1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
|
// SPDX-License-Identifier: GPL-2.0
// Copyright (C) 2024 Google LLC.
//! Virtual memory.
//!
//! This module deals with managing a single VMA in the address space of a userspace process. Each
//! VMA corresponds to a region of memory that the userspace process can access, and the VMA lets
//! you control what happens when userspace reads or writes to that region of memory.
//!
//! The module has several different Rust types that all correspond to the C type called
//! `vm_area_struct`. The different structs represent what kind of access you have to the VMA, e.g.
//! [`VmaRef`] is used when you hold the mmap or vma read lock. Using the appropriate struct
//! ensures that you can't, for example, accidentally call a function that requires holding the
//! write lock when you only hold the read lock.
use crate::{
bindings,
error::{code::EINVAL, to_result, Result},
mm::MmWithUser,
page::Page,
types::Opaque,
};
use core::ops::Deref;
/// A wrapper for the kernel's `struct vm_area_struct` with read access.
///
/// It represents an area of virtual memory.
///
/// # Invariants
///
/// The caller must hold the mmap read lock or the vma read lock.
#[repr(transparent)]
pub struct VmaRef {
vma: Opaque<bindings::vm_area_struct>,
}
// Methods you can call when holding the mmap or vma read lock (or stronger). They must be usable
// no matter what the vma flags are.
impl VmaRef {
/// Access a virtual memory area given a raw pointer.
///
/// # Safety
///
/// Callers must ensure that `vma` is valid for the duration of 'a, and that the mmap or vma
/// read lock (or stronger) is held for at least the duration of 'a.
#[inline]
pub unsafe fn from_raw<'a>(vma: *const bindings::vm_area_struct) -> &'a Self {
// SAFETY: The caller ensures that the invariants are satisfied for the duration of 'a.
unsafe { &*vma.cast() }
}
/// Returns a raw pointer to this area.
#[inline]
pub fn as_ptr(&self) -> *mut bindings::vm_area_struct {
self.vma.get()
}
/// Access the underlying `mm_struct`.
#[inline]
pub fn mm(&self) -> &MmWithUser {
// SAFETY: By the type invariants, this `vm_area_struct` is valid and we hold the mmap/vma
// read lock or stronger. This implies that the underlying mm has a non-zero value of
// `mm_users`.
unsafe { MmWithUser::from_raw((*self.as_ptr()).vm_mm) }
}
/// Returns the flags associated with the virtual memory area.
///
/// The possible flags are a combination of the constants in [`flags`].
#[inline]
pub fn flags(&self) -> vm_flags_t {
// SAFETY: By the type invariants, the caller holds at least the mmap read lock, so this
// access is not a data race.
unsafe { (*self.as_ptr()).__bindgen_anon_2.vm_flags }
}
/// Returns the (inclusive) start address of the virtual memory area.
#[inline]
pub fn start(&self) -> usize {
// SAFETY: By the type invariants, the caller holds at least the mmap read lock, so this
// access is not a data race.
unsafe { (*self.as_ptr()).__bindgen_anon_1.__bindgen_anon_1.vm_start }
}
/// Returns the (exclusive) end address of the virtual memory area.
#[inline]
pub fn end(&self) -> usize {
// SAFETY: By the type invariants, the caller holds at least the mmap read lock, so this
// access is not a data race.
unsafe { (*self.as_ptr()).__bindgen_anon_1.__bindgen_anon_1.vm_end }
}
/// Zap pages in the given page range.
///
/// This clears page table mappings for the range at the leaf level, leaving all other page
/// tables intact, and freeing any memory referenced by the VMA in this range. That is,
/// anonymous memory is completely freed, file-backed memory has its reference count on page
/// cache folio's dropped, any dirty data will still be written back to disk as usual.
///
/// It may seem odd that we clear at the leaf level, this is however a product of the page
/// table structure used to map physical memory into a virtual address space - each virtual
/// address actually consists of a bitmap of array indices into page tables, which form a
/// hierarchical page table level structure.
///
/// As a result, each page table level maps a multiple of page table levels below, and thus
/// span ever increasing ranges of pages. At the leaf or PTE level, we map the actual physical
/// memory.
///
/// It is here where a zap operates, as it the only place we can be certain of clearing without
/// impacting any other virtual mappings. It is an implementation detail as to whether the
/// kernel goes further in freeing unused page tables, but for the purposes of this operation
/// we must only assume that the leaf level is cleared.
