Struct kernel::processbuffer::ReadOnlyProcessBuffer

source ·
pub struct ReadOnlyProcessBuffer {
    ptr: *const u8,
    len: usize,
    process_id: Option<ProcessId>,
}
Expand description

Read-only buffer shared by a userspace process.

This struct is provided to capsules when a process allows a particular section of its memory to the kernel and gives the kernel read access to this memory.

It can be used to obtain a ReadableProcessSlice, which is based around a slice of Cells. This is because a userspace can allow overlapping sections of memory into different ReadableProcessSlice. Having at least one mutable Rust slice along with read-only slices to overlapping memory in Rust violates Rust’s aliasing rules. A slice of Cells avoids this issue by explicitly supporting interior mutability. Still, a memory barrier prior to switching to userspace is required, as the compiler is free to reorder reads and writes, even through Cells.

Fields§

§ptr: *const u8§len: usize§process_id: Option<ProcessId>

Implementations§

source§

impl ReadOnlyProcessBuffer

source

pub(crate) unsafe fn new( ptr: *const u8, len: usize, process_id: ProcessId, ) -> Self

Construct a new ReadOnlyProcessBuffer over a given pointer and length.

§Safety requirements

Refer to the safety requirements of ReadOnlyProcessBuffer::new_external.

source

pub unsafe fn new_external( ptr: *const u8, len: usize, process_id: ProcessId, _cap: &dyn ExternalProcessCapability, ) -> Self

Construct a new ReadOnlyProcessBuffer over a given pointer and length.

Publicly accessible constructor, which requires the capabilities::ExternalProcessCapability capability. This is provided to allow implementations of the Process trait outside of the kernel crate.

§Safety requirements

If the length is 0, an arbitrary pointer may be passed into ptr. It does not necessarily have to point to allocated memory, nor does it have to meet Rust’s pointer validity requirements. ReadOnlyProcessBuffer must ensure that all Rust slices with a length of 0 must be constructed over a valid (but not necessarily allocated) base pointer.

If the length is not 0, the memory region of [ptr; ptr + len) must be valid memory of the process of the given ProcessId. It must be allocated and and accessible over the entire lifetime of the ReadOnlyProcessBuffer. It must not point to memory outside of the process’ accessible memory range, or point (in part) to other processes or kernel memory. The ptr must meet Rust’s requirements for pointer validity, in particular it must have a minimum alignment of core::mem::align_of::<u8>() on the respective platform. It must point to memory mapped as readable and optionally writable and executable.

source

pub(crate) fn consume(self) -> (*const u8, usize)

Consumes the ReadOnlyProcessBuffer, returning its constituent pointer and size. This ensures that there cannot simultaneously be both a ReadOnlyProcessBuffer and a pointer to its internal data.

consume can be used when the kernel needs to pass the underlying values across the kernel-to-user boundary (e.g., in return values to system calls).

Trait Implementations§

source§

impl Default for ReadOnlyProcessBuffer

source§

fn default() -> Self

Returns the “default value” for a type. Read more
source§

impl ReadableProcessBuffer for ReadOnlyProcessBuffer

source§

fn len(&self) -> usize

Return the length of the buffer in bytes.

source§

fn ptr(&self) -> *const u8

Return the pointer to the start of the buffer.

source§

fn enter<F, R>(&self, fun: F) -> Result<R, Error>
where F: FnOnce(&ReadableProcessSlice) -> R,

Access the contents of the buffer in a closure.

This verifies the process is still valid before accessing the underlying memory.

Auto Trait Implementations§

Blanket Implementations§

source§

impl<T> Any for T
where T: 'static + ?Sized,

source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
source§

impl<T> Borrow<T> for T
where T: ?Sized,

source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
source§

impl<T> From<T> for T

source§

fn from(t: T) -> T

Returns the argument unchanged.

source§

impl<T, U> Into<U> for T
where U: From<T>,

source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

§

type Error = Infallible

The type returned in the event of a conversion error.
source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.