ -474,6 +490,7 @@ fn write32(&self, value: u32, offset: usize)
#[inline(always)]
fn write64(&self, value: u64, offset: usize)
where
+ usize: IoLoc<Self::Target, u64, IoType = u64>,
Self: IoCapable<u64>,
{
self.write(offset, value)
@@ -504,7 +521,7 @@ fn write64(&self, value: u64, offset: usize)
#[inline(always)]
fn try_read<T, L>(&self, location: L) -> Result<T>
where
- L: IoLoc<T>,
+ L: IoLoc<Self::Target, T>,
Self: IoCapable<L::IoType>,
{
let address = self.io_addr::<L::IoType>(location.offset())?;
@@ -538,7 +555,7 @@ fn try_read<T, L>(&self, location: L) -> Result<T>
#[inline(always)]
fn try_write<T, L>(&self, location: L, value: T) -> Result
where
- L: IoLoc<T>,
+ L: IoLoc<Self::Target, T>,
Self: IoCapable<L::IoType>,
{
let address = self.io_addr::<L::IoType>(location.offset())?;
@@ -584,8 +601,8 @@ fn try_write<T, L>(&self, location: L, value: T) -> Result
#[inline(always)]
fn try_write_reg<T, L, V>(&self, value: V) -> Result
where
- L: IoLoc<T>,
- V: LocatedRegister<Location = L, Value = T>,
+ L: IoLoc<Self::Target, T>,
+ V: LocatedRegister<Self::Target, Location = L, Value = T>,
Self: IoCapable<L::IoType>,
{
let (location, value) = value.into_io_op();
@@ -617,7 +634,7 @@ fn try_write_reg<T, L, V>(&self, value: V) -> Result
#[inline(always)]
fn try_update<T, L, F>(&self, location: L, f: F) -> Result
where
- L: IoLoc<T>,
+ L: IoLoc<Self::Target, T>,
Self: IoCapable<L::IoType>,
F: FnOnce(T) -> T,
{
@@ -656,7 +673,7 @@ fn try_update<T, L, F>(&self, location: L, f: F) -> Result
#[inline(always)]
fn read<T, L>(&self, location: L) -> T
where
- L: IoLoc<T>,
+ L: IoLoc<Self::Target, T>,
Self: IoCapable<L::IoType>,
{
let address = self.io_addr_assert::<L::IoType>(location.offset());
@@ -688,7 +705,7 @@ fn read<T, L>(&self, location: L) -> T
#[inline(always)]
fn write<T, L>(&self, location: L, value: T)
where
- L: IoLoc<T>,
+ L: IoLoc<Self::Target, T>,
Self: IoCapable<L::IoType>,
{
let address = self.io_addr_assert::<L::IoType>(location.offset());
@@ -731,8 +748,8 @@ fn write<T, L>(&self, location: L, value: T)
#[inline(always)]
fn write_reg<T, L, V>(&self, value: V)
where
- L: IoLoc<T>,
- V: LocatedRegister<Location = L, Value = T>,
+ L: IoLoc<Self::Target, T>,
+ V: LocatedRegister<Self::Target, Location = L, Value = T>,
Self: IoCapable<L::IoType>,
{
let (location, value) = value.into_io_op();
@@ -764,8 +781,8 @@ fn write_reg<T, L, V>(&self, value: V)
#[inline(always)]
fn update<T, L, F>(&self, location: L, f: F)
where
- L: IoLoc<T>,
- Self: IoCapable<L::IoType> + Sized,
+ L: IoLoc<Self::Target, T>,
+ Self: IoCapable<L::IoType>,
F: FnOnce(T) -> T,
{
let address = self.io_addr_assert::<L::IoType>(location.offset());
diff --git a/rust/kernel/io/register.rs b/rust/kernel/io/register.rs
index f924c7c7c1db..64fff9193a13 100644
--- a/rust/kernel/io/register.rs
+++ b/rust/kernel/io/register.rs
@@ -113,6 +113,8 @@
io::IoLoc, //
};
+use super::Region;
+
/// Trait implemented by all registers.
pub trait Register: Sized {
/// Backing primitive type of the register.
@@ -129,7 +131,7 @@ pub trait FixedRegister: Register {}
/// Allows `()` to be used as the `location` parameter of [`Io::write`](super::Io::write) when
/// passing a [`FixedRegister`] value.
-impl<T> IoLoc<T> for ()
+impl<const SIZE: usize, T> IoLoc<Region<SIZE>, T> for ()
where
T: FixedRegister,
{
@@ -143,7 +145,7 @@ fn offset(self) -> usize {
/// A [`FixedRegister`] carries its location in its type. Thus `FixedRegister` values can be used
/// as an [`IoLoc`].
-impl<T> IoLoc<T> for T
+impl<const SIZE: usize, T> IoLoc<Region<SIZE>, T> for T
where
T: FixedRegister,
{
@@ -168,7 +170,7 @@ pub const fn new() -> Self {
}
}
-impl<T> IoLoc<T> for FixedRegisterLoc<T>
+impl<const SIZE: usize, T> IoLoc<Region<SIZE>, T> for FixedRegisterLoc<T>
where
T: FixedRegister,
{
@@ -239,7 +241,8 @@ const fn offset(self) -> usize {
}
}
-impl<T, B> IoLoc<T> for RelativeRegisterLoc<T, B>
+// FIXME: Make use of `Base` type parameter of `Region` directly.
+impl<const SIZE: usize, T, B> IoLoc<Region<SIZE>, T> for RelativeRegisterLoc<T, B>
where
T: RelativeRegister,
B: RegisterBase<T::BaseFamily> + ?Sized,
@@ -283,7 +286,7 @@ pub fn try_new(idx: usize) -> Option<Self> {
}
}
-impl<T> IoLoc<T> for RegisterArrayLoc<T>
+impl<const SIZE: usize, T> IoLoc<Region<SIZE>, T> for RegisterArrayLoc<T>
where
T: RegisterArray,
{
@@ -370,7 +373,7 @@ pub fn try_at(self, idx: usize) -> Option<RelativeRegisterArrayLoc<T, B>> {
}
}
-impl<T, B> IoLoc<T> for RelativeRegisterArrayLoc<T, B>
+impl<const SIZE: usize, T, B> IoLoc<Region<SIZE>, T> for RelativeRegisterArrayLoc<T, B>
where
T: RelativeRegisterArray,
B: RegisterBase<T::BaseFamily> + ?Sized,
@@ -387,18 +390,18 @@ fn offset(self) -> usize {
/// which to write it.
///
/// Implementors can be used with [`Io::write_reg`](super::Io::write_reg).
-pub trait LocatedRegister {
+pub trait LocatedRegister<Base: ?Sized> {
/// Register value to write.
type Value: Register;
/// Full location information at which to write the value.
- type Location: IoLoc<Self::Value>;
+ type Location: IoLoc<Base, Self::Value>;
/// Consumes `self` and returns a `(location, value)` tuple describing a valid I/O write
/// operation.
fn into_io_op(self) -> (Self::Location, Self::Value);
}
-impl<T> LocatedRegister for T
+impl<const SIZE: usize, T> LocatedRegister<Region<SIZE>> for T
where
T: FixedRegister,
{
--
2.54.0
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [PATCH v4 04/20] rust: io: implement `Io` on reference types instead
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
` (2 preceding siblings ...)
2026-06-11 16:28 ` [PATCH v4 03/20] rust: io: restrict untyped IO access and `register!` to `Region` Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
2026-06-15 5:29 ` Alexandre Courbot
2026-06-11 16:28 ` [PATCH v4 05/20] rust: io: generalize `MmioRaw` to pointer to arbitrary type Gary Guo
` (15 subsequent siblings)
19 siblings, 1 reply; 36+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
Currently, `Io` is implemented on owned I/O objects (e.g. `Bar`). This is
going to change with I/O projections, as then `Io` need to work both for
owned objects and views of them. Views are themselves reference-like
(however they obviously cannot be references, because they belong to a
different address space).
To faciliate the change, change `Io` to be implemented on reference types
for the owned I/O objects, and make methods take `self` instead of `&self`.
When I/O views are implemented, we can then naturally implement `Io` for
these objects.
Signed-off-by: Gary Guo <gary@garyguo.net>
---
rust/kernel/io.rs | 80 +++++++++++++++++++++++++--------------------------
rust/kernel/pci/io.rs | 12 ++++----
2 files changed, 46 insertions(+), 46 deletions(-)
diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
index 38281636b4da..3b478dcf10f9 100644
--- a/rust/kernel/io.rs
+++ b/rust/kernel/io.rs
@@ -224,7 +224,7 @@ pub trait IoCapable<T> {
///
/// - The range `[address..address + size_of::<T>()]` must be within the bounds of `Self`.
/// - `address` must be aligned.
- unsafe fn io_read(&self, address: usize) -> T;
+ unsafe fn io_read(self, address: usize) -> T;
/// Performs an I/O write of `value` at `address`.
///
@@ -232,7 +232,7 @@ pub trait IoCapable<T> {
///
/// - The range `[address..address + size_of::<T>()]` must be within the bounds of `Self`.
/// - `address` must be aligned.
- unsafe fn io_write(&self, value: T, address: usize);
+ unsafe fn io_write(self, value: T, address: usize);
}
/// Describes a given I/O location: its offset, width, and type to convert the raw value from and
@@ -299,21 +299,21 @@ fn offset(self) -> usize {
///
/// For MMIO regions, all widths (u8, u16, u32, and u64 on 64-bit systems) are typically
/// supported. For PCI configuration space, u8, u16, and u32 are supported but u64 is not.
-pub trait Io {
+pub trait Io: Copy {
/// Type of this I/O region. For untyped regions, [`Region`] can be used.
type Target: ?Sized + KnownSize;
/// Returns the base address of this mapping.
- fn addr(&self) -> usize;
+ fn addr(self) -> usize;
/// Returns the maximum size of this mapping.
- fn maxsize(&self) -> usize;
+ fn maxsize(self) -> usize;
/// Returns the absolute I/O address for a given `offset`,
/// performing compile-time bound checks.
// Always inline to optimize out error path of `build_assert`.
#[inline(always)]
- fn io_addr_assert<U>(&self, offset: usize) -> usize {
+ fn io_addr_assert<U>(self, offset: usize) -> usize {
// We cannot check alignment with `offset_valid` using `self.addr()`. So set 0 for it and
// ensure alignment by checking that the alignment of `U` is smaller or equal to the
// alignment of `Self::Target`.
@@ -326,7 +326,7 @@ fn io_addr_assert<U>(&self, offset: usize) -> usize {
/// Returns the absolute I/O address for a given `offset`,
/// performing runtime bound checks.
#[inline]
- fn io_addr<U>(&self, offset: usize) -> Result<usize> {
+ fn io_addr<U>(self, offset: usize) -> Result<usize> {
if !offset_valid::<U>(self.addr(), offset, self.maxsize()) {
return Err(EINVAL);
}
@@ -338,7 +338,7 @@ fn io_addr<U>(&self, offset: usize) -> Result<usize> {
/// Fallible 8-bit read with runtime bounds check.
#[inline(always)]
- fn try_read8(&self, offset: usize) -> Result<u8>
+ fn try_read8(self, offset: usize) -> Result<u8>
where
usize: IoLoc<Self::Target, u8, IoType = u8>,
Self: IoCapable<u8>,
@@ -348,7 +348,7 @@ fn try_read8(&self, offset: usize) -> Result<u8>
/// Fallible 16-bit read with runtime bounds check.
#[inline(always)]
- fn try_read16(&self, offset: usize) -> Result<u16>
+ fn try_read16(self, offset: usize) -> Result<u16>
where
usize: IoLoc<Self::Target, u16, IoType = u16>,
Self: IoCapable<u16>,
@@ -358,7 +358,7 @@ fn try_read16(&self, offset: usize) -> Result<u16>
/// Fallible 32-bit read with runtime bounds check.
#[inline(always)]
- fn try_read32(&self, offset: usize) -> Result<u32>
+ fn try_read32(self, offset: usize) -> Result<u32>
where
usize: IoLoc<Self::Target, u32, IoType = u32>,
Self: IoCapable<u32>,
@@ -368,7 +368,7 @@ fn try_read32(&self, offset: usize) -> Result<u32>
/// Fallible 64-bit read with runtime bounds check.
#[inline(always)]
- fn try_read64(&self, offset: usize) -> Result<u64>
+ fn try_read64(self, offset: usize) -> Result<u64>
where
usize: IoLoc<Self::Target, u64, IoType = u64>,
Self: IoCapable<u64>,
@@ -378,7 +378,7 @@ fn try_read64(&self, offset: usize) -> Result<u64>
/// Fallible 8-bit write with runtime bounds check.
#[inline(always)]
- fn try_write8(&self, value: u8, offset: usize) -> Result
+ fn try_write8(self, value: u8, offset: usize) -> Result
where
usize: IoLoc<Self::Target, u8, IoType = u8>,
Self: IoCapable<u8>,
@@ -388,7 +388,7 @@ fn try_write8(&self, value: u8, offset: usize) -> Result
/// Fallible 16-bit write with runtime bounds check.
#[inline(always)]
- fn try_write16(&self, value: u16, offset: usize) -> Result
+ fn try_write16(self, value: u16, offset: usize) -> Result
where
usize: IoLoc<Self::Target, u16, IoType = u16>,
Self: IoCapable<u16>,
@@ -398,7 +398,7 @@ fn try_write16(&self, value: u16, offset: usize) -> Result
/// Fallible 32-bit write with runtime bounds check.
#[inline(always)]
- fn try_write32(&self, value: u32, offset: usize) -> Result
+ fn try_write32(self, value: u32, offset: usize) -> Result
where
usize: IoLoc<Self::Target, u32, IoType = u32>,
Self: IoCapable<u32>,
@@ -408,7 +408,7 @@ fn try_write32(&self, value: u32, offset: usize) -> Result
/// Fallible 64-bit write with runtime bounds check.
#[inline(always)]
- fn try_write64(&self, value: u64, offset: usize) -> Result
+ fn try_write64(self, value: u64, offset: usize) -> Result
where
usize: IoLoc<Self::Target, u64, IoType = u64>,
Self: IoCapable<u64>,
@@ -418,7 +418,7 @@ fn try_write64(&self, value: u64, offset: usize) -> Result
/// Infallible 8-bit read with compile-time bounds check.
#[inline(always)]
- fn read8(&self, offset: usize) -> u8
+ fn read8(self, offset: usize) -> u8
where
usize: IoLoc<Self::Target, u8, IoType = u8>,
Self: IoCapable<u8>,
@@ -428,7 +428,7 @@ fn read8(&self, offset: usize) -> u8
/// Infallible 16-bit read with compile-time bounds check.
#[inline(always)]
- fn read16(&self, offset: usize) -> u16
+ fn read16(self, offset: usize) -> u16
where
usize: IoLoc<Self::Target, u16, IoType = u16>,
Self: IoCapable<u16>,
@@ -438,7 +438,7 @@ fn read16(&self, offset: usize) -> u16
/// Infallible 32-bit read with compile-time bounds check.
#[inline(always)]
- fn read32(&self, offset: usize) -> u32
+ fn read32(self, offset: usize) -> u32
where
usize: IoLoc<Self::Target, u32, IoType = u32>,
Self: IoCapable<u32>,
@@ -448,7 +448,7 @@ fn read32(&self, offset: usize) -> u32
/// Infallible 64-bit read with compile-time bounds check.
#[inline(always)]
- fn read64(&self, offset: usize) -> u64
+ fn read64(self, offset: usize) -> u64
where
usize: IoLoc<Self::Target, u64, IoType = u64>,
Self: IoCapable<u64>,
@@ -458,7 +458,7 @@ fn read64(&self, offset: usize) -> u64
/// Infallible 8-bit write with compile-time bounds check.
#[inline(always)]
- fn write8(&self, value: u8, offset: usize)
+ fn write8(self, value: u8, offset: usize)
where
usize: IoLoc<Self::Target, u8, IoType = u8>,
Self: IoCapable<u8>,
@@ -468,7 +468,7 @@ fn write8(&self, value: u8, offset: usize)
/// Infallible 16-bit write with compile-time bounds check.
#[inline(always)]
- fn write16(&self, value: u16, offset: usize)
+ fn write16(self, value: u16, offset: usize)
where
usize: IoLoc<Self::Target, u16, IoType = u16>,
Self: IoCapable<u16>,
@@ -478,7 +478,7 @@ fn write16(&self, value: u16, offset: usize)
/// Infallible 32-bit write with compile-time bounds check.
#[inline(always)]
- fn write32(&self, value: u32, offset: usize)
+ fn write32(self, value: u32, offset: usize)
where
usize: IoLoc<Self::Target, u32, IoType = u32>,
Self: IoCapable<u32>,
@@ -488,7 +488,7 @@ fn write32(&self, value: u32, offset: usize)
/// Infallible 64-bit write with compile-time bounds check.
#[inline(always)]
- fn write64(&self, value: u64, offset: usize)
+ fn write64(self, value: u64, offset: usize)
where
usize: IoLoc<Self::Target, u64, IoType = u64>,
Self: IoCapable<u64>,
@@ -519,7 +519,7 @@ fn write64(&self, value: u64, offset: usize)
/// }
/// ```
#[inline(always)]
- fn try_read<T, L>(&self, location: L) -> Result<T>
+ fn try_read<T, L>(self, location: L) -> Result<T>
where
L: IoLoc<Self::Target, T>,
Self: IoCapable<L::IoType>,
@@ -553,7 +553,7 @@ fn try_read<T, L>(&self, location: L) -> Result<T>
/// }
/// ```
#[inline(always)]
- fn try_write<T, L>(&self, location: L, value: T) -> Result
+ fn try_write<T, L>(self, location: L, value: T) -> Result
where
L: IoLoc<Self::Target, T>,
Self: IoCapable<L::IoType>,
@@ -599,7 +599,7 @@ fn try_write<T, L>(&self, location: L, value: T) -> Result
/// }
/// ```
#[inline(always)]
- fn try_write_reg<T, L, V>(&self, value: V) -> Result
+ fn try_write_reg<T, L, V>(self, value: V) -> Result
where
L: IoLoc<Self::Target, T>,
V: LocatedRegister<Self::Target, Location = L, Value = T>,
@@ -632,7 +632,7 @@ fn try_write_reg<T, L, V>(&self, value: V) -> Result
/// }
/// ```
#[inline(always)]
- fn try_update<T, L, F>(&self, location: L, f: F) -> Result
+ fn try_update<T, L, F>(self, location: L, f: F) -> Result
where
L: IoLoc<Self::Target, T>,
Self: IoCapable<L::IoType>,
@@ -671,7 +671,7 @@ fn try_update<T, L, F>(&self, location: L, f: F) -> Result
/// }
/// ```
#[inline(always)]
- fn read<T, L>(&self, location: L) -> T
+ fn read<T, L>(self, location: L) -> T
where
L: IoLoc<Self::Target, T>,
Self: IoCapable<L::IoType>,
@@ -703,7 +703,7 @@ fn read<T, L>(&self, location: L) -> T
/// }
/// ```
#[inline(always)]
- fn write<T, L>(&self, location: L, value: T)
+ fn write<T, L>(self, location: L, value: T)
where
L: IoLoc<Self::Target, T>,
Self: IoCapable<L::IoType>,
@@ -746,7 +746,7 @@ fn write<T, L>(&self, location: L, value: T)
/// }
/// ```
#[inline(always)]
- fn write_reg<T, L, V>(&self, value: V)
+ fn write_reg<T, L, V>(self, value: V)
where
L: IoLoc<Self::Target, T>,
V: LocatedRegister<Self::Target, Location = L, Value = T>,
@@ -779,7 +779,7 @@ fn write_reg<T, L, V>(&self, value: V)
/// }
/// ```
#[inline(always)]
- fn update<T, L, F>(&self, location: L, f: F)
+ fn update<T, L, F>(self, location: L, f: F)
where
L: IoLoc<Self::Target, T>,
Self: IoCapable<L::IoType>,
@@ -800,13 +800,13 @@ fn update<T, L, F>(&self, location: L, f: F)
macro_rules! impl_mmio_io_capable {
($mmio:ident, $(#[$attr:meta])* $ty:ty, $read_fn:ident, $write_fn:ident) => {
$(#[$attr])*
- impl<const SIZE: usize> IoCapable<$ty> for $mmio<SIZE> {
- unsafe fn io_read(&self, address: usize) -> $ty {
+ impl<const SIZE: usize> IoCapable<$ty> for &$mmio<SIZE> {
+ unsafe fn io_read(self, address: usize) -> $ty {
// SAFETY: By the trait invariant `address` is a valid address for MMIO operations.
unsafe { bindings::$read_fn(address as *const c_void) }
}
- unsafe fn io_write(&self, value: $ty, address: usize) {
+ unsafe fn io_write(self, value: $ty, address: usize) {
// SAFETY: By the trait invariant `address` is a valid address for MMIO operations.
unsafe { bindings::$write_fn(value, address as *mut c_void) }
}
@@ -827,18 +827,18 @@ unsafe fn io_write(&self, value: $ty, address: usize) {
writeq
);
-impl<const SIZE: usize> Io for Mmio<SIZE> {
+impl<'a, const SIZE: usize> Io for &'a Mmio<SIZE> {
type Target = Region<SIZE>;
/// Returns the base address of this mapping.
#[inline]
- fn addr(&self) -> usize {
+ fn addr(self) -> usize {
self.0.addr()
}
/// Returns the maximum size of this mapping.
#[inline]
- fn maxsize(&self) -> usize {
+ fn maxsize(self) -> usize {
self.0.maxsize()
}
}
@@ -865,16 +865,16 @@ pub unsafe fn from_raw(raw: &MmioRaw<SIZE>) -> &Self {
#[repr(transparent)]
pub struct RelaxedMmio<const SIZE: usize = 0>(Mmio<SIZE>);
-impl<const SIZE: usize> Io for RelaxedMmio<SIZE> {
+impl<'a, const SIZE: usize> Io for &'a RelaxedMmio<SIZE> {
type Target = Region<SIZE>;
#[inline]
- fn addr(&self) -> usize {
+ fn addr(self) -> usize {
self.0.addr()
}
#[inline]
- fn maxsize(&self) -> usize {
+ fn maxsize(self) -> usize {
self.0.maxsize()
}
}
diff --git a/rust/kernel/pci/io.rs b/rust/kernel/pci/io.rs
index b4996aa059d8..505305cd9b86 100644
--- a/rust/kernel/pci/io.rs
+++ b/rust/kernel/pci/io.rs
@@ -79,8 +79,8 @@ pub struct ConfigSpace<'a, S: ?Sized + ConfigSpaceKind = Extended> {
/// Implements [`IoCapable`] on [`ConfigSpace`] for `$ty` using `$read_fn` and `$write_fn`.
macro_rules! impl_config_space_io_capable {
($ty:ty, $read_fn:ident, $write_fn:ident) => {
- impl<'a, S: ?Sized + ConfigSpaceKind> IoCapable<$ty> for ConfigSpace<'a, S> {
- unsafe fn io_read(&self, address: usize) -> $ty {
+ impl<'a, S: ?Sized + ConfigSpaceKind> IoCapable<$ty> for &ConfigSpace<'a, S> {
+ unsafe fn io_read(self, address: usize) -> $ty {
let mut val: $ty = 0;
// Return value from C function is ignored in infallible accessors.
@@ -94,7 +94,7 @@ unsafe fn io_read(&self, address: usize) -> $ty {
val
}
- unsafe fn io_write(&self, value: $ty, address: usize) {
+ unsafe fn io_write(self, value: $ty, address: usize) {
// Return value from C function is ignored in infallible accessors.
let _ret =
// SAFETY: By the type invariant `self.pdev` is a valid address.
@@ -112,18 +112,18 @@ unsafe fn io_write(&self, value: $ty, address: usize) {
impl_config_space_io_capable!(u16, pci_read_config_word, pci_write_config_word);
impl_config_space_io_capable!(u32, pci_read_config_dword, pci_write_config_dword);
-impl<'a, S: ?Sized + ConfigSpaceKind> Io for ConfigSpace<'a, S> {
+impl<'a, S: ?Sized + ConfigSpaceKind> Io for &ConfigSpace<'a, S> {
type Target = S;
/// Returns the base address of the I/O region. It is always 0 for configuration space.
#[inline]
- fn addr(&self) -> usize {
+ fn addr(self) -> usize {
0
}
/// Returns the maximum size of the configuration space.
#[inline]
- fn maxsize(&self) -> usize {
+ fn maxsize(self) -> usize {
self.pdev.cfg_size().into_raw()
}
}
--
2.54.0
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [PATCH v4 05/20] rust: io: generalize `MmioRaw` to pointer to arbitrary type
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
` (3 preceding siblings ...)
2026-06-11 16:28 ` [PATCH v4 04/20] rust: io: implement `Io` on reference types instead Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
2026-06-15 8:04 ` Alexandre Courbot
2026-06-11 16:28 ` [PATCH v4 06/20] rust: io: rename `Mmio` to `MmioOwned` Gary Guo
` (14 subsequent siblings)
19 siblings, 1 reply; 36+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
Conceptually, `MmioRaw` is just `__iomem *`, so it should work for any
types. Update the existing use case where it represents a region of
compile-time known minimum size and run-time known actual size to use the
dynamic-sized type `Region<SIZE>` instead. Rename `maxsize` method to
reflect that it is the actual size (not a bound) of the region.
Implement `Clone` and `Copy` manually, which cannot be derived due to the
generic parameter. The use of raw pointers also cause the `Send` and `Sync`
auto trait implementation to be lost, so add them back by manual
implementation.
Signed-off-by: Gary Guo <gary@garyguo.net>
---
rust/kernel/devres.rs | 7 +++---
rust/kernel/io.rs | 67 +++++++++++++++++++++++++++++++++++++--------------
rust/kernel/io/mem.rs | 5 ++--
rust/kernel/pci/io.rs | 4 +--
4 files changed, 57 insertions(+), 26 deletions(-)
diff --git a/rust/kernel/devres.rs b/rust/kernel/devres.rs
index ed30ccc6e68e..d0c677fd7932 100644
--- a/rust/kernel/devres.rs
+++ b/rust/kernel/devres.rs
@@ -70,14 +70,15 @@ struct Inner<T> {
/// Io,
/// Mmio,
/// MmioRaw,
-/// PhysAddr, //
+/// PhysAddr,
+/// Region, //
/// },
/// prelude::*,
/// };
/// use core::ops::Deref;
///
/// // See also [`pci::Bar`] for a real example.
-/// struct IoMem<const SIZE: usize>(MmioRaw<SIZE>);
+/// struct IoMem<const SIZE: usize>(MmioRaw<Region<SIZE>>);
///
/// impl<const SIZE: usize> IoMem<SIZE> {
/// /// # Safety
@@ -92,7 +93,7 @@ struct Inner<T> {
/// return Err(ENOMEM);
/// }
///
-/// Ok(IoMem(MmioRaw::new(addr as usize, SIZE)?))
+/// Ok(IoMem(MmioRaw::new_region(addr as usize, SIZE)?))
/// }
/// }
///
diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
index 3b478dcf10f9..c64b12ade123 100644
--- a/rust/kernel/io.rs
+++ b/rust/kernel/io.rs
@@ -89,37 +89,67 @@ fn size(p: *const Self) -> usize {
/// Raw representation of an MMIO region.
///
+/// `MmioRaw<T>` is equivalent to `T __iomem *` in C.
+///
/// By itself, the existence of an instance of this structure does not provide any guarantees that
/// the represented MMIO region does exist or is properly mapped.
///
/// Instead, the bus specific MMIO implementation must convert this raw representation into an
/// `Mmio` instance providing the actual memory accessors. Only by the conversion into an `Mmio`
/// structure any guarantees are given.
-pub struct MmioRaw<const SIZE: usize = 0> {
- addr: usize,
- maxsize: usize,
+pub struct MmioRaw<T: ?Sized> {
+ /// Pointer is in I/O address space.
+ ///
+ /// The provenance does not matter, only the address and metadata do.
+ ptr: *mut T,
}
-impl<const SIZE: usize> MmioRaw<SIZE> {
- /// Returns a new `MmioRaw` instance on success, an error otherwise.
- pub fn new(addr: usize, maxsize: usize) -> Result<Self> {
- if maxsize < SIZE {
- return Err(EINVAL);
+impl<T: ?Sized> Copy for MmioRaw<T> {}
+impl<T: ?Sized> Clone for MmioRaw<T> {
+ #[inline]
+ fn clone(&self) -> Self {
+ *self
+ }
+}
+
+// SAFETY: `MmioRaw` is just an address, so is thread-safe.
+unsafe impl<T: ?Sized> Send for MmioRaw<T> {}
+// SAFETY: `MmioRaw` is just an address, so is thread-safe.
+unsafe impl<T: ?Sized> Sync for MmioRaw<T> {}
+
+impl<T> MmioRaw<T> {
+ /// Create a `MmioRaw` from address.
+ #[inline]
+ pub fn new(addr: usize) -> Self {
+ Self {
+ ptr: core::ptr::without_provenance_mut(addr),
}
+ }
+}
- Ok(Self { addr, maxsize })
+impl<const SIZE: usize> MmioRaw<Region<SIZE>> {
+ /// Create a `MmioRaw` representing a I/O region with given size.
+ ///
+ /// The size is checked against the minimum size specified via const generics.
+ #[inline]
+ pub fn new_region(addr: usize, size: usize) -> Result<Self> {
+ Ok(Self {
+ ptr: Region::ptr_try_from_raw_parts_mut(core::ptr::without_provenance_mut(addr), size)?,
+ })
}
+}
+impl<T: ?Sized + KnownSize> MmioRaw<T> {
/// Returns the base address of the MMIO region.
#[inline]
pub fn addr(&self) -> usize {
- self.addr
+ self.ptr.addr()
}
- /// Returns the maximum size of the MMIO region.
+ /// Returns the size of the MMIO region.
#[inline]
- pub fn maxsize(&self) -> usize {
- self.maxsize
+ pub fn size(&self) -> usize {
+ KnownSize::size(self.ptr)
}
}
@@ -144,12 +174,13 @@ pub fn maxsize(&self) -> usize {
/// Mmio,
/// MmioRaw,
/// PhysAddr,
+/// Region,
/// },
/// };
/// use core::ops::Deref;
///
/// // See also `pci::Bar` for a real example.
-/// struct IoMem<const SIZE: usize>(MmioRaw<SIZE>);
+/// struct IoMem<const SIZE: usize>(MmioRaw<Region<SIZE>>);
///
/// impl<const SIZE: usize> IoMem<SIZE> {
/// /// # Safety
@@ -164,7 +195,7 @@ pub fn maxsize(&self) -> usize {
/// return Err(ENOMEM);
/// }
///
-/// Ok(IoMem(MmioRaw::new(addr as usize, SIZE)?))
+/// Ok(IoMem(MmioRaw::new_region(addr as usize, SIZE)?))
/// }
/// }
///
@@ -194,7 +225,7 @@ pub fn maxsize(&self) -> usize {
/// # }
/// ```
#[repr(transparent)]
-pub struct Mmio<const SIZE: usize = 0>(MmioRaw<SIZE>);
+pub struct Mmio<const SIZE: usize = 0>(MmioRaw<Region<SIZE>>);
/// Checks whether an access of type `U` at the given `base` and the given `offset`
/// is valid within this region.
@@ -839,7 +870,7 @@ fn addr(self) -> usize {
/// Returns the maximum size of this mapping.
#[inline]
fn maxsize(self) -> usize {
- self.0.maxsize()
+ self.0.size()
}
}
@@ -850,7 +881,7 @@ impl<const SIZE: usize> Mmio<SIZE> {
///
/// Callers must ensure that `addr` is the start of a valid I/O mapped memory region of size
/// `maxsize`.
- pub unsafe fn from_raw(raw: &MmioRaw<SIZE>) -> &Self {
+ pub unsafe fn from_raw(raw: &MmioRaw<Region<SIZE>>) -> &Self {
// SAFETY: `Mmio` is a transparent wrapper around `MmioRaw`.
unsafe { &*core::ptr::from_ref(raw).cast() }
}
diff --git a/rust/kernel/io/mem.rs b/rust/kernel/io/mem.rs
index fc2a3e24f8d5..9e15bc8fde78 100644
--- a/rust/kernel/io/mem.rs
+++ b/rust/kernel/io/mem.rs
@@ -229,7 +229,7 @@ fn deref(&self) -> &Self::Target {
/// start of the I/O memory mapped region.
pub struct IoMem<'a, const SIZE: usize = 0> {
dev: &'a Device<Bound>,
- io: MmioRaw<SIZE>,
+ io: MmioRaw<super::Region<SIZE>>,
}
impl<'a, const SIZE: usize> IoMem<'a, SIZE> {
@@ -264,8 +264,7 @@ fn ioremap(dev: &'a Device<Bound>, resource: &Resource) -> Result<Self> {
return Err(ENOMEM);
}
- let io = MmioRaw::new(addr as usize, size)?;
-
+ let io = MmioRaw::new_region(addr as usize, size)?;
Ok(IoMem { dev, io })
}
diff --git a/rust/kernel/pci/io.rs b/rust/kernel/pci/io.rs
index 505305cd9b86..42f840d64a6f 100644
--- a/rust/kernel/pci/io.rs
+++ b/rust/kernel/pci/io.rs
@@ -139,7 +139,7 @@ fn maxsize(self) -> usize {
/// memory mapped PCI BAR and its size.
pub struct Bar<'a, const SIZE: usize = 0> {
pdev: &'a Device<device::Bound>,
- io: MmioRaw<SIZE>,
+ io: MmioRaw<crate::io::Region<SIZE>>,
num: i32,
}
@@ -179,7 +179,7 @@ pub(super) fn new(
return Err(ENOMEM);
}
- let io = match MmioRaw::new(ioptr, len as usize) {
+ let io = match MmioRaw::new_region(ioptr, len as usize) {
Ok(io) => io,
Err(err) => {
// SAFETY:
--
2.54.0
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [PATCH v4 06/20] rust: io: rename `Mmio` to `MmioOwned`
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
` (4 preceding siblings ...)