#[inline]
pub fn zap_page_range_single(&self, address: usize, size: usize) {
let (end, did_overflow) = address.overflowing_add(size);
if did_overflow || address < self.start() || self.end() < end {
// TODO: call WARN_ONCE once Rust version of it is added
return;
}
// SAFETY: By the type invariants, the caller has read access to this VMA, which is
// sufficient for this method call. This method has no requirements on the vma flags. The
// address range is checked to be within the vma.
unsafe {
bindings::zap_page_range_single(self.as_ptr(), address, size, core::ptr::null_mut())
};
}
/// If the [`VM_MIXEDMAP`] flag is set, returns a [`VmaMixedMap`] to this VMA, otherwise
/// returns `None`.
///
/// This can be used to access methods that require [`VM_MIXEDMAP`] to be set.
///
/// [`VM_MIXEDMAP`]: flags::MIXEDMAP
#[inline]
pub fn as_mixedmap_vma(&self) -> Option<&VmaMixedMap> {
if self.flags() & flags::MIXEDMAP != 0 {
// SAFETY: We just checked that `VM_MIXEDMAP` is set. All other requirements are
// satisfied by the type invariants of `VmaRef`.
Some(unsafe { VmaMixedMap::from_raw(self.as_ptr()) })
} else {
None
}
}
}
/// A wrapper for the kernel's `struct vm_area_struct` with read access and [`VM_MIXEDMAP`] set.
///
/// It represents an area of virtual memory.
///
/// This struct is identical to [`VmaRef`] except that it must only be used when the
/// [`VM_MIXEDMAP`] flag is set on the vma.
///
/// # Invariants
///
/// The caller must hold the mmap read lock or the vma read lock. The `VM_MIXEDMAP` flag must be
/// set.
///
/// [`VM_MIXEDMAP`]: flags::MIXEDMAP
#[repr(transparent)]
pub struct VmaMixedMap {
vma: VmaRef,
}
// Make all `VmaRef` methods available on `VmaMixedMap`.
impl Deref for VmaMixedMap {
type Target = VmaRef;
#[inline]
fn deref(&self) -> &VmaRef {
&self.vma
}
}
impl VmaMixedMap {
/// Access a virtual memory area given a raw pointer.
///
/// # Safety
///
/// Callers must ensure that `vma` is valid for the duration of 'a, and that the mmap read lock
/// (or stronger) is held for at least the duration of 'a. The `VM_MIXEDMAP` flag must be set.
#[inline]
pub unsafe fn from_raw<'a>(vma: *const bindings::vm_area_struct) -> &'a Self {
// SAFETY: The caller ensures that the invariants are satisfied for the duration of 'a.
unsafe { &*vma.cast() }
}
/// Maps a single page at the given address within the virtual memory area.
///
/// This operation does not take ownership of the page.
#[inline]
pub fn vm_insert_page(&self, address: usize, page: &Page) -> Result {
// SAFETY: By the type invariant of `Self` caller has read access and has verified that
// `VM_MIXEDMAP` is set. By invariant on `Page` the page has order 0.
to_result(unsafe { bindings::vm_insert_page(self.as_ptr(), address, page.as_ptr()) })
}
}
/// A configuration object for setting up a VMA in an `f_ops->mmap()` hook.
///
/// The `f_ops->mmap()` hook is called when a new VMA is being created, and the hook is able to
/// configure the VMA in various ways to fit the driver that owns it. Using `VmaNew` indicates that
/// you are allowed to perform operations on the VMA that can only be performed before the VMA is
/// fully initialized.
///
/// # Invariants
///
/// For the duration of 'a, the referenced vma must be undergoing initialization in an
/// `f_ops->mmap()` hook.
pub struct VmaNew {
vma: VmaRef,
}
// Make all `VmaRef` methods available on `VmaNew`.
impl Deref for VmaNew {
type Target = VmaRef;
#[inline]
fn deref(&self) -> &VmaRef {
&self.vma
}
}
impl VmaNew {
/// Access a virtual memory area given a raw pointer.
///
/// # Safety
///
/// Callers must ensure that `vma` is undergoing initial vma setup for the duration of 'a.
#[inline]
pub unsafe fn from_raw<'a>(vma: *mut bindings::vm_area_struct) -> &'a Self {
// SAFETY: The caller ensures that the invariants are satisfied for the duration of 'a.
unsafe { &*vma.cast() }
}
/// Internal method for updating the vma flags.
