How does provenance work in a kernel?
⚓ Rust 📅 2026-01-04 👤 surdeus
In my kernel, I receive a physical pointer to a device tree through the C ABI. Should I make the type of this parameter a pointer or a usize? If I use a pointer, does Rust assume I have provenance over the memory the pointer accesses, and will it assume I still have provenance if I offset the pointer to its respective virtual memory address that I've mapped it to, even if that offset is greater than isize::MAX (which it could be)? If I use a usize, and map it to virtual memory, will the pointer I create from a usize-as-pointer cast have the exposed provenance it needs, since the device tree fits the requirements of:
memory which is outside the control of the Rust abstract machine (MMIO registers, for example) is always considered to be accessible with an exposed provenance, so long as this memory is disjoint from memory that will be used by the abstract machine such as the stack, heap, and statics.
If so, what if I later use the memory where the device tree was as part of my heap? Would that violate the condition that the memory be "disjoint"?
Say I use the device tree's information to make a memory allocator over all of physical memory; how do I provide provenance to the pointers which I return from my memory allocator? If the provenance is a subsection of the provenance of the physical memory allocator's pointer, then will the physical memory allocator be limited to only encompassing isize::MAX bytes, as the provenance of a pointer is only over an allocation, which is limited to isize::MAX?
If my kernel just must have UB, or must just use exposed provenance, should I not attempt to use any strict provenance APIs since they won't have any strict provenance anyway, or should I just use them where I can?
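As an added illustration (not from the post, and not the Rust project's own code), a host-side model of the three pointer paths the question asks about, written to be checked under Miri; the device-tree bytes and the higher-half shift are constructed stand-ins, and nothing here touches real kernel memory:

```rust
// Added example, not from the forum post: a host-side model of the three
// pointer paths the question asks about. DEVICE_TREE is a constructed
// stand-in for the physical region handed over through the C ABI.
// Nothing here touches real kernel memory; it is meant to be run under Miri.

/// Constructed FDT header fragment: the big-endian magic 0xd00dfeed followed
/// by a big-endian total-size field of 8.
static DEVICE_TREE: [u8; 8] = [0xd0, 0x0d, 0xfe, 0xed, 0x00, 0x00, 0x00, 0x08];

/// Path 1: keep the pointer type. Provenance rides along with the pointer, so
/// `add` is fine as long as the result stays inside the same allocation and
/// the byte offset fits in isize.
fn fdt_total_size(fdt: *const u8) -> u32 {
    // SAFETY (in this model): `fdt` points at DEVICE_TREE, which is 8 bytes.
    unsafe { u32::from_be_bytes(fdt.add(4).cast::<[u8; 4]>().read_unaligned()) }
}

/// Path 2: an offset that may exceed isize::MAX (a physical-to-virtual shift)
/// must use the wrapping methods. They keep the pointer's provenance without
/// the in-bounds requirement of `add`; the result is only dereferenceable if
/// it lands back inside the original allocation, which the round trip does.
fn roundtrip_through_huge_offset(p: *const u8, shift: usize) -> *const u8 {
    p.wrapping_byte_add(shift).wrapping_byte_sub(shift)
}

/// Path 3: carry a usize instead. `ptr as usize` exposes the pointer's
/// provenance; `usize as *const T` later picks up an exposed provenance.
/// The named equivalents are `expose_provenance` / `with_exposed_provenance`.
fn phys_addr_of(fdt: *const u8) -> usize {
    fdt as usize
}

fn fdt_magic_from_addr(phys: usize) -> u32 {
    let p = phys as *const u8;
    // SAFETY (in this model): `phys` came from `phys_addr_of` on DEVICE_TREE,
    // so its provenance was exposed and the 4-byte read is in bounds.
    unsafe { u32::from_be_bytes(p.cast::<[u8; 4]>().read_unaligned()) }
}

fn main() {
    let fdt = DEVICE_TREE.as_ptr();
    let shift = usize::MAX / 2 + 1; // one more than isize::MAX on every target
    let back = roundtrip_through_huge_offset(fdt, shift);
    println!("total size {}", fdt_total_size(fdt));
    println!("round trip preserved address: {}", back == fdt);
    println!("magic via usize {:#x}", fdt_magic_from_addr(phys_addr_of(fdt)));
}
```

Running it with `cargo miri run` is the useful check: replacing `wrapping_byte_add` with `add` in path 2 is the kind of mistake Miri reports, while the plain build stays silent.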