2026-06-11 16:28 ` [PATCH v4 05/20] rust: io: generalize `MmioRaw` to pointer to arbitrary type Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
2026-06-15 8:09 ` Alexandre Courbot
2026-06-11 16:28 ` [PATCH v4 07/20] rust: io: implement `Mmio` as view type Gary Guo
` (13 subsequent siblings)
19 siblings, 1 reply; 36+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
Most users would more commonly reach out to a view of `Mmio` rather than an
owned instance of `Mmio`. Only implementor of `Io` like `Bar` or `IoMem`
would need the owned version. Thus, rename `Mmio` to `MmioOwned` so that
the name `Mmio` can be used for the view type instead.
Signed-off-by: Gary Guo <gary@garyguo.net>
---
rust/kernel/devres.rs | 6 ++--
rust/kernel/io.rs | 77 +++++++++++++++++++++++-----------------------
rust/kernel/io/mem.rs | 8 ++---
rust/kernel/io/poll.rs | 8 ++---
rust/kernel/io/register.rs | 24 +++++++--------
rust/kernel/pci/io.rs | 6 ++--
6 files changed, 65 insertions(+), 64 deletions(-)
diff --git a/rust/kernel/devres.rs b/rust/kernel/devres.rs
index d0c677fd7932..aed0c994fd30 100644
--- a/rust/kernel/devres.rs
+++ b/rust/kernel/devres.rs
@@ -68,7 +68,7 @@ struct Inner<T> {
/// devres::Devres,
/// io::{
/// Io,
-/// Mmio,
+/// MmioOwned,
/// MmioRaw,
/// PhysAddr,
/// Region, //
@@ -105,11 +105,11 @@ struct Inner<T> {
/// }
///
/// impl<const SIZE: usize> Deref for IoMem<SIZE> {
-/// type Target = Mmio<SIZE>;
+/// type Target = MmioOwned<SIZE>;
///
/// fn deref(&self) -> &Self::Target {
/// // SAFETY: The memory range stored in `self` has been properly mapped in `Self::new`.
-/// unsafe { Mmio::from_raw(&self.0) }
+/// unsafe { MmioOwned::from_raw(&self.0) }
/// }
/// }
/// # fn no_run(dev: &Device<Bound>) -> Result<(), Error> {
diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
index c64b12ade123..9ca0d325da50 100644
--- a/rust/kernel/io.rs
+++ b/rust/kernel/io.rs
@@ -95,8 +95,8 @@ fn size(p: *const Self) -> usize {
/// the represented MMIO region does exist or is properly mapped.
///
/// Instead, the bus specific MMIO implementation must convert this raw representation into an
-/// `Mmio` instance providing the actual memory accessors. Only by the conversion into an `Mmio`
-/// structure any guarantees are given.
+/// `MmioOwned` instance providing the actual memory accessors. Only by the conversion into an
+/// `MmioOwned` structure any guarantees are given.
pub struct MmioRaw<T: ?Sized> {
/// Pointer is in I/O address space.
///
@@ -171,7 +171,7 @@ pub fn size(&self) -> usize {
/// ffi::c_void,
/// io::{
/// Io,
-/// Mmio,
+/// MmioOwned,
/// MmioRaw,
/// PhysAddr,
/// Region,
@@ -207,11 +207,11 @@ pub fn size(&self) -> usize {
/// }
///
/// impl<const SIZE: usize> Deref for IoMem<SIZE> {
-/// type Target = Mmio<SIZE>;
+/// type Target = MmioOwned<SIZE>;
///
/// fn deref(&self) -> &Self::Target {
/// // SAFETY: The memory range stored in `self` has been properly mapped in `Self::new`.
-/// unsafe { Mmio::from_raw(&self.0) }
+/// unsafe { MmioOwned::from_raw(&self.0) }
/// }
/// }
///
@@ -225,7 +225,7 @@ pub fn size(&self) -> usize {
/// # }
/// ```
#[repr(transparent)]
-pub struct Mmio<const SIZE: usize = 0>(MmioRaw<Region<SIZE>>);
+pub struct MmioOwned<const SIZE: usize = 0>(MmioRaw<Region<SIZE>>);
/// Checks whether an access of type `U` at the given `base` and the given `offset`
/// is valid within this region.
@@ -536,10 +536,10 @@ fn write64(self, value: u64, offset: usize)
/// ```no_run
/// use kernel::io::{
/// Io,
- /// Mmio,
+ /// MmioOwned,
/// };
///
- /// fn do_reads(io: &Mmio) -> Result {
+ /// fn do_reads(io: &MmioOwned) -> Result {
/// // 32-bit read from address `0x10`.
/// let v: u32 = io.try_read(0x10)?;
///
@@ -570,10 +570,10 @@ fn try_read<T, L>(self, location: L) -> Result<T>
/// ```no_run
/// use kernel::io::{
/// Io,
- /// Mmio,
+ /// MmioOwned,
/// };
///
- /// fn do_writes(io: &Mmio) -> Result {
+ /// fn do_writes(io: &MmioOwned) -> Result {
/// // 32-bit write of value `1` at address `0x10`.
/// io.try_write(0x10, 1u32)?;
///
@@ -608,7 +608,7 @@ fn try_write<T, L>(self, location: L, value: T) -> Result
/// use kernel::io::{
/// register,
/// Io,
- /// Mmio,
+ /// MmioOwned,
/// };
///
/// register! {
@@ -624,7 +624,7 @@ fn try_write<T, L>(self, location: L, value: T) -> Result
/// }
/// }
///
- /// fn do_write_reg(io: &Mmio) -> Result {
+ /// fn do_write_reg(io: &MmioOwned) -> Result {
///
/// io.try_write_reg(VERSION::new(1, 0))
/// }
@@ -653,10 +653,10 @@ fn try_write_reg<T, L, V>(self, value: V) -> Result
/// ```no_run
/// use kernel::io::{
/// Io,
- /// Mmio,
+ /// MmioOwned,
/// };
///
- /// fn do_update(io: &Mmio<0x1000>) -> Result {
+ /// fn do_update(io: &MmioOwned<0x1000>) -> Result {
/// io.try_update(0x10, |v: u32| {
/// v + 1
/// })
@@ -690,10 +690,10 @@ fn try_update<T, L, F>(self, location: L, f: F) -> Result
/// ```no_run
/// use kernel::io::{
/// Io,
- /// Mmio,
+ /// MmioOwned,
/// };
///
- /// fn do_reads(io: &Mmio<0x1000>) {
+ /// fn do_reads(io: &MmioOwned<0x1000>) {
/// // 32-bit read from address `0x10`.
/// let v: u32 = io.read(0x10);
///
@@ -722,10 +722,10 @@ fn read<T, L>(self, location: L) -> T
/// ```no_run
/// use kernel::io::{
/// Io,
- /// Mmio,
+ /// MmioOwned,
/// };
///
- /// fn do_writes(io: &Mmio<0x1000>) {
+ /// fn do_writes(io: &MmioOwned<0x1000>) {
/// // 32-bit write of value `1` at address `0x10`.
/// io.write(0x10, 1u32);
///
@@ -756,7 +756,7 @@ fn write<T, L>(self, location: L, value: T)
/// use kernel::io::{
/// register,
/// Io,
- /// Mmio,
+ /// MmioOwned,
/// };
///
/// register! {
@@ -772,7 +772,7 @@ fn write<T, L>(self, location: L, value: T)
/// }
/// }
///
- /// fn do_write_reg(io: &Mmio<0x1000>) {
+ /// fn do_write_reg(io: &MmioOwned<0x1000>) {
/// io.write_reg(VERSION::new(1, 0));
/// }
/// ```
@@ -800,10 +800,10 @@ fn write_reg<T, L, V>(self, value: V)
/// ```no_run
/// use kernel::io::{
/// Io,
- /// Mmio,
+ /// MmioOwned,
/// };
///
- /// fn do_update(io: &Mmio<0x1000>) {
+ /// fn do_update(io: &MmioOwned<0x1000>) {
/// io.update(0x10, |v: u32| {
/// v + 1
/// })
@@ -846,19 +846,19 @@ unsafe fn io_write(self, value: $ty, address: usize) {
}
// MMIO regions support 8, 16, and 32-bit accesses.
-impl_mmio_io_capable!(Mmio, u8, readb, writeb);
-impl_mmio_io_capable!(Mmio, u16, readw, writew);
-impl_mmio_io_capable!(Mmio, u32, readl, writel);
+impl_mmio_io_capable!(MmioOwned, u8, readb, writeb);
+impl_mmio_io_capable!(MmioOwned, u16, readw, writew);
+impl_mmio_io_capable!(MmioOwned, u32, readl, writel);
// MMIO regions on 64-bit systems also support 64-bit accesses.
impl_mmio_io_capable!(
- Mmio,
+ MmioOwned,
#[cfg(CONFIG_64BIT)]
u64,
readq,
writeq
);
-impl<'a, const SIZE: usize> Io for &'a Mmio<SIZE> {
+impl<'a, const SIZE: usize> Io for &'a MmioOwned<SIZE> {
type Target = Region<SIZE>;
/// Returns the base address of this mapping.
@@ -874,27 +874,28 @@ fn maxsize(self) -> usize {
}
}
-impl<const SIZE: usize> Mmio<SIZE> {
- /// Converts an `MmioRaw` into an `Mmio` instance, providing the accessors to the MMIO mapping.
+impl<const SIZE: usize> MmioOwned<SIZE> {
+ /// Converts an `MmioRaw` into an `MmioOwned` instance, providing the accessors to the MMIO
+ /// mapping.
///
/// # Safety
///
/// Callers must ensure that `addr` is the start of a valid I/O mapped memory region of size
/// `maxsize`.
pub unsafe fn from_raw(raw: &MmioRaw<Region<SIZE>>) -> &Self {
- // SAFETY: `Mmio` is a transparent wrapper around `MmioRaw`.
+ // SAFETY: `MmioOwned` is a transparent wrapper around `MmioRaw`.
unsafe { &*core::ptr::from_ref(raw).cast() }
}
}
-/// [`Mmio`] wrapper using relaxed accessors.
+/// [`MmioOwned`] wrapper using relaxed accessors.
///
/// This type provides an implementation of [`Io`] that uses relaxed I/O MMIO operands instead of
/// the regular ones.
///
-/// See [`Mmio::relaxed`] for a usage example.
+/// See [`MmioOwned::relaxed`] for a usage example.
#[repr(transparent)]
-pub struct RelaxedMmio<const SIZE: usize = 0>(Mmio<SIZE>);
+pub struct RelaxedMmio<const SIZE: usize = 0>(MmioOwned<SIZE>);
impl<'a, const SIZE: usize> Io for &'a RelaxedMmio<SIZE> {
type Target = Region<SIZE>;
@@ -910,7 +911,7 @@ fn maxsize(self) -> usize {
}
}
-impl<const SIZE: usize> Mmio<SIZE> {
+impl<const SIZE: usize> MmioOwned<SIZE> {
/// Returns a [`RelaxedMmio`] reference that performs relaxed I/O operations.
///
/// Relaxed accessors do not provide ordering guarantees with respect to DMA or memory accesses
@@ -921,19 +922,19 @@ impl<const SIZE: usize> Mmio<SIZE> {
/// ```no_run
/// use kernel::io::{
/// Io,
- /// Mmio,
+ /// MmioOwned,
/// RelaxedMmio,
/// };
///
- /// fn do_io(io: &Mmio<0x100>) {
+ /// fn do_io(io: &MmioOwned<0x100>) {
/// // The access is performed using `readl_relaxed` instead of `readl`.
/// let v = io.relaxed().read32(0x10);
/// }
///
/// ```
pub fn relaxed(&self) -> &RelaxedMmio<SIZE> {
- // SAFETY: `RelaxedMmio` is `#[repr(transparent)]` over `Mmio`, so `Mmio<SIZE>` and
- // `RelaxedMmio<SIZE>` have identical layout.
+ // SAFETY: `RelaxedMmio` is `#[repr(transparent)]` over `MmioOwned`, so `MmioOwned<SIZE>`
+ // and `RelaxedMmio<SIZE>` have identical layout.
unsafe { core::mem::transmute(self) }
}
}
diff --git a/rust/kernel/io/mem.rs b/rust/kernel/io/mem.rs
index 9e15bc8fde78..8f6c257c5b8e 100644
--- a/rust/kernel/io/mem.rs
+++ b/rust/kernel/io/mem.rs
@@ -16,7 +16,7 @@
Region,
Resource, //
},
- Mmio,
+ MmioOwned,
MmioRaw, //
},
prelude::*,
@@ -211,7 +211,7 @@ pub fn into_devres(self) -> Result<Devres<ExclusiveIoMem<'static, SIZE>>> {
}
impl<const SIZE: usize> Deref for ExclusiveIoMem<'_, SIZE> {
- type Target = Mmio<SIZE>;
+ type Target = MmioOwned<SIZE>;
fn deref(&self) -> &Self::Target {
&self.iomem
@@ -291,10 +291,10 @@ fn drop(&mut self) {
}
impl<const SIZE: usize> Deref for IoMem<'_, SIZE> {
- type Target = Mmio<SIZE>;
+ type Target = MmioOwned<SIZE>;
fn deref(&self) -> &Self::Target {
// SAFETY: Safe as by the invariant of `IoMem`.
- unsafe { Mmio::from_raw(&self.io) }
+ unsafe { MmioOwned::from_raw(&self.io) }
}
}
diff --git a/rust/kernel/io/poll.rs b/rust/kernel/io/poll.rs
index 75d1b3e8596c..79828a8006b5 100644
--- a/rust/kernel/io/poll.rs
+++ b/rust/kernel/io/poll.rs
@@ -47,14 +47,14 @@
/// ```no_run
/// use kernel::io::{
/// Io,
-/// Mmio,
+/// MmioOwned,
/// poll::read_poll_timeout, //
/// };
/// use kernel::time::Delta;
///
/// const HW_READY: u16 = 0x01;
///
-/// fn wait_for_hardware<const SIZE: usize>(io: &Mmio<SIZE>) -> Result {
+/// fn wait_for_hardware<const SIZE: usize>(io: &MmioOwned<SIZE>) -> Result {
/// read_poll_timeout(
/// // The `op` closure reads the value of a specific status register.
/// || io.try_read16(0x1000),
@@ -134,14 +134,14 @@ pub fn read_poll_timeout<Op, Cond, T>(
/// ```no_run
/// use kernel::io::{
/// Io,
-/// Mmio,
+/// MmioOwned,
/// poll::read_poll_timeout_atomic, //
/// };
/// use kernel::time::Delta;
///
/// const HW_READY: u16 = 0x01;
///
-/// fn wait_for_hardware<const SIZE: usize>(io: &Mmio<SIZE>) -> Result {
+/// fn wait_for_hardware<const SIZE: usize>(io: &MmioOwned<SIZE>) -> Result {
/// read_poll_timeout_atomic(
/// // The `op` closure reads the value of a specific status register.
/// || io.try_read16(0x1000),
diff --git a/rust/kernel/io/register.rs b/rust/kernel/io/register.rs
index 64fff9193a13..242ad96ac805 100644
--- a/rust/kernel/io/register.rs
+++ b/rust/kernel/io/register.rs
@@ -58,7 +58,7 @@
//! },
//! num::Bounded,
//! };
-//! # use kernel::io::Mmio;
+//! # use kernel::io::MmioOwned;
//! # register! {
//! # pub BOOT_0(u32) @ 0x00000100 {
//! # 15:8 vendor_id;
@@ -66,7 +66,7 @@
//! # 3:0 minor_revision;
//! # }
//! # }
-//! # fn test(io: &Mmio<0x1000>) {
+//! # fn test(io: &MmioOwned<0x1000>) {
//! # fn obtain_vendor_id() -> u8 { 0xff }
//!
//! // Read from the register's defined offset (0x100).
@@ -447,7 +447,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// Io,
/// },
/// };
-/// # use kernel::io::Mmio;
+/// # use kernel::io::MmioOwned;
///
/// register! {
/// FIXED_REG(u32) @ 0x100 {
@@ -456,7 +456,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// }
/// }
///
-/// # fn test(io: &Mmio<0x1000>) {
+/// # fn test(io: &MmioOwned<0x1000>) {
/// let val = io.read(FIXED_REG);
///
/// // Write from an already-existing value.
@@ -560,7 +560,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// Io,
/// },
/// };
-/// # use kernel::io::Mmio;
+/// # use kernel::io::MmioOwned;
///
/// // Type used to identify the base.
/// pub struct CpuCtlBase;
@@ -585,7 +585,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// }
/// }
///
-/// # fn test(io: Mmio<0x1000>) {
+/// # fn test(io: MmioOwned<0x1000>) {
/// // Read the status of `Cpu0`.
/// let cpu0_started = io.read(CPU_CTL::of::<Cpu0>());
///
@@ -602,7 +602,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// }
/// }
///
-/// # fn test2(io: Mmio<0x1000>) {
+/// # fn test2(io: MmioOwned<0x1000>) {
/// // Start the aliased `CPU0`, leaving its other fields untouched.
/// io.update(CPU_CTL_ALIAS::of::<Cpu0>(), |r| r.with_alias_start(true));
/// # }
@@ -639,7 +639,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// Io,
/// },
/// };
-/// # use kernel::io::Mmio;
+/// # use kernel::io::MmioOwned;
/// # fn get_scratch_idx() -> usize {
/// # 0x15
/// # }
@@ -652,7 +652,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// }
/// }
///
-/// # fn test(io: &Mmio<0x1000>)
+/// # fn test(io: &MmioOwned<0x1000>)
/// # -> Result<(), Error>{
/// // Read scratch register 0, i.e. I/O address `0x80`.
/// let scratch_0 = io.read(SCRATCH::at(0)).value();
@@ -725,7 +725,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// Io,
/// },
/// };
-/// # use kernel::io::Mmio;
+/// # use kernel::io::MmioOwned;
/// # fn get_scratch_idx() -> usize {
/// # 0x15
/// # }
@@ -753,7 +753,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// }
/// }
///
-/// # fn test(io: &Mmio<0x1000>) -> Result<(), Error> {
+/// # fn test(io: &MmioOwned<0x1000>) -> Result<(), Error> {
/// // Read scratch register 0 of CPU0.
/// let scratch = io.read(CPU_SCRATCH::of::<Cpu0>().at(0));
///
@@ -795,7 +795,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// }
/// }
///
-/// # fn test2(io: &Mmio<0x1000>) -> Result<(), Error> {
+/// # fn test2(io: &MmioOwned<0x1000>) -> Result<(), Error> {
/// let cpu0_status = io.read(CPU_FIRMWARE_STATUS::of::<Cpu0>()).status();
/// # Ok(())
/// # }
diff --git a/rust/kernel/pci/io.rs b/rust/kernel/pci/io.rs
index 42f840d64a6f..e0acb62f58a2 100644
--- a/rust/kernel/pci/io.rs
+++ b/rust/kernel/pci/io.rs
@@ -10,7 +10,7 @@
io::{
Io,
IoCapable,
- Mmio,
+ MmioOwned,
MmioRaw,
Region, //
},
@@ -242,11 +242,11 @@ fn drop(&mut self) {
}
impl<const SIZE: usize> Deref for Bar<'_, SIZE> {
- type Target = Mmio<SIZE>;
+ type Target = MmioOwned<SIZE>;
fn deref(&self) -> &Self::Target {
// SAFETY: By the type invariant of `Self`, the MMIO range in `self.io` is properly mapped.
- unsafe { Mmio::from_raw(&self.io) }
+ unsafe { MmioOwned::from_raw(&self.io) }
}
}
--
2.54.0
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [PATCH v4 07/20] rust: io: implement `Mmio` as view type
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
` (5 preceding siblings ...)
2026-06-11 16:28 ` [PATCH v4 06/20] rust: io: rename `Mmio` to `MmioOwned` Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
2026-06-15 14:52 ` Alexandre Courbot
2026-06-11 16:28 ` [PATCH v4 08/20] rust: pci: io: make `ConfigSpace` a view Gary Guo
` (12 subsequent siblings)
19 siblings, 1 reply; 36+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
Implement `Mmio` as view type and convert `RelaxedMmio` to view type as
well. I/O implementations of `MmioOwned` are changed to delegate to the
`Mmio` view type.
All existing users of `MmioOwned` in the documentation which do not
actually reflect the owning semantics is converted.
Signed-off-by: Gary Guo <gary@garyguo.net>
---
rust/kernel/io.rs | 195 +++++++++++++++++++++++++++++++++++----------
rust/kernel/io/poll.rs | 10 ++-
rust/kernel/io/register.rs | 24 +++---
3 files changed, 171 insertions(+), 58 deletions(-)
diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
index 9ca0d325da50..3ac8b396f5a7 100644
--- a/rust/kernel/io.rs
+++ b/rust/kernel/io.rs
@@ -4,6 +4,10 @@
//!
//! C header: [`include/asm-generic/io.h`](srctree/include/asm-generic/io.h)
+use core::{
+ marker::PhantomData, //
+};
+
use crate::{
bindings,
prelude::*,
@@ -536,10 +540,11 @@ fn write64(self, value: u64, offset: usize)
/// ```no_run
/// use kernel::io::{
/// Io,
- /// MmioOwned,
+ /// Mmio,
+ /// Region,
/// };
///
- /// fn do_reads(io: &MmioOwned) -> Result {
+ /// fn do_reads(io: Mmio<'_, Region>) -> Result {
/// // 32-bit read from address `0x10`.
/// let v: u32 = io.try_read(0x10)?;
///
@@ -570,10 +575,11 @@ fn try_read<T, L>(self, location: L) -> Result<T>
/// ```no_run
/// use kernel::io::{
/// Io,
- /// MmioOwned,
+ /// Mmio,
+ /// Region,
/// };
///
- /// fn do_writes(io: &MmioOwned) -> Result {
+ /// fn do_writes(io: Mmio<'_, Region>) -> Result {
/// // 32-bit write of value `1` at address `0x10`.
/// io.try_write(0x10, 1u32)?;
///
@@ -608,7 +614,8 @@ fn try_write<T, L>(self, location: L, value: T) -> Result
/// use kernel::io::{
/// register,
/// Io,
- /// MmioOwned,
+ /// Mmio,
+ /// Region,
/// };
///
/// register! {
@@ -624,7 +631,7 @@ fn try_write<T, L>(self, location: L, value: T) -> Result
/// }
/// }
///
- /// fn do_write_reg(io: &MmioOwned) -> Result {
+ /// fn do_write_reg(io: Mmio<'_, Region>) -> Result {
///
/// io.try_write_reg(VERSION::new(1, 0))
/// }
@@ -653,10 +660,11 @@ fn try_write_reg<T, L, V>(self, value: V) -> Result
/// ```no_run
/// use kernel::io::{
/// Io,
- /// MmioOwned,
+ /// Mmio,
+ /// Region,
/// };
///
- /// fn do_update(io: &MmioOwned<0x1000>) -> Result {
+ /// fn do_update(io: Mmio<'_, Region<0x1000>>) -> Result {
/// io.try_update(0x10, |v: u32| {
/// v + 1
/// })
@@ -690,10 +698,11 @@ fn try_update<T, L, F>(self, location: L, f: F) -> Result
/// ```no_run
/// use kernel::io::{
/// Io,
- /// MmioOwned,
+ /// Mmio,
+ /// Region,
/// };
///
- /// fn do_reads(io: &MmioOwned<0x1000>) {
+ /// fn do_reads(io: Mmio<'_, Region<0x1000>>) {
/// // 32-bit read from address `0x10`.
/// let v: u32 = io.read(0x10);
///
@@ -722,10 +731,11 @@ fn read<T, L>(self, location: L) -> T
/// ```no_run
/// use kernel::io::{
/// Io,
- /// MmioOwned,
+ /// Mmio,
+ /// Region,
/// };
///
- /// fn do_writes(io: &MmioOwned<0x1000>) {
+ /// fn do_writes(io: Mmio<'_, Region<0x1000>>) {
/// // 32-bit write of value `1` at address `0x10`.
/// io.write(0x10, 1u32);
///
@@ -756,7 +766,8 @@ fn write<T, L>(self, location: L, value: T)
/// use kernel::io::{
/// register,
/// Io,
- /// MmioOwned,
+ /// Mmio,
+ /// Region,
/// };
///
/// register! {
@@ -772,7 +783,7 @@ fn write<T, L>(self, location: L, value: T)
/// }
/// }
///
- /// fn do_write_reg(io: &MmioOwned<0x1000>) {
+ /// fn do_write_reg(io: Mmio<'_, Region<0x1000>>) {
/// io.write_reg(VERSION::new(1, 0));
/// }
/// ```
@@ -800,10 +811,11 @@ fn write_reg<T, L, V>(self, value: V)
/// ```no_run
/// use kernel::io::{
/// Io,
- /// MmioOwned,
+ /// Mmio,
+ /// Region,
/// };
///
- /// fn do_update(io: &MmioOwned<0x1000>) {
+ /// fn do_update(io: Mmio<'_, Region<0x1000>>) {
/// io.update(0x10, |v: u32| {
/// v + 1
/// })
@@ -827,16 +839,72 @@ fn update<T, L, F>(self, location: L, f: F)
}
}
+/// A view of memory-mapped I/O region.
+///
+/// # Invariant
+///
+/// `ptr` points to a valid and aligned memory-mapped I/O region for the duration lifetime `'a`.
+pub struct Mmio<'a, T: ?Sized> {
+ ptr: *mut T,
+ phantom: PhantomData<&'a ()>,
+}
+
+impl<T: ?Sized> Copy for Mmio<'_, T> {}
+impl<T: ?Sized> Clone for Mmio<'_, T> {
+ #[inline]
+ fn clone(&self) -> Self {
+ *self
+ }
+}
+
+impl<'a, T: ?Sized> Mmio<'a, T> {
+ /// Create a `Mmio`, providing the accessors to the MMIO mapping.
+ ///
+ /// # Safety
+ ///
+ /// `raw` represents an valid and aligned memory-mapped I/O region while `'a` is alive.
+ #[inline]
+ pub unsafe fn from_raw(raw: MmioRaw<T>) -> Self {
+ // INVARIANT: Per safety requirement.
+ Self {
+ ptr: raw.ptr,
+ phantom: PhantomData,
+ }
+ }
+}
+
+// SAFETY: `Mmio<'_, T>` is conceptually `&T` but in I/O memory.
+unsafe impl<T: ?Sized + Sync> Send for Mmio<'_, T> {}
+
+// SAFETY: `Mmio<'_, T>` is conceptually `&T` but in I/O memory.
+unsafe impl<T: ?Sized + Sync> Sync for Mmio<'_, T> {}
+
+impl<T: ?Sized + KnownSize> Io for Mmio<'_, T> {
+ type Target = T;
+
+ #[inline]
+ fn addr(self) -> usize {
+ self.ptr.addr()
+ }
+
+ #[inline]
+ fn maxsize(self) -> usize {
+ KnownSize::size(self.ptr)
+ }
+}
+
/// Implements [`IoCapable`] on `$mmio` for `$ty` using `$read_fn` and `$write_fn`.
macro_rules! impl_mmio_io_capable {
($mmio:ident, $(#[$attr:meta])* $ty:ty, $read_fn:ident, $write_fn:ident) => {
$(#[$attr])*
- impl<const SIZE: usize> IoCapable<$ty> for &$mmio<SIZE> {
+ impl<T: ?Sized> IoCapable<$ty> for $mmio<'_, T> {
+ #[inline]
unsafe fn io_read(self, address: usize) -> $ty {
// SAFETY: By the trait invariant `address` is a valid address for MMIO operations.
unsafe { bindings::$read_fn(address as *const c_void) }
}
+ #[inline]
unsafe fn io_write(self, value: $ty, address: usize) {
// SAFETY: By the trait invariant `address` is a valid address for MMIO operations.
unsafe { bindings::$write_fn(value, address as *mut c_void) }
@@ -846,17 +914,12 @@ unsafe fn io_write(self, value: $ty, address: usize) {
}
// MMIO regions support 8, 16, and 32-bit accesses.
-impl_mmio_io_capable!(MmioOwned, u8, readb, writeb);
-impl_mmio_io_capable!(MmioOwned, u16, readw, writew);
-impl_mmio_io_capable!(MmioOwned, u32, readl, writel);
+impl_mmio_io_capable!(Mmio, u8, readb, writeb);
+impl_mmio_io_capable!(Mmio, u16, readw, writew);
+impl_mmio_io_capable!(Mmio, u32, readl, writel);
// MMIO regions on 64-bit systems also support 64-bit accesses.
-impl_mmio_io_capable!(
- MmioOwned,
- #[cfg(CONFIG_64BIT)]
- u64,
- readq,
- writeq
-);
+#[cfg(CONFIG_64BIT)]
+impl_mmio_io_capable!(Mmio, u64, readq, writeq);
impl<'a, const SIZE: usize> Io for &'a MmioOwned<SIZE> {
type Target = Region<SIZE>;
@@ -874,6 +937,23 @@ fn maxsize(self) -> usize {
}
}
+impl<'a, const SIZE: usize, T> IoCapable<T> for &'a MmioOwned<SIZE>
+where
+ Mmio<'a, Region<SIZE>>: IoCapable<T>,
+{
+ #[inline]
+ unsafe fn io_read(self, address: usize) -> T {
+ // SAFETY: Per safety requirement.
+ unsafe { self.as_view().io_read(address) }
+ }
+
+ #[inline]
+ unsafe fn io_write(self, value: T, address: usize) {
+ // SAFETY: Per safety requirement.
+ unsafe { self.as_view().io_write(value, address) }
+ }
+}
+
impl<const SIZE: usize> MmioOwned<SIZE> {
/// Converts an `MmioRaw` into an `MmioOwned` instance, providing the accessors to the MMIO
/// mapping.
@@ -886,32 +966,59 @@ pub unsafe fn from_raw(raw: &MmioRaw<Region<SIZE>>) -> &Self {
// SAFETY: `MmioOwned` is a transparent wrapper around `MmioRaw`.
unsafe { &*core::ptr::from_ref(raw).cast() }
}
+
+ /// Return a view that covers the full region.
+ #[inline]
+ pub fn as_view(&self) -> Mmio<'_, Region<SIZE>> {
+ // SAFETY: `Mmio` has same invariant as `MmioOwned`.
+ unsafe { Mmio::from_raw(self.0) }
+ }
}
-/// [`MmioOwned`] wrapper using relaxed accessors.
+/// [`Mmio`] but using relaxed accessors.
///
/// This type provides an implementation of [`Io`] that uses relaxed I/O MMIO operands instead of
/// the regular ones.
///
-/// See [`MmioOwned::relaxed`] for a usage example.
-#[repr(transparent)]
-pub struct RelaxedMmio<const SIZE: usize = 0>(MmioOwned<SIZE>);
+/// See [`Mmio::relaxed`] for a usage example.
+///
+/// # Invariant
+///
+/// `ptr` points to a valid and aligned memory-mapped I/O region for the duration lifetime `'a`.
+pub struct RelaxedMmio<'a, T: ?Sized> {
+ ptr: *mut T,
+ phantom: PhantomData<&'a ()>,
+}
-impl<'a, const SIZE: usize> Io for &'a RelaxedMmio<SIZE> {
- type Target = Region<SIZE>;
+impl<T: ?Sized> Copy for RelaxedMmio<'_, T> {}
+impl<T: ?Sized> Clone for RelaxedMmio<'_, T> {
+ #[inline]
+ fn clone(&self) -> Self {
+ *self
+ }
+}
+
+// SAFETY: `RelaxedMmio<'_, T>` is conceptually `&T` but in I/O memory.
+unsafe impl<T: ?Sized + Sync> Send for RelaxedMmio<'_, T> {}
+
+// SAFETY: `RelaxedMmio<'_, T>` is conceptually `&T` but in I/O memory.
+unsafe impl<T: ?Sized + Sync> Sync for RelaxedMmio<'_, T> {}
+
+impl<T: ?Sized + KnownSize> Io for RelaxedMmio<'_, T> {
+ type Target = T;
#[inline]
fn addr(self) -> usize {
- self.0.addr()
+ self.ptr.addr()
}
#[inline]
fn maxsize(self) -> usize {
- self.0.maxsize()
+ KnownSize::size(self.ptr)
}
}
-impl<const SIZE: usize> MmioOwned<SIZE> {
+impl<'a, T: ?Sized> Mmio<'a, T> {
/// Returns a [`RelaxedMmio`] reference that performs relaxed I/O operations.