///
/// # Safety
///
/// This must not be used to set the flags to an invalid value.
#[inline]
unsafe fn update_flags(&self, set: vm_flags_t, unset: vm_flags_t) {
let mut flags = self.flags();
flags |= set;
flags &= !unset;
// SAFETY: This is not a data race: the vma is undergoing initial setup, so it's not yet
// shared. Additionally, `VmaNew` is `!Sync`, so it cannot be used to write in parallel.
// The caller promises that this does not set the flags to an invalid value.
unsafe { (*self.as_ptr()).__bindgen_anon_2.__vm_flags = flags };
}
/// Set the `VM_MIXEDMAP` flag on this vma.
///
/// This enables the vma to contain both `struct page` and pure PFN pages. Returns a reference
/// that can be used to call `vm_insert_page` on the vma.
#[inline]
pub fn set_mixedmap(&self) -> &VmaMixedMap {
// SAFETY: We don't yet provide a way to set VM_PFNMAP, so this cannot put the flags in an
// invalid state.
unsafe { self.update_flags(flags::MIXEDMAP, 0) };
// SAFETY: We just set `VM_MIXEDMAP` on the vma.
unsafe { VmaMixedMap::from_raw(self.vma.as_ptr()) }
}
/// Set the `VM_IO` flag on this vma.
///
/// This is used for memory mapped IO and similar. The flag tells other parts of the kernel to
/// avoid looking at the pages. For memory mapped IO this is useful as accesses to the pages
/// could have side effects.
#[inline]
pub fn set_io(&self) {
// SAFETY: Setting the VM_IO flag is always okay.
unsafe { self.update_flags(flags::IO, 0) };
}
/// Set the `VM_DONTEXPAND` flag on this vma.
///
/// This prevents the vma from being expanded with `mremap()`.
#[inline]
pub fn set_dontexpand(&self) {
// SAFETY: Setting the VM_DONTEXPAND flag is always okay.
unsafe { self.update_flags(flags::DONTEXPAND, 0) };
}
/// Set the `VM_DONTCOPY` flag on this vma.
///
/// This prevents the vma from being copied on fork. This option is only permanent if `VM_IO`
/// is set.
#[inline]
pub fn set_dontcopy(&self) {
// SAFETY: Setting the VM_DONTCOPY flag is always okay.
unsafe { self.update_flags(flags::DONTCOPY, 0) };
}
/// Set the `VM_DONTDUMP` flag on this vma.
///
/// This prevents the vma from being included in core dumps. This option is only permanent if
/// `VM_IO` is set.
#[inline]
pub fn set_dontdump(&self) {
// SAFETY: Setting the VM_DONTDUMP flag is always okay.
unsafe { self.update_flags(flags::DONTDUMP, 0) };
}
/// Returns whether `VM_READ` is set.
///
/// This flag indicates whether userspace is mapping this vma as readable.
#[inline]
pub fn readable(&self) -> bool {
(self.flags() & flags::READ) != 0
}
/// Try to clear the `VM_MAYREAD` flag, failing if `VM_READ` is set.
///
/// This flag indicates whether userspace is allowed to make this vma readable with
/// `mprotect()`.
///
/// Note that this operation is irreversible. Once `VM_MAYREAD` has been cleared, it can never
/// be set again.
#[inline]
pub fn try_clear_mayread(&self) -> Result {
if self.readable() {
return Err(EINVAL);
}
// SAFETY: Clearing `VM_MAYREAD` is okay when `VM_READ` is not set.
unsafe { self.update_flags(0, flags::MAYREAD) };
Ok(())
}
/// Returns whether `VM_WRITE` is set.
///
/// This flag indicates whether userspace is mapping this vma as writable.
#[inline]
pub fn writable(&self) -> bool {
(self.flags() & flags::WRITE) != 0
}
/// Try to clear the `VM_MAYWRITE` flag, failing if `VM_WRITE` is set.
///
/// This flag indicates whether userspace is allowed to make this vma writable with
/// `mprotect()`.
///
/// Note that this operation is irreversible. Once `VM_MAYWRITE` has been cleared, it can never
/// be set again.
#[inline]
pub fn try_clear_maywrite(&self) -> Result {
if self.writable() {
return Err(EINVAL);
}
// SAFETY: Clearing `VM_MAYWRITE` is okay when `VM_WRITE` is not set.
unsafe { self.update_flags(0, flags::MAYWRITE) };
Ok(())
}
/// Returns whether `VM_EXEC` is set.
