[PATCH v2 2/2] rust: page: add method to copy data between safe pages

[Andreas Hindborg <a.hindborg@kernel.org>]

Add `SafePage::copy_to_page` to copy data from one page to another at a
given offset. Because `SafePage` cannot be mapped to user space or shared
with devices, there are no data races and the copy can be performed using
the existing `with_pointer_into_page` and `write_raw` methods.

Signed-off-by: Andreas Hindborg <a.hindborg@kernel.org>
---
 rust/kernel/page.rs | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

diff --git a/rust/kernel/page.rs b/rust/kernel/page.rs
index f143b42d1bd6..2307e1f06360 100644
--- a/rust/kernel/page.rs
+++ b/rust/kernel/page.rs
@@ -23,6 +23,7 @@
     marker::PhantomData,
     mem::ManuallyDrop,
     ops::{Deref, DerefMut},
+    pin::Pin,
     ptr::{
         self,
         NonNull, //
@@ -427,6 +428,53 @@ pub fn alloc_page(flags: Flags) -> Result<Owned<Self>, AllocError> {
         // `Page` and `SafePage` are transparent, we can cast to the raw page pointer directly.
         Ok(unsafe { Owned::from_raw(page.cast()) })
     }
+
+    /// Copies `len` bytes from this page to `dst` at the specified byte offset.
+    ///
+    /// Copying starts within both pages at the same offset.
+    ///
+    /// # Examples
+    ///
+    /// ```
+    /// use kernel::error::code::EINVAL;
+    /// use kernel::page::{SafePage, PAGE_SIZE};
+    ///
+    /// let mut src_page = SafePage::alloc_page(GFP_KERNEL)?;
+    /// let mut dst_page = SafePage::alloc_page(GFP_KERNEL)?;
+    ///
+    /// let data = [0xdeu8, 0xad, 0xbe, 0xef];
+    /// // SAFETY: `data` is valid for reading `data.len()` bytes, and `src_page` is exclusively
+    /// // owned, so there is no concurrent access to its data.
+    /// unsafe { src_page.write_raw(data.as_ptr(), 0, data.len())? };
+    ///
+    /// assert!(src_page.copy_to_page(dst_page.as_pin_mut(), 0, data.len()).is_ok());
+    ///
+    /// let mut buf = [0u8; 4];
+    /// // SAFETY: `buf` is valid for writing `buf.len()` bytes, and `dst_page` is exclusively
+    /// // owned, so there is no concurrent access to its data.
+    /// unsafe { dst_page.read_raw(buf.as_mut_ptr(), 0, buf.len())? };
+    /// assert_eq!(buf, data);
+    ///
+    /// // A copy that would extend past the end of the page fails with `EINVAL`.
+    /// assert_eq!(
+    ///     src_page.copy_to_page(dst_page.as_pin_mut(), 0, PAGE_SIZE + 1),
+    ///     Err(EINVAL),
+    /// );
+    /// # Ok::<(), kernel::error::Error>(())
+    /// ```
+    pub fn copy_to_page(&self, dst: Pin<&mut Self>, offset: usize, len: usize) -> Result {
+        // INVARIANT: The following code makes sure to not cause data races.
+        self.with_pointer_into_page(offset, len, |src| {
+            // SAFETY:
+            // - If `with_pointer_into_page` calls into this closure, then it has performed a
+            //   bounds check and guarantees that `src` is valid for `len` bytes.
+            // - By type invariant and existence of shared reference, there are no writes to
+            //   `src` during this call.
+            // - By exclusive ownership of `dst`, there are no other writes to `dst` during this
+            //   call.
+            unsafe { dst.write_raw(src, offset, len) }
+        })
+    }
 }
 
 impl Ownable for SafePage {

-- 
2.51.2