///
/// Relaxed accessors do not provide ordering guarantees with respect to DMA or memory accesses
@@ -922,20 +1029,24 @@ impl<const SIZE: usize> MmioOwned<SIZE> {
/// ```no_run
/// use kernel::io::{
/// Io,
- /// MmioOwned,
+ /// Mmio,
+ /// Region,
/// RelaxedMmio,
/// };
///
- /// fn do_io(io: &MmioOwned<0x100>) {
+ /// fn do_io(io: Mmio<'_, Region<0x100>>) {
/// // The access is performed using `readl_relaxed` instead of `readl`.
/// let v = io.relaxed().read32(0x10);
/// }
///
/// ```
- pub fn relaxed(&self) -> &RelaxedMmio<SIZE> {
- // SAFETY: `RelaxedMmio` is `#[repr(transparent)]` over `MmioOwned`, so `MmioOwned<SIZE>`
- // and `RelaxedMmio<SIZE>` have identical layout.
- unsafe { core::mem::transmute(self) }
+ #[inline]
+ pub fn relaxed(self) -> RelaxedMmio<'a, T> {
+ // INVARIANT: `RelaxedMmio` has the same invariant as `Mmio`.
+ RelaxedMmio {
+ ptr: self.ptr,
+ phantom: PhantomData,
+ }
}
}
diff --git a/rust/kernel/io/poll.rs b/rust/kernel/io/poll.rs
index 79828a8006b5..d75f2fcf46f2 100644
--- a/rust/kernel/io/poll.rs
+++ b/rust/kernel/io/poll.rs
@@ -47,14 +47,15 @@
/// ```no_run
/// use kernel::io::{
/// Io,
-/// MmioOwned,
+/// Mmio,
+/// Region,
/// poll::read_poll_timeout, //
/// };
/// use kernel::time::Delta;
///
/// const HW_READY: u16 = 0x01;
///
-/// fn wait_for_hardware<const SIZE: usize>(io: &MmioOwned<SIZE>) -> Result {
+/// fn wait_for_hardware<const SIZE: usize>(io: Mmio<'_, Region<SIZE>>) -> Result {
/// read_poll_timeout(
/// // The `op` closure reads the value of a specific status register.
/// || io.try_read16(0x1000),
@@ -134,14 +135,15 @@ pub fn read_poll_timeout<Op, Cond, T>(
/// ```no_run
/// use kernel::io::{
/// Io,
-/// MmioOwned,
+/// Mmio,
+/// Region,
/// poll::read_poll_timeout_atomic, //
/// };
/// use kernel::time::Delta;
///
/// const HW_READY: u16 = 0x01;
///
-/// fn wait_for_hardware<const SIZE: usize>(io: &MmioOwned<SIZE>) -> Result {
+/// fn wait_for_hardware<const SIZE: usize>(io: Mmio<'_, Region<SIZE>>) -> Result {
/// read_poll_timeout_atomic(
/// // The `op` closure reads the value of a specific status register.
/// || io.try_read16(0x1000),
diff --git a/rust/kernel/io/register.rs b/rust/kernel/io/register.rs
index 242ad96ac805..d0feaf7c8736 100644
--- a/rust/kernel/io/register.rs
+++ b/rust/kernel/io/register.rs
@@ -58,7 +58,7 @@
//! },
//! num::Bounded,
//! };
-//! # use kernel::io::MmioOwned;
+//! # use kernel::io::{Mmio, Region};
//! # register! {
//! # pub BOOT_0(u32) @ 0x00000100 {
//! # 15:8 vendor_id;
@@ -66,7 +66,7 @@
//! # 3:0 minor_revision;
//! # }
//! # }
-//! # fn test(io: &MmioOwned<0x1000>) {
+//! # fn test(io: Mmio<'_, Region<0x1000>>) {
//! # fn obtain_vendor_id() -> u8 { 0xff }
//!
//! // Read from the register's defined offset (0x100).
@@ -447,7 +447,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// Io,
/// },
/// };
-/// # use kernel::io::MmioOwned;
+/// # use kernel::io::{Mmio, Region};
///
/// register! {
/// FIXED_REG(u32) @ 0x100 {
@@ -456,7 +456,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// }
/// }
///
-/// # fn test(io: &MmioOwned<0x1000>) {
+/// # fn test(io: Mmio<'_, Region<0x1000>>) {
/// let val = io.read(FIXED_REG);
///
/// // Write from an already-existing value.
@@ -560,7 +560,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// Io,
/// },
/// };
-/// # use kernel::io::MmioOwned;
+/// # use kernel::io::{Mmio, Region};
///
/// // Type used to identify the base.
/// pub struct CpuCtlBase;
@@ -585,7 +585,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// }
/// }
///
-/// # fn test(io: MmioOwned<0x1000>) {
+/// # fn test(io: Mmio<'_, Region<0x1000>>) {
/// // Read the status of `Cpu0`.
/// let cpu0_started = io.read(CPU_CTL::of::<Cpu0>());
///
@@ -602,7 +602,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// }
/// }
///
-/// # fn test2(io: MmioOwned<0x1000>) {
+/// # fn test2(io: Mmio<'_, Region<0x1000>>) {
/// // Start the aliased `CPU0`, leaving its other fields untouched.
/// io.update(CPU_CTL_ALIAS::of::<Cpu0>(), |r| r.with_alias_start(true));
/// # }
@@ -639,7 +639,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// Io,
/// },
/// };
-/// # use kernel::io::MmioOwned;
+/// # use kernel::io::{Mmio, Region};
/// # fn get_scratch_idx() -> usize {
/// # 0x15
/// # }
@@ -652,7 +652,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// }
/// }
///
-/// # fn test(io: &MmioOwned<0x1000>)
+/// # fn test(io: Mmio<'_, Region<0x1000>>)
/// # -> Result<(), Error>{
/// // Read scratch register 0, i.e. I/O address `0x80`.
/// let scratch_0 = io.read(SCRATCH::at(0)).value();
@@ -725,7 +725,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// Io,
/// },
/// };
-/// # use kernel::io::MmioOwned;
+/// # use kernel::io::{Mmio, Region};
/// # fn get_scratch_idx() -> usize {
/// # 0x15
/// # }
@@ -753,7 +753,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// }
/// }
///
-/// # fn test(io: &MmioOwned<0x1000>) -> Result<(), Error> {
+/// # fn test(io: Mmio<'_, Region<0x1000>>) -> Result<(), Error> {
/// // Read scratch register 0 of CPU0.
/// let scratch = io.read(CPU_SCRATCH::of::<Cpu0>().at(0));
///
@@ -795,7 +795,7 @@ fn into_io_op(self) -> (FixedRegisterLoc<T>, T) {
/// }
/// }
///
-/// # fn test2(io: &MmioOwned<0x1000>) -> Result<(), Error> {
+/// # fn test2(io: Mmio<'_, Region<0x1000>>) -> Result<(), Error> {
/// let cpu0_status = io.read(CPU_FIRMWARE_STATUS::of::<Cpu0>()).status();
/// # Ok(())
/// # }
--
2.54.0
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [PATCH v4 08/20] rust: pci: io: make `ConfigSpace` a view
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
` (6 preceding siblings ...)
2026-06-11 16:28 ` [PATCH v4 07/20] rust: io: implement `Mmio` as view type Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
2026-06-11 16:28 ` [PATCH v4 09/20] rust: io: use view types instead of addresses for `Io` Gary Guo
` (11 subsequent siblings)
19 siblings, 0 replies; 36+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
In order to support I/O projection, we are splitting I/O types into two
categories: owned objects and views. Owned objects have a specific type
that is related to setting up and tearing down, while views can have their
type changed with I/O projection.
Things like `IoMem` or `Bar` are owned objects, which requires setting up
mapping and cleaning up on drop. On the other side, `ConfigSpace` is really
just a view, as the resource is associated with the `pci::Device`.
Remove the `ConfigSpaceKind` bound on `ConfigSpace` and make it a generic
view. This means that `ConfigSpace` object now represents a subregion and
therefore encodes offset (as address of pointers) and size (as metadata of
pointers) itself. The full region case is still supported with offset 0 and
size of `cfg_size`.
Signed-off-by: Gary Guo <gary@garyguo.net>
---
rust/kernel/pci/io.rs | 64 +++++++++++++++++++++++++++++----------------------
1 file changed, 36 insertions(+), 28 deletions(-)
diff --git a/rust/kernel/pci/io.rs b/rust/kernel/pci/io.rs
index e0acb62f58a2..89f4bb483a7f 100644
--- a/rust/kernel/pci/io.rs
+++ b/rust/kernel/pci/io.rs
@@ -18,7 +18,6 @@
ptr::KnownSize, //
};
use core::{
- marker::PhantomData,
ops::Deref, //
};
@@ -53,33 +52,42 @@ pub const fn into_raw(self) -> usize {
/// Alias for extended (4096-byte) PCIe configuration space.
pub type Extended = Region<4096>;
-/// Trait for PCI configuration space size markers.
-///
-/// This trait is implemented by [`Normal`] and [`Extended`] to provide
-/// compile-time knowledge of the configuration space size.
-pub trait ConfigSpaceKind: KnownSize {}
-
-impl ConfigSpaceKind for Normal {}
-
-impl ConfigSpaceKind for Extended {}
-
-/// The PCI configuration space of a device.
+/// A view of PCI configuration space of a device.
///
/// Provides typed read and write accessors for configuration registers
/// using the standard `pci_read_config_*` and `pci_write_config_*` helpers.
///
-/// The generic parameter `S` indicates the maximum size of the configuration space.
-/// Use [`Normal`] for 256-byte legacy configuration space or [`Extended`] for
-/// 4096-byte PCIe extended configuration space (default).
-pub struct ConfigSpace<'a, S: ?Sized + ConfigSpaceKind = Extended> {
+/// The generic parameter `T` is the type of the view. The full configuration space is also a
+/// special type of view; in such cases, `T` can be [`Normal`] for 256-byte legacy configuration
+/// space or [`Extended`] for 4096-byte PCIe extended configuration space (default).
+///
+/// # Invariants
+///
+/// `ptr` is aligned and range `ptr..ptr + KnownSize::size(ptr)` is within
+/// `0..pdev.cfg_size().into_raw()`.
+pub struct ConfigSpace<'a, T: ?Sized = Extended> {
pub(crate) pdev: &'a Device<device::Bound>,
- _marker: PhantomData<S>,
+ ptr: *mut T,
}
+impl<T: ?Sized> Copy for ConfigSpace<'_, T> {}
+impl<T: ?Sized> Clone for ConfigSpace<'_, T> {
+ #[inline]
+ fn clone(&self) -> Self {
+ *self
+ }
+}
+
+// SAFETY: `ConfigSpace<'_, T>` is conceptually `&T` but in I/O memory.
+unsafe impl<T: ?Sized + Sync> Send for ConfigSpace<'_, T> {}
+
+// SAFETY: `ConfigSpace<'_, T>` is conceptually `&T` but in I/O memory.
+unsafe impl<T: ?Sized + Sync> Sync for ConfigSpace<'_, T> {}
+
/// Implements [`IoCapable`] on [`ConfigSpace`] for `$ty` using `$read_fn` and `$write_fn`.
macro_rules! impl_config_space_io_capable {
($ty:ty, $read_fn:ident, $write_fn:ident) => {
- impl<'a, S: ?Sized + ConfigSpaceKind> IoCapable<$ty> for &ConfigSpace<'a, S> {
+ impl<'a, T: ?Sized> IoCapable<$ty> for ConfigSpace<'a, T> {
unsafe fn io_read(self, address: usize) -> $ty {
let mut val: $ty = 0;
@@ -112,19 +120,17 @@ unsafe fn io_write(self, value: $ty, address: usize) {
impl_config_space_io_capable!(u16, pci_read_config_word, pci_write_config_word);
impl_config_space_io_capable!(u32, pci_read_config_dword, pci_write_config_dword);
-impl<'a, S: ?Sized + ConfigSpaceKind> Io for &ConfigSpace<'a, S> {
- type Target = S;
+impl<'a, T: ?Sized + KnownSize> Io for ConfigSpace<'a, T> {
+ type Target = T;
- /// Returns the base address of the I/O region. It is always 0 for configuration space.
#[inline]
fn addr(self) -> usize {
- 0
+ self.ptr.addr()
}
- /// Returns the maximum size of the configuration space.
#[inline]
fn maxsize(self) -> usize {
- self.pdev.cfg_size().into_raw()
+ KnownSize::size(self.ptr)
}
}
@@ -281,23 +287,25 @@ pub fn cfg_size(&self) -> ConfigSpaceSize {
}
}
- /// Return an initialized normal (256-byte) config space object.
+ /// Return a view of the normal (256-byte) config space.
pub fn config_space<'a>(&'a self) -> ConfigSpace<'a, Normal> {
+ // INVARIANT: null is aligned and the range is within config space.
ConfigSpace {
pdev: self,
- _marker: PhantomData,
+ ptr: Normal::ptr_from_raw_parts_mut(core::ptr::null_mut(), self.cfg_size().into_raw()),
}
}
- /// Return an initialized extended (4096-byte) config space object.
+ /// Return a view of the extended (4096-byte) config space.
pub fn config_space_extended<'a>(&'a self) -> Result<ConfigSpace<'a, Extended>> {
if self.cfg_size() != ConfigSpaceSize::Extended {
return Err(EINVAL);
}
+ // INVARIANT: null is aligned and we just checked the `cfg_size`.
Ok(ConfigSpace {
pdev: self,
- _marker: PhantomData,
+ ptr: Extended::ptr_from_raw_parts_mut(core::ptr::null_mut(), 4096),
})
}
}
--
2.54.0
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [PATCH v4 09/20] rust: io: use view types instead of addresses for `Io`
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
` (7 preceding siblings ...)
2026-06-11 16:28 ` [PATCH v4 08/20] rust: pci: io: make `ConfigSpace` a view Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
2026-06-11 16:28 ` [PATCH v4 10/20] rust: io: remove `MmioOwned` Gary Guo
` (10 subsequent siblings)
19 siblings, 0 replies; 36+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
Currently, `io_read` and `io_write` methods require the exact type of `Io`
plus an address. This means that they need to be monomorphized for each
different `Io` instance. This also means that multiple I/O implementors for
the same I/O kind needs to duplicate implementation (e.g. `Mmio` and
`MmioOwned`).
Create a new `IoBackend` trait and define these operations on it instead.
The operations are just going to receive a view type and operate on them.
This has the additional advantage that the invariants can be moved from the
trait (and guaranteed via `unsafe`) to type invariants on the canonical
view types of the backends, so `io_read` and `io_write` can be safe.
Note that view type is needed; addresses are insufficient in this
designk, as they do not carry sufficient information. For example,
`ConfigSpace` needs `&pci::Device` in addition to the address.
Signed-off-by: Gary Guo <gary@garyguo.net>
---
rust/kernel/io.rs | 345 ++++++++++++++++++++++++++------------------------
rust/kernel/pci/io.rs | 70 ++++++----
2 files changed, 224 insertions(+), 191 deletions(-)
diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
index 3ac8b396f5a7..e422a5ff2a5e 100644
--- a/rust/kernel/io.rs
+++ b/rust/kernel/io.rs
@@ -244,6 +244,38 @@ const fn offset_valid<U>(base: usize, offset: usize, size: usize) -> bool {
}
}
+/// I/O backends.
+///
+/// This is an abstract representation to be implemented by arbitrary I/O
+/// backends (e.g. MMIO, PCI config space, etc.).
+///
+/// The base trait only defines the projection operations; which I/O methods are available depends
+/// on which [`IoCapable<T>`] traits are implemented for the type. For example, for MMIO regions,
+/// all widths (u8, u16, u32, and u64 on 64-bit systems) are typically supported. For PCI
+/// configuration space, u8, u16, and u32 are supported but u64 is not.
+///
+/// This trait is separate from the `Io` trait as multiple different I/O types may share the same
+/// operation.
+pub trait IoBackend {
+ /// View type for this I/O backend.
+ type View<'a, T: ?Sized + KnownSize>: Io<'a, Backend = Self, Target = T>;
+
+ /// Convert a `view` to a raw pointer for projection.
+ fn as_ptr<'a, T: ?Sized + KnownSize>(view: Self::View<'a, T>) -> *mut T;
+
+ /// Project `view` to its subregion indicated by `ptr`.
+ ///
+ /// If input `view` is valid, returned view must also be valid.
+ ///
+ /// # Safety
+ ///
+ /// `ptr` must be a projection of `Self::as_ptr(view)`.
+ unsafe fn project_view<'a, T: ?Sized + KnownSize, U: ?Sized + KnownSize>(
+ view: Self::View<'a, T>,
+ ptr: *mut U,
+ ) -> Self::View<'a, U>;
+}
+
/// Trait indicating that an I/O backend supports operations of a certain type and providing an
/// implementation for these operations.
///
@@ -252,22 +284,12 @@ const fn offset_valid<U>(base: usize, offset: usize, size: usize) -> bool {
/// For example, a PCI configuration space may implement `IoCapable<u8>`, `IoCapable<u16>`,
/// and `IoCapable<u32>`, but not `IoCapable<u64>`, while an MMIO region on a 64-bit
/// system might implement all four.
-pub trait IoCapable<T> {
- /// Performs an I/O read of type `T` at `address` and returns the result.
- ///
- /// # Safety
- ///
- /// - The range `[address..address + size_of::<T>()]` must be within the bounds of `Self`.
- /// - `address` must be aligned.
- unsafe fn io_read(self, address: usize) -> T;
+pub trait IoCapable<T>: IoBackend {
+ /// Performs an I/O read of type `T` at `view` and returns the result.
+ fn io_read<'a>(view: Self::View<'a, T>) -> T;
- /// Performs an I/O write of `value` at `address`.
- ///
- /// # Safety
- ///
- /// - The range `[address..address + size_of::<T>()]` must be within the bounds of `Self`.
- /// - `address` must be aligned.
- unsafe fn io_write(self, value: T, address: usize);
+ /// Performs an I/O write of `value` at `view`.
+ fn io_write<'a>(view: Self::View<'a, T>, value: T);
}
/// Describes a given I/O location: its offset, width, and type to convert the raw value from and
@@ -319,56 +341,54 @@ fn offset(self) -> usize {
/// Types implementing this trait (e.g. MMIO BARs or PCI config regions)
/// can perform I/O operations on regions of memory.
///
-/// This is an abstract representation to be implemented by arbitrary I/O
-/// backends (e.g. MMIO, PCI config space, etc.).
-///
/// The [`Io`] trait provides:
-/// - Base address and size information
+/// - Method to convert into [`IoBackend::View`].
/// - Helper methods for offset validation and address calculation
/// - Fallible (runtime checked) accessors for different data widths
///
-/// Which I/O methods are available depends on which [`IoCapable<T>`] traits
-/// are implemented for the type.
-///
-/// # Examples
-///
-/// For MMIO regions, all widths (u8, u16, u32, and u64 on 64-bit systems) are typically
-/// supported. For PCI configuration space, u8, u16, and u32 are supported but u64 is not.
-pub trait Io: Copy {
+/// Which I/O methods are available depends on the associated [`IoBackend`] implementation.
+pub trait Io<'a>: Copy {
+ /// Type that defines all I/O operations.
+ type Backend: IoBackend;
+
/// Type of this I/O region. For untyped regions, [`Region`] can be used.
type Target: ?Sized + KnownSize;
- /// Returns the base address of this mapping.
- fn addr(self) -> usize;
-
- /// Returns the maximum size of this mapping.
- fn maxsize(self) -> usize;
+ /// Return a view that covers the full region.
+ fn as_view(self) -> <Self::Backend as IoBackend>::View<'a, Self::Target>;
- /// Returns the absolute I/O address for a given `offset`,
- /// performing compile-time bound checks.
+ /// Returns a view for a given `offset`, performing compile-time bound checks.
// Always inline to optimize out error path of `build_assert`.
#[inline(always)]
- fn io_addr_assert<U>(self, offset: usize) -> usize {
- // We cannot check alignment with `offset_valid` using `self.addr()`. So set 0 for it and
+ fn io_addr_assert<U>(self, offset: usize) -> <Self::Backend as IoBackend>::View<'a, U> {
+ // We cannot check alignment with `offset_valid` using `ptr.addr()`. So set 0 for it and
// ensure alignment by checking that the alignment of `U` is smaller or equal to the
// alignment of `Self::Target`.
const_assert!(Alignment::of::<U>().as_usize() <= Self::Target::MIN_ALIGN.as_usize());
build_assert!(offset_valid::<U>(0, offset, Self::Target::MIN_SIZE));
- self.addr() + offset
+ let view = self.as_view();
+ let ptr = Self::Backend::as_ptr(view);
+ let projected_ptr = ptr.cast::<U>().wrapping_byte_add(offset);
+ // SAFETY: `offset_valid` checks for size and alignment and therefore `projected_ptr` is a
+ // valid projection.
+ unsafe { Self::Backend::project_view(view, projected_ptr) }
}
- /// Returns the absolute I/O address for a given `offset`,
- /// performing runtime bound checks.
+ /// Returns a view for a given `offset`, performing runtime bound checks.
#[inline]
- fn io_addr<U>(self, offset: usize) -> Result<usize> {
- if !offset_valid::<U>(self.addr(), offset, self.maxsize()) {
+ fn io_addr<U>(self, offset: usize) -> Result<<Self::Backend as IoBackend>::View<'a, U>> {
+ let view = self.as_view();
+ let ptr = Self::Backend::as_ptr(view);
+
+ if !offset_valid::<U>(ptr.addr(), offset, KnownSize::size(ptr)) {
return Err(EINVAL);
}
- // Probably no need to check, since the safety requirements of `Self::new` guarantee that
- // this can't overflow.
- self.addr().checked_add(offset).ok_or(EINVAL)
+ let projected_ptr = ptr.cast::<U>().wrapping_byte_add(offset);
+ // SAFETY: `offset_valid` checks for size and alignment and therefore `projected_ptr` is a
+ // valid projection.
+ Ok(unsafe { Self::Backend::project_view(view, projected_ptr) })
}
/// Fallible 8-bit read with runtime bounds check.
@@ -376,7 +396,7 @@ fn io_addr<U>(self, offset: usize) -> Result<usize> {
fn try_read8(self, offset: usize) -> Result<u8>
where
usize: IoLoc<Self::Target, u8, IoType = u8>,
- Self: IoCapable<u8>,
+ Self::Backend: IoCapable<u8>,
{
self.try_read(offset)
}
@@ -386,7 +406,7 @@ fn try_read8(self, offset: usize) -> Result<u8>
fn try_read16(self, offset: usize) -> Result<u16>
where
usize: IoLoc<Self::Target, u16, IoType = u16>,
- Self: IoCapable<u16>,
+ Self::Backend: IoCapable<u16>,
{
self.try_read(offset)
}
@@ -396,7 +416,7 @@ fn try_read16(self, offset: usize) -> Result<u16>
fn try_read32(self, offset: usize) -> Result<u32>
where
usize: IoLoc<Self::Target, u32, IoType = u32>,
- Self: IoCapable<u32>,
+ Self::Backend: IoCapable<u32>,
{
self.try_read(offset)
}
@@ -406,7 +426,7 @@ fn try_read32(self, offset: usize) -> Result<u32>
fn try_read64(self, offset: usize) -> Result<u64>
where
usize: IoLoc<Self::Target, u64, IoType = u64>,
- Self: IoCapable<u64>,
+ Self::Backend: IoCapable<u64>,
{
self.try_read(offset)
}
@@ -416,7 +436,7 @@ fn try_read64(self, offset: usize) -> Result<u64>
fn try_write8(self, value: u8, offset: usize) -> Result
where
usize: IoLoc<Self::Target, u8, IoType = u8>,
- Self: IoCapable<u8>,
+ Self::Backend: IoCapable<u8>,
{
self.try_write(offset, value)
}
@@ -426,7 +446,7 @@ fn try_write8(self, value: u8, offset: usize) -> Result
fn try_write16(self, value: u16, offset: usize) -> Result
where
usize: IoLoc<Self::Target, u16, IoType = u16>,
- Self: IoCapable<u16>,
+ Self::Backend: IoCapable<u16>,
{
self.try_write(offset, value)
}
@@ -436,7 +456,7 @@ fn try_write16(self, value: u16, offset: usize) -> Result
fn try_write32(self, value: u32, offset: usize) -> Result
where
usize: IoLoc<Self::Target, u32, IoType = u32>,
- Self: IoCapable<u32>,
+ Self::Backend: IoCapable<u32>,
{
self.try_write(offset, value)
}
@@ -446,7 +466,7 @@ fn try_write32(self, value: u32, offset: usize) -> Result
fn try_write64(self, value: u64, offset: usize) -> Result
where
usize: IoLoc<Self::Target, u64, IoType = u64>,
- Self: IoCapable<u64>,
+ Self::Backend: IoCapable<u64>,
{
self.try_write(offset, value)
}
@@ -456,7 +476,7 @@ fn try_write64(self, value: u64, offset: usize) -> Result
fn read8(self, offset: usize) -> u8
where
usize: IoLoc<Self::Target, u8, IoType = u8>,
- Self: IoCapable<u8>,
+ Self::Backend: IoCapable<u8>,
{
self.read(offset)
}
@@ -466,7 +486,7 @@ fn read8(self, offset: usize) -> u8
fn read16(self, offset: usize) -> u16
where
usize: IoLoc<Self::Target, u16, IoType = u16>,
- Self: IoCapable<u16>,
+ Self::Backend: IoCapable<u16>,
{
self.read(offset)
}
@@ -476,7 +496,7 @@ fn read16(self, offset: usize) -> u16
fn read32(self, offset: usize) -> u32
where
usize: IoLoc<Self::Target, u32, IoType = u32>,
- Self: IoCapable<u32>,
+ Self::Backend: IoCapable<u32>,
{
self.read(offset)
}
@@ -486,7 +506,7 @@ fn read32(self, offset: usize) -> u32
fn read64(self, offset: usize) -> u64
where
usize: IoLoc<Self::Target, u64, IoType = u64>,
- Self: IoCapable<u64>,
+ Self::Backend: IoCapable<u64>,
{
self.read(offset)
}
@@ -496,7 +516,7 @@ fn read64(self, offset: usize) -> u64
fn write8(self, value: u8, offset: usize)
where
usize: IoLoc<Self::Target, u8, IoType = u8>,
- Self: IoCapable<u8>,
+ Self::Backend: IoCapable<u8>,
{
self.write(offset, value)
}
@@ -506,7 +526,7 @@ fn write8(self, value: u8, offset: usize)
fn write16(self, value: u16, offset: usize)
where
usize: IoLoc<Self::Target, u16, IoType = u16>,
- Self: IoCapable<u16>,
+ Self::Backend: IoCapable<u16>,
{
self.write(offset, value)
}
@@ -516,7 +536,7 @@ fn write16(self, value: u16, offset: usize)
fn write32(self, value: u32, offset: usize)
where
usize: IoLoc<Self::Target, u32, IoType = u32>,
- Self: IoCapable<u32>,
+ Self::Backend: IoCapable<u32>,
{
self.write(offset, value)
}
@@ -526,7 +546,7 @@ fn write32(self, value: u32, offset: usize)
fn write64(self, value: u64, offset: usize)
where
usize: IoLoc<Self::Target, u64, IoType = u64>,
- Self: IoCapable<u64>,
+ Self::Backend: IoCapable<u64>,
{
self.write(offset, value)
}
@@ -558,12 +578,10 @@ fn write64(self, value: u64, offset: usize)
fn try_read<T, L>(self, location: L) -> Result<T>
where
L: IoLoc<Self::Target, T>,
- Self: IoCapable<L::IoType>,
+ Self::Backend: IoCapable<L::IoType>,
{
- let address = self.io_addr::<L::IoType>(location.offset())?;
-
- // SAFETY: `address` has been validated by `io_addr`.
- Ok(unsafe { self.io_read(address) }.into())
+ let view = self.io_addr::<L::IoType>(location.offset())?;
+ Ok(Self::Backend::io_read(view).into())
}
/// Generic fallible write with runtime bounds check.
@@ -593,14 +611,11 @@ fn try_read<T, L>(self, location: L) -> Result<T>
fn try_write<T, L>(self, location: L, value: T) -> Result
where
L: IoLoc<Self::Target, T>,
- Self: IoCapable<L::IoType>,
+ Self::Backend: IoCapable<L::IoType>,
{
- let address = self.io_addr::<L::IoType>(location.offset())?;
+ let view = self.io_addr::<L::IoType>(location.offset())?;
let io_value = value.into();
-
- // SAFETY: `address` has been validated by `io_addr`.
- unsafe { self.io_write(io_value, address) }
-
+ Self::Backend::io_write(view, io_value);
Ok(())
}
@@ -641,7 +656,7 @@ fn try_write_reg<T, L, V>(self, value: V) -> Result
where
L: IoLoc<Self::Target, T>,
V: LocatedRegister<Self::Target, Location = L, Value = T>,
- Self: IoCapable<L::IoType>,
+ Self::Backend: IoCapable<L::IoType>,
{
let (location, value) = value.into_io_op();
@@ -674,17 +689,14 @@ fn try_write_reg<T, L, V>(self, value: V) -> Result
fn try_update<T, L, F>(self, location: L, f: F) -> Result
where
L: IoLoc<Self::Target, T>,
- Self: IoCapable<L::IoType>,
+ Self::Backend: IoCapable<L::IoType>,
F: FnOnce(T) -> T,
{
- let address = self.io_addr::<L::IoType>(location.offset())?;
+ let view = self.io_addr::<L::IoType>(location.offset())?;
- // SAFETY: `address` has been validated by `io_addr`.
- let value: T = unsafe { self.io_read(address) }.into();
+ let value: T = Self::Backend::io_read(view).into();
let io_value = f(value).into();
-
- // SAFETY: `address` has been validated by `io_addr`.
- unsafe { self.io_write(io_value, address) }
+ Self::Backend::io_write(view, io_value);
Ok(())
}
@@ -714,12 +726,10 @@ fn try_update<T, L, F>(self, location: L, f: F) -> Result
fn read<T, L>(self, location: L) -> T
where
L: IoLoc<Self::Target, T>,
- Self: IoCapable<L::IoType>,
+ Self::Backend: IoCapable<L::IoType>,
{
- let address = self.io_addr_assert::<L::IoType>(location.offset());
-
- // SAFETY: `address` has been validated by `io_addr_assert`.
- unsafe { self.io_read(address) }.into()
+ let view = self.io_addr_assert::<L::IoType>(location.offset());
+ Self::Backend::io_read(view).into()
}
/// Generic infallible write with compile-time bounds check.
@@ -747,13 +757,11 @@ fn read<T, L>(self, location: L) -> T
fn write<T, L>(self, location: L, value: T)
where
L: IoLoc<Self::Target, T>,
- Self: IoCapable<L::IoType>,
+ Self::Backend: IoCapable<L::IoType>,
{
- let address = self.io_addr_assert::<L::IoType>(location.offset());
+ let view = self.io_addr_assert::<L::IoType>(location.offset());
let io_value = value.into();
-
- // SAFETY: `address` has been validated by `io_addr_assert`.
- unsafe { self.io_write(io_value, address) }
+ Self::Backend::io_write(view, io_value);
}
/// Generic infallible write of a fully-located register value.
@@ -792,7 +800,7 @@ fn write_reg<T, L, V>(self, value: V)
where
L: IoLoc<Self::Target, T>,
V: LocatedRegister<Self::Target, Location = L, Value = T>,
- Self: IoCapable<L::IoType>,
+ Self::Backend: IoCapable<L::IoType>,
{
let (location, value) = value.into_io_op();
@@ -825,17 +833,13 @@ fn write_reg<T, L, V>(self, value: V)
fn update<T, L, F>(self, location: L, f: F)
where
L: IoLoc<Self::Target, T>,
- Self: IoCapable<L::IoType>,
+ Self::Backend: IoCapable<L::IoType>,
F: FnOnce(T) -> T,
{
- let address = self.io_addr_assert::<L::IoType>(location.offset());
-
- // SAFETY: `address` has been validated by `io_addr_assert`.
- let value: T = unsafe { self.io_read(address) }.into();
+ let view = self.io_addr_assert::<L::IoType>(location.offset());
+ let value: T = Self::Backend::io_read(view).into();
let io_value = f(value).into();
-
- // SAFETY: `address` has been validated by `io_addr_assert`.
- unsafe { self.io_write(io_value, address) }
+ Self::Backend::io_write(view, io_value);
}
}
@@ -879,78 +883,76 @@ unsafe impl<T: ?Sized + Sync> Send for Mmio<'_, T> {}
// SAFETY: `Mmio<'_, T>` is conceptually `&T` but in I/O memory.
unsafe impl<T: ?Sized + Sync> Sync for Mmio<'_, T> {}
-impl<T: ?Sized + KnownSize> Io for Mmio<'_, T> {
+impl<'a, T: ?Sized + KnownSize> Io<'a> for Mmio<'a, T> {
+ type Backend = MmioBackend;
type Target = T;
#[inline]
- fn addr(self) -> usize {
- self.ptr.addr()
+ fn as_view(self) -> Mmio<'a, T> {
+ self
}
+}
+
+/// I/O Backend for memory-mapped I/O.
