Re: [PATCH 3/3] rust: dma: add as_slice/write functions for CoherentAllocation

From: Andreas Hindborg
Date: Mon Mar 31 2025 - 03:24:06 EST

Next message: Andy Shevchenko: "[PATCH v1 1/1] media: i2c: ds90ub9x3: Remove (explicitly) unused header"
Previous message: Andy Shevchenko: "[PATCH v1 1/1] ACPI: VIOT: Remove (explicitly) unused header"
In reply to: Benno Lossin: "Re: [PATCH 3/3] rust: dma: add as_slice/write functions for CoherentAllocation"
Next in thread: Miguel Ojeda: "Re: [PATCH 3/3] rust: dma: add as_slice/write functions for CoherentAllocation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

"Benno Lossin" <benno.lossin@xxxxxxxxx> writes:

> On Wed Mar 26, 2025 at 9:11 PM CET, Abdiel Janulgue wrote:
>> + /// Returns the data from the region starting from `offset` as a slice.
>> + /// `offset` and `count` are in units of `T`, not the number of bytes.
>> + ///
>> + /// Due to the safety requirements of slice, the caller should consider that the region could
>> + /// be modified by the device at anytime. For ringbuffer type of r/w access or use-cases where
>> + /// the pointer to the live data is needed, `start_ptr()` or `start_ptr_mut()` could be
>> + /// used instead.
>> + ///
>> + /// # Safety
>> + ///
>> + /// * Callers must ensure that no hardware operations that involve the buffer are currently
>> + /// taking place while the returned slice is live.
>> + /// * Callers must ensure that this call does not race with a write to the same region while
>> + /// while the returned slice is live.
>> + pub unsafe fn as_slice(&self, offset: usize, count: usize) -> Result<&[T]> {
>> + let end = offset.checked_add(count).ok_or(EOVERFLOW)?;
>> + if end >= self.count {
>> + return Err(EINVAL);
>> + }
>> + // SAFETY:
>> + // - The pointer is valid due to type invariant on `CoherentAllocation`,
>> + // we've just checked that the range and index is within bounds. The immutability of the
>> + // of data is also guaranteed by the safety requirements of the function.
>> + // - `offset` can't overflow since it is smaller than `self.count` and we've checked
>> + // that `self.count` won't overflow early in the constructor.
>> + Ok(unsafe { core::slice::from_raw_parts(self.cpu_addr.add(offset), count) })
>
> I vaguely recall that there was some discussion on why this is OK (ie
> the value behind the reference being modified by the device), but I
> haven't followed it. Can you add the reasoning for why that is fine to
> some comment here?

My objection was with the function being safe. In this version it is
unsafe, and the safety requirement is that there must be no concurrent
reads/writes to the memory being operated on. That seems fine to me.

> I also am not really fond of the phrase "hardware operations that
> involve the buffer":
> * what do you mean with "buffer"? `self`?
> * what are "hardware operations"? (I no nothing about hardware, so that
> might be a knowledge gap on my part)
> * what does "involve" mean?

It is clear to me, but using terminology read/write to/from memory is
probably better. The operations being executed by hardware is not
strictly relevant. We could have a note cautioning that devices must
also obey this.

Best regards,
Andreas Hindborg

Next message: Andy Shevchenko: "[PATCH v1 1/1] media: i2c: ds90ub9x3: Remove (explicitly) unused header"
Previous message: Andy Shevchenko: "[PATCH v1 1/1] ACPI: VIOT: Remove (explicitly) unused header"
In reply to: Benno Lossin: "Re: [PATCH 3/3] rust: dma: add as_slice/write functions for CoherentAllocation"
Next in thread: Miguel Ojeda: "Re: [PATCH 3/3] rust: dma: add as_slice/write functions for CoherentAllocation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]