///
/// This flag indicates whether userspace is mapping this vma as executable.
#[inline]
pub fn executable(&self) -> bool {
(self.flags() & flags::EXEC) != 0
}
/// Try to clear the `VM_MAYEXEC` flag, failing if `VM_EXEC` is set.
///
/// This flag indicates whether userspace is allowed to make this vma executable with
/// `mprotect()`.
///
/// Note that this operation is irreversible. Once `VM_MAYEXEC` has been cleared, it can never
/// be set again.
#[inline]
pub fn try_clear_mayexec(&self) -> Result {
if self.executable() {
return Err(EINVAL);
}
// SAFETY: Clearing `VM_MAYEXEC` is okay when `VM_EXEC` is not set.
unsafe { self.update_flags(0, flags::MAYEXEC) };
Ok(())
}
}
/// The integer type used for vma flags.
#[doc(inline)]
pub use bindings::vm_flags_t;
/// All possible flags for [`VmaRef`].
pub mod flags {
use super::vm_flags_t;
use crate::bindings;
/// No flags are set.
pub const NONE: vm_flags_t = bindings::VM_NONE as _;
/// Mapping allows reads.
pub const READ: vm_flags_t = bindings::VM_READ as _;
/// Mapping allows writes.
pub const WRITE: vm_flags_t = bindings::VM_WRITE as _;
/// Mapping allows execution.
pub const EXEC: vm_flags_t = bindings::VM_EXEC as _;
/// Mapping is shared.
pub const SHARED: vm_flags_t = bindings::VM_SHARED as _;
/// Mapping may be updated to allow reads.
pub const MAYREAD: vm_flags_t = bindings::VM_MAYREAD as _;
/// Mapping may be updated to allow writes.
pub const MAYWRITE: vm_flags_t = bindings::VM_MAYWRITE as _;
/// Mapping may be updated to allow execution.
pub const MAYEXEC: vm_flags_t = bindings::VM_MAYEXEC as _;
/// Mapping may be updated to be shared.
pub const MAYSHARE: vm_flags_t = bindings::VM_MAYSHARE as _;
/// Page-ranges managed without `struct page`, just pure PFN.
pub const PFNMAP: vm_flags_t = bindings::VM_PFNMAP as _;
/// Memory mapped I/O or similar.
pub const IO: vm_flags_t = bindings::VM_IO as _;
/// Do not copy this vma on fork.
pub const DONTCOPY: vm_flags_t = bindings::VM_DONTCOPY as _;
/// Cannot expand with mremap().
pub const DONTEXPAND: vm_flags_t = bindings::VM_DONTEXPAND as _;
/// Lock the pages covered when they are faulted in.
pub const LOCKONFAULT: vm_flags_t = bindings::VM_LOCKONFAULT as _;
/// Is a VM accounted object.
pub const ACCOUNT: vm_flags_t = bindings::VM_ACCOUNT as _;
/// Should the VM suppress accounting.
pub const NORESERVE: vm_flags_t = bindings::VM_NORESERVE as _;
/// Huge TLB Page VM.
pub const HUGETLB: vm_flags_t = bindings::VM_HUGETLB as _;
/// Synchronous page faults. (DAX-specific)
pub const SYNC: vm_flags_t = bindings::VM_SYNC as _;
/// Architecture-specific flag.
pub const ARCH_1: vm_flags_t = bindings::VM_ARCH_1 as _;
/// Wipe VMA contents in child on fork.
pub const WIPEONFORK: vm_flags_t = bindings::VM_WIPEONFORK as _;
/// Do not include in the core dump.
pub const DONTDUMP: vm_flags_t = bindings::VM_DONTDUMP as _;
/// Not soft dirty clean area.
pub const SOFTDIRTY: vm_flags_t = bindings::VM_SOFTDIRTY as _;
/// Can contain `struct page` and pure PFN pages.
pub const MIXEDMAP: vm_flags_t = bindings::VM_MIXEDMAP as _;
/// MADV_HUGEPAGE marked this vma.
pub const HUGEPAGE: vm_flags_t = bindings::VM_HUGEPAGE as _;
/// MADV_NOHUGEPAGE marked this vma.
pub const NOHUGEPAGE: vm_flags_t = bindings::VM_NOHUGEPAGE as _;
/// KSM may merge identical pages.
pub const MERGEABLE: vm_flags_t = bindings::VM_MERGEABLE as _;
}
|