+pub struct MmioBackend;
+
+impl IoBackend for MmioBackend {
+ type View<'a, T: ?Sized + KnownSize> = Mmio<'a, T>;
#[inline]
- fn maxsize(self) -> usize {
- KnownSize::size(self.ptr)
+ fn as_ptr<'a, T: ?Sized + KnownSize>(view: Self::View<'a, T>) -> *mut T {
+ view.ptr
+ }
+
+ #[inline]
+ unsafe fn project_view<'a, T: ?Sized + KnownSize, U: ?Sized + KnownSize>(
+ _view: Self::View<'a, T>,
+ ptr: *mut U,
+ ) -> Self::View<'a, U> {
+ // INVARIANT: Per safety requirement, `ptr` is projection from `view`, so it is also a valid
+ // memory-mapped I/O region.
+ Mmio {
+ ptr,
+ phantom: PhantomData,
+ }
}
}
-/// Implements [`IoCapable`] on `$mmio` for `$ty` using `$read_fn` and `$write_fn`.
+/// Implements [`IoCapable`] on `$backend` for `$ty` using `$read_fn` and `$write_fn`.
macro_rules! impl_mmio_io_capable {
- ($mmio:ident, $(#[$attr:meta])* $ty:ty, $read_fn:ident, $write_fn:ident) => {
- $(#[$attr])*
- impl<T: ?Sized> IoCapable<$ty> for $mmio<'_, T> {
+ ($backend: ident, $ty:ty, $read_fn:ident, $write_fn:ident) => {
+ impl IoCapable<$ty> for $backend {
#[inline]
- unsafe fn io_read(self, address: usize) -> $ty {
- // SAFETY: By the trait invariant `address` is a valid address for MMIO operations.
- unsafe { bindings::$read_fn(address as *const c_void) }
+ fn io_read(view: <$backend as IoBackend>::View<'_, $ty>) -> $ty {
+ // SAFETY: By the type invariant, `view.ptr` is a valid address for MMIO operations.
+ unsafe { bindings::$read_fn(view.ptr.cast_const().cast()) }
}
#[inline]
- unsafe fn io_write(self, value: $ty, address: usize) {
- // SAFETY: By the trait invariant `address` is a valid address for MMIO operations.
- unsafe { bindings::$write_fn(value, address as *mut c_void) }
+ fn io_write(view: <$backend as IoBackend>::View<'_, $ty>, value: $ty) {
+ // SAFETY: By the type invariant, `view.ptr` is a valid address for MMIO operations.
+ unsafe { bindings::$write_fn(value, view.ptr.cast()) }
}
}
};
}
// MMIO regions support 8, 16, and 32-bit accesses.
-impl_mmio_io_capable!(Mmio, u8, readb, writeb);
-impl_mmio_io_capable!(Mmio, u16, readw, writew);
-impl_mmio_io_capable!(Mmio, u32, readl, writel);
+impl_mmio_io_capable!(MmioBackend, u8, readb, writeb);
+impl_mmio_io_capable!(MmioBackend, u16, readw, writew);
+impl_mmio_io_capable!(MmioBackend, u32, readl, writel);
// MMIO regions on 64-bit systems also support 64-bit accesses.
#[cfg(CONFIG_64BIT)]
-impl_mmio_io_capable!(Mmio, u64, readq, writeq);
+impl_mmio_io_capable!(MmioBackend, u64, readq, writeq);
-impl<'a, const SIZE: usize> Io for &'a MmioOwned<SIZE> {
+impl<'a, const SIZE: usize> Io<'a> for &'a MmioOwned<SIZE> {
+ type Backend = MmioBackend;
type Target = Region<SIZE>;
- /// Returns the base address of this mapping.
#[inline]
- fn addr(self) -> usize {
- self.0.addr()
- }
-
- /// Returns the maximum size of this mapping.
- #[inline]
- fn maxsize(self) -> usize {
- self.0.size()
- }
-}
-
-impl<'a, const SIZE: usize, T> IoCapable<T> for &'a MmioOwned<SIZE>
-where
- Mmio<'a, Region<SIZE>>: IoCapable<T>,
-{
- #[inline]
- unsafe fn io_read(self, address: usize) -> T {
- // SAFETY: Per safety requirement.
- unsafe { self.as_view().io_read(address) }
- }
-
- #[inline]
- unsafe fn io_write(self, value: T, address: usize) {
- // SAFETY: Per safety requirement.
- unsafe { self.as_view().io_write(value, address) }
+ fn as_view(self) -> Mmio<'a, Self::Target> {
+ // SAFETY: `Mmio` has same invariant as `MmioOwned`
+ unsafe { Mmio::from_raw(self.0) }
}
}
@@ -966,13 +968,6 @@ pub unsafe fn from_raw(raw: &MmioRaw<Region<SIZE>>) -> &Self {
// SAFETY: `MmioOwned` is a transparent wrapper around `MmioRaw`.
unsafe { &*core::ptr::from_ref(raw).cast() }
}
-
- /// Return a view that covers the full region.
- #[inline]
- pub fn as_view(&self) -> Mmio<'_, Region<SIZE>> {
- // SAFETY: `Mmio` has same invariant as `MmioOwned`.
- unsafe { Mmio::from_raw(self.0) }
- }
}
/// [`Mmio`] but using relaxed accessors.
@@ -1004,17 +999,38 @@ unsafe impl<T: ?Sized + Sync> Send for RelaxedMmio<'_, T> {}
// SAFETY: `RelaxedMmio<'_, T>` is conceptually `&T` but in I/O memory.
unsafe impl<T: ?Sized + Sync> Sync for RelaxedMmio<'_, T> {}
-impl<T: ?Sized + KnownSize> Io for RelaxedMmio<'_, T> {
- type Target = T;
+/// I/O Backend for memory-mapped I/O, with relaxed access semantics.
+pub struct RelaxedMmioBackend;
+
+impl IoBackend for RelaxedMmioBackend {
+ type View<'a, T: ?Sized + KnownSize> = RelaxedMmio<'a, T>;
#[inline]
- fn addr(self) -> usize {
- self.ptr.addr()
+ fn as_ptr<'a, T: ?Sized + KnownSize>(view: Self::View<'a, T>) -> *mut T {
+ view.ptr
}
#[inline]
- fn maxsize(self) -> usize {
- KnownSize::size(self.ptr)
+ unsafe fn project_view<'a, T: ?Sized + KnownSize, U: ?Sized + KnownSize>(
+ _view: Self::View<'a, T>,
+ ptr: *mut U,
+ ) -> Self::View<'a, U> {
+ // INVARIANT: Per safety requirement, `ptr` is projection from `view`, so it is also a valid
+ // memory-mapped I/O region.
+ RelaxedMmio {
+ ptr,
+ phantom: PhantomData,
+ }
+ }
+}
+
+impl<'a, T: ?Sized + KnownSize> Io<'a> for RelaxedMmio<'a, T> {
+ type Backend = RelaxedMmioBackend;
+ type Target = T;
+
+ #[inline]
+ fn as_view(self) -> RelaxedMmio<'a, T> {
+ self
}
}
@@ -1051,14 +1067,9 @@ pub fn relaxed(self) -> RelaxedMmio<'a, T> {
}
// MMIO regions support 8, 16, and 32-bit accesses.
-impl_mmio_io_capable!(RelaxedMmio, u8, readb_relaxed, writeb_relaxed);
-impl_mmio_io_capable!(RelaxedMmio, u16, readw_relaxed, writew_relaxed);
-impl_mmio_io_capable!(RelaxedMmio, u32, readl_relaxed, writel_relaxed);
+impl_mmio_io_capable!(RelaxedMmioBackend, u8, readb_relaxed, writeb_relaxed);
+impl_mmio_io_capable!(RelaxedMmioBackend, u16, readw_relaxed, writew_relaxed);
+impl_mmio_io_capable!(RelaxedMmioBackend, u32, readl_relaxed, writel_relaxed);
// MMIO regions on 64-bit systems also support 64-bit accesses.
-impl_mmio_io_capable!(
- RelaxedMmio,
- #[cfg(CONFIG_64BIT)]
- u64,
- readq_relaxed,
- writeq_relaxed
-);
+#[cfg(CONFIG_64BIT)]
+impl_mmio_io_capable!(RelaxedMmioBackend, u64, readq_relaxed, writeq_relaxed);
diff --git a/rust/kernel/pci/io.rs b/rust/kernel/pci/io.rs
index 89f4bb483a7f..e67c1e3694fb 100644
--- a/rust/kernel/pci/io.rs
+++ b/rust/kernel/pci/io.rs
@@ -9,6 +9,7 @@
devres::Devres,
io::{
Io,
+ IoBackend,
IoCapable,
MmioOwned,
MmioRaw,
@@ -84,32 +85,57 @@ unsafe impl<T: ?Sized + Sync> Send for ConfigSpace<'_, T> {}
// SAFETY: `ConfigSpace<'_, T>` is conceptually `&T` but in I/O memory.
unsafe impl<T: ?Sized + Sync> Sync for ConfigSpace<'_, T> {}
+/// I/O Backend for PCI configuration space.
+pub struct ConfigSpaceBackend;
+
+impl IoBackend for ConfigSpaceBackend {
+ type View<'a, T: ?Sized + KnownSize> = ConfigSpace<'a, T>;
+
+ #[inline]
+ fn as_ptr<'a, T: ?Sized + KnownSize>(view: ConfigSpace<'a, T>) -> *mut T {
+ view.ptr
+ }
+
+ #[inline]
+ unsafe fn project_view<'a, T: ?Sized + KnownSize, U: ?Sized + KnownSize>(
+ view: Self::View<'a, T>,
+ ptr: *mut U,
+ ) -> Self::View<'a, U> {
+ // INVARIANT: Per safety requirement.
+ ConfigSpace {
+ pdev: view.pdev,
+ ptr,
+ }
+ }
+}
+
/// Implements [`IoCapable`] on [`ConfigSpace`] for `$ty` using `$read_fn` and `$write_fn`.
macro_rules! impl_config_space_io_capable {
($ty:ty, $read_fn:ident, $write_fn:ident) => {
- impl<'a, T: ?Sized> IoCapable<$ty> for ConfigSpace<'a, T> {
- unsafe fn io_read(self, address: usize) -> $ty {
+ impl IoCapable<$ty> for ConfigSpaceBackend {
+ fn io_read(view: ConfigSpace<'_, $ty>) -> $ty {
+ // CAST: The offset is cast to `i32` because the C functions expect a 32-bit
+ // signed offset parameter. PCI configuration space size is at most 4096 bytes,
+ // so the value always fits within `i32` without truncation or sign change.
+ let addr = view.ptr.addr() as i32;
+
let mut val: $ty = 0;
// Return value from C function is ignored in infallible accessors.
- let _ret =
- // SAFETY: By the type invariant `self.pdev` is a valid address.
- // CAST: The offset is cast to `i32` because the C functions expect a 32-bit
- // signed offset parameter. PCI configuration space size is at most 4096 bytes,
- // so the value always fits within `i32` without truncation or sign change.
- unsafe { bindings::$read_fn(self.pdev.as_raw(), address as i32, &mut val) };
-
+ // SAFETY: By the type invariant `pdev` is a valid address.
+ let _ = unsafe { bindings::$read_fn(view.pdev.as_raw(), addr, &mut val) };
val
}
- unsafe fn io_write(self, value: $ty, address: usize) {
+ fn io_write(view: ConfigSpace<'_, $ty>, value: $ty) {
+ // CAST: The offset is cast to `i32` because the C functions expect a 32-bit
+ // signed offset parameter. PCI configuration space size is at most 4096 bytes,
+ // so the value always fits within `i32` without truncation or sign change.
+ let addr = view.ptr.addr() as i32;
+
// Return value from C function is ignored in infallible accessors.
- let _ret =
- // SAFETY: By the type invariant `self.pdev` is a valid address.
- // CAST: The offset is cast to `i32` because the C functions expect a 32-bit
- // signed offset parameter. PCI configuration space size is at most 4096 bytes,
- // so the value always fits within `i32` without truncation or sign change.
- unsafe { bindings::$write_fn(self.pdev.as_raw(), address as i32, value) };
+ // SAFETY: By the type invariant `pdev` is a valid address.
+ let _ = unsafe { bindings::$write_fn(view.pdev.as_raw(), addr, value) };
}
}
};
@@ -120,17 +146,13 @@ unsafe fn io_write(self, value: $ty, address: usize) {
impl_config_space_io_capable!(u16, pci_read_config_word, pci_write_config_word);
impl_config_space_io_capable!(u32, pci_read_config_dword, pci_write_config_dword);
-impl<'a, T: ?Sized + KnownSize> Io for ConfigSpace<'a, T> {
+impl<'a, T: ?Sized + KnownSize> Io<'a> for ConfigSpace<'a, T> {
+ type Backend = ConfigSpaceBackend;
type Target = T;
#[inline]
- fn addr(self) -> usize {
- self.ptr.addr()
- }
-
- #[inline]
- fn maxsize(self) -> usize {
- KnownSize::size(self.ptr)
+ fn as_view(self) -> ConfigSpace<'a, T> {
+ self
}
}
--
2.54.0
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [PATCH v4 10/20] rust: io: remove `MmioOwned`
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
` (8 preceding siblings ...)
2026-06-11 16:28 ` [PATCH v4 09/20] rust: io: use view types instead of addresses for `Io` Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
2026-06-11 16:28 ` [PATCH v4 11/20] rust: io: move `Io` methods to extension trait Gary Guo
` (9 subsequent siblings)
19 siblings, 0 replies; 36+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
`Io` trait is now very easy to implement. Thus, implement it on `Bar` and
`IoMem` directly and remove the `MmioOwned` struct.
Signed-off-by: Gary Guo <gary@garyguo.net>
---
rust/kernel/devres.rs | 12 +++---
rust/kernel/io.rs | 103 +-------------------------------------------------
rust/kernel/io/mem.rs | 26 +++++++------
rust/kernel/pci/io.rs | 16 ++++----
4 files changed, 32 insertions(+), 125 deletions(-)
diff --git a/rust/kernel/devres.rs b/rust/kernel/devres.rs
index aed0c994fd30..3545ffc5345d 100644
--- a/rust/kernel/devres.rs
+++ b/rust/kernel/devres.rs
@@ -68,8 +68,9 @@ struct Inner<T> {
/// devres::Devres,
/// io::{
/// Io,
-/// MmioOwned,
+/// Mmio,
/// MmioRaw,
+/// MmioBackend,
/// PhysAddr,
/// Region, //
/// },
@@ -104,12 +105,13 @@ struct Inner<T> {
/// }
/// }
///
-/// impl<const SIZE: usize> Deref for IoMem<SIZE> {
-/// type Target = MmioOwned<SIZE>;
+/// impl<'a, const SIZE: usize> Io<'a> for &'a IoMem<SIZE> {
+/// type Backend = MmioBackend;
+/// type Target = Region<SIZE>;
///
-/// fn deref(&self) -> &Self::Target {
+/// fn as_view(self) -> Mmio<'a, Region<SIZE>> {
/// // SAFETY: The memory range stored in `self` has been properly mapped in `Self::new`.
-/// unsafe { MmioOwned::from_raw(&self.0) }
+/// unsafe { Mmio::from_raw(self.0) }
/// }
/// }
/// # fn no_run(dev: &Device<Bound>) -> Result<(), Error> {
diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
index e422a5ff2a5e..132454a38d64 100644
--- a/rust/kernel/io.rs
+++ b/rust/kernel/io.rs
@@ -99,8 +99,8 @@ fn size(p: *const Self) -> usize {
/// the represented MMIO region does exist or is properly mapped.
///
/// Instead, the bus specific MMIO implementation must convert this raw representation into an
-/// `MmioOwned` instance providing the actual memory accessors. Only by the conversion into an
-/// `MmioOwned` structure any guarantees are given.
+/// `Mmio` instance providing the actual memory accessors. Only by the conversion into an `Mmio`
+/// structure any guarantees are given.
pub struct MmioRaw<T: ?Sized> {
/// Pointer is in I/O address space.
///
@@ -157,80 +157,6 @@ pub fn size(&self) -> usize {
}
}
-/// IO-mapped memory region.
-///
-/// The creator (usually a subsystem / bus such as PCI) is responsible for creating the
-/// mapping, performing an additional region request etc.
-///
-/// # Invariant
-///
-/// `addr` is the start and `maxsize` the length of valid I/O mapped memory region of size
-/// `maxsize`.
-///
-/// # Examples
-///
-/// ```no_run
-/// use kernel::{
-/// bindings,
-/// ffi::c_void,
-/// io::{
-/// Io,
-/// MmioOwned,
-/// MmioRaw,
-/// PhysAddr,
-/// Region,
-/// },
-/// };
-/// use core::ops::Deref;
-///
-/// // See also `pci::Bar` for a real example.
-/// struct IoMem<const SIZE: usize>(MmioRaw<Region<SIZE>>);
-///
-/// impl<const SIZE: usize> IoMem<SIZE> {
-/// /// # Safety
-/// ///
-/// /// [`paddr`, `paddr` + `SIZE`) must be a valid MMIO region that is mappable into the CPUs
-/// /// virtual address space.
-/// unsafe fn new(paddr: usize) -> Result<Self>{
-/// // SAFETY: By the safety requirements of this function [`paddr`, `paddr` + `SIZE`) is
-/// // valid for `ioremap`.
-/// let addr = unsafe { bindings::ioremap(paddr as PhysAddr, SIZE) };
-/// if addr.is_null() {
-/// return Err(ENOMEM);
-/// }
-///
-/// Ok(IoMem(MmioRaw::new_region(addr as usize, SIZE)?))
-/// }
-/// }
-///
-/// impl<const SIZE: usize> Drop for IoMem<SIZE> {
-/// fn drop(&mut self) {
-/// // SAFETY: `self.0.addr()` is guaranteed to be properly mapped by `Self::new`.
-/// unsafe { bindings::iounmap(self.0.addr() as *mut c_void); };
-/// }
-/// }
-///
-/// impl<const SIZE: usize> Deref for IoMem<SIZE> {
-/// type Target = MmioOwned<SIZE>;
-///
-/// fn deref(&self) -> &Self::Target {
-/// // SAFETY: The memory range stored in `self` has been properly mapped in `Self::new`.
-/// unsafe { MmioOwned::from_raw(&self.0) }
-/// }
-/// }
-///
-///# fn no_run() -> Result<(), Error> {
-/// // SAFETY: Invalid usage for example purposes.
-/// let iomem = unsafe { IoMem::<{ core::mem::size_of::<u32>() }>::new(0xBAAAAAAD)? };
-/// iomem.write32(0x42, 0x0);
-/// assert!(iomem.try_write32(0x42, 0x0).is_ok());
-/// assert!(iomem.try_write32(0x42, 0x4).is_err());
-/// # Ok(())
-/// # }
-/// ```
-#[repr(transparent)]
-pub struct MmioOwned<const SIZE: usize = 0>(MmioRaw<Region<SIZE>>);
-
/// Checks whether an access of type `U` at the given `base` and the given `offset`
/// is valid within this region.
///
@@ -945,31 +871,6 @@ fn io_write(view: <$backend as IoBackend>::View<'_, $ty>, value: $ty) {
#[cfg(CONFIG_64BIT)]
impl_mmio_io_capable!(MmioBackend, u64, readq, writeq);
-impl<'a, const SIZE: usize> Io<'a> for &'a MmioOwned<SIZE> {
- type Backend = MmioBackend;
- type Target = Region<SIZE>;
-
- #[inline]
- fn as_view(self) -> Mmio<'a, Self::Target> {
- // SAFETY: `Mmio` has same invariant as `MmioOwned`
- unsafe { Mmio::from_raw(self.0) }
- }
-}
-
-impl<const SIZE: usize> MmioOwned<SIZE> {
- /// Converts an `MmioRaw` into an `MmioOwned` instance, providing the accessors to the MMIO
- /// mapping.
- ///
- /// # Safety
- ///
- /// Callers must ensure that `addr` is the start of a valid I/O mapped memory region of size
- /// `maxsize`.
- pub unsafe fn from_raw(raw: &MmioRaw<Region<SIZE>>) -> &Self {
- // SAFETY: `MmioOwned` is a transparent wrapper around `MmioRaw`.
- unsafe { &*core::ptr::from_ref(raw).cast() }
- }
-}
-
/// [`Mmio`] but using relaxed accessors.
///
/// This type provides an implementation of [`Io`] that uses relaxed I/O MMIO operands instead of
diff --git a/rust/kernel/io/mem.rs b/rust/kernel/io/mem.rs
index 8f6c257c5b8e..d9b3189d09b4 100644
--- a/rust/kernel/io/mem.rs
+++ b/rust/kernel/io/mem.rs
@@ -2,8 +2,6 @@
//! Generic memory-mapped IO.
-use core::ops::Deref;
-
use crate::{
device::{
Bound,
@@ -16,7 +14,9 @@
Region,
Resource, //
},
- MmioOwned,
+ Io,
+ Mmio,
+ MmioBackend,
MmioRaw, //
},
prelude::*,
@@ -210,11 +210,13 @@ pub fn into_devres(self) -> Result<Devres<ExclusiveIoMem<'static, SIZE>>> {
}
}
-impl<const SIZE: usize> Deref for ExclusiveIoMem<'_, SIZE> {
- type Target = MmioOwned<SIZE>;
+impl<'a, const SIZE: usize> Io<'a> for &'a ExclusiveIoMem<'_, SIZE> {
+ type Backend = MmioBackend;
+ type Target = super::Region<SIZE>;
- fn deref(&self) -> &Self::Target {
- &self.iomem
+ #[inline]
+ fn as_view(self) -> Mmio<'a, Self::Target> {
+ self.iomem.as_view()
}
}
@@ -290,11 +292,13 @@ fn drop(&mut self) {
}
}
-impl<const SIZE: usize> Deref for IoMem<'_, SIZE> {
- type Target = MmioOwned<SIZE>;
+impl<'a, const SIZE: usize> Io<'a> for &'a IoMem<'_, SIZE> {
+ type Backend = MmioBackend;
+ type Target = super::Region<SIZE>;
- fn deref(&self) -> &Self::Target {
+ #[inline]
+ fn as_view(self) -> Mmio<'a, Self::Target> {
// SAFETY: Safe as by the invariant of `IoMem`.
- unsafe { MmioOwned::from_raw(&self.io) }
+ unsafe { Mmio::from_raw(self.io) }
}
}
diff --git a/rust/kernel/pci/io.rs b/rust/kernel/pci/io.rs
index e67c1e3694fb..4be33ecb4192 100644
--- a/rust/kernel/pci/io.rs
+++ b/rust/kernel/pci/io.rs
@@ -11,16 +11,14 @@
Io,
IoBackend,
IoCapable,
- MmioOwned,
+ Mmio,
+ MmioBackend,
MmioRaw,
Region, //
},
prelude::*,
ptr::KnownSize, //
};
-use core::{
- ops::Deref, //
-};
/// Represents the size of a PCI configuration space.
///
@@ -269,12 +267,14 @@ fn drop(&mut self) {
}
}
-impl<const SIZE: usize> Deref for Bar<'_, SIZE> {
- type Target = MmioOwned<SIZE>;
+impl<'a, const SIZE: usize> Io<'a> for &'a Bar<'_, SIZE> {
+ type Backend = MmioBackend;
+ type Target = crate::io::Region<SIZE>;
- fn deref(&self) -> &Self::Target {
+ #[inline]
+ fn as_view(self) -> Mmio<'a, Self::Target> {
// SAFETY: By the type invariant of `Self`, the MMIO range in `self.io` is properly mapped.
- unsafe { MmioOwned::from_raw(&self.io) }
+ unsafe { Mmio::from_raw(self.io) }
}
}
--
2.54.0
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [PATCH v4 11/20] rust: io: move `Io` methods to extension trait
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
` (9 preceding siblings ...)
2026-06-11 16:28 ` [PATCH v4 10/20] rust: io: remove `MmioOwned` Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
2026-06-11 16:28 ` [PATCH v4 12/20] rust: prelude: add `zerocopy{,_derive}::IntoBytes` Gary Guo
` (8 subsequent siblings)
19 siblings, 0 replies; 36+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
`Io` trait now has a single required methods with many more provided
methods. Provided methods may want to rely on their implementations to not
be arbitrarily overridden by implementers for correctness or soundness.
Thus, extract these methods to a new trait and provide a blanket
implementation. This pattern is used extensively in userspace Rust
libraries e.g. `tokio` where `AsyncRead` has minimum methods and
`AsyncReadExt` is what users mostly interact with.
To avoid changing all user imports, the base trait is renamed to `IoBase`
and the newly added trait takes the existing `Io` name.
A `size` method is added as an example of methods that users should not
override.
Suggested-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Gary Guo <gary@garyguo.net>
---
rust/kernel/devres.rs | 3 ++-
rust/kernel/io.rs | 34 ++++++++++++++++++++++++----------
rust/kernel/io/mem.rs | 6 +++---
rust/kernel/pci/io.rs | 6 +++---
4 files changed, 32 insertions(+), 17 deletions(-)
diff --git a/rust/kernel/devres.rs b/rust/kernel/devres.rs
index 3545ffc5345d..6e0b845b229b 100644
--- a/rust/kernel/devres.rs
+++ b/rust/kernel/devres.rs
@@ -68,6 +68,7 @@ struct Inner<T> {
/// devres::Devres,
/// io::{
/// Io,
+/// IoBase,
/// Mmio,
/// MmioRaw,
/// MmioBackend,
@@ -105,7 +106,7 @@ struct Inner<T> {
/// }
/// }
///
-/// impl<'a, const SIZE: usize> Io<'a> for &'a IoMem<SIZE> {
+/// impl<'a, const SIZE: usize> IoBase<'a> for &'a IoMem<SIZE> {
/// type Backend = MmioBackend;
/// type Target = Region<SIZE>;
///
diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
index 132454a38d64..470ee2ed9849 100644
--- a/rust/kernel/io.rs
+++ b/rust/kernel/io.rs
@@ -184,7 +184,7 @@ const fn offset_valid<U>(base: usize, offset: usize, size: usize) -> bool {
/// operation.
pub trait IoBackend {
/// View type for this I/O backend.
- type View<'a, T: ?Sized + KnownSize>: Io<'a, Backend = Self, Target = T>;
+ type View<'a, T: ?Sized + KnownSize>: IoBase<'a, Backend = Self, Target = T>;
/// Convert a `view` to a raw pointer for projection.
fn as_ptr<'a, T: ?Sized + KnownSize>(view: Self::View<'a, T>) -> *mut T;
@@ -267,13 +267,10 @@ fn offset(self) -> usize {
/// Types implementing this trait (e.g. MMIO BARs or PCI config regions)
/// can perform I/O operations on regions of memory.
///
-/// The [`Io`] trait provides:
-/// - Method to convert into [`IoBackend::View`].
-/// - Helper methods for offset validation and address calculation
-/// - Fallible (runtime checked) accessors for different data widths
-///
-/// Which I/O methods are available depends on the associated [`IoBackend`] implementation.
-pub trait Io<'a>: Copy {
+/// This trait defines which backend shall be used for I/O operations and provides a method to
+/// convert into [`IoBackend::View`]. Users should use the [`Io`] trait which provides the actual
+/// methods to perform I/O operations.
+pub trait IoBase<'a>: Copy {
/// Type that defines all I/O operations.
type Backend: IoBackend;
@@ -282,6 +279,21 @@ pub trait Io<'a>: Copy {
/// Return a view that covers the full region.
fn as_view(self) -> <Self::Backend as IoBackend>::View<'a, Self::Target>;
+}
+
+/// Extension trait to provide I/O operation methods to types that implement [`IoBase`].
+///
+/// This trait provides:
+/// - Helper methods for offset validation and address calculation
+/// - Fallible (runtime checked) accessors for different data widths
+///
+/// Which I/O methods are available depends on the associated [`IoBackend`] implementation.
+pub trait Io<'a>: IoBase<'a> {
+ /// Returns the size of this I/O region.
+ #[inline]
+ fn size(self) -> usize {
+ KnownSize::size(Self::Backend::as_ptr(self.as_view()))
+ }
/// Returns a view for a given `offset`, performing compile-time bound checks.
// Always inline to optimize out error path of `build_assert`.
@@ -769,6 +781,8 @@ fn update<T, L, F>(self, location: L, f: F)
}
}
+impl<'a, T: IoBase<'a>> Io<'a> for T {}
+
/// A view of memory-mapped I/O region.
///
/// # Invariant
@@ -809,7 +823,7 @@ unsafe impl<T: ?Sized + Sync> Send for Mmio<'_, T> {}
// SAFETY: `Mmio<'_, T>` is conceptually `&T` but in I/O memory.
unsafe impl<T: ?Sized + Sync> Sync for Mmio<'_, T> {}
-impl<'a, T: ?Sized + KnownSize> Io<'a> for Mmio<'a, T> {
+impl<'a, T: ?Sized + KnownSize> IoBase<'a> for Mmio<'a, T> {
type Backend = MmioBackend;
type Target = T;
@@ -925,7 +939,7 @@ unsafe fn project_view<'a, T: ?Sized + KnownSize, U: ?Sized + KnownSize>(
}
}
-impl<'a, T: ?Sized + KnownSize> Io<'a> for RelaxedMmio<'a, T> {
+impl<'a, T: ?Sized + KnownSize> IoBase<'a> for RelaxedMmio<'a, T> {
type Backend = RelaxedMmioBackend;
type Target = T;
diff --git a/rust/kernel/io/mem.rs b/rust/kernel/io/mem.rs
index d9b3189d09b4..e95b769ebe47 100644
--- a/rust/kernel/io/mem.rs
+++ b/rust/kernel/io/mem.rs
@@ -14,7 +14,7 @@
Region,
Resource, //
},
- Io,
+ IoBase,
Mmio,
MmioBackend,
MmioRaw, //
@@ -210,7 +210,7 @@ pub fn into_devres(self) -> Result<Devres<ExclusiveIoMem<'static, SIZE>>> {
}
}
-impl<'a, const SIZE: usize> Io<'a> for &'a ExclusiveIoMem<'_, SIZE> {
+impl<'a, const SIZE: usize> IoBase<'a> for &'a ExclusiveIoMem<'_, SIZE> {
type Backend = MmioBackend;
type Target = super::Region<SIZE>;
@@ -292,7 +292,7 @@ fn drop(&mut self) {
}
}
-impl<'a, const SIZE: usize> Io<'a> for &'a IoMem<'_, SIZE> {
+impl<'a, const SIZE: usize> IoBase<'a> for &'a IoMem<'_, SIZE> {
type Backend = MmioBackend;
type Target = super::Region<SIZE>;
diff --git a/rust/kernel/pci/io.rs b/rust/kernel/pci/io.rs
index 4be33ecb4192..4d1d0afdc491 100644
--- a/rust/kernel/pci/io.rs
+++ b/rust/kernel/pci/io.rs
@@ -8,8 +8,8 @@
device,
devres::Devres,
io::{
- Io,
IoBackend,
+ IoBase,
IoCapable,
Mmio,
MmioBackend,
@@ -144,7 +144,7 @@ fn io_write(view: ConfigSpace<'_, $ty>, value: $ty) {
impl_config_space_io_capable!(u16, pci_read_config_word, pci_write_config_word);
impl_config_space_io_capable!(u32, pci_read_config_dword, pci_write_config_dword);
-impl<'a, T: ?Sized + KnownSize> Io<'a> for ConfigSpace<'a, T> {
+impl<'a, T: ?Sized + KnownSize> IoBase<'a> for ConfigSpace<'a, T> {
type Backend = ConfigSpaceBackend;
type Target = T;
@@ -267,7 +267,7 @@ fn drop(&mut self) {
}
}
-impl<'a, const SIZE: usize> Io<'a> for &'a Bar<'_, SIZE> {
+impl<'a, const SIZE: usize> IoBase<'a> for &'a Bar<'_, SIZE> {
type Backend = MmioBackend;
type Target = crate::io::Region<SIZE>;
--
2.54.0
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [PATCH v4 12/20] rust: prelude: add `zerocopy{,_derive}::IntoBytes`
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
` (10 preceding siblings ...)
2026-06-11 16:28 ` [PATCH v4 11/20] rust: io: move `Io` methods to extension trait Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
2026-06-11 16:28 ` [PATCH v4 13/20] rust: io: add projection macro and methods Gary Guo
` (7 subsequent siblings)
19 siblings, 0 replies; 36+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
In order to easily use `IntoBytes`, add it to the prelude.
This adds both the trait (`zerocopy::IntoBytes`) as well as the derive
macro (`zerocopy_derive::IntoBytes`).
Signed-off-by: Gary Guo <gary@garyguo.net>
---
This is wanted because I want to convert the upcoming I/O projection series
to use `zerocopy` traits rather than keep using transmute module.
It is most helpful for derives in doc tests; I do not want to explicitly use
`#[derive(zerocopy_derive::IntoBytes)]` in the doc tests.
