Struct kernel::processbuffer::ReadOnlyProcessBuffer

pub struct ReadOnlyProcessBuffer { /* private fields */ }

Read-only buffer shared by a userspace process.

This struct is provided to capsules when a process allows a particular section of its memory to the kernel and gives the kernel read access to this memory.

It can be used to obtain a ReadableProcessSlice, which is based around a slice of Cells. This is because a userspace can allow overlapping sections of memory into different ReadableProcessSlice. Having at least one mutable Rust slice along with read-only slices to overlapping memory in Rust violates Rust’s aliasing rules. A slice of Cells avoids this issue by explicitly supporting interior mutability. Still, a memory barrier prior to switching to userspace is required, as the compiler is free to reorder reads and writes, even through Cells.

Implementations

impl ReadOnlyProcessBuffer

pub unsafe fn new_external( ptr: *const u8, len: usize, process_id: ProcessId, _cap: &dyn ExternalProcessCapability ) -> Self

Construct a new ReadOnlyProcessBuffer over a given pointer and length.

Publicly accessible constructor, which requires the capabilities::ExternalProcessCapability capability. This is provided to allow implementations of the Process trait outside of the kernel crate.

Safety requirements

If the length is 0, an arbitrary pointer may be passed into ptr. It does not necessarily have to point to allocated memory, nor does it have to meet Rust’s pointer validity requirements. ReadOnlyProcessBuffer must ensure that all Rust slices with a length of 0 must be constructed over a valid (but not necessarily allocated) base pointer.

If the length is not 0, the memory region of [ptr; ptr + len) must be valid memory of the process of the given ProcessId. It must be allocated and and accessible over the entire lifetime of the ReadOnlyProcessBuffer. It must not point to memory outside of the process’ accessible memory range, or point (in part) to other processes or kernel memory. The ptr must meet Rust’s requirements for pointer validity, in particular it must have a minimum alignment of core::mem::align_of::<u8>() on the respective platform. It must point to memory mapped as readable and optionally writable and executable.

Trait Implementations

impl Default for ReadOnlyProcessBuffer

fn default() -> Self

Returns the “default value” for a type.

impl ReadableProcessBuffer for ReadOnlyProcessBuffer

fn len(&self) -> usize

Return the length of the buffer in bytes.

fn ptr(&self) -> *const u8

Return the pointer to the start of the buffer.

fn enter<F, R>(&self, fun: F) -> Result<R, Error>

where F: FnOnce(&ReadableProcessSlice) -> R,

Access the contents of the buffer in a closure.

This verifies the process is still valid before accessing the underlying memory.