Re: [PATCH 1/2] rust: page: add `SafePage` for race-free page access
From: Alice Ryhl
Date: Mon Feb 16 2026 - 03:52:21 EST
On Sun, Feb 15, 2026 at 09:03:30PM +0100, Andreas Hindborg wrote:
> `SafePage` wraps a regular page but adds an invariant that the page data
> area does not incur data races. This means `SafePage` cannot be mapped to
> user space or shared with devices, and it becomes simpler to directly
> reference the contents of the page.
>
> Signed-off-by: Andreas Hindborg <a.hindborg@xxxxxxxxxx>
> impl Page {
> + fn alloc_page_raw(flags: Flags) -> Result<NonNull<bindings::page>, AllocError> {
> + // SAFETY: Depending on the value of `gfp_flags`, this call may sleep. Other than that, it
> + // is always safe to call this method.
> + let page = unsafe { bindings::alloc_pages(flags.as_raw(), 0) };
> + NonNull::new(page).ok_or(AllocError)
> + }
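Review bot: The SAFETY comment in `alloc_page_raw` refers to `gfp_flags`, but the parameter in this signature is named `flags`; the comment should use the name that is actually in scope. The helper also has no doc comment, so nothing states that it allocates a single page (order `0`) or that the returned `NonNull<bindings::page>` is a bare pointer with no drop handling of its own, leaving the caller responsible for releasing the page.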
Could potentially just implement Page::alloc_page() in terms of
SafePage::alloc_page().
> +/// A page whose data area does not incur data races.
> +///
> +/// [`SafePage`] has the same usage constraints as other Rust types. Thus, it cannot be mapped to
> +/// user space or shared with devices. This makes it safe to reference the contents of the page
> +/// while the page is mapped in kernel space.
> +///
> +/// # Invariants
> +///
> +/// There are no data races for the contents of this page.
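Review bot: In the `# Invariants` section, "There are no data races for the contents of this page" states an outcome rather than a condition that code constructing or using the type can uphold. The restrictions given in the doc text above it (not mapped to user space, not shared with devices) are what would make it true, so they belong in the invariant itself, where safety comments elsewhere can cite them.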
This isn't really a great invariant. You could say something more direct
such as "has exclusive access to the contents of the page".
Alice