---
rust/kernel/prelude.rs | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/rust/kernel/prelude.rs b/rust/kernel/prelude.rs
index 8a6da92e8da6..ca396f1f78a6 100644
--- a/rust/kernel/prelude.rs
+++ b/rust/kernel/prelude.rs
@@ -61,10 +61,16 @@
};
#[doc(no_inline)]
-pub use zerocopy::FromBytes;
+pub use zerocopy::{
+ FromBytes,
+ IntoBytes, //
+};
#[doc(no_inline)]
-pub use zerocopy_derive::FromBytes;
+pub use zerocopy_derive::{
+ FromBytes,
+ IntoBytes, //
+};
#[doc(no_inline)]
pub use super::{
--
2.54.0
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [PATCH v4 13/20] rust: io: add projection macro and methods
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
` (11 preceding siblings ...)
2026-06-11 16:28 ` [PATCH v4 12/20] rust: prelude: add `zerocopy{,_derive}::IntoBytes` Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
2026-06-11 16:28 ` [PATCH v4 14/20] rust: io: add I/O backend for system memory with volatile access Gary Guo
` (6 subsequent siblings)
19 siblings, 0 replies; 36+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
Add an `io_project!()` macro allows projection from `Io` to a subview of
it, using the pointer projection mechanism to perform compile-time checks.
For cases where type-casting is required, the `try_cast()` function may be
used where the size and alignment checks are performed at runtime.
Signed-off-by: Gary Guo <gary@garyguo.net>
---
rust/kernel/io.rs | 130 ++++++++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 126 insertions(+), 4 deletions(-)
diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
index 470ee2ed9849..c7a9952af995 100644
--- a/rust/kernel/io.rs
+++ b/rust/kernel/io.rs
@@ -14,7 +14,7 @@
ptr::{
Alignment,
KnownSize, //
- }, //
+ },
};
pub mod mem;
@@ -44,12 +44,12 @@
/// This type can be used when an I/O region without known type information has a compile-time known
/// minimum size (and a runtime known actual size).
///
-/// This must be 4-byte aligned.
-///
/// # Invariants
///
-/// Size of the region is at least as large as the `SIZE` generic parameter.
+/// - Size of the region is at least as large as the `SIZE` generic parameter.
+/// - Size of the region is multiple of 4.
#[repr(C, align(4))]
+#[derive(FromBytes)]
pub struct Region<const SIZE: usize = 0> {
inner: [u8],
}
@@ -91,6 +91,15 @@ fn size(p: *const Self) -> usize {
}
}
+// SAFETY: Values read from I/O are always treated as initialized.
+//
+// This cannot be derived as `derive(IntoBytes)` does not know that this type is padding free (given
+// `repr(align(4))`).
+unsafe impl<const SIZE: usize> IntoBytes for Region<SIZE> {
+ #[inline]
+ fn only_derive_is_allowed_to_implement_this_trait() {}
+}
+
/// Raw representation of an MMIO region.
///
/// `MmioRaw<T>` is equivalent to `T __iomem *` in C.
@@ -295,6 +304,49 @@ fn size(self) -> usize {
KnownSize::size(Self::Backend::as_ptr(self.as_view()))
}
+ /// Try to convert into a different typed I/O view.
+ ///
+ /// The target type must be of same or smaller size to current type, and the current view must
+ /// be properly aligned for the target type.
+ ///
+ /// # Examples
+ ///
+ /// ```no_run
+ /// use kernel::io::{
+ /// io_project,
+ /// Mmio,
+ /// Io,
+ /// Region,
+ /// };
+ /// #[derive(FromBytes, IntoBytes)]
+ /// struct MyStruct { field: u32, }
+ ///
+ /// # fn test(mmio: &Mmio<'_, Region>) -> Result {
+ /// // let mmio: Mmio<'_, Region>;
+ /// let whole: Mmio<'_, MyStruct> = mmio.try_cast()?;
+ /// # Ok::<(), Error>(()) }
+ /// ```
+ #[inline]
+ fn try_cast<U>(self) -> Result<<Self::Backend as IoBackend>::View<'a, U>>
+ where
+ Self::Target: FromBytes + IntoBytes,
+ U: FromBytes + IntoBytes,
+ {
+ let view = self.as_view();
+ let ptr = Self::Backend::as_ptr(view);
+
+ if size_of::<U>() > KnownSize::size(ptr) {
+ return Err(EINVAL);
+ }
+
+ if ptr.addr() % align_of::<U>() != 0 {
+ return Err(EINVAL);
+ }
+
+ // SAFETY: We have checked bounds and alignment, so this is a valid projection.
+ Ok(unsafe { Self::Backend::project_view(view, ptr.cast()) })
+ }
+
/// Returns a view for a given `offset`, performing compile-time bound checks.
// Always inline to optimize out error path of `build_assert`.
#[inline(always)]
@@ -988,3 +1040,73 @@ pub fn relaxed(self) -> RelaxedMmio<'a, T> {
// MMIO regions on 64-bit systems also support 64-bit accesses.
#[cfg(CONFIG_64BIT)]
impl_mmio_io_capable!(RelaxedMmioBackend, u64, readq_relaxed, writeq_relaxed);
+
+// This helper turns associated functions to methods so it can be invoked in macro.
+// Used by `io_project!()` only.
+#[doc(hidden)]
+#[derive(Clone, Copy)]
+pub struct ProjectHelper<T>(pub T);
+
+impl<'a, T> ProjectHelper<T>
+where
+ T: Io<'a, Backend: IoBackend<View<'a, T::Target> = T>>,
+{
+ // These helper methods must not have symbols present in binary to avoid confusion.
+ #[inline(always)]
+ pub fn as_ptr(self) -> *mut T::Target {
+ T::Backend::as_ptr(self.0)
+ }
+
+ /// # Safety
+ ///
+ /// Same as `IoBackend::project_view`
+ #[inline(always)]
+ pub unsafe fn project_view<U: ?Sized + KnownSize>(
+ self,
+ ptr: *mut U,
+ ) -> <T::Backend as IoBackend>::View<'a, U> {
+ // SAFETY: Per safety requirement.
+ unsafe { T::Backend::project_view::<T::Target, _>(self.0, ptr) }
+ }
+}
+
+/// Project an I/O type to a subview of it.
+///
+/// The syntax is of form `io_project!(io, proj)` where `io` is an expression to a type that
+/// implements [`Io`] and `proj` is a [projection specification](kernel::ptr::project!).
+///
+/// In addition to projecting from [`Io`], you may also project from a [`View`] of an [`Io`].
+///
+/// # Examples
+///
+/// ```
+/// use kernel::io::{
+/// io_project,
+/// Mmio,
+/// };
+/// struct MyStruct { field: u32, }
+///
+/// # fn test(mmio: Mmio<'_, [MyStruct]>) -> Result {
+/// // let mmio: Mmio<[MyStruct]>;
+/// let field: Mmio<'_, u32> = io_project!(mmio, [try: 1].field);
+/// let whole: Mmio<'_, MyStruct> = io_project!(mmio, [try: 2]);
+/// let nested: Mmio<'_, u32> = io_project!(whole, .field);
+/// # Ok::<(), Error>(()) }
+/// ```
+#[macro_export]
+#[doc(hidden)]
+macro_rules! io_project {
+ ($io:expr, $($proj:tt)*) => {{
+ #[allow(unused)]
+ use $crate::io::IoBase as _;
+ let view = $crate::io::ProjectHelper($io.as_view());
+ let ptr = $crate::ptr::project!(
+ mut view.as_ptr(), $($proj)*
+ );
+ #[allow(unused_unsafe)]
+ // SAFETY: `ptr` is a projection.
+ unsafe { view.project_view(ptr) }
+ }};
+}
+#[doc(inline)]
+pub use crate::io_project;
--
2.54.0
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [PATCH v4 14/20] rust: io: add I/O backend for system memory with volatile access
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
` (12 preceding siblings ...)
2026-06-11 16:28 ` [PATCH v4 13/20] rust: io: add projection macro and methods Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
2026-06-11 16:28 ` [PATCH v4 15/20] rust: io: implement a view type for `Coherent` Gary Guo
` (5 subsequent siblings)
19 siblings, 0 replies; 36+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel, Laura Nao
From: Laura Nao <laura.nao@collabora.com>
Add `SysMem`, an `Io` trait implementation for kernel virtual address
ranges. It uses volatile accessors to provide safe access to shared
memory that may be concurrently accessed by external hardware. Implement
`IoCapable` for `u8`, `u16`, `u32`, and `u64` (for 64-bit system).
This can be used for instead of `Coherent` for cases where a different
layer takes care of mapping the system memory to the device (e.g. dma-buf
or GPUVM).
Signed-off-by: Laura Nao <laura.nao@collabora.com>
[ Rebased and adapted on top of I/O rework. - Gary ]
Co-developed-by: Gary Guo <gary@garyguo.net>
Signed-off-by: Gary Guo <gary@garyguo.net>
---
rust/kernel/io.rs | 122 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 122 insertions(+)
diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
index c7a9952af995..a418c8cbb031 100644
--- a/rust/kernel/io.rs
+++ b/rust/kernel/io.rs
@@ -1041,6 +1041,128 @@ pub fn relaxed(self) -> RelaxedMmio<'a, T> {
#[cfg(CONFIG_64BIT)]
impl_mmio_io_capable!(RelaxedMmioBackend, u64, readq_relaxed, writeq_relaxed);
+/// I/O Backend for system memory.
+pub struct SysMemBackend;
+
+impl IoBackend for SysMemBackend {
+ type View<'a, T: ?Sized + KnownSize> = SysMem<'a, T>;
+
+ #[inline]
+ fn as_ptr<'a, T: ?Sized + KnownSize>(view: Self::View<'a, T>) -> *mut T {
+ view.ptr
+ }
+
+ #[inline]
+ unsafe fn project_view<'a, T: ?Sized + KnownSize, U: ?Sized + KnownSize>(
+ _view: Self::View<'a, T>,
+ ptr: *mut U,
+ ) -> Self::View<'a, U> {
+ // INVARIANT: Per safety requirement, `ptr` is projection from `view`, so it is also a valid
+ // kernel accessible memory region.
+ SysMem {
+ ptr,
+ phantom: PhantomData,
+ }
+ }
+}
+
+/// Implements [`IoCapable`] on `SysMemBackend` for `$ty` using `read_volatile` and
+/// `write_volatile`.
+macro_rules! impl_sysmem_io_capable {
+ ($ty:ty) => {
+ impl IoCapable<$ty> for SysMemBackend {
+ #[inline]
+ fn io_read(view: SysMem<'_, $ty>) -> $ty {
+ // SAFETY:
+ // - Per type invariant, `ptr` is valid and aligned.
+ // - Using read_volatile() here so that race with hardware is well-defined.
+ // - Using read_volatile() here is not sound if it races with other CPU per Rust
+ // rules, but this is allowed per LKMM.
+ // - The macro is only used on primitives so all bit patterns are valid.
+ unsafe { view.ptr.read_volatile() }
+ }
+
+ #[inline]
+ fn io_write(view: SysMem<'_, $ty>, value: $ty) {
+ // SAFETY:
+ // - Per type invariant, `ptr` is valid and aligned.
+ // - Using write_volatile() here so that race with hardware is well-defined.
+ // - Using write_volatile() here is not sound if it races with other CPU per Rust
+ // rules, but this is allowed per LKMM.
+ unsafe { view.ptr.write_volatile(value) }
+ }
+ }
+ };
+}
+
+impl_sysmem_io_capable!(u8);
+impl_sysmem_io_capable!(u16);
+impl_sysmem_io_capable!(u32);
+#[cfg(CONFIG_64BIT)]
+impl_sysmem_io_capable!(u64);
+
+/// System memory region.
+///
+/// Provides `Io` trait implementation for kernel virtual address ranges,
+/// using volatile read/write to safely access shared memory that may be
+/// concurrently accessed by external hardware.
+///
+/// # Invariants
+///
+/// `self.ptr.addr() .. self.ptr.addr() + KnownSize::size(self.ptr)` is valid and aligned kernel
+/// accessible memory region for the lifetime `'a`.
+pub struct SysMem<'a, T: ?Sized> {
+ ptr: *mut T,
+ phantom: PhantomData<&'a ()>,
+}
+
+impl<T: ?Sized> Copy for SysMem<'_, T> {}
+impl<T: ?Sized> Clone for SysMem<'_, T> {
+ #[inline]
+ fn clone(&self) -> Self {
+ *self
+ }
+}
+
+// SAFETY: `SysMem<'_, T>` is conceptually `&T` but in I/O memory.
+unsafe impl<T: ?Sized + Sync> Send for SysMem<'_, T> {}
+
+// SAFETY: `SysMem<'_, T>` is conceptually `&T` but in I/O memory.
+unsafe impl<T: ?Sized + Sync> Sync for SysMem<'_, T> {}
+
+impl<'a, T: ?Sized> SysMem<'a, T> {
+ /// Create a `SysMem` from a raw pointer.
+ ///
+ /// # Safety
+ ///
+ /// `ptr.addr() .. ptr.addr() + KnownSize::size(ptr)` must be valid and aligned kernel
+ /// accessible memory region for the lifetime `'a`.
+ #[inline]
+ pub unsafe fn new(ptr: *mut T) -> Self {
+ // INVARIANT: Per safety requirement.
+ Self {
+ ptr,
+ phantom: PhantomData,
+ }
+ }
+
+ /// Obtain the raw pointer to the memory.
+ #[inline]
+ pub fn as_ptr(self) -> *mut T {
+ self.ptr
+ }
+}
+
+impl<'a, T: ?Sized + KnownSize> IoBase<'a> for SysMem<'a, T> {
+ type Backend = SysMemBackend;
+ type Target = T;
+
+ #[inline]
+ fn as_view(self) -> <Self::Backend as IoBackend>::View<'a, Self::Target> {
+ self
+ }
+}
+
// This helper turns associated functions to methods so it can be invoked in macro.
// Used by `io_project!()` only.
#[doc(hidden)]
--
2.54.0
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [PATCH v4 15/20] rust: io: implement a view type for `Coherent`
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
` (13 preceding siblings ...)
2026-06-11 16:28 ` [PATCH v4 14/20] rust: io: add I/O backend for system memory with volatile access Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
2026-06-11 16:28 ` [PATCH v4 16/20] rust: io: add `read_val` and `write_val` functions on `Io` Gary Guo
` (4 subsequent siblings)
19 siblings, 0 replies; 36+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
Implement a `CoherentView` type which is a view of `Coherent`. To be able
to give out DMA handles, the view type contains both CPU and DMA pointers,
and the projection method projects both at once.
Delegate most of the `Io` implementation to `SysMemBackend`. Provide a
method to erase the DMA handle and give out a `SysMem` view, if the user
does not need the `dma_handle`.
Signed-off-by: Gary Guo <gary@garyguo.net>
---
rust/kernel/dma.rs | 137 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 135 insertions(+), 2 deletions(-)
diff --git a/rust/kernel/dma.rs b/rust/kernel/dma.rs
index 200def84fb69..ab6504910e4f 100644
--- a/rust/kernel/dma.rs
+++ b/rust/kernel/dma.rs
@@ -14,14 +14,21 @@
},
error::to_result,
fs::file,
+ io::{
+ IoBackend,
+ IoBase,
+ IoCapable,
+ SysMem,
+ SysMemBackend, //
+ },
prelude::*,
ptr::KnownSize,
sync::aref::ARef,
transmute::{
AsBytes,
FromBytes, //
- }, //
- uaccess::UserSliceWriter,
+ },
+ uaccess::UserSliceWriter, //
};
use core::{
ops::{
@@ -1133,6 +1140,132 @@ unsafe impl Send for CoherentHandle {}
// plain `Copy` values.
unsafe impl Sync for CoherentHandle {}
+/// View type for `Coherent`.
+///
+/// This is same as [`SysMem`] but with additional information that allows handing out a DMA handle.
+pub struct CoherentView<'a, T: ?Sized> {
+ cpu_addr: SysMem<'a, T>,
+ dma_handle: DmaAddress,
+}
+
+impl<T: ?Sized> Copy for CoherentView<'_, T> {}
+impl<T: ?Sized> Clone for CoherentView<'_, T> {
+ #[inline]
+ fn clone(&self) -> Self {
+ *self
+ }
+}
+
+impl<'a, T: ?Sized> CoherentView<'a, T> {
+ /// Erase the DMA handle information and obtain a [`SysMem`] view of the same memory region.
+ #[inline]
+ pub fn as_sys_mem(self) -> SysMem<'a, T> {
+ self.cpu_addr
+ }
+
+ /// Returns a DMA handle which may be given to the device as the DMA address base of the region.
+ #[inline]
+ pub fn dma_handle(self) -> DmaAddress {
+ self.dma_handle
+ }
+
+ /// Returns a reference to the data in the region.
+ ///
+ /// # Safety
+ ///
+ /// * Callers must ensure that the device does not read/write to/from memory while the returned
+ /// reference is live.
+ /// * Callers must ensure that this call does not race with a write to the same region while
+ /// the returned reference is live.
+ #[inline]
+ pub unsafe fn as_ref(self) -> &'a T {
+ // SAFETY: pointer is aligned and valid per type invariant. Aliasing rule is satisfied per
+ // safety requirement.
+ unsafe { &*self.cpu_addr.as_ptr() }
+ }
+
+ /// Returns a mutable reference to the data in the region.
+ ///
+ /// # Safety
+ ///
+ /// * Callers must ensure that the device does not read/write to/from memory while the returned
+ /// reference is live.
+ /// * Callers must ensure that this call does not race with a read or write to the same region
+ /// while the returned reference is live.
+ #[inline]
+ pub unsafe fn as_mut(self) -> &'a mut T {
+ // SAFETY: pointer is aligned and valid per type invariant. Aliasing rule is satisfied per
+ // safety requirement.
+ unsafe { &mut *self.cpu_addr.as_ptr() }
+ }
+}
+
+/// `IoBackend` implementation for `Coherent`.
+pub struct CoherentBackend;
+
+impl IoBackend for CoherentBackend {
+ type View<'a, T: ?Sized + KnownSize> = CoherentView<'a, T>;
+
+ #[inline]
+ fn as_ptr<'a, T: ?Sized + KnownSize>(view: Self::View<'a, T>) -> *mut T {
+ SysMemBackend::as_ptr(view.cpu_addr)
+ }
+
+ #[inline]
+ unsafe fn project_view<'a, T: ?Sized + KnownSize, U: ?Sized + KnownSize>(
+ view: Self::View<'a, T>,
+ ptr: *mut U,
+ ) -> Self::View<'a, U> {
+ let offset = ptr.addr() - view.cpu_addr.as_ptr().addr();
+ // CAST: The offset DMA address can never overflow.
+ let dma_handle = view.dma_handle + offset as DmaAddress;
+ CoherentView {
+ dma_handle,
+ // SAFETY: Per safety requirement.
+ cpu_addr: unsafe { SysMemBackend::project_view(view.cpu_addr, ptr) },
+ }
+ }
+}
+
+impl<T> IoCapable<T> for CoherentBackend
+where
+ SysMemBackend: IoCapable<T>,
+{
+ #[inline]
+ fn io_read<'a>(view: Self::View<'a, T>) -> T {
+ SysMemBackend::io_read(view.cpu_addr)
+ }
+
+ #[inline]
+ fn io_write<'a>(view: Self::View<'a, T>, value: T) {
+ SysMemBackend::io_write(view.cpu_addr, value)
+ }
+}
+
+impl<'a, T: ?Sized + KnownSize> IoBase<'a> for CoherentView<'a, T> {
+ type Backend = CoherentBackend;
+ type Target = T;
+
+ #[inline]
+ fn as_view(self) -> CoherentView<'a, Self::Target> {
+ self
+ }
+}
+
+impl<'a, T: ?Sized + KnownSize> IoBase<'a> for &'a Coherent<T> {
+ type Backend = CoherentBackend;
+ type Target = T;
+
+ #[inline]
+ fn as_view(self) -> CoherentView<'a, Self::Target> {
+ CoherentView {
+ // SAFETY: `cpu_addr` is valid and aligned kernel accessible memory.
+ cpu_addr: unsafe { SysMem::new(self.cpu_addr.as_ptr()) },
+ dma_handle: self.dma_handle,
+ }
+ }
+}
+
/// Reads a field of an item from an allocated region of structs.
///
/// The syntax is of the form `kernel::dma_read!(dma, proj)` where `dma` is an expression evaluating
--
2.54.0
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [PATCH v4 16/20] rust: io: add `read_val` and `write_val` functions on `Io`
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
` (14 preceding siblings ...)
2026-06-11 16:28 ` [PATCH v4 15/20] rust: io: implement a view type for `Coherent` Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
2026-06-11 16:28 ` [PATCH v4 17/20] gpu: nova-core: use I/O projection for cleaner encapsulation Gary Guo
` (3 subsequent siblings)
19 siblings, 0 replies; 36+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
Provide `read_val` and `write_val` that allow I/O views to be accessed when
they're narrowed down to just views of primitives.
This is used to provide `io_read!` and `io_write!` macros, which are
generalized version of current `dma_read!` and `dma_write!` macro that work
for all types that implement `Io`.
Note though `io_read!` and `io_write!` only works if backend implements
`IoCapable` for the type; which is typically only implemented for
atomically accessible primitives. `dma_read!` and `dma_write!` currently
supports them via `read_volatile` and `write_volatile`; this can be
undesirable for aggregates as LLVM may turn them to multiple instructions
to access parts and re-assemble, even if they could be combined to a single
instruction. Thus, `io_read!()` and `io_write!()` does not fully replace
`dma_read!()` and `dma_write!()` in this scenario. The ability to
read/write aggregates (when atomicity is of no concern) is better served
with copying primitives (e.g. memcpy_{from,to}io).
Signed-off-by: Gary Guo <gary@garyguo.net>
---
rust/kernel/io.rs | 104 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 104 insertions(+)
diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
index a418c8cbb031..f64ca2202ff2 100644
--- a/rust/kernel/io.rs
+++ b/rust/kernel/io.rs
@@ -347,6 +347,50 @@ fn try_cast<U>(self) -> Result<<Self::Backend as IoBackend>::View<'a, U>>
Ok(unsafe { Self::Backend::project_view(view, ptr.cast()) })
}
+ /// Read a value from I/O.
+ ///
+ /// This only works for primitives supported by the I/O backend.
+ ///
+ /// # Examples
+ ///
+ /// ```no_run
+ /// # use kernel::io::*;
+ /// # fn test_read_val(mmio: Mmio<'_, u32>) {
+ /// // let mmio: Mmio<'_, u32>;
+ /// let val: u32 = mmio.read_val();
+ /// # }
+ /// ```
+ #[inline]
+ fn read_val(self) -> Self::Target
+ where
+ Self::Backend: IoCapable<Self::Target>,
+ Self::Target: Sized,
+ {
+ Self::Backend::io_read(self.as_view())
+ }
+
+ /// Write a value to I/O.
+ ///
+ /// This only works for primitives supported by the I/O backend.
+ ///
+ /// # Examples
+ ///
+ /// ```no_run
+ /// # use kernel::io::*;
+ /// # fn test_write_val(mmio: Mmio<'_, u32>) {
+ /// // let mmio: Mmio<'_, u32>;
+ /// mmio.write_val(1u32);
+ /// # }
+ /// ```
+ #[inline]
+ fn write_val(self, value: Self::Target)
+ where
+ Self::Backend: IoCapable<Self::Target>,
+ Self::Target: Sized,
+ {
+ Self::Backend::io_write(self.as_view(), value)
+ }
+
/// Returns a view for a given `offset`, performing compile-time bound checks.
// Always inline to optimize out error path of `build_assert`.
#[inline(always)]
@@ -1232,3 +1276,63 @@ macro_rules! io_project {
}
#[doc(inline)]
pub use crate::io_project;
+
+/// Read from I/O memory.
+///
+/// The syntax is of form `io_read!(io, proj)` where `io` is an expression to a type that
+/// implements [`Io`] and `proj` is a [projection specification](kernel::ptr::project!).
+///
+/// # Examples
+///
+/// ```
+/// struct MyStruct { field: u32, }
+///
+/// # fn test(mmio: kernel::io::Mmio<'_, [MyStruct]>) -> Result {
+/// // let mmio: Mmio<'_, [MyStruct]>;
+/// let field: u32 = kernel::io::io_read!(mmio, [try: 2].field);
+/// # Ok::<(), Error>(()) }
+/// ```
+#[macro_export]
+#[doc(hidden)]
+macro_rules! io_read {
+ ($io:expr, $($proj:tt)*) => {
+ $crate::io::Io::read_val($crate::io_project!($io, $($proj)*))
+ };
+}
+#[doc(inline)]
+pub use crate::io_read;
+
+/// Writes to I/O memory.
+///
+/// The syntax is of form `io_write!(io, proj, val)` where `io` is an expression to a type that
+/// implements [`Io`] and `proj` is a [projection specification](kernel::ptr::project!),
+/// and `val` is the value to be written to the projected location.
+///
+/// # Examples
+///
+/// ```
+/// struct MyStruct { field: u32, }
+///
+/// # fn test(mmio: kernel::io::Mmio<'_, [MyStruct]>) -> Result {
+/// // let mmio: Mmio<'_, [MyStruct]>;
+/// kernel::io::io_write!(mmio, [try: 2].field, 10);
+/// # Ok::<(), Error>(()) }
+/// ```
+#[macro_export]
+#[doc(hidden)]
+macro_rules! io_write {
+ (@parse [$io:expr] [$($proj:tt)*] [, $val:expr]) => {
+ $crate::io::Io::write_val($crate::io_project!($io, $($proj)*), $val)
+ };
+ (@parse [$io:expr] [$($proj:tt)*] [.$field:tt $($rest:tt)*]) => {
+ $crate::io_write!(@parse [$io] [$($proj)* .$field] [$($rest)*])
+ };
+ (@parse [$io:expr] [$($proj:tt)*] [[$flavor:ident: $index:expr] $($rest:tt)*]) => {
+ $crate::io_write!(@parse [$io] [$($proj)* [$flavor: $index]] [$($rest)*])
+ };
+ ($io:expr, $($rest:tt)*) => {
+ $crate::io_write!(@parse [$io] [] [$($rest)*])
+ };
+}
+#[doc(inline)]
+pub use crate::io_write;
--
2.54.0
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [PATCH v4 17/20] gpu: nova-core: use I/O projection for cleaner encapsulation
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
` (15 preceding siblings ...)
2026-06-11 16:28 ` [PATCH v4 16/20] rust: io: add `read_val` and `write_val` functions on `Io` Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
2026-06-11 16:28 ` [PATCH v4 18/20] rust: dma: drop `dma_read!` and `dma_write!` API Gary Guo
` (2 subsequent siblings)
19 siblings, 0 replies; 36+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
Use `io_project!` for PTE array and message queues to restore the proper
encapsulation.
The remaining `dma_read!` and `dma_write!` is now only acting on
primitives; thus replace by `io_read!` and `io_write!`.
Signed-off-by: Gary Guo <gary@garyguo.net>
---
drivers/gpu/nova-core/gsp.rs | 53 ++++++++++++-------------
drivers/gpu/nova-core/gsp/cmdq.rs | 66 +++++++++++++++++--------------
drivers/gpu/nova-core/gsp/fw.rs | 82 +++++++++++++--------------------------
3 files changed, 90 insertions(+), 111 deletions(-)
diff --git a/drivers/gpu/nova-core/gsp.rs b/drivers/gpu/nova-core/gsp.rs
index 69175ca3315c..cfa7553cd820 100644
--- a/drivers/gpu/nova-core/gsp.rs
+++ b/drivers/gpu/nova-core/gsp.rs
@@ -9,14 +9,16 @@
dma::{
Coherent,
CoherentBox,
+ CoherentView,
DmaAddress, //
},
+ io::{
+ io_project,
+ io_write,
+ Io, //
+ },
pci,
- prelude::*,
- transmute::{
- AsBytes,
- FromBytes, //
- }, //
+ prelude::*, //
};
pub(crate) mod cmdq;
@@ -48,21 +50,21 @@
/// Array of page table entries, as understood by the GSP bootloader.
#[repr(C)]
+#[derive(FromBytes, IntoBytes)]
struct PteArray<const NUM_ENTRIES: usize>([u64; NUM_ENTRIES]);
-/// SAFETY: arrays of `u64` implement `FromBytes` and we are but a wrapper around one.
-unsafe impl<const NUM_ENTRIES: usize> FromBytes for PteArray<NUM_ENTRIES> {}
-
-/// SAFETY: arrays of `u64` implement `AsBytes` and we are but a wrapper around one.
-unsafe impl<const NUM_ENTRIES: usize> AsBytes for PteArray<NUM_ENTRIES> {}
-
impl<const NUM_PAGES: usize> PteArray<NUM_PAGES> {
- /// Returns the page table entry for `index`, for a mapping starting at `start`.
- // TODO: Replace with `IoView` projection once available.
- fn entry(start: DmaAddress, index: usize) -> Result<u64> {
- start
- .checked_add(num::usize_as_u64(index) << GSP_PAGE_SHIFT)
- .ok_or(EOVERFLOW)
+ /// Initialize a new page table array mapping `NUM_PAGES` GSP pages starting at address `start`.
+ fn init(view: CoherentView<'_, Self>, start: DmaAddress) -> Result<()> {
+ for i in 0..NUM_PAGES {
+ io_write!(view, .0[build: i],
+ start
+ .checked_add(num::usize_as_u64(i) << GSP_PAGE_SHIFT)
+ .ok_or(EOVERFLOW)?
+ );
+ }
+
+ Ok(())
}
}
@@ -89,17 +91,12 @@ fn new(dev: &device::Device<device::Bound>) -> Result<Self> {
let start_addr = obj.0.dma_handle();
- // SAFETY: `obj` has just been created and we are its sole user.
- let pte_region = unsafe {
- &mut obj.0.as_mut()[size_of::<u64>()..][..RM_LOG_BUFFER_NUM_PAGES * size_of::<u64>()]
- };
-
- // Write values one by one to avoid an on-stack instance of `PteArray`.
- for (i, chunk) in pte_region.chunks_exact_mut(size_of::<u64>()).enumerate() {
- let pte_value = PteArray::<0>::entry(start_addr, i)?;
-
- chunk.copy_from_slice(&pte_value.to_ne_bytes());
- }
+ let pte_view = io_project!(
+ obj.0,
+ [build: size_of::<u64>()..][build: ..RM_LOG_BUFFER_NUM_PAGES * size_of::<u64>()]
+ )
+ .try_cast::<PteArray<RM_LOG_BUFFER_NUM_PAGES>>()?;
+ PteArray::init(pte_view, start_addr)?;
Ok(obj)
}
diff --git a/drivers/gpu/nova-core/gsp/cmdq.rs b/drivers/gpu/nova-core/gsp/cmdq.rs
index 070de0731e95..c34b48961496 100644
--- a/drivers/gpu/nova-core/gsp/cmdq.rs
+++ b/drivers/gpu/nova-core/gsp/cmdq.rs
@@ -2,16 +2,23 @@
mod continuation;
-use core::mem;
+use core::{
+ mem,
+ sync::atomic::{
+ fence,
+ Ordering, //
+ },
+};
use kernel::{
device,
dma::{
Coherent,
+ CoherentBox,
DmaAddress, //
},
- dma_write,
io::{
+ io_project,
poll::read_poll_timeout,
Io, //
},
@@ -171,20 +178,18 @@ struct MsgqData {
#[repr(C)]
// There is no struct defined for this in the open-gpu-kernel-source headers.
// Instead it is defined by code in `GspMsgQueuesInit()`.
-// TODO: Revert to private once `IoView` projections replace the `gsp_mem` module.
-pub(super) struct Msgq {
+struct Msgq {
/// Header for sending messages, including the write pointer.
- pub(super) tx: MsgqTxHeader,
+ tx: MsgqTxHeader,
/// Header for receiving messages, including the read pointer.
- pub(super) rx: MsgqRxHeader,
+ rx: MsgqRxHeader,
/// The message queue proper.
msgq: MsgqData,
}
/// Structure shared between the driver and the GSP and containing the command and message queues.
#[repr(C)]
-// TODO: Revert to private once `IoView` projections replace the `gsp_mem` module.
-pub(super) struct GspMem {
+struct GspMem {
/// Self-mapping page table entries.
ptes: PteArray<{ Self::PTE_ARRAY_SIZE }>,
/// CPU queue: the driver writes commands here, and the GSP reads them. It also contains the
@@ -192,13 +197,13 @@ pub(super) struct GspMem {
/// index into the GSP queue.
///
/// This member is read-only for the GSP.
- pub(super) cpuq: Msgq,
+ cpuq: Msgq,
/// GSP queue: the GSP writes messages here, and the driver reads them. It also contains the
/// write and read pointers that the GSP updates. This means that the read pointer here is an
/// index into the CPU queue.
///
/// This member is read-only for the driver.
- pub(super) gspq: Msgq,
+ gspq: Msgq,
}
impl GspMem {
@@ -232,20 +237,12 @@ fn new(dev: &device::Device<device::Bound>) -> Result<Self> {
const MSGQ_SIZE: u32 = num::usize_into_u32::<{ size_of::<Msgq>() }>();
const RX_HDR_OFF: u32 = num::usize_into_u32::<{ mem::offset_of!(Msgq, rx) }>();
- let gsp_mem = Coherent::<GspMem>::zeroed(dev, GFP_KERNEL)?;
-
- let start = gsp_mem.dma_handle();
- // Write values one by one to avoid an on-stack instance of `PteArray`.
- for i in 0..GspMem::PTE_ARRAY_SIZE {
- dma_write!(gsp_mem, .ptes.0[build: i], PteArray::<0>::entry(start, i)?);
- }
+ let mut gsp_mem = CoherentBox::<GspMem>::zeroed(dev, GFP_KERNEL)?;
+ gsp_mem.cpuq.tx = MsgqTxHeader::new(MSGQ_SIZE, RX_HDR_OFF, MSGQ_NUM_PAGES);
+ gsp_mem.cpuq.rx = MsgqRxHeader::new();
- dma_write!(
- gsp_mem,
- .cpuq.tx,
- MsgqTxHeader::new(MSGQ_SIZE, RX_HDR_OFF, MSGQ_NUM_PAGES)
- );
- dma_write!(gsp_mem, .cpuq.rx, MsgqRxHeader::new());
+ let gsp_mem: Coherent<_> = gsp_mem.into();
+ PteArray::init(io_project!(gsp_mem, .ptes), gsp_mem.dma_handle())?;
Ok(Self(gsp_mem))
}
@@ -406,7 +403,7 @@ fn allocate_command(&mut self, size: usize, timeout: Delta) -> Result<GspCommand
//
// - The returned value is within `0..MSGQ_NUM_PAGES`.
fn gsp_write_ptr(&self) -> u32 {
- super::fw::gsp_mem::gsp_write_ptr(&self.0)
+ MsgqTxHeader::write_ptr(io_project!(self.0, .gspq.tx)) % MSGQ_NUM_PAGES
}
// Returns the index of the memory page the GSP will read the next command from.
@@ -415,7 +412,7 @@ fn gsp_write_ptr(&self) -> u32 {
//
// - The returned value is within `0..MSGQ_NUM_PAGES`.
fn gsp_read_ptr(&self) -> u32 {
- super::fw::gsp_mem::gsp_read_ptr(&self.0)
+ MsgqRxHeader::read_ptr(io_project!(self.0, .gspq.rx)) % MSGQ_NUM_PAGES
}
// Returns the index of the memory page the CPU can read the next message from.
@@ -424,12 +421,18 @@ fn gsp_read_ptr(&self) -> u32 {
//
// - The returned value is within `0..MSGQ_NUM_PAGES`.
fn cpu_read_ptr(&self) -> u32 {
- super::fw::gsp_mem::cpu_read_ptr(&self.0)
+ MsgqRxHeader::read_ptr(io_project!(self.0, .cpuq.rx)) % MSGQ_NUM_PAGES
}
// Informs the GSP that it can send `elem_count` new pages into the message queue.
fn advance_cpu_read_ptr(&mut self, elem_count: u32) {
- super::fw::gsp_mem::advance_cpu_read_ptr(&self.0, elem_count)
+ let rx = io_project!(self.0, .cpuq.rx);
+ let rptr = MsgqRxHeader::read_ptr(rx).wrapping_add(elem_count) % MSGQ_NUM_PAGES;
+
+ // Ensure read pointer is properly ordered.
+ fence(Ordering::SeqCst);
+
+ MsgqRxHeader::set_read_ptr(rx, rptr)
}
// Returns the index of the memory page the CPU can write the next command to.
@@ -438,12 +441,17 @@ fn advance_cpu_read_ptr(&mut self, elem_count: u32) {
//
// - The returned value is within `0..MSGQ_NUM_PAGES`.
fn cpu_write_ptr(&self) -> u32 {
- super::fw::gsp_mem::cpu_write_ptr(&self.0)
+ MsgqTxHeader::write_ptr(io_project!(self.0, .cpuq.tx)) % MSGQ_NUM_PAGES
}
// Informs the GSP that it can process `elem_count` new pages from the command queue.
fn advance_cpu_write_ptr(&mut self, elem_count: u32) {
- super::fw::gsp_mem::advance_cpu_write_ptr(&self.0, elem_count)
+ let tx = io_project!(self.0, .cpuq.tx);
+ let wptr = MsgqTxHeader::write_ptr(tx).wrapping_add(elem_count) % MSGQ_NUM_PAGES;
+ MsgqTxHeader::set_write_ptr(tx, wptr);
+
+ // Ensure all command data is visible before triggering the GSP read.
+ fence(Ordering::SeqCst);
}
}
diff --git a/drivers/gpu/nova-core/gsp/fw.rs b/drivers/gpu/nova-core/gsp/fw.rs
index 4db0cfa4dc4d..b0e7de328eaf 100644
--- a/drivers/gpu/nova-core/gsp/fw.rs
+++ b/drivers/gpu/nova-core/gsp/fw.rs
@@ -10,7 +10,14 @@
use core::ops::Range;
use kernel::{
- dma::Coherent,
+ dma::{
+ Coherent,
+ CoherentView, //
+ },
+ io::{
+ io_read,
+ io_write, //
+ },
prelude::*,
ptr::{
Alignable,
@@ -44,59 +51,6 @@
},
};
-// TODO: Replace with `IoView` projections once available.
-pub(super) mod gsp_mem {
- use core::sync::atomic::{
- fence,
- Ordering, //
- };
-
- use kernel::{
- dma::Coherent,
- dma_read,
- dma_write, //
- };
-
- use crate::gsp::cmdq::{
- GspMem,
- MSGQ_NUM_PAGES, //
- };
-
- pub(in crate::gsp) fn gsp_write_ptr(qs: &Coherent<GspMem>) -> u32 {
- dma_read!(qs, .gspq.tx.0.writePtr) % MSGQ_NUM_PAGES
- }
-
- pub(in crate::gsp) fn gsp_read_ptr(qs: &Coherent<GspMem>) -> u32 {
- dma_read!(qs, .gspq.rx.0.readPtr) % MSGQ_NUM_PAGES
- }
-
- pub(in crate::gsp) fn cpu_read_ptr(qs: &Coherent<GspMem>) -> u32 {
- dma_read!(qs, .cpuq.rx.0.readPtr) % MSGQ_NUM_PAGES
- }
-
- pub(in crate::gsp) fn advance_cpu_read_ptr(qs: &Coherent<GspMem>, count: u32) {
- let rptr = cpu_read_ptr(qs).wrapping_add(count) % MSGQ_NUM_PAGES;
-
- // Ensure read pointer is properly ordered.
- fence(Ordering::SeqCst);
-
- dma_write!(qs, .cpuq.rx.0.readPtr, rptr);
- }
-
- pub(in crate::gsp) fn cpu_write_ptr(qs: &Coherent<GspMem>) -> u32 {
- dma_read!(qs, .cpuq.tx.0.writePtr) % MSGQ_NUM_PAGES
- }
-
- pub(in crate::gsp) fn advance_cpu_write_ptr(qs: &Coherent<GspMem>, count: u32) {
- let wptr = cpu_write_ptr(qs).wrapping_add(count) % MSGQ_NUM_PAGES;
-
- dma_write!(qs, .cpuq.tx.0.writePtr, wptr);
-
- // Ensure all command data is visible before triggering the GSP read.
- fence(Ordering::SeqCst);
- }
-}
-
/// Maximum size of a single GSP message queue element in bytes.
pub(crate) const GSP_MSG_QUEUE_ELEMENT_SIZE_MAX: usize =
num::u32_as_usize(bindings::GSP_MSG_QUEUE_ELEMENT_SIZE_MAX);
@@ -720,6 +674,16 @@ pub(crate) fn new(msgq_size: u32, rx_hdr_offset: u32, msg_count: u32) -> Self {
entryOff: num::usize_into_u32::<GSP_PAGE_SIZE>(),
})
}
+
+ /// Returns the value of the write pointer for this queue.
+ pub(crate) fn write_ptr(this: CoherentView<'_, Self>) -> u32 {
+ io_read!(this, .0.writePtr)
+ }
+
+ /// Sets the value of the write pointer for this queue.
+ pub(crate) fn set_write_ptr(this: CoherentView<'_, Self>, val: u32) {
+ io_write!(this, .0.writePtr, val)
+ }
}
// SAFETY: Padding is explicit and does not contain uninitialized data.
@@ -735,6 +699,16 @@ impl MsgqRxHeader {
pub(crate) fn new() -> Self {
Self(Default::default())
}
+
+ /// Returns the value of the read pointer for this queue.
+ pub(crate) fn read_ptr(this: CoherentView<'_, Self>) -> u32 {
+ io_read!(this, .0.readPtr)
+ }
+
+ /// Sets the value of the read pointer for this queue.
+ pub(crate) fn set_read_ptr(this: CoherentView<'_, Self>, val: u32) {
+ io_write!(this, .0.readPtr, val)
+ }
}
// SAFETY: Padding is explicit and does not contain uninitialized data.
--
2.54.0
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [PATCH v4 18/20] rust: dma: drop `dma_read!` and `dma_write!` API
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
` (16 preceding siblings ...)
2026-06-11 16:28 ` [PATCH v4 17/20] gpu: nova-core: use I/O projection for cleaner encapsulation Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
2026-06-11 16:28 ` [PATCH v4 19/20] rust: io: add copying methods Gary Guo
2026-06-11 16:28 ` [PATCH v4 20/20] rust: io: implement `IoSysMap` Gary Guo
19 siblings, 0 replies; 36+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
The primitive read/write use case is covered by the `io_read!` and
`io_write!` macro. The non-primitive use case was finicky; they should
either be achieved using `CoherentBox` or `as_ref()/as_mut()` to assert the
lack of concurrent access, or should be using memcpy-like APIs to express
the non-atomic and tearable nature.
Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>
Signed-off-by: Gary Guo <gary@garyguo.net>
---
rust/kernel/dma.rs | 128 -----------------------------------------------
samples/rust/rust_dma.rs | 13 ++---
2 files changed, 7 insertions(+), 134 deletions(-)
diff --git a/rust/kernel/dma.rs b/rust/kernel/dma.rs
index ab6504910e4f..0ff4cce8e809 100644
--- a/rust/kernel/dma.rs
+++ b/rust/kernel/dma.rs
@@ -661,52 +661,6 @@ pub unsafe fn as_mut(&self) -> &mut T {
// SAFETY: per safety requirement.
unsafe { &mut *self.as_mut_ptr() }
}
-
- /// Reads the value of `field` and ensures that its type is [`FromBytes`].
- ///
- /// # Safety
- ///
- /// This must be called from the [`dma_read`] macro which ensures that the `field` pointer is
- /// validated beforehand.
- ///
- /// Public but hidden since it should only be used from [`dma_read`] macro.
- #[doc(hidden)]
- pub unsafe fn field_read<F: FromBytes>(&self, field: *const F) -> F {
- // SAFETY:
- // - By the safety requirements field is valid.
- // - Using read_volatile() here is not sound as per the usual rules, the usage here is
- // a special exception with the following notes in place. When dealing with a potential
- // race from a hardware or code outside kernel (e.g. user-space program), we need that
- // read on a valid memory is not UB. Currently read_volatile() is used for this, and the
- // rationale behind is that it should generate the same code as READ_ONCE() which the
- // kernel already relies on to avoid UB on data races. Note that the usage of
- // read_volatile() is limited to this particular case, it cannot be used to prevent
- // the UB caused by racing between two kernel functions nor do they provide atomicity.
- unsafe { field.read_volatile() }
- }
-
- /// Writes a value to `field` and ensures that its type is [`AsBytes`].
- ///
- /// # Safety
- ///
- /// This must be called from the [`dma_write`] macro which ensures that the `field` pointer is
- /// validated beforehand.
- ///
- /// Public but hidden since it should only be used from [`dma_write`] macro.
- #[doc(hidden)]
- pub unsafe fn field_write<F: AsBytes>(&self, field: *mut F, val: F) {
- // SAFETY:
- // - By the safety requirements field is valid.
- // - Using write_volatile() here is not sound as per the usual rules, the usage here is
- // a special exception with the following notes in place. When dealing with a potential
- // race from a hardware or code outside kernel (e.g. user-space program), we need that
- // write on a valid memory is not UB. Currently write_volatile() is used for this, and the
- // rationale behind is that it should generate the same code as WRITE_ONCE() which the
- // kernel already relies on to avoid UB on data races. Note that the usage of
- // write_volatile() is limited to this particular case, it cannot be used to prevent
- // the UB caused by racing between two kernel functions nor do they provide atomicity.
- unsafe { field.write_volatile(val) }
- }
}
impl<T: AsBytes + FromBytes> Coherent<T> {
@@ -1265,85 +1219,3 @@ fn as_view(self) -> CoherentView<'a, Self::Target> {
}
}
}
-
-/// Reads a field of an item from an allocated region of structs.
-///
-/// The syntax is of the form `kernel::dma_read!(dma, proj)` where `dma` is an expression evaluating
-/// to a [`Coherent`] and `proj` is a [projection specification](kernel::ptr::project!).
-///
-/// # Examples
-///
-/// ```
-/// use kernel::device::Device;
-/// use kernel::dma::{attrs::*, Coherent};
-///
-/// struct MyStruct { field: u32, }
-///
-/// // SAFETY: All bit patterns are acceptable values for `MyStruct`.
-/// unsafe impl kernel::transmute::FromBytes for MyStruct{};
-/// // SAFETY: Instances of `MyStruct` have no uninitialized portions.
-/// unsafe impl kernel::transmute::AsBytes for MyStruct{};
-///
-/// # fn test(alloc: &kernel::dma::Coherent<[MyStruct]>) -> Result {
-/// let whole = kernel::dma_read!(alloc, [try: 2]);
-/// let field = kernel::dma_read!(alloc, [panic: 1].field);
-/// # Ok::<(), Error>(()) }
-/// ```
-#[macro_export]
-macro_rules! dma_read {
- ($dma:expr, $($proj:tt)*) => {{
- let dma = &$dma;
- let ptr = $crate::ptr::project!(
- $crate::dma::Coherent::as_ptr(dma), $($proj)*
- );
- // SAFETY: The pointer created by the projection is within the DMA region.
- unsafe { $crate::dma::Coherent::field_read(dma, ptr) }
- }};
-}
-
-/// Writes to a field of an item from an allocated region of structs.
-///
-/// The syntax is of the form `kernel::dma_write!(dma, proj, val)` where `dma` is an expression
-/// evaluating to a [`Coherent`], `proj` is a
-/// [projection specification](kernel::ptr::project!), and `val` is the value to be written to the
-/// projected location.
-///
-/// # Examples
-///
-/// ```
-/// use kernel::device::Device;
-/// use kernel::dma::{attrs::*, Coherent};
-///
-/// struct MyStruct { member: u32, }
-///
-/// // SAFETY: All bit patterns are acceptable values for `MyStruct`.
-/// unsafe impl kernel::transmute::FromBytes for MyStruct{};
-/// // SAFETY: Instances of `MyStruct` have no uninitialized portions.
-/// unsafe impl kernel::transmute::AsBytes for MyStruct{};
-///
-/// # fn test(alloc: &kernel::dma::Coherent<[MyStruct]>) -> Result {
-/// kernel::dma_write!(alloc, [try: 2].member, 0xf);
-/// kernel::dma_write!(alloc, [panic: 1], MyStruct { member: 0xf });
-/// # Ok::<(), Error>(()) }
-/// ```
-#[macro_export]
-macro_rules! dma_write {
- (@parse [$dma:expr] [$($proj:tt)*] [, $val:expr]) => {{
- let dma = &$dma;
- let ptr = $crate::ptr::project!(
- mut $crate::dma::Coherent::as_mut_ptr(dma), $($proj)*
- );
- let val = $val;
- // SAFETY: The pointer created by the projection is within the DMA region.
- unsafe { $crate::dma::Coherent::field_write(dma, ptr, val) }
- }};
- (@parse [$dma:expr] [$($proj:tt)*] [.$field:tt $($rest:tt)*]) => {
- $crate::dma_write!(@parse [$dma] [$($proj)* .$field] [$($rest)*])
- };
- (@parse [$dma:expr] [$($proj:tt)*] [[$flavor:ident: $index:expr] $($rest:tt)*]) => {
- $crate::dma_write!(@parse [$dma] [$($proj)* [$flavor: $index]] [$($rest)*])
- };
- ($dma:expr, $($rest:tt)*) => {
- $crate::dma_write!(@parse [$dma] [] [$($rest)*])
- };
-}
diff --git a/samples/rust/rust_dma.rs b/samples/rust/rust_dma.rs
index 5046b4628d0e..6727c441658a 100644
--- a/samples/rust/rust_dma.rs
+++ b/samples/rust/rust_dma.rs
@@ -12,6 +12,7 @@
Device,
DmaMask, //
},
+ io::io_read,
page, pci,
prelude::*,
scatterlist::{Owned, SGTable},
@@ -73,11 +74,11 @@ fn probe<'bound>(
// SAFETY: There are no concurrent calls to DMA allocation and mapping primitives.
unsafe { pdev.dma_set_mask_and_coherent(mask)? };
- let ca: Coherent<[MyStruct]> =
- Coherent::zeroed_slice(pdev.as_ref(), TEST_VALUES.len(), GFP_KERNEL)?;
+ let mut ca: CoherentBox<[MyStruct]> =
+ CoherentBox::zeroed_slice(pdev.as_ref(), TEST_VALUES.len(), GFP_KERNEL)?;
for (i, value) in TEST_VALUES.into_iter().enumerate() {
- kernel::dma_write!(ca, [try: i], MyStruct::new(value.0, value.1));
+ ca.init_at(i, MyStruct::new(value.0, value.1))?;
}
let size = 4 * page::PAGE_SIZE;
@@ -87,7 +88,7 @@ fn probe<'bound>(
Ok(try_pin_init!(Self {
pdev: pdev.into(),
- ca,
+ ca: ca.into(),
sgt <- sgt,
}))
})
@@ -97,8 +98,8 @@ fn probe<'bound>(
impl DmaSampleDriver {
fn check_dma(&self) {
for (i, value) in TEST_VALUES.into_iter().enumerate() {
- let val0 = kernel::dma_read!(self.ca, [panic: i].h);
- let val1 = kernel::dma_read!(self.ca, [panic: i].b);
+ let val0 = io_read!(self.ca, [panic: i].h);
+ let val1 = io_read!(self.ca, [panic: i].b);
assert_eq!(val0, value.0);
assert_eq!(val1, value.1);
--
2.54.0
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [PATCH v4 19/20] rust: io: add copying methods
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
` (17 preceding siblings ...)
2026-06-11 16:28 ` [PATCH v4 18/20] rust: dma: drop `dma_read!` and `dma_write!` API Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
2026-06-11 19:36 ` Gary Guo
2026-06-11 16:28 ` [PATCH v4 20/20] rust: io: implement `IoSysMap` Gary Guo
19 siblings, 1 reply; 36+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
One feature that was lost from the old `dma_read!` and `dma_write!` when
moving to `io_read!` and `io_write!` was the ability to read/write a large
structs. However, the semantics was unclear to begin with, as there was no
guarantee about their atomicity even for structs that were small enough to
fit in u32. Re-introduce the capability in the form of copying methods.
dma_read!(foo, bar) -> io_project!(foo, bar).copy_read()
dma_write!(foo, bar, baz) -> io_project!(foo, bar).copy_write(baz)
Model these semantics after memcpy so user has clear expectation of lack of
atomicity. As an additional benefit of this change, this now works for MMIO
as well by mapping them to `memcpy_{from,to}io`.
For slices which is DST so the `copy_read` and `copy_write` API above can't
work, add `copy_from_slice` and `copy_to_slice` to copy from/to normal
memory.
Signed-off-by: Gary Guo <gary@garyguo.net>
---
rust/helpers/io.c | 13 +++
rust/kernel/dma.rs | 25 +++++
rust/kernel/io.rs | 238 ++++++++++++++++++++++++++++++++++++++++++++++-
samples/rust/rust_dma.rs | 15 ++-
4 files changed, 285 insertions(+), 6 deletions(-)
diff --git a/rust/helpers/io.c b/rust/helpers/io.c
index 397810864a24..7ed9a4f77f1b 100644
--- a/rust/helpers/io.c
+++ b/rust/helpers/io.c
@@ -19,6 +19,19 @@ __rust_helper void rust_helper_iounmap(void __iomem *addr)
iounmap(addr);
}
+__rust_helper void rust_helper_memcpy_fromio(void *dst,
+ const volatile void __iomem *src,
+ size_t count)
+{
+ memcpy_fromio(dst, src, count);
+}
+
+__rust_helper void rust_helper_memcpy_toio(volatile void __iomem *dst,
+ const void *src, size_t count)
+{
+ memcpy_toio(dst, src, count);
+}
+
__rust_helper u8 rust_helper_readb(const void __iomem *addr)
{
return readb(addr);
diff --git a/rust/kernel/dma.rs b/rust/kernel/dma.rs
index 0ff4cce8e809..37bc20895803 100644
--- a/rust/kernel/dma.rs
+++ b/rust/kernel/dma.rs
@@ -18,6 +18,7 @@
IoBackend,
IoBase,
IoCapable,
+ IoCopyable,
SysMem,
SysMemBackend, //
},
@@ -1196,6 +1197,30 @@ fn io_write<'a>(view: Self::View<'a, T>, value: T) {
}
}
+impl IoCopyable for CoherentBackend {
+ #[inline]
+ unsafe fn copy_from_io(view: Self::View<'_, [u8]>, buffer: *mut u8) {
+ // SAFETY: Per safety requirement.
+ unsafe { SysMemBackend::copy_from_io(view.cpu_addr, buffer) }
+ }
+
+ #[inline]
+ unsafe fn copy_to_io(view: Self::View<'_, [u8]>, buffer: *const u8) {
+ // SAFETY: Per safety requirement.
+ unsafe { SysMemBackend::copy_to_io(view.cpu_addr, buffer) }
+ }
+
+ #[inline]
+ fn copy_read<T: zerocopy::FromBytes>(view: Self::View<'_, T>) -> T {
+ SysMemBackend::copy_read(view.cpu_addr)
+ }
+
+ #[inline]
+ fn copy_write<T: zerocopy::IntoBytes>(view: Self::View<'_, T>, value: T) {
+ SysMemBackend::copy_write(view.cpu_addr, value)
+ }
+}
+
impl<'a, T: ?Sized + KnownSize> IoBase<'a> for CoherentView<'a, T> {
type Backend = CoherentBackend;
type Target = T;
diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
index f64ca2202ff2..16f818d396bf 100644
--- a/rust/kernel/io.rs
+++ b/rust/kernel/io.rs
@@ -5,7 +5,8 @@
//! C header: [`include/asm-generic/io.h`](srctree/include/asm-generic/io.h)
use core::{
- marker::PhantomData, //
+ marker::PhantomData,
+ mem::MaybeUninit, //
};
use crate::{
@@ -227,6 +228,61 @@ pub trait IoCapable<T>: IoBackend {
fn io_write<'a>(view: Self::View<'a, T>, value: T);
}
+/// Trait indicating that an I/O backend supports memory copy operations.
+pub trait IoCopyable: IoBackend {
+ /// Copy contents of `view` to `buffer`.
+ ///
+ /// # Safety
+ ///
+ /// - `buffer` is valid for volatile write for `view.size()` bytes.
+ unsafe fn copy_from_io(view: Self::View<'_, [u8]>, buffer: *mut u8);
+
+ /// Copy `size` bytes from `buffer` to `address`.
+ ///
+ /// # Safety
+ ///
+ /// - `buffer` is valid for volatile read for `view.size()` bytes.
+ unsafe fn copy_to_io(view: Self::View<'_, [u8]>, buffer: *const u8);
+
+ /// Copy from `view` and return the value.
+ #[inline]
+ fn copy_read<T: FromBytes>(view: Self::View<'_, T>) -> T {
+ // Project `self` to `[u8]`.
+ let ptr = Self::as_ptr(view);
+ // SAFETY: This is a identity projection.
+ let slice_view = unsafe {
+ Self::project_view(
+ view,
+ core::ptr::slice_from_raw_parts_mut::<u8>(ptr.cast(), size_of::<T>()),
+ )
+ };
+
+ let mut buf = MaybeUninit::<T>::uninit();
+ // SAFETY: `buf.as_mut_ptr()` is valid for write for `size_of::<T>()` bytes.
+ unsafe { Self::copy_from_io(slice_view, buf.as_mut_ptr().cast()) };
+ // SAFETY: T: FromBytes` guarantee that all bit patterns are valid.
+ unsafe { buf.assume_init() }
+ }
+
+ /// Copy `value` to `view`.
+ #[inline]
+ fn copy_write<T: IntoBytes>(view: Self::View<'_, T>, value: T) {
+ // Project `self` to `[u8]`.
+ let ptr = Self::as_ptr(view);
+ // SAFETY: This is a identity projection.
+ let slice_view = unsafe {
+ Self::project_view(
+ view,
+ core::ptr::slice_from_raw_parts_mut::<u8>(ptr.cast(), size_of::<T>()),
+ )
+ };
+
+ // SAFETY: `&raw const value` is valid for read for `size_of::<T>()` bytes.
+ unsafe { Self::copy_to_io(slice_view, (&raw const value).cast()) };
+ core::mem::forget(value);
+ }
+}
+
/// Describes a given I/O location: its offset, width, and type to convert the raw value from and
/// into.
///
@@ -304,6 +360,24 @@ fn size(self) -> usize {
KnownSize::size(Self::Backend::as_ptr(self.as_view()))
}
+ /// Returns the length of the slice in number of elements.
+ #[inline]
+ fn len<T>(self) -> usize
+ where
+ Self: Io<'a, Target = [T]>,
+ {
+ Self::Backend::as_ptr(self.as_view()).len()
+ }
+
+ /// Returns `true` if the slice has a length of 0.
+ #[inline]
+ fn is_empty<T>(self) -> bool
+ where
+ Self: Io<'a, Target = [T]>,
+ {
+ self.len() == 0
+ }
+
/// Try to convert into a different typed I/O view.
///
/// The target type must be of same or smaller size to current type, and the current view must
@@ -391,6 +465,105 @@ fn write_val(self, value: Self::Target)
Self::Backend::io_write(self.as_view(), value)
}
+ /// Copy-read from I/O memory.
+ ///
+ /// There is no atomicity guarantee.
+ ///
+ /// # Examples
+ ///
+ /// ```no_run
+ /// # use kernel::io::*;
+ /// # fn test_copy_read(mmio: Mmio<'_, [u8; 6]>) {
+ /// // let mmio: Mmio<'_, [u8; 6]>;
+ /// let val: [u8; 6] = mmio.copy_read();
+ /// # }
+ /// ```
+ #[inline]
+ fn copy_read(self) -> Self::Target
+ where
+ Self::Backend: IoCopyable,
+ Self::Target: Sized + FromBytes,
+ {
+ Self::Backend::copy_read(self.as_view())
+ }
+
+ /// Copy-write to I/O memory.
+ ///
+ /// There is no atomicity guarantee.
+ ///
+ /// # Examples
+ ///
+ /// ```no_run
+ /// # use kernel::io::*;
+ /// # fn test_copy_write(mmio: Mmio<'_, [u8; 6]>) {
+ /// // let mmio: Mmio<'_, [u8; 6]>;
+ /// mmio.copy_write([0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF]);
+ /// # }
+ /// ```
+ #[inline]
+ fn copy_write(self, value: Self::Target)
+ where
+ Self::Backend: IoCopyable,
+ Self::Target: Sized + IntoBytes,
+ {
+ Self::Backend::copy_write(self.as_view(), value);
+ }
+
+ /// Copy bytes from slice to I/O memory.
+ ///
+ /// The length of `self` must be the same as `data`, similar to [`[u8]::copy_from_slice`].
+ ///
+ /// # Examples
+ ///
+ /// ```no_run
+ /// # use kernel::io::*;
+ /// # fn test_copy_write(mmio: Mmio<'_, [u8]>) {
+ /// // let mmio: Mmio<'_, [u8]>;
+ /// mmio.copy_from_slice(&[0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF]);
+ /// # }
+ /// ```
+ #[inline]
+ fn copy_from_slice(self, data: &[u8])
+ where
+ Self::Backend: IoCopyable,
+ Self: Io<'a, Target = [u8]>,
+ {
+ assert_eq!(self.len(), data.len());
+
+ // SAFETY: `data.as_ptr()` is valid for read for `self.size()` bytes.
+ unsafe {
+ Self::Backend::copy_to_io(self.as_view(), data.as_ptr());
+ }
+ }
+
+ /// Copy bytes from I/O memory to slice.
+ ///
+ /// The length of `self` must be the same as `data`, similar to [`[u8]::copy_from_slice`].
+ ///
+ /// # Examples
+ ///
+ /// ```no_run
+ /// # use kernel::io::*;
+ /// # fn test_copy_write(mmio: Mmio<'_, [u8]>) {
+ /// // let mmio: Mmio<'_, [u8]>;
+ /// let mut buf = [0; 6];
+ /// mmio.copy_to_slice(&mut buf);
+ /// # }
+ /// ```
+ #[inline]
+ fn copy_to_slice(self, data: &mut [u8])
+ where
+ Self::Backend: IoCopyable,
+ Self: Io<'a, Target = [u8]>,
+ {
+ assert_eq!(self.len(), data.len());
+
+ // SAFETY: `data.as_ptr()` is valid for write for `self.size()` bytes.
+ unsafe {
+ Self::Backend::copy_from_io(self.as_view(), data.as_mut_ptr());
+ }
+ }
+
/// Returns a view for a given `offset`, performing compile-time bound checks.
// Always inline to optimize out error path of `build_assert`.
#[inline(always)]
@@ -981,6 +1154,28 @@ fn io_write(view: <$backend as IoBackend>::View<'_, $ty>, value: $ty) {
#[cfg(CONFIG_64BIT)]
impl_mmio_io_capable!(MmioBackend, u64, readq, writeq);
+impl IoCopyable for MmioBackend {
+ #[inline]
+ unsafe fn copy_from_io(view: Self::View<'_, [u8]>, buffer: *mut u8) {
+ // SAFETY:
+ // - `view.ptr` is valid MMIO memory for `view.size()` bytes.
+ // - `buffer` is valid for write for `view.size()` bytes.
+ unsafe {
+ bindings::memcpy_fromio(buffer.cast(), view.ptr.cast(), view.size());
+ }
+ }
+
+ #[inline]
+ unsafe fn copy_to_io(view: Self::View<'_, [u8]>, buffer: *const u8) {
+ // SAFETY:
+ // - `view.ptr` is valid MMIO memory for `view.size()` bytes.
+ // - `buffer` is valid for read for `view.size()` bytes.
+ unsafe {
+ bindings::memcpy_toio(view.ptr.cast(), buffer.cast(), view.size());
+ }
+ }
+}
+
/// [`Mmio`] but using relaxed accessors.
///
/// This type provides an implementation of [`Io`] that uses relaxed I/O MMIO operands instead of
@@ -1145,6 +1340,47 @@ fn io_write(view: SysMem<'_, $ty>, value: $ty) {
#[cfg(CONFIG_64BIT)]
impl_sysmem_io_capable!(u64);
+impl IoCopyable for SysMemBackend {
+ #[inline]
+ unsafe fn copy_from_io(view: Self::View<'_, [u8]>, buffer: *mut u8) {
+ // Use `bindings::memcpy` instead of copy_nonoverlapping for volatile.
+ // SAFETY:
+ // - `view.ptr` is in CPU address space and valid for read.
+ // - `buffer` is valid for write for `view.size()` bytes which is equal to `view.ptr.len()`.
+ unsafe { bindings::memcpy(buffer.cast(), view.ptr.cast(), view.ptr.len()) };
+ }
+
+ #[inline]
+ unsafe fn copy_to_io(view: Self::View<'_, [u8]>, buffer: *const u8) {
+ // Use `bindings::memcpy` instead of copy_nonoverlapping for volatile.
+ // SAFETY:
+ // - `view.ptr` is in CPU address space and valid for write.
+ // - `buffer` is valid for read for `view.size()` bytes which is equal to `view.ptr.len()`.
+ unsafe { bindings::memcpy(view.ptr.cast(), buffer.cast(), view.ptr.len()) };
+ }
+
+ #[inline]
+ fn copy_read<T: FromBytes>(view: Self::View<'_, T>) -> T {
+ // SAFETY:
+ // - Per type invariant, `ptr` is valid and aligned.
+ // - Using read_volatile() here so that race with hardware is well-defined.
+ // - Using read_volatile() here is not sound if it races with other CPU per Rust
+ // rules, but this is allowed per LKMM.
+ // - The macro is only used on primitives so all bit patterns are valid.
+ unsafe { view.ptr.read_volatile() }
+ }
+
+ #[inline]
+ fn copy_write<T: IntoBytes>(view: Self::View<'_, T>, value: T) {
+ // SAFETY:
+ // - Per type invariant, `ptr` is valid and aligned.
+ // - Using write_volatile() here so that race with hardware is well-defined.
+ // - Using write_volatile() here is not sound if it races with other CPU per Rust
+ // rules, but this is allowed per LKMM.
+ unsafe { view.ptr.write_volatile(value) }
+ }
+}
+
/// System memory region.
///
/// Provides `Io` trait implementation for kernel virtual address ranges,
diff --git a/samples/rust/rust_dma.rs b/samples/rust/rust_dma.rs
index 6727c441658a..b629acc6d915 100644
--- a/samples/rust/rust_dma.rs
+++ b/samples/rust/rust_dma.rs
@@ -12,7 +12,11 @@
Device,
DmaMask, //
},
- io::io_read,
+ io::{
+ io_project,
+ io_read,
+ Io, //
+ },
page, pci,
prelude::*,
scatterlist::{Owned, SGTable},
@@ -35,6 +39,7 @@ struct DmaSampleDriver {
(0xcd, 0xef),
];
+#[derive(FromBytes, IntoBytes)]
struct MyStruct {
h: u32,
b: u32,
@@ -74,11 +79,11 @@ fn probe<'bound>(
// SAFETY: There are no concurrent calls to DMA allocation and mapping primitives.
unsafe { pdev.dma_set_mask_and_coherent(mask)? };
- let mut ca: CoherentBox<[MyStruct]> =
- CoherentBox::zeroed_slice(pdev.as_ref(), TEST_VALUES.len(), GFP_KERNEL)?;
+ let ca: Coherent<[MyStruct]> =
+ Coherent::zeroed_slice(pdev.as_ref(), TEST_VALUES.len(), GFP_KERNEL)?;
for (i, value) in TEST_VALUES.into_iter().enumerate() {
- ca.init_at(i, MyStruct::new(value.0, value.1))?;
+ io_project!(ca, [panic: i]).copy_write(MyStruct::new(value.0, value.1));
}
let size = 4 * page::PAGE_SIZE;
@@ -88,7 +93,7 @@ fn probe<'bound>(
Ok(try_pin_init!(Self {
pdev: pdev.into(),
- ca: ca.into(),
+ ca,
sgt <- sgt,
}))
})
--
2.54.0
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [PATCH v4 20/20] rust: io: implement `IoSysMap`
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
` (18 preceding siblings ...)
2026-06-11 16:28 ` [PATCH v4 19/20] rust: io: add copying methods Gary Guo
@ 2026-06-11 16:28 ` Gary Guo
19 siblings, 0 replies; 36+ messages in thread
From: Gary Guo @ 2026-06-11 16:28 UTC (permalink / raw)
To: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
Add an enum as sum type for `Mmio` and `SysMem`. This serves similar
purpose of `iosys_map`. Thanks to Rust's type system, all of projection and
struct read/write can be handled by the generic I/O projection mechanism
(i.e. `io_project!`, `io_read!, `io_write!`) for free, and there is no need
to provide things like `iosys_map_rd_field` or `iosys_map_wr_field`. An
enum type also makes it very easy to construct or destruct.
This could be made more generic by implementing on a general purpose sum
type like `Either`; however this is kept specific unless a need arises that
warrants this to be generic over other I/O backends.
Signed-off-by: Gary Guo <gary@garyguo.net>
---
rust/kernel/io.rs | 135 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 135 insertions(+)
diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
index 16f818d396bf..5cd4756cf237 100644
--- a/rust/kernel/io.rs
+++ b/rust/kernel/io.rs
@@ -1443,6 +1443,141 @@ fn as_view(self) -> <Self::Backend as IoBackend>::View<'a, Self::Target> {
}
}
+/// I/O Backend for [`IoSysMap`].
+pub struct IoSysMapBackend;
+
+/// Either [`Mmio`] or [`SysMem`].
+///
+/// This can be used when a piece of logic may wish to handle both MMIO or system memory but does
+/// not want or cannot be generic over I/O backends. This serves a similar purpose to
+/// [`include/linux/iosys-map.h`] in C.
+///
+/// This type can be used like any other types that implements [`Io`]; this also include
+/// [`io_project!`], [`io_read!`], [`io_write!`].
+///
+/// [`include/linux/iosys-map.h`](srctree/include/linux/iosys-map.h)
+pub enum IoSysMap<'a, T: ?Sized> {
+ Io(Mmio<'a, T>),
+ Sys(SysMem<'a, T>),
+}
+
+impl<T: ?Sized> Copy for IoSysMap<'_, T> {}
+impl<T: ?Sized> Clone for IoSysMap<'_, T> {
+ #[inline]
+ fn clone(&self) -> Self {
+ *self
+ }
+}
+
+impl<'a, T: ?Sized> From<Mmio<'a, T>> for IoSysMap<'a, T> {
+ #[inline]
+ fn from(value: Mmio<'a, T>) -> Self {
+ IoSysMap::Io(value)
+ }
+}
+
+impl<'a, T: ?Sized> From<SysMem<'a, T>> for IoSysMap<'a, T> {
+ #[inline]
+ fn from(value: SysMem<'a, T>) -> Self {
+ IoSysMap::Sys(value)
+ }
+}
+
+impl IoBackend for IoSysMapBackend {
+ type View<'a, T: ?Sized + KnownSize> = IoSysMap<'a, T>;
+
+ #[inline]
+ fn as_ptr<'a, T: ?Sized + KnownSize>(view: Self::View<'a, T>) -> *mut T {
+ match view {
+ IoSysMap::Io(l) => MmioBackend::as_ptr(l),
+ IoSysMap::Sys(r) => SysMemBackend::as_ptr(r),
+ }
+ }
+
+ #[inline]
+ unsafe fn project_view<'a, T: ?Sized + KnownSize, U: ?Sized + KnownSize>(
+ view: Self::View<'a, T>,
+ ptr: *mut U,
+ ) -> Self::View<'a, U> {
+ match view {
+ // SAFETY: Per safety requirement.
+ IoSysMap::Io(l) => IoSysMap::Io(unsafe { MmioBackend::project_view(l, ptr) }),
+ // SAFETY: Per safety requirement.
+ IoSysMap::Sys(r) => IoSysMap::Sys(unsafe { SysMemBackend::project_view(r, ptr) }),
+ }
+ }
+}
+
+impl<T> IoCapable<T> for IoSysMapBackend
+where
+ MmioBackend: IoCapable<T>,
+ SysMemBackend: IoCapable<T>,
+{
+ #[inline]
+ fn io_read(view: Self::View<'_, T>) -> T {
+ match view {
+ IoSysMap::Io(l) => MmioBackend::io_read(l),
+ IoSysMap::Sys(r) => SysMemBackend::io_read(r),
+ }
+ }
+
+ #[inline]
+ fn io_write<'a>(view: Self::View<'a, T>, value: T) {
+ match view {
+ IoSysMap::Io(l) => MmioBackend::io_write(l, value),
+ IoSysMap::Sys(r) => SysMemBackend::io_write(r, value),
+ }
+ }
+}
+
+impl IoCopyable for IoSysMapBackend {
+ #[inline]
+ unsafe fn copy_from_io(view: Self::View<'_, [u8]>, buffer: *mut u8) {
+ match view {
+ // SAFETY: Per safety requirement.
+ IoSysMap::Io(l) => unsafe { MmioBackend::copy_from_io(l, buffer) },
+ // SAFETY: Per safety requirement.
+ IoSysMap::Sys(r) => unsafe { SysMemBackend::copy_from_io(r, buffer) },
+ }
+ }
+
+ #[inline]
+ unsafe fn copy_to_io(view: Self::View<'_, [u8]>, buffer: *const u8) {
+ match view {
+ // SAFETY: Per safety requirement.
+ IoSysMap::Io(l) => unsafe { MmioBackend::copy_to_io(l, buffer) },
+ // SAFETY: Per safety requirement.
+ IoSysMap::Sys(r) => unsafe { SysMemBackend::copy_to_io(r, buffer) },
+ }
+ }
+
+ #[inline]
+ fn copy_read<T: FromBytes>(view: Self::View<'_, T>) -> T {
+ match view {
+ IoSysMap::Io(l) => MmioBackend::copy_read(l),
+ IoSysMap::Sys(r) => SysMemBackend::copy_read(r),
+ }
+ }
+
+ #[inline]
+ fn copy_write<T: IntoBytes>(view: Self::View<'_, T>, value: T) {
+ match view {
+ IoSysMap::Io(l) => MmioBackend::copy_write(l, value),
+ IoSysMap::Sys(r) => SysMemBackend::copy_write(r, value),
+ }
+ }
+}
+
+impl<'a, T: ?Sized + KnownSize> IoBase<'a> for IoSysMap<'a, T> {
+ type Backend = IoSysMapBackend;
+ type Target = T;
+
+ #[inline]
+ fn as_view(self) -> IoSysMap<'a, T> {
+ self
+ }
+}
+
// This helper turns associated functions to methods so it can be invoked in macro.
// Used by `io_project!()` only.
#[doc(hidden)]
--
2.54.0
^ permalink raw reply related [flat|nested] 36+ messages in thread
* Re: [PATCH v4 19/20] rust: io: add copying methods
2026-06-11 16:28 ` [PATCH v4 19/20] rust: io: add copying methods Gary Guo
@ 2026-06-11 19:36 ` Gary Guo
0 siblings, 0 replies; 36+ messages in thread
From: Gary Guo @ 2026-06-11 19:36 UTC (permalink / raw)
To: Gary Guo, Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman,
Rafael J. Wysocki, Miguel Ojeda, Boqun Feng, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter
Cc: Danilo Krummrich, driver-core, rust-for-linux, linux-kernel,
linux-pci, nova-gpu, dri-devel
On Thu Jun 11, 2026 at 5:28 PM BST, Gary Guo wrote:
> One feature that was lost from the old `dma_read!` and `dma_write!` when
> moving to `io_read!` and `io_write!` was the ability to read/write a large
> structs. However, the semantics was unclear to begin with, as there was no
> guarantee about their atomicity even for structs that were small enough to
> fit in u32. Re-introduce the capability in the form of copying methods.
>
> dma_read!(foo, bar) -> io_project!(foo, bar).copy_read()
> dma_write!(foo, bar, baz) -> io_project!(foo, bar).copy_write(baz)
>
> Model these semantics after memcpy so user has clear expectation of lack of
> atomicity. As an additional benefit of this change, this now works for MMIO
> as well by mapping them to `memcpy_{from,to}io`.
>
> For slices which is DST so the `copy_read` and `copy_write` API above can't
> work, add `copy_from_slice` and `copy_to_slice` to copy from/to normal
> memory.
>
> Signed-off-by: Gary Guo <gary@garyguo.net>
> ---
> rust/helpers/io.c | 13 +++
> rust/kernel/dma.rs | 25 +++++
> rust/kernel/io.rs | 238 ++++++++++++++++++++++++++++++++++++++++++++++-
> samples/rust/rust_dma.rs | 15 ++-
> 4 files changed, 285 insertions(+), 6 deletions(-)
>
> [snip]
>
> +
> + #[inline]
> + fn copy_read<T: FromBytes>(view: Self::View<'_, T>) -> T {
> + // SAFETY:
> + // - Per type invariant, `ptr` is valid and aligned.
> + // - Using read_volatile() here so that race with hardware is well-defined.
> + // - Using read_volatile() here is not sound if it races with other CPU per Rust
> + // rules, but this is allowed per LKMM.
> + // - The macro is only used on primitives so all bit patterns are valid.
This line should read "`T: FromBytes` so all bit patterns are valid.". I copied
from `IoCapable` impl and forgot to update the comment.
Best,
Gary
> + unsafe { view.ptr.read_volatile() }
> + }
> +
> + #[inline]
> + fn copy_write<T: IntoBytes>(view: Self::View<'_, T>, value: T) {
> + // SAFETY:
> + // - Per type invariant, `ptr` is valid and aligned.
> + // - Using write_volatile() here so that race with hardware is well-defined.
> + // - Using write_volatile() here is not sound if it races with other CPU per Rust
> + // rules, but this is allowed per LKMM.
> + unsafe { view.ptr.write_volatile(value) }
> + }
> +}
> +
> /// System memory region.
> ///
> /// Provides `Io` trait implementation for kernel virtual address ranges,
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH v4 01/20] rust: io: add dynamically-sized `Region` type
2026-06-11 16:28 ` [PATCH v4 01/20] rust: io: add dynamically-sized `Region` type Gary Guo
@ 2026-06-13 10:05 ` Miguel Ojeda
2026-06-15 4:03 ` Alexandre Courbot
1 sibling, 0 replies; 36+ messages in thread
From: Miguel Ojeda @ 2026-06-13 10:05 UTC (permalink / raw)
To: Gary Guo
Cc: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Björn Roy Baron, Benno Lossin,
Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
Alexandre Courbot, David Airlie, Simona Vetter, Danilo Krummrich,
driver-core, rust-for-linux, linux-kernel, linux-pci, nova-gpu,
dri-devel
On Thu, Jun 11, 2026 at 6:28 PM Gary Guo <gary@garyguo.net> wrote:
>
> + /// Create a raw mutable pointer from given base address and size.
> + ///
> + /// The alignment of `base` is checked, and `size` is checked against the minimum size specified
> + /// via const generics.
> + #[inline]
> + pub fn ptr_try_from_raw_parts_mut(base: *mut u8, size: usize) -> Result<*mut Self> {
> + if size < SIZE || base.align_offset(4) != 0 || !size.is_multiple_of(4) {
> + return Err(EINVAL);
> + }
> +
> + Ok(Self::ptr_from_raw_parts_mut(base, size))
> + }
Hmm... I wonder if, at least for the `try_` one, we should have `//
INVARIANT:` on top of the `Ok`, since we at least checked that part.
> +// Stable since Rust 1.87.0.
> +#![feature(unsigned_is_multiple_of)]
It indeed appears available without changes since Rust 1.82.0 <= MSRV.
Acked-by: Miguel Ojeda <ojeda@kernel.org>
I think Danilo asked for the Acked-by back in the first version but
you dropped it since the patch changed, so here it is again :)
Thanks!
Cheers,
Miguel
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH v4 01/20] rust: io: add dynamically-sized `Region` type
2026-06-11 16:28 ` [PATCH v4 01/20] rust: io: add dynamically-sized `Region` type Gary Guo
2026-06-13 10:05 ` Miguel Ojeda
@ 2026-06-15 4:03 ` Alexandre Courbot
2026-06-15 10:05 ` Gary Guo
2026-06-15 11:47 ` Miguel Ojeda
1 sibling, 2 replies; 36+ messages in thread
From: Alexandre Courbot @ 2026-06-15 4:03 UTC (permalink / raw)
To: Gary Guo
Cc: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Björn Roy Baron, Benno Lossin,
Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
David Airlie, Simona Vetter, Danilo Krummrich, driver-core,
rust-for-linux, linux-kernel, linux-pci, nova-gpu, dri-devel
On Fri Jun 12, 2026 at 1:28 AM JST, Gary Guo wrote:
> Currently many I/O related structs carry a `SIZE` parameter to denote the
> minimum size of the I/O region, while they also carry a field indicating
> the actual size. Proliferation of the pattern creates a lot of duplicated
> code, and makes it hard to create typed views of I/O.
>
> Introduce a `Region` type that carries the `SIZE` parameter. It is a
> wrapper of `[u8]`, which makes it dynamically sized with a metadata of
> `usize`. This way, pointers to `Region` naturally carry size information.
> This type is required to be 4-byte aligned.
>
> Expose the minimum size information via `MIN_SIZE` constant of the
> `KnownSize` trait. Similarly, expose the minimum alignment information via
> `KnownSize::MIN_ALIGN`.
>
> With these changes, it is possible to add an associated type to `Io` trait
> to represent the type of I/O region. For untyped regions, this is the newly
> added `Region` type. Remove `IoKnownSize` as it is no longer necessary. Use
> the same mechanism to indicate minimum size of PCI config spaces.
>
> Signed-off-by: Gary Guo <gary@garyguo.net>
> ---
> rust/kernel/devres.rs | 6 +--
> rust/kernel/io.rs | 130 +++++++++++++++++++++++++++++++++-----------------
> rust/kernel/lib.rs | 3 ++
> rust/kernel/pci.rs | 1 -
> rust/kernel/pci/io.rs | 40 +++++++---------
> rust/kernel/ptr.rs | 12 +++++
> 6 files changed, 118 insertions(+), 74 deletions(-)
>
> diff --git a/rust/kernel/devres.rs b/rust/kernel/devres.rs
> index 11ce500e9b76..ed30ccc6e68e 100644
> --- a/rust/kernel/devres.rs
> +++ b/rust/kernel/devres.rs
> @@ -68,7 +68,6 @@ struct Inner<T> {
> /// devres::Devres,
> /// io::{
> /// Io,
> -/// IoKnownSize,
> /// Mmio,
> /// MmioRaw,
> /// PhysAddr, //
> @@ -297,10 +296,7 @@ pub fn device(&self) -> &Device {
> /// use kernel::{
> /// device::Core,
> /// devres::Devres,
> - /// io::{
> - /// Io,
> - /// IoKnownSize, //
> - /// },
> + /// io::Io,
> /// pci, //
> /// };
> ///
> diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
> index fcc7678fd9e3..bef571dad6eb 100644
> --- a/rust/kernel/io.rs
> +++ b/rust/kernel/io.rs
> @@ -6,7 +6,11 @@
>
> use crate::{
> bindings,
> - prelude::*, //
> + prelude::*,
> + ptr::{
> + Alignment,
> + KnownSize, //
> + }, //
> };
>
> pub mod mem;
> @@ -31,6 +35,58 @@
> /// `CONFIG_PHYS_ADDR_T_64BIT`, and it can be a u64 even on 32-bit architectures.
> pub type ResourceSize = bindings::resource_size_t;
>
> +/// Untyped I/O region.
> +///
> +/// This type can be used when an I/O region without known type information has a compile-time known
> +/// minimum size (and a runtime known actual size).
> +///
> +/// This must be 4-byte aligned.
> +///
> +/// # Invariants
> +///
> +/// Size of the region is at least as large as the `SIZE` generic parameter.
I noticed that patch 13 adds the "size must be multiple of 4" invariant.
The doccomment for `ptr_from_raw_parts_mut` says that "size should be
4-bytes aligned" though, which sounds like the same to me. So should
that second invariant be introduced in this patch instead of patch 13?
> +#[repr(C, align(4))]
> +pub struct Region<const SIZE: usize = 0> {
> + inner: [u8],
> +}
> +
> +impl<const SIZE: usize> Region<SIZE> {
> + /// Create a raw mutable pointer from given base address and size.
> + ///
> + /// `size` should be at least as large as the minimum size `SIZE`, and `base` and `size` should
> + /// be 4-byte aligned to uphold the type invariant.
s/should/must? I guess we are running into all sort of issues if we
create regions which runtime size is smaller than the compile-time one,
and this is an invariant of `Region` itself.
Maybe this method should even be made `unsafe` for this reason? The
caller will need to write a `SAFETY` comment before dereferencing the
pointer, but IIUC this comment is bound to cover the pointer invariants,
not necessarily those of `Region`. Making the method `unsafe` would
force the user to cover them here.
> + ///
> + /// Just like other methods on raw pointers, it is not unsafe to create a raw pointer
> + /// that does not uphold the type invariants. However such pointers are not valid.
> + #[inline]
> + pub fn ptr_from_raw_parts_mut(base: *mut u8, size: usize) -> *mut Self {
> + core::ptr::slice_from_raw_parts_mut(base, size) as *mut Region<SIZE>
> + }
> +
> + /// Create a raw mutable pointer from given base address and size.
> + ///
> + /// The alignment of `base` is checked, and `size` is checked against the minimum size specified
> + /// via const generics.
> + #[inline]
> + pub fn ptr_try_from_raw_parts_mut(base: *mut u8, size: usize) -> Result<*mut Self> {
> + if size < SIZE || base.align_offset(4) != 0 || !size.is_multiple_of(4) {
> + return Err(EINVAL);
> + }
> +
> + Ok(Self::ptr_from_raw_parts_mut(base, size))
> + }
> +}
> +
> +impl<const SIZE: usize> KnownSize for Region<SIZE> {
> + const MIN_SIZE: usize = SIZE;
> + const MIN_ALIGN: Alignment = Alignment::new::<4>();
> +
> + #[inline(always)]
> + fn size(p: *const Self) -> usize {
> + (p as *const [u8]).len()
> + }
> +}
> +
> /// Raw representation of an MMIO region.
> ///
> /// By itself, the existence of an instance of this structure does not provide any guarantees that
> @@ -85,7 +141,6 @@ pub fn maxsize(&self) -> usize {
> /// ffi::c_void,
> /// io::{
> /// Io,
> -/// IoKnownSize,
> /// Mmio,
> /// MmioRaw,
> /// PhysAddr,
> @@ -241,12 +296,25 @@ fn offset(self) -> usize {
> /// For MMIO regions, all widths (u8, u16, u32, and u64 on 64-bit systems) are typically
> /// supported. For PCI configuration space, u8, u16, and u32 are supported but u64 is not.
> pub trait Io {
> + /// Type of this I/O region. For untyped regions, [`Region`] can be used.
> + type Target: ?Sized + KnownSize;
> +
> /// Returns the base address of this mapping.
> fn addr(&self) -> usize;
>
> /// Returns the maximum size of this mapping.
> fn maxsize(&self) -> usize;
>
> + /// Returns the absolute I/O address for a given `offset`,
> + /// performing compile-time bound checks.
nit: this doccomment could be a one liner.
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH v4 02/20] rust: io: add missing safety requirement in `IoCapable` methods
2026-06-11 16:28 ` [PATCH v4 02/20] rust: io: add missing safety requirement in `IoCapable` methods Gary Guo
@ 2026-06-15 4:28 ` Alexandre Courbot
2026-06-15 10:13 ` Gary Guo
0 siblings, 1 reply; 36+ messages in thread
From: Alexandre Courbot @ 2026-06-15 4:28 UTC (permalink / raw)
To: Gary Guo
Cc: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Björn Roy Baron, Benno Lossin,
Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
David Airlie, Simona Vetter, Danilo Krummrich, driver-core,
rust-for-linux, linux-kernel, linux-pci, nova-gpu, dri-devel
On Fri Jun 12, 2026 at 1:28 AM JST, Gary Guo wrote:
> The current safety comment on `io_read`/`io_write` does not cover the topic
> about alignment. Add it so it can be relied on by implementor of
> `IoCapable`.
>
> Expand the check `Io` by taking `self.addr()` into consideration when
"the check performed by `Io`" maybe?
> checking if `offset` is aligned. For the compile-time `io_addr_assert`
> check, check using the known minimum alignment of `IO::Target` and the
typo: s/IO/Io.
> accessed type.
>
> While at it, fix the alignment check to use `align_of` instead of
> `size_of`. The values match for all primitives (including u64, given that
> we do not provide u64 accessor on 32-bit platforms), but are not
> necessarily true for custom types.
>
> Signed-off-by: Gary Guo <gary@garyguo.net>
> ---
> rust/kernel/io.rs | 25 ++++++++++++++++---------
> 1 file changed, 16 insertions(+), 9 deletions(-)
>
> diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
> index bef571dad6eb..fa9ae39ad9d2 100644
> --- a/rust/kernel/io.rs
> +++ b/rust/kernel/io.rs
> @@ -196,13 +196,14 @@ pub fn maxsize(&self) -> usize {
> #[repr(transparent)]
> pub struct Mmio<const SIZE: usize = 0>(MmioRaw<SIZE>);
>
> -/// Checks whether an access of type `U` at the given `offset`
> +/// Checks whether an access of type `U` at the given `base` and the given `offset`
> /// is valid within this region.
> +///
> +/// The `base` is used for alignment checking only. This can be set to 0 to skip the check.
> #[inline]
> -const fn offset_valid<U>(offset: usize, size: usize) -> bool {
> - let type_size = core::mem::size_of::<U>();
> - if let Some(end) = offset.checked_add(type_size) {
> - end <= size && offset % type_size == 0
> +const fn offset_valid<U>(base: usize, offset: usize, size: usize) -> bool {
> + if let Some(end) = offset.checked_add(size_of::<U>()) {
> + end <= size && (base.wrapping_add(offset) % align_of::<U>() == 0)
> } else {
> false
> }
> @@ -221,14 +222,16 @@ pub trait IoCapable<T> {
> ///
> /// # Safety
> ///
> - /// The range `[address..address + size_of::<T>()]` must be within the bounds of `Self`.
> + /// - The range `[address..address + size_of::<T>()]` must be within the bounds of `Self`.
> + /// - `address` must be aligned.
> unsafe fn io_read(&self, address: usize) -> T;
>
> /// Performs an I/O write of `value` at `address`.
> ///
> /// # Safety
> ///
> - /// The range `[address..address + size_of::<T>()]` must be within the bounds of `Self`.
> + /// - The range `[address..address + size_of::<T>()]` must be within the bounds of `Self`.
> + /// - `address` must be aligned.
> unsafe fn io_write(&self, value: T, address: usize);
> }
>
> @@ -310,7 +313,11 @@ pub trait Io {
> // Always inline to optimize out error path of `build_assert`.
> #[inline(always)]
> fn io_addr_assert<U>(&self, offset: usize) -> usize {
> - build_assert!(offset_valid::<U>(offset, Self::Target::MIN_SIZE));
> + // We cannot check alignment with `offset_valid` using `self.addr()`. So set 0 for it and
> + // ensure alignment by checking that the alignment of `U` is smaller or equal to the
> + // alignment of `Self::Target`.
> + const_assert!(Alignment::of::<U>().as_usize() <= Self::Target::MIN_ALIGN.as_usize());
> + build_assert!(offset_valid::<U>(0, offset, Self::Target::MIN_SIZE));
IIUC this can allow unaligned accesses if `self.addr()` itself is not
properly aligned. Do we need a new `Io` invariant for that or is it
already enforced somewhere?
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH v4 03/20] rust: io: restrict untyped IO access and `register!` to `Region`
2026-06-11 16:28 ` [PATCH v4 03/20] rust: io: restrict untyped IO access and `register!` to `Region` Gary Guo
@ 2026-06-15 5:17 ` Alexandre Courbot
2026-06-15 10:22 ` Gary Guo
0 siblings, 1 reply; 36+ messages in thread
From: Alexandre Courbot @ 2026-06-15 5:17 UTC (permalink / raw)
To: Gary Guo
Cc: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Björn Roy Baron, Benno Lossin,
Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
David Airlie, Simona Vetter, Danilo Krummrich, driver-core,
rust-for-linux, linux-kernel, linux-pci, nova-gpu, dri-devel
On Fri Jun 12, 2026 at 1:28 AM JST, Gary Guo wrote:
> Currently the `Io` trait exposes a bunch of untyped IO accesses, but if the
> `Io` region itself is typed, then it might be weird to have
>
> let io: Mmio<u32> = /* ... */;
> io.read8(1);
>
> while not unsound, it is surely strange. Thus, restrict the untyped methods
> and also the register macro to `Region` type only.
>
> Implement it by adding a generic type to `IoLoc` indicating allowed base
> types. This also paves the way to add typed register blocks in the future;
> for example, we could use this mechanism to block driver A's `register!()`
> generated macro from being used on driver B's MMIO. The same mechanism
> could be used for relative IO registers. These are future opportunities,
> and for now restrict everything to require `IoLoc<Region<SIZE>, _>`.
>
> Suggested-by: Alexandre Courbot <acourbot@nvidia.com>
> Link: https://lore.kernel.org/rust-for-linux/DHLB3RO3OSF5.2R7F27U99BKLN@nvidia.com/
> Signed-off-by: Gary Guo <gary@garyguo.net>
Reviewed-by: Alexandre Courbot <acourbot@nvidia.com>
<...>
> --- a/rust/kernel/io/register.rs
> +++ b/rust/kernel/io/register.rs
> @@ -113,6 +113,8 @@
> io::IoLoc, //
> };
>
> +use super::Region;
> +
> /// Trait implemented by all registers.
> pub trait Register: Sized {
> /// Backing primitive type of the register.
> @@ -129,7 +131,7 @@ pub trait FixedRegister: Register {}
>
> /// Allows `()` to be used as the `location` parameter of [`Io::write`](super::Io::write) when
> /// passing a [`FixedRegister`] value.
> -impl<T> IoLoc<T> for ()
> +impl<const SIZE: usize, T> IoLoc<Region<SIZE>, T> for ()
> where
> T: FixedRegister,
> {
> @@ -143,7 +145,7 @@ fn offset(self) -> usize {
>
> /// A [`FixedRegister`] carries its location in its type. Thus `FixedRegister` values can be used
> /// as an [`IoLoc`].
> -impl<T> IoLoc<T> for T
> +impl<const SIZE: usize, T> IoLoc<Region<SIZE>, T> for T
> where
> T: FixedRegister,
> {
> @@ -168,7 +170,7 @@ pub const fn new() -> Self {
> }
> }
>
> -impl<T> IoLoc<T> for FixedRegisterLoc<T>
> +impl<const SIZE: usize, T> IoLoc<Region<SIZE>, T> for FixedRegisterLoc<T>
> where
> T: FixedRegister,
> {
> @@ -239,7 +241,8 @@ const fn offset(self) -> usize {
> }
> }
>
> -impl<T, B> IoLoc<T> for RelativeRegisterLoc<T, B>
> +// FIXME: Make use of `Base` type parameter of `Region` directly.
`Region` does not have any `Base` type parameter, so I am not sure what
this refers to.
Is this to make relative registers tied to a specific register block
type? If so, it would help to expand this FIXME a bit as it might be
difficult to understand without context.
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH v4 04/20] rust: io: implement `Io` on reference types instead
2026-06-11 16:28 ` [PATCH v4 04/20] rust: io: implement `Io` on reference types instead Gary Guo
@ 2026-06-15 5:29 ` Alexandre Courbot
0 siblings, 0 replies; 36+ messages in thread
From: Alexandre Courbot @ 2026-06-15 5:29 UTC (permalink / raw)
To: Gary Guo
Cc: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Björn Roy Baron, Benno Lossin,
Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
David Airlie, Simona Vetter, Danilo Krummrich, driver-core,
rust-for-linux, linux-kernel, linux-pci, nova-gpu, dri-devel
On Fri Jun 12, 2026 at 1:28 AM JST, Gary Guo wrote:
> Currently, `Io` is implemented on owned I/O objects (e.g. `Bar`). This is
> going to change with I/O projections, as then `Io` need to work both for
nit: s/need/needs.
> owned objects and views of them. Views are themselves reference-like
> (however they obviously cannot be references, because they belong to a
> different address space).
>
> To faciliate the change, change `Io` to be implemented on reference types
typo: facilitate.
> for the owned I/O objects, and make methods take `self` instead of `&self`.
> When I/O views are implemented, we can then naturally implement `Io` for
> these objects.
>
> Signed-off-by: Gary Guo <gary@garyguo.net>
> ---
> rust/kernel/io.rs | 80 +++++++++++++++++++++++++--------------------------
> rust/kernel/pci/io.rs | 12 ++++----
> 2 files changed, 46 insertions(+), 46 deletions(-)
>
> diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
> index 38281636b4da..3b478dcf10f9 100644
> --- a/rust/kernel/io.rs
> +++ b/rust/kernel/io.rs
> @@ -224,7 +224,7 @@ pub trait IoCapable<T> {
> ///
> /// - The range `[address..address + size_of::<T>()]` must be within the bounds of `Self`.
> /// - `address` must be aligned.
> - unsafe fn io_read(&self, address: usize) -> T;
> + unsafe fn io_read(self, address: usize) -> T;
>
> /// Performs an I/O write of `value` at `address`.
> ///
> @@ -232,7 +232,7 @@ pub trait IoCapable<T> {
> ///
> /// - The range `[address..address + size_of::<T>()]` must be within the bounds of `Self`.
> /// - `address` must be aligned.
> - unsafe fn io_write(&self, value: T, address: usize);
> + unsafe fn io_write(self, value: T, address: usize);
> }
>
> /// Describes a given I/O location: its offset, width, and type to convert the raw value from and
> @@ -299,21 +299,21 @@ fn offset(self) -> usize {
> ///
> /// For MMIO regions, all widths (u8, u16, u32, and u64 on 64-bit systems) are typically
> /// supported. For PCI configuration space, u8, u16, and u32 are supported but u64 is not.
> -pub trait Io {
> +pub trait Io: Copy {
This requirement on `Copy` could seem a bit confusing without context -
maybe mention explicitly in `Io`'s doccomment that this type is expected
to be implemented on cheaply copyable handles like references and views?
Regardless,
Reviewed-by: Alexandre Courbot <acourbot@nvidia.com>
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH v4 05/20] rust: io: generalize `MmioRaw` to pointer to arbitrary type
2026-06-11 16:28 ` [PATCH v4 05/20] rust: io: generalize `MmioRaw` to pointer to arbitrary type Gary Guo
@ 2026-06-15 8:04 ` Alexandre Courbot
0 siblings, 0 replies; 36+ messages in thread
From: Alexandre Courbot @ 2026-06-15 8:04 UTC (permalink / raw)
To: Gary Guo
Cc: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Björn Roy Baron, Benno Lossin,
Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
David Airlie, Simona Vetter, Danilo Krummrich, driver-core,
rust-for-linux, linux-kernel, linux-pci, nova-gpu, dri-devel
On Fri Jun 12, 2026 at 1:28 AM JST, Gary Guo wrote:
> Conceptually, `MmioRaw` is just `__iomem *`, so it should work for any
> types. Update the existing use case where it represents a region of
> compile-time known minimum size and run-time known actual size to use the
> dynamic-sized type `Region<SIZE>` instead. Rename `maxsize` method to
> reflect that it is the actual size (not a bound) of the region.
>
> Implement `Clone` and `Copy` manually, which cannot be derived due to the
> generic parameter. The use of raw pointers also cause the `Send` and `Sync`
> auto trait implementation to be lost, so add them back by manual
> implementation.
>
> Signed-off-by: Gary Guo <gary@garyguo.net>
Sashiko's potential leak on ioremap's error path seems worthy of
investigation, but it is not introduced by this patch so:
Reviewed-by: Alexandre Courbot <acourbot@nvidia.com>
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH v4 06/20] rust: io: rename `Mmio` to `MmioOwned`
2026-06-11 16:28 ` [PATCH v4 06/20] rust: io: rename `Mmio` to `MmioOwned` Gary Guo
@ 2026-06-15 8:09 ` Alexandre Courbot
0 siblings, 0 replies; 36+ messages in thread
From: Alexandre Courbot @ 2026-06-15 8:09 UTC (permalink / raw)
To: Gary Guo
Cc: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Björn Roy Baron, Benno Lossin,
Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
David Airlie, Simona Vetter, Danilo Krummrich, driver-core,
rust-for-linux, linux-kernel, linux-pci, nova-gpu, dri-devel
On Fri Jun 12, 2026 at 1:28 AM JST, Gary Guo wrote:
> Most users would more commonly reach out to a view of `Mmio` rather than an
> owned instance of `Mmio`. Only implementor of `Io` like `Bar` or `IoMem`
> would need the owned version. Thus, rename `Mmio` to `MmioOwned` so that
> the name `Mmio` can be used for the view type instead.
>
> Signed-off-by: Gary Guo <gary@garyguo.net>
Reviewed-by: Alexandre Courbot <acourbot@nvidia.com>
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH v4 01/20] rust: io: add dynamically-sized `Region` type
2026-06-15 4:03 ` Alexandre Courbot
@ 2026-06-15 10:05 ` Gary Guo
2026-06-15 11:47 ` Miguel Ojeda
1 sibling, 0 replies; 36+ messages in thread
From: Gary Guo @ 2026-06-15 10:05 UTC (permalink / raw)
To: Alexandre Courbot, Gary Guo
Cc: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Björn Roy Baron, Benno Lossin,
Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
David Airlie, Simona Vetter, Danilo Krummrich, driver-core,
rust-for-linux, linux-kernel, linux-pci, nova-gpu, dri-devel
On Mon Jun 15, 2026 at 5:03 AM BST, Alexandre Courbot wrote:
> On Fri Jun 12, 2026 at 1:28 AM JST, Gary Guo wrote:
>> Currently many I/O related structs carry a `SIZE` parameter to denote the
>> minimum size of the I/O region, while they also carry a field indicating
>> the actual size. Proliferation of the pattern creates a lot of duplicated
>> code, and makes it hard to create typed views of I/O.
>>
>> Introduce a `Region` type that carries the `SIZE` parameter. It is a
>> wrapper of `[u8]`, which makes it dynamically sized with a metadata of
>> `usize`. This way, pointers to `Region` naturally carry size information.
>> This type is required to be 4-byte aligned.
>>
>> Expose the minimum size information via `MIN_SIZE` constant of the
>> `KnownSize` trait. Similarly, expose the minimum alignment information via
>> `KnownSize::MIN_ALIGN`.
>>
>> With these changes, it is possible to add an associated type to `Io` trait
>> to represent the type of I/O region. For untyped regions, this is the newly
>> added `Region` type. Remove `IoKnownSize` as it is no longer necessary. Use
>> the same mechanism to indicate minimum size of PCI config spaces.
>>
>> Signed-off-by: Gary Guo <gary@garyguo.net>
>> ---
>> rust/kernel/devres.rs | 6 +--
>> rust/kernel/io.rs | 130 +++++++++++++++++++++++++++++++++-----------------
>> rust/kernel/lib.rs | 3 ++
>> rust/kernel/pci.rs | 1 -
>> rust/kernel/pci/io.rs | 40 +++++++---------
>> rust/kernel/ptr.rs | 12 +++++
>> 6 files changed, 118 insertions(+), 74 deletions(-)
>>
>> diff --git a/rust/kernel/devres.rs b/rust/kernel/devres.rs
>> index 11ce500e9b76..ed30ccc6e68e 100644
>> --- a/rust/kernel/devres.rs
>> +++ b/rust/kernel/devres.rs
>> @@ -68,7 +68,6 @@ struct Inner<T> {
>> /// devres::Devres,
>> /// io::{
>> /// Io,
>> -/// IoKnownSize,
>> /// Mmio,
>> /// MmioRaw,
>> /// PhysAddr, //
>> @@ -297,10 +296,7 @@ pub fn device(&self) -> &Device {
>> /// use kernel::{
>> /// device::Core,
>> /// devres::Devres,
>> - /// io::{
>> - /// Io,
>> - /// IoKnownSize, //
>> - /// },
>> + /// io::Io,
>> /// pci, //
>> /// };
>> ///
>> diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
>> index fcc7678fd9e3..bef571dad6eb 100644
>> --- a/rust/kernel/io.rs
>> +++ b/rust/kernel/io.rs
>> @@ -6,7 +6,11 @@
>>
>> use crate::{
>> bindings,
>> - prelude::*, //
>> + prelude::*,
>> + ptr::{
>> + Alignment,
>> + KnownSize, //
>> + }, //
>> };
>>
>> pub mod mem;
>> @@ -31,6 +35,58 @@
>> /// `CONFIG_PHYS_ADDR_T_64BIT`, and it can be a u64 even on 32-bit architectures.
>> pub type ResourceSize = bindings::resource_size_t;
>>
>> +/// Untyped I/O region.
>> +///
>> +/// This type can be used when an I/O region without known type information has a compile-time known
>> +/// minimum size (and a runtime known actual size).
>> +///
>> +/// This must be 4-byte aligned.
>> +///
>> +/// # Invariants
>> +///
>> +/// Size of the region is at least as large as the `SIZE` generic parameter.
>
> I noticed that patch 13 adds the "size must be multiple of 4" invariant.
> The doccomment for `ptr_from_raw_parts_mut` says that "size should be
> 4-bytes aligned" though, which sounds like the same to me. So should
> that second invariant be introduced in this patch instead of patch 13?
Oops, I think this is a bad `git absorb` operation that I didn't checked
carefully.
>
>> +#[repr(C, align(4))]
>> +pub struct Region<const SIZE: usize = 0> {
>> + inner: [u8],
>> +}
>> +
>> +impl<const SIZE: usize> Region<SIZE> {
>> + /// Create a raw mutable pointer from given base address and size.
>> + ///
>> + /// `size` should be at least as large as the minimum size `SIZE`, and `base` and `size` should
>> + /// be 4-byte aligned to uphold the type invariant.
>
> s/should/must? I guess we are running into all sort of issues if we
> create regions which runtime size is smaller than the compile-time one,
> and this is an invariant of `Region` itself.
>
> Maybe this method should even be made `unsafe` for this reason? The
> caller will need to write a `SAFETY` comment before dereferencing the
> pointer, but IIUC this comment is bound to cover the pointer invariants,
> not necessarily those of `Region`. Making the method `unsafe` would
> force the user to cover them here.
Note that the function implementation is completely safe, and it can be done
outside the module, too.
Thus, the real constraint is that user doing raw pointer needs to be careful.
This is true for all pointers. You can safely cast between any raw pointers, and
dereference requires you to uphold the invariant of target type. This is true
for all types with invariants, you can do
*core::ptr::from_ref(&0).cast::<NonZero<u8>>()
And the unsafe part is the dereference, not the cast.
Best,
Gary
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH v4 02/20] rust: io: add missing safety requirement in `IoCapable` methods
2026-06-15 4:28 ` Alexandre Courbot
@ 2026-06-15 10:13 ` Gary Guo
2026-06-15 14:10 ` Alexandre Courbot
0 siblings, 1 reply; 36+ messages in thread
From: Gary Guo @ 2026-06-15 10:13 UTC (permalink / raw)
To: Alexandre Courbot, Gary Guo
Cc: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Björn Roy Baron, Benno Lossin,
Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
David Airlie, Simona Vetter, Danilo Krummrich, driver-core,
rust-for-linux, linux-kernel, linux-pci, nova-gpu, dri-devel
On Mon Jun 15, 2026 at 5:28 AM BST, Alexandre Courbot wrote:
> On Fri Jun 12, 2026 at 1:28 AM JST, Gary Guo wrote:
>> The current safety comment on `io_read`/`io_write` does not cover the topic
>> about alignment. Add it so it can be relied on by implementor of
>> `IoCapable`.
>>
>> Expand the check `Io` by taking `self.addr()` into consideration when
>
> "the check performed by `Io`" maybe?
>
>> checking if `offset` is aligned. For the compile-time `io_addr_assert`
>> check, check using the known minimum alignment of `IO::Target` and the
>
> typo: s/IO/Io.
>
>> accessed type.
>>
>> While at it, fix the alignment check to use `align_of` instead of
>> `size_of`. The values match for all primitives (including u64, given that
>> we do not provide u64 accessor on 32-bit platforms), but are not
>> necessarily true for custom types.
>>
>> Signed-off-by: Gary Guo <gary@garyguo.net>
>> ---
>> rust/kernel/io.rs | 25 ++++++++++++++++---------
>> 1 file changed, 16 insertions(+), 9 deletions(-)
>>
>> diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
>> index bef571dad6eb..fa9ae39ad9d2 100644
>> --- a/rust/kernel/io.rs
>> +++ b/rust/kernel/io.rs
>> @@ -196,13 +196,14 @@ pub fn maxsize(&self) -> usize {
>> #[repr(transparent)]
>> pub struct Mmio<const SIZE: usize = 0>(MmioRaw<SIZE>);
>>
>> -/// Checks whether an access of type `U` at the given `offset`
>> +/// Checks whether an access of type `U` at the given `base` and the given `offset`
>> /// is valid within this region.
>> +///
>> +/// The `base` is used for alignment checking only. This can be set to 0 to skip the check.
>> #[inline]
>> -const fn offset_valid<U>(offset: usize, size: usize) -> bool {
>> - let type_size = core::mem::size_of::<U>();
>> - if let Some(end) = offset.checked_add(type_size) {
>> - end <= size && offset % type_size == 0
>> +const fn offset_valid<U>(base: usize, offset: usize, size: usize) -> bool {
>> + if let Some(end) = offset.checked_add(size_of::<U>()) {
>> + end <= size && (base.wrapping_add(offset) % align_of::<U>() == 0)
>> } else {
>> false
>> }
>> @@ -221,14 +222,16 @@ pub trait IoCapable<T> {
>> ///
>> /// # Safety
>> ///
>> - /// The range `[address..address + size_of::<T>()]` must be within the bounds of `Self`.
>> + /// - The range `[address..address + size_of::<T>()]` must be within the bounds of `Self`.
>> + /// - `address` must be aligned.
>> unsafe fn io_read(&self, address: usize) -> T;
>>
>> /// Performs an I/O write of `value` at `address`.
>> ///
>> /// # Safety
>> ///
>> - /// The range `[address..address + size_of::<T>()]` must be within the bounds of `Self`.
>> + /// - The range `[address..address + size_of::<T>()]` must be within the bounds of `Self`.
>> + /// - `address` must be aligned.
>> unsafe fn io_write(&self, value: T, address: usize);
>> }
>>
>> @@ -310,7 +313,11 @@ pub trait Io {
>> // Always inline to optimize out error path of `build_assert`.
>> #[inline(always)]
>> fn io_addr_assert<U>(&self, offset: usize) -> usize {
>> - build_assert!(offset_valid::<U>(offset, Self::Target::MIN_SIZE));
>> + // We cannot check alignment with `offset_valid` using `self.addr()`. So set 0 for it and
>> + // ensure alignment by checking that the alignment of `U` is smaller or equal to the
>> + // alignment of `Self::Target`.
>> + const_assert!(Alignment::of::<U>().as_usize() <= Self::Target::MIN_ALIGN.as_usize());
>> + build_assert!(offset_valid::<U>(0, offset, Self::Target::MIN_SIZE));
>
> IIUC this can allow unaligned accesses if `self.addr()` itself is not
> properly aligned. Do we need a new `Io` invariant for that or is it
> already enforced somewhere?
Adding a trait invariant would require marking the trait as `unsafe`, which I
don't want to do because the `addr()` method is removed later anyway.
One argument is that it's `Io` implementation causing issue for its own if its
`addr()` is not aligned. This is later redefined using projection and views,
which further shifts responsiblity of upholding invariants to the `Io` type
implementator itself.
Best,
Gary
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH v4 03/20] rust: io: restrict untyped IO access and `register!` to `Region`
2026-06-15 5:17 ` Alexandre Courbot
@ 2026-06-15 10:22 ` Gary Guo
0 siblings, 0 replies; 36+ messages in thread
From: Gary Guo @ 2026-06-15 10:22 UTC (permalink / raw)
To: Alexandre Courbot, Gary Guo
Cc: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Björn Roy Baron, Benno Lossin,
Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
David Airlie, Simona Vetter, Danilo Krummrich, driver-core,
rust-for-linux, linux-kernel, linux-pci, nova-gpu, dri-devel
On Mon Jun 15, 2026 at 6:17 AM BST, Alexandre Courbot wrote:
> On Fri Jun 12, 2026 at 1:28 AM JST, Gary Guo wrote:
>> -impl<T, B> IoLoc<T> for RelativeRegisterLoc<T, B>
>> +// FIXME: Make use of `Base` type parameter of `Region` directly.
>
> `Region` does not have any `Base` type parameter, so I am not sure what
> this refers to.
Hmm, this is indeed awkwardly worded. I think I want to say
Make use of `Base` type parameter instead of using `Region` directly.
The idea is that with `IoLoc<Base, T>`, we can have
#[repr(transparent)]
struct Subregion(Region<SUBREGION_SIZE>);
and have `RelativeRegisterLoc` just become `impl IoLoc<Subregion, T>`.
`Subregion` then itself can be a `impl IoLoc<Region, Subregion>` and we can use
projection to get the view of the subregion.
Anyhow, that is all further possibilities, and I'll just remove this line in the
next version.
Best,
Gary
>
> Is this to make relative registers tied to a specific register block
> type? If so, it would help to expand this FIXME a bit as it might be
> difficult to understand without context.
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH v4 01/20] rust: io: add dynamically-sized `Region` type
2026-06-15 4:03 ` Alexandre Courbot
2026-06-15 10:05 ` Gary Guo
@ 2026-06-15 11:47 ` Miguel Ojeda
1 sibling, 0 replies; 36+ messages in thread
From: Miguel Ojeda @ 2026-06-15 11:47 UTC (permalink / raw)
To: Alexandre Courbot
Cc: Gary Guo, Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman,
Rafael J. Wysocki, Miguel Ojeda, Boqun Feng, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
David Airlie, Simona Vetter, Danilo Krummrich, driver-core,
rust-for-linux, linux-kernel, linux-pci, nova-gpu, dri-devel
On Mon, Jun 15, 2026 at 6:03 AM Alexandre Courbot <acourbot@nvidia.com> wrote:
>
> s/should/must? I guess we are running into all sort of issues if we
> create regions which runtime size is smaller than the compile-time one,
> and this is an invariant of `Region` itself.
>
> Maybe this method should even be made `unsafe` for this reason? The
> caller will need to write a `SAFETY` comment before dereferencing the
> pointer, but IIUC this comment is bound to cover the pointer invariants,
> not necessarily those of `Region`. Making the method `unsafe` would
> force the user to cover them here.
Given e.g. `dangling()` is available as a safe function for any `T`,
this necessarily can be safe too.
In addition, in general, in Linux we have been trying to avoid
unnecessary `unsafe` tagging, i.e. we try to avoid using it for
"merely dangerous" operations.
Thus taking those two things into consideration, then this should be safe too.
However, I think you may be pointing at the safety vs. validity
invariant difference (terminology is still up in the air as of a
couple weeks ago, from a quick check) -- it is true that technically
dereferencing a pointer doesn't require library invariants to uphold
right away, but in most cases (especially so if it is not your own
type) one needs to be very careful when dereferencing pointers w.r.t.
the library invariants of the type too (because otherwise it is likely
you end up with an unsound module or just UB soon after).
Cheers,
Miguel
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH v4 02/20] rust: io: add missing safety requirement in `IoCapable` methods
2026-06-15 10:13 ` Gary Guo
@ 2026-06-15 14:10 ` Alexandre Courbot
0 siblings, 0 replies; 36+ messages in thread
From: Alexandre Courbot @ 2026-06-15 14:10 UTC (permalink / raw)
To: Gary Guo
Cc: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Björn Roy Baron, Benno Lossin,
Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
David Airlie, Simona Vetter, Danilo Krummrich, driver-core,
rust-for-linux, linux-kernel, linux-pci, nova-gpu, dri-devel
On Mon Jun 15, 2026 at 7:13 PM JST, Gary Guo wrote:
> On Mon Jun 15, 2026 at 5:28 AM BST, Alexandre Courbot wrote:
>> On Fri Jun 12, 2026 at 1:28 AM JST, Gary Guo wrote:
>>> The current safety comment on `io_read`/`io_write` does not cover the topic
>>> about alignment. Add it so it can be relied on by implementor of
>>> `IoCapable`.
>>>
>>> Expand the check `Io` by taking `self.addr()` into consideration when
>>
>> "the check performed by `Io`" maybe?
>>
>>> checking if `offset` is aligned. For the compile-time `io_addr_assert`
>>> check, check using the known minimum alignment of `IO::Target` and the
>>
>> typo: s/IO/Io.
>>
>>> accessed type.
>>>
>>> While at it, fix the alignment check to use `align_of` instead of
>>> `size_of`. The values match for all primitives (including u64, given that
>>> we do not provide u64 accessor on 32-bit platforms), but are not
>>> necessarily true for custom types.
>>>
>>> Signed-off-by: Gary Guo <gary@garyguo.net>
>>> ---
>>> rust/kernel/io.rs | 25 ++++++++++++++++---------
>>> 1 file changed, 16 insertions(+), 9 deletions(-)
>>>
>>> diff --git a/rust/kernel/io.rs b/rust/kernel/io.rs
>>> index bef571dad6eb..fa9ae39ad9d2 100644
>>> --- a/rust/kernel/io.rs
>>> +++ b/rust/kernel/io.rs
>>> @@ -196,13 +196,14 @@ pub fn maxsize(&self) -> usize {
>>> #[repr(transparent)]
>>> pub struct Mmio<const SIZE: usize = 0>(MmioRaw<SIZE>);
>>>
>>> -/// Checks whether an access of type `U` at the given `offset`
>>> +/// Checks whether an access of type `U` at the given `base` and the given `offset`
>>> /// is valid within this region.
>>> +///
>>> +/// The `base` is used for alignment checking only. This can be set to 0 to skip the check.
>>> #[inline]
>>> -const fn offset_valid<U>(offset: usize, size: usize) -> bool {
>>> - let type_size = core::mem::size_of::<U>();
>>> - if let Some(end) = offset.checked_add(type_size) {
>>> - end <= size && offset % type_size == 0
>>> +const fn offset_valid<U>(base: usize, offset: usize, size: usize) -> bool {
>>> + if let Some(end) = offset.checked_add(size_of::<U>()) {
>>> + end <= size && (base.wrapping_add(offset) % align_of::<U>() == 0)
>>> } else {
>>> false
>>> }
>>> @@ -221,14 +222,16 @@ pub trait IoCapable<T> {
>>> ///
>>> /// # Safety
>>> ///
>>> - /// The range `[address..address + size_of::<T>()]` must be within the bounds of `Self`.
>>> + /// - The range `[address..address + size_of::<T>()]` must be within the bounds of `Self`.
>>> + /// - `address` must be aligned.
>>> unsafe fn io_read(&self, address: usize) -> T;
>>>
>>> /// Performs an I/O write of `value` at `address`.
>>> ///
>>> /// # Safety
>>> ///
>>> - /// The range `[address..address + size_of::<T>()]` must be within the bounds of `Self`.
>>> + /// - The range `[address..address + size_of::<T>()]` must be within the bounds of `Self`.
>>> + /// - `address` must be aligned.
>>> unsafe fn io_write(&self, value: T, address: usize);
>>> }
>>>
>>> @@ -310,7 +313,11 @@ pub trait Io {
>>> // Always inline to optimize out error path of `build_assert`.
>>> #[inline(always)]
>>> fn io_addr_assert<U>(&self, offset: usize) -> usize {
>>> - build_assert!(offset_valid::<U>(offset, Self::Target::MIN_SIZE));
>>> + // We cannot check alignment with `offset_valid` using `self.addr()`. So set 0 for it and
>>> + // ensure alignment by checking that the alignment of `U` is smaller or equal to the
>>> + // alignment of `Self::Target`.
>>> + const_assert!(Alignment::of::<U>().as_usize() <= Self::Target::MIN_ALIGN.as_usize());
>>> + build_assert!(offset_valid::<U>(0, offset, Self::Target::MIN_SIZE));
>>
>> IIUC this can allow unaligned accesses if `self.addr()` itself is not
>> properly aligned. Do we need a new `Io` invariant for that or is it
>> already enforced somewhere?
>
> Adding a trait invariant would require marking the trait as `unsafe`, which I
> don't want to do because the `addr()` method is removed later anyway.
>
> One argument is that it's `Io` implementation causing issue for its own if its
> `addr()` is not aligned. This is later redefined using projection and views,
> which further shifts responsiblity of upholding invariants to the `Io` type
> implementator itself.
If we end up removing `addr` anyway it is less critical to solve this.
Especially since this is not a new issue.
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH v4 07/20] rust: io: implement `Mmio` as view type
2026-06-11 16:28 ` [PATCH v4 07/20] rust: io: implement `Mmio` as view type Gary Guo
@ 2026-06-15 14:52 ` Alexandre Courbot
2026-06-15 15:13 ` Gary Guo
0 siblings, 1 reply; 36+ messages in thread
From: Alexandre Courbot @ 2026-06-15 14:52 UTC (permalink / raw)
To: Gary Guo
Cc: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Björn Roy Baron, Benno Lossin,
Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
David Airlie, Simona Vetter, Danilo Krummrich, driver-core,
rust-for-linux, linux-kernel, linux-pci, nova-gpu, dri-devel
On Fri Jun 12, 2026 at 1:28 AM JST, Gary Guo wrote:
<...>
> +/// A view of memory-mapped I/O region.
> +///
> +/// # Invariant
> +///
> +/// `ptr` points to a valid and aligned memory-mapped I/O region for the duration lifetime `'a`.
> +pub struct Mmio<'a, T: ?Sized> {
> + ptr: *mut T,
> + phantom: PhantomData<&'a ()>,
> +}
> +
> +impl<T: ?Sized> Copy for Mmio<'_, T> {}
> +impl<T: ?Sized> Clone for Mmio<'_, T> {
> + #[inline]
> + fn clone(&self) -> Self {
> + *self
> + }
> +}
> +
> +impl<'a, T: ?Sized> Mmio<'a, T> {
> + /// Create a `Mmio`, providing the accessors to the MMIO mapping.
> + ///
> + /// # Safety
> + ///
> + /// `raw` represents an valid and aligned memory-mapped I/O region while `'a` is alive.
typo: "a valid".
<...>
> -/// [`MmioOwned`] wrapper using relaxed accessors.
> +/// [`Mmio`] but using relaxed accessors.
> ///
> /// This type provides an implementation of [`Io`] that uses relaxed I/O MMIO operands instead of
> /// the regular ones.
> ///
> -/// See [`MmioOwned::relaxed`] for a usage example.
> -#[repr(transparent)]
> -pub struct RelaxedMmio<const SIZE: usize = 0>(MmioOwned<SIZE>);
> +/// See [`Mmio::relaxed`] for a usage example.
> +///
> +/// # Invariant
> +///
> +/// `ptr` points to a valid and aligned memory-mapped I/O region for the duration lifetime `'a`.
> +pub struct RelaxedMmio<'a, T: ?Sized> {
> + ptr: *mut T,
> + phantom: PhantomData<&'a ()>,
> +}
Is there a reason for not just declaring `RelaxedMmio` as
#[repr(transparent)]
pub struct RelaxedMmio<'a, T: ?Sized>(Mmio<'a, T>);
similarly to what the original code did with `MmioOwned`?
I tried locally and could build. This avoids declaring `Mmio` and
`RelaxedMmio` as basically identical types, and lets us remove the
explicit `Send` and `Sync` implementations. IIUC you can also reduce or
even remove the invariant section as it is enforced by `Mmio`.
>
> -impl<'a, const SIZE: usize> Io for &'a RelaxedMmio<SIZE> {
> - type Target = Region<SIZE>;
> +impl<T: ?Sized> Copy for RelaxedMmio<'_, T> {}
> +impl<T: ?Sized> Clone for RelaxedMmio<'_, T> {
> + #[inline]
> + fn clone(&self) -> Self {
> + *self
> + }
> +}
> +
> +// SAFETY: `RelaxedMmio<'_, T>` is conceptually `&T` but in I/O memory.
> +unsafe impl<T: ?Sized + Sync> Send for RelaxedMmio<'_, T> {}
> +
> +// SAFETY: `RelaxedMmio<'_, T>` is conceptually `&T` but in I/O memory.
> +unsafe impl<T: ?Sized + Sync> Sync for RelaxedMmio<'_, T> {}
> +
> +impl<T: ?Sized + KnownSize> Io for RelaxedMmio<'_, T> {
> + type Target = T;
>
> #[inline]
> fn addr(self) -> usize {
> - self.0.addr()
> + self.ptr.addr()
> }
>
> #[inline]
> fn maxsize(self) -> usize {
> - self.0.maxsize()
> + KnownSize::size(self.ptr)
> }
> }
>
> -impl<const SIZE: usize> MmioOwned<SIZE> {
> +impl<'a, T: ?Sized> Mmio<'a, T> {
> /// Returns a [`RelaxedMmio`] reference that performs relaxed I/O operations.
The `RelaxedMmio` is now returned by value, so this comment should
probably be updated.
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH v4 07/20] rust: io: implement `Mmio` as view type
2026-06-15 14:52 ` Alexandre Courbot
@ 2026-06-15 15:13 ` Gary Guo
0 siblings, 0 replies; 36+ messages in thread
From: Gary Guo @ 2026-06-15 15:13 UTC (permalink / raw)
To: Alexandre Courbot, Gary Guo
Cc: Alice Ryhl, Daniel Almeida, Greg Kroah-Hartman, Rafael J. Wysocki,
Miguel Ojeda, Boqun Feng, Björn Roy Baron, Benno Lossin,
Andreas Hindborg, Trevor Gross, Bjorn Helgaas,
Krzysztof Wilczyński, Abdiel Janulgue, Robin Murphy,
David Airlie, Simona Vetter, Danilo Krummrich, driver-core,
rust-for-linux, linux-kernel, linux-pci, nova-gpu, dri-devel
On Mon Jun 15, 2026 at 3:52 PM BST, Alexandre Courbot wrote:
> On Fri Jun 12, 2026 at 1:28 AM JST, Gary Guo wrote:
> <...>
>> +/// A view of memory-mapped I/O region.
>> +///
>> +/// # Invariant
>> +///
>> +/// `ptr` points to a valid and aligned memory-mapped I/O region for the duration lifetime `'a`.
>> +pub struct Mmio<'a, T: ?Sized> {
>> + ptr: *mut T,
>> + phantom: PhantomData<&'a ()>,
>> +}
>> +
>> +impl<T: ?Sized> Copy for Mmio<'_, T> {}
>> +impl<T: ?Sized> Clone for Mmio<'_, T> {
>> + #[inline]
>> + fn clone(&self) -> Self {
>> + *self
>> + }
>> +}
>> +
>> +impl<'a, T: ?Sized> Mmio<'a, T> {
>> + /// Create a `Mmio`, providing the accessors to the MMIO mapping.
>> + ///
>> + /// # Safety
>> + ///
>> + /// `raw` represents an valid and aligned memory-mapped I/O region while `'a` is alive.
>
> typo: "a valid".
>
> <...>
>> -/// [`MmioOwned`] wrapper using relaxed accessors.
>> +/// [`Mmio`] but using relaxed accessors.
>> ///
>> /// This type provides an implementation of [`Io`] that uses relaxed I/O MMIO operands instead of
>> /// the regular ones.
>> ///
>> -/// See [`MmioOwned::relaxed`] for a usage example.
>> -#[repr(transparent)]
>> -pub struct RelaxedMmio<const SIZE: usize = 0>(MmioOwned<SIZE>);
>> +/// See [`Mmio::relaxed`] for a usage example.
>> +///
>> +/// # Invariant
>> +///
>> +/// `ptr` points to a valid and aligned memory-mapped I/O region for the duration lifetime `'a`.
>> +pub struct RelaxedMmio<'a, T: ?Sized> {
>> + ptr: *mut T,
>> + phantom: PhantomData<&'a ()>,
>> +}
>
> Is there a reason for not just declaring `RelaxedMmio` as
>
> #[repr(transparent)]
> pub struct RelaxedMmio<'a, T: ?Sized>(Mmio<'a, T>);
>
> similarly to what the original code did with `MmioOwned`?
>
> I tried locally and could build. This avoids declaring `Mmio` and
> `RelaxedMmio` as basically identical types, and lets us remove the
> explicit `Send` and `Sync` implementations. IIUC you can also reduce or
> even remove the invariant section as it is enforced by `Mmio`.
This is what I did originally, but this would cause duplication for
RelaxedMmioBackend, as now you have to do
unsafe { bindings::$read_fn(view.0.ptr.cast_const().cast()) }
and the `.0` causes the macro not being shared with MmioBackend.
Best,
Gary
^ permalink raw reply [flat|nested] 36+ messages in thread
end of thread, other threads:[~2026-06-15 15:13 UTC | newest]
Thread overview: 36+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-11 16:28 [PATCH v4 00/20] rust: I/O type generalization and projection Gary Guo
2026-06-11 16:28 ` [PATCH v4 01/20] rust: io: add dynamically-sized `Region` type Gary Guo
2026-06-13 10:05 ` Miguel Ojeda
2026-06-15 4:03 ` Alexandre Courbot
2026-06-15 10:05 ` Gary Guo
2026-06-15 11:47 ` Miguel Ojeda
2026-06-11 16:28 ` [PATCH v4 02/20] rust: io: add missing safety requirement in `IoCapable` methods Gary Guo
2026-06-15 4:28 ` Alexandre Courbot
2026-06-15 10:13 ` Gary Guo
2026-06-15 14:10 ` Alexandre Courbot
2026-06-11 16:28 ` [PATCH v4 03/20] rust: io: restrict untyped IO access and `register!` to `Region` Gary Guo
2026-06-15 5:17 ` Alexandre Courbot
2026-06-15 10:22 ` Gary Guo
2026-06-11 16:28 ` [PATCH v4 04/20] rust: io: implement `Io` on reference types instead Gary Guo
2026-06-15 5:29 ` Alexandre Courbot
2026-06-11 16:28 ` [PATCH v4 05/20] rust: io: generalize `MmioRaw` to pointer to arbitrary type Gary Guo
2026-06-15 8:04 ` Alexandre Courbot
2026-06-11 16:28 ` [PATCH v4 06/20] rust: io: rename `Mmio` to `MmioOwned` Gary Guo
2026-06-15 8:09 ` Alexandre Courbot
2026-06-11 16:28 ` [PATCH v4 07/20] rust: io: implement `Mmio` as view type Gary Guo
2026-06-15 14:52 ` Alexandre Courbot
2026-06-15 15:13 ` Gary Guo
2026-06-11 16:28 ` [PATCH v4 08/20] rust: pci: io: make `ConfigSpace` a view Gary Guo
2026-06-11 16:28 ` [PATCH v4 09/20] rust: io: use view types instead of addresses for `Io` Gary Guo
2026-06-11 16:28 ` [PATCH v4 10/20] rust: io: remove `MmioOwned` Gary Guo
2026-06-11 16:28 ` [PATCH v4 11/20] rust: io: move `Io` methods to extension trait Gary Guo
2026-06-11 16:28 ` [PATCH v4 12/20] rust: prelude: add `zerocopy{,_derive}::IntoBytes` Gary Guo
2026-06-11 16:28 ` [PATCH v4 13/20] rust: io: add projection macro and methods Gary Guo
2026-06-11 16:28 ` [PATCH v4 14/20] rust: io: add I/O backend for system memory with volatile access Gary Guo
2026-06-11 16:28 ` [PATCH v4 15/20] rust: io: implement a view type for `Coherent` Gary Guo
2026-06-11 16:28 ` [PATCH v4 16/20] rust: io: add `read_val` and `write_val` functions on `Io` Gary Guo
2026-06-11 16:28 ` [PATCH v4 17/20] gpu: nova-core: use I/O projection for cleaner encapsulation Gary Guo
2026-06-11 16:28 ` [PATCH v4 18/20] rust: dma: drop `dma_read!` and `dma_write!` API Gary Guo
2026-06-11 16:28 ` [PATCH v4 19/20] rust: io: add copying methods Gary Guo
2026-06-11 19:36 ` Gary Guo
2026-06-11 16:28 ` [PATCH v4 20/20] rust: io: implement `IoSysMap` Gary Guo
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox