1 // SPDX-License-Identifier: GPL-2.0 2 3 //! Implementation of [`Box`]. 4 5 #[allow(unused_imports)] // Used in doc comments. 6 use super::allocator::{KVmalloc, Kmalloc, Vmalloc, VmallocPageIter}; 7 use super::{AllocError, Allocator, Flags, NumaNode}; 8 use core::alloc::Layout; 9 use core::borrow::{Borrow, BorrowMut}; 10 use core::marker::PhantomData; 11 use core::mem::ManuallyDrop; 12 use core::mem::MaybeUninit; 13 use core::ops::{Deref, DerefMut}; 14 use core::pin::Pin; 15 use core::ptr::NonNull; 16 use core::result::Result; 17 18 use crate::ffi::c_void; 19 use crate::fmt; 20 use crate::init::InPlaceInit; 21 use crate::page::AsPageIter; 22 use crate::types::ForeignOwnable; 23 use pin_init::{InPlaceWrite, Init, PinInit, ZeroableOption}; 24 25 /// The kernel's [`Box`] type -- a heap allocation for a single value of type `T`. 26 /// 27 /// This is the kernel's version of the Rust stdlib's `Box`. There are several differences, 28 /// for example no `noalias` attribute is emitted and partially moving out of a `Box` is not 29 /// supported. There are also several API differences, e.g. `Box` always requires an [`Allocator`] 30 /// implementation to be passed as generic, page [`Flags`] when allocating memory and all functions 31 /// that may allocate memory are fallible. 32 /// 33 /// `Box` works with any of the kernel's allocators, e.g. [`Kmalloc`], [`Vmalloc`] or [`KVmalloc`]. 34 /// There are aliases for `Box` with these allocators ([`KBox`], [`VBox`], [`KVBox`]). 35 /// 36 /// When dropping a [`Box`], the value is also dropped and the heap memory is automatically freed. 37 /// 38 /// # Examples 39 /// 40 /// ``` 41 /// let b = KBox::<u64>::new(24_u64, GFP_KERNEL)?; 42 /// 43 /// assert_eq!(*b, 24_u64); 44 /// # Ok::<(), Error>(()) 45 /// ``` 46 /// 47 /// ``` 48 /// # use kernel::bindings; 49 /// const SIZE: usize = bindings::KMALLOC_MAX_SIZE as usize + 1; 50 /// struct Huge([u8; SIZE]); 51 /// 52 /// assert!(KBox::<Huge>::new_uninit(GFP_KERNEL | __GFP_NOWARN).is_err()); 53 /// ``` 54 /// 55 /// ``` 56 /// # use kernel::bindings; 57 /// const SIZE: usize = bindings::KMALLOC_MAX_SIZE as usize + 1; 58 /// struct Huge([u8; SIZE]); 59 /// 60 /// assert!(KVBox::<Huge>::new_uninit(GFP_KERNEL).is_ok()); 61 /// ``` 62 /// 63 /// [`Box`]es can also be used to store trait objects by coercing their type: 64 /// 65 /// ``` 66 /// trait FooTrait {} 67 /// 68 /// struct FooStruct; 69 /// impl FooTrait for FooStruct {} 70 /// 71 /// let _ = KBox::new(FooStruct, GFP_KERNEL)? as KBox<dyn FooTrait>; 72 /// # Ok::<(), Error>(()) 73 /// ``` 74 /// 75 /// # Invariants 76 /// 77 /// `self.0` is always properly aligned and either points to memory allocated with `A` or, for 78 /// zero-sized types, is a dangling, well aligned pointer. 79 #[repr(transparent)] 80 #[derive(core::marker::CoercePointee)] 81 pub struct Box<#[pointee] T: ?Sized, A: Allocator>(NonNull<T>, PhantomData<A>); 82 83 /// Type alias for [`Box`] with a [`Kmalloc`] allocator. 84 /// 85 /// # Examples 86 /// 87 /// ``` 88 /// let b = KBox::new(24_u64, GFP_KERNEL)?; 89 /// 90 /// assert_eq!(*b, 24_u64); 91 /// # Ok::<(), Error>(()) 92 /// ``` 93 pub type KBox<T> = Box<T, super::allocator::Kmalloc>; 94 95 /// Type alias for [`Box`] with a [`Vmalloc`] allocator. 96 /// 97 /// # Examples 98 /// 99 /// ``` 100 /// let b = VBox::new(24_u64, GFP_KERNEL)?; 101 /// 102 /// assert_eq!(*b, 24_u64); 103 /// # Ok::<(), Error>(()) 104 /// ``` 105 pub type VBox<T> = Box<T, super::allocator::Vmalloc>; 106 107 /// Type alias for [`Box`] with a [`KVmalloc`] allocator. 108 /// 109 /// # Examples 110 /// 111 /// ``` 112 /// let b = KVBox::new(24_u64, GFP_KERNEL)?; 113 /// 114 /// assert_eq!(*b, 24_u64); 115 /// # Ok::<(), Error>(()) 116 /// ``` 117 pub type KVBox<T> = Box<T, super::allocator::KVmalloc>; 118 119 // SAFETY: All zeros is equivalent to `None` (option layout optimization guarantee: 120 // <https://doc.rust-lang.org/stable/std/option/index.html#representation>). 121 unsafe impl<T, A: Allocator> ZeroableOption for Box<T, A> {} 122 123 // SAFETY: `Box` is `Send` if `T` is `Send` because the `Box` owns a `T`. 124 unsafe impl<T, A> Send for Box<T, A> 125 where 126 T: Send + ?Sized, 127 A: Allocator, 128 { 129 } 130 131 // SAFETY: `Box` is `Sync` if `T` is `Sync` because the `Box` owns a `T`. 132 unsafe impl<T, A> Sync for Box<T, A> 133 where 134 T: Sync + ?Sized, 135 A: Allocator, 136 { 137 } 138 139 impl<T, A> Box<T, A> 140 where 141 T: ?Sized, 142 A: Allocator, 143 { 144 /// Creates a new `Box<T, A>` from a raw pointer. 145 /// 146 /// # Safety 147 /// 148 /// For non-ZSTs, `raw` must point at an allocation allocated with `A` that is sufficiently 149 /// aligned for and holds a valid `T`. The caller passes ownership of the allocation to the 150 /// `Box`. 151 /// 152 /// For ZSTs, `raw` must be a dangling, well aligned pointer. 153 #[inline] 154 pub const unsafe fn from_raw(raw: *mut T) -> Self { 155 // INVARIANT: Validity of `raw` is guaranteed by the safety preconditions of this function. 156 // SAFETY: By the safety preconditions of this function, `raw` is not a NULL pointer. 157 Self(unsafe { NonNull::new_unchecked(raw) }, PhantomData) 158 } 159 160 /// Consumes the `Box<T, A>` and returns a raw pointer. 161 /// 162 /// This will not run the destructor of `T` and for non-ZSTs the allocation will stay alive 163 /// indefinitely. Use [`Box::from_raw`] to recover the [`Box`], drop the value and free the 164 /// allocation, if any. 165 /// 166 /// # Examples 167 /// 168 /// ``` 169 /// let x = KBox::new(24, GFP_KERNEL)?; 170 /// let ptr = KBox::into_raw(x); 171 /// // SAFETY: `ptr` comes from a previous call to `KBox::into_raw`. 172 /// let x = unsafe { KBox::from_raw(ptr) }; 173 /// 174 /// assert_eq!(*x, 24); 175 /// # Ok::<(), Error>(()) 176 /// ``` 177 #[inline] 178 pub fn into_raw(b: Self) -> *mut T { 179 ManuallyDrop::new(b).0.as_ptr() 180 } 181 182 /// Consumes and leaks the `Box<T, A>` and returns a mutable reference. 183 /// 184 /// See [`Box::into_raw`] for more details. 185 #[inline] 186 pub fn leak<'a>(b: Self) -> &'a mut T { 187 // SAFETY: `Box::into_raw` always returns a properly aligned and dereferenceable pointer 188 // which points to an initialized instance of `T`. 189 unsafe { &mut *Box::into_raw(b) } 190 } 191 } 192 193 impl<T, A> Box<MaybeUninit<T>, A> 194 where 195 A: Allocator, 196 { 197 /// Converts a `Box<MaybeUninit<T>, A>` to a `Box<T, A>`. 198 /// 199 /// It is undefined behavior to call this function while the value inside of `b` is not yet 200 /// fully initialized. 201 /// 202 /// # Safety 203 /// 204 /// Callers must ensure that the value inside of `b` is in an initialized state. 205 pub unsafe fn assume_init(self) -> Box<T, A> { 206 let raw = Self::into_raw(self); 207 208 // SAFETY: `raw` comes from a previous call to `Box::into_raw`. By the safety requirements 209 // of this function, the value inside the `Box` is in an initialized state. Hence, it is 210 // safe to reconstruct the `Box` as `Box<T, A>`. 211 unsafe { Box::from_raw(raw.cast()) } 212 } 213 214 /// Writes the value and converts to `Box<T, A>`. 215 pub fn write(mut self, value: T) -> Box<T, A> { 216 (*self).write(value); 217 218 // SAFETY: We've just initialized `b`'s value. 219 unsafe { self.assume_init() } 220 } 221 } 222 223 impl<T, A> Box<T, A> 224 where 225 A: Allocator, 226 { 227 /// Creates a new `Box<T, A>` and initializes its contents with `x`. 228 /// 229 /// New memory is allocated with `A`. The allocation may fail, in which case an error is 230 /// returned. For ZSTs no memory is allocated. 231 pub fn new(x: T, flags: Flags) -> Result<Self, AllocError> { 232 let b = Self::new_uninit(flags)?; 233 Ok(Box::write(b, x)) 234 } 235 236 /// Creates a new `Box<T, A>` with uninitialized contents. 237 /// 238 /// New memory is allocated with `A`. The allocation may fail, in which case an error is 239 /// returned. For ZSTs no memory is allocated. 240 /// 241 /// # Examples 242 /// 243 /// ``` 244 /// let b = KBox::<u64>::new_uninit(GFP_KERNEL)?; 245 /// let b = KBox::write(b, 24); 246 /// 247 /// assert_eq!(*b, 24_u64); 248 /// # Ok::<(), Error>(()) 249 /// ``` 250 pub fn new_uninit(flags: Flags) -> Result<Box<MaybeUninit<T>, A>, AllocError> { 251 let layout = Layout::new::<MaybeUninit<T>>(); 252 let ptr = A::alloc(layout, flags, NumaNode::NO_NODE)?; 253 254 // INVARIANT: `ptr` is either a dangling pointer or points to memory allocated with `A`, 255 // which is sufficient in size and alignment for storing a `T`. 256 Ok(Box(ptr.cast(), PhantomData)) 257 } 258 259 /// Constructs a new `Pin<Box<T, A>>`. If `T` does not implement [`Unpin`], then `x` will be 260 /// pinned in memory and can't be moved. 261 #[inline] 262 pub fn pin(x: T, flags: Flags) -> Result<Pin<Box<T, A>>, AllocError> 263 where 264 A: 'static, 265 { 266 Ok(Self::new(x, flags)?.into()) 267 } 268 269 /// Construct a pinned slice of elements `Pin<Box<[T], A>>`. 270 /// 271 /// This is a convenient means for creation of e.g. slices of structrures containing spinlocks 272 /// or mutexes. 273 /// 274 /// # Examples 275 /// 276 /// ``` 277 /// use kernel::sync::{new_spinlock, SpinLock}; 278 /// 279 /// struct Inner { 280 /// a: u32, 281 /// b: u32, 282 /// } 283 /// 284 /// #[pin_data] 285 /// struct Example { 286 /// c: u32, 287 /// #[pin] 288 /// d: SpinLock<Inner>, 289 /// } 290 /// 291 /// impl Example { 292 /// fn new() -> impl PinInit<Self, Error> { 293 /// try_pin_init!(Self { 294 /// c: 10, 295 /// d <- new_spinlock!(Inner { a: 20, b: 30 }), 296 /// }) 297 /// } 298 /// } 299 /// 300 /// // Allocate a boxed slice of 10 `Example`s. 301 /// let s = KBox::pin_slice( 302 /// | _i | Example::new(), 303 /// 10, 304 /// GFP_KERNEL 305 /// )?; 306 /// 307 /// assert_eq!(s[5].c, 10); 308 /// assert_eq!(s[3].d.lock().a, 20); 309 /// # Ok::<(), Error>(()) 310 /// ``` 311 pub fn pin_slice<Func, Item, E>( 312 mut init: Func, 313 len: usize, 314 flags: Flags, 315 ) -> Result<Pin<Box<[T], A>>, E> 316 where 317 Func: FnMut(usize) -> Item, 318 Item: PinInit<T, E>, 319 E: From<AllocError>, 320 { 321 let mut buffer = super::Vec::<T, A>::with_capacity(len, flags)?; 322 for i in 0..len { 323 let ptr = buffer.spare_capacity_mut().as_mut_ptr().cast(); 324 // SAFETY: 325 // - `ptr` is a valid pointer to uninitialized memory. 326 // - `ptr` is not used if an error is returned. 327 // - `ptr` won't be moved until it is dropped, i.e. it is pinned. 328 unsafe { init(i).__pinned_init(ptr)? }; 329 330 // SAFETY: 331 // - `i + 1 <= len`, hence we don't exceed the capacity, due to the call to 332 // `with_capacity()` above. 333 // - The new value at index buffer.len() + 1 is the only element being added here, and 334 // it has been initialized above by `init(i).__pinned_init(ptr)`. 335 unsafe { buffer.inc_len(1) }; 336 } 337 338 let (ptr, _, _) = buffer.into_raw_parts(); 339 let slice = core::ptr::slice_from_raw_parts_mut(ptr, len); 340 341 // SAFETY: `slice` points to an allocation allocated with `A` (`buffer`) and holds a valid 342 // `[T]`. 343 Ok(Pin::from(unsafe { Box::from_raw(slice) })) 344 } 345 346 /// Convert a [`Box<T,A>`] to a [`Pin<Box<T,A>>`]. If `T` does not implement 347 /// [`Unpin`], then `x` will be pinned in memory and can't be moved. 348 pub fn into_pin(this: Self) -> Pin<Self> { 349 this.into() 350 } 351 352 /// Forgets the contents (does not run the destructor), but keeps the allocation. 353 fn forget_contents(this: Self) -> Box<MaybeUninit<T>, A> { 354 let ptr = Self::into_raw(this); 355 356 // SAFETY: `ptr` is valid, because it came from `Box::into_raw`. 357 unsafe { Box::from_raw(ptr.cast()) } 358 } 359 360 /// Drops the contents, but keeps the allocation. 361 /// 362 /// # Examples 363 /// 364 /// ``` 365 /// let value = KBox::new([0; 32], GFP_KERNEL)?; 366 /// assert_eq!(*value, [0; 32]); 367 /// let value = KBox::drop_contents(value); 368 /// // Now we can re-use `value`: 369 /// let value = KBox::write(value, [1; 32]); 370 /// assert_eq!(*value, [1; 32]); 371 /// # Ok::<(), Error>(()) 372 /// ``` 373 pub fn drop_contents(this: Self) -> Box<MaybeUninit<T>, A> { 374 let ptr = this.0.as_ptr(); 375 376 // SAFETY: `ptr` is valid, because it came from `this`. After this call we never access the 377 // value stored in `this` again. 378 unsafe { core::ptr::drop_in_place(ptr) }; 379 380 Self::forget_contents(this) 381 } 382 383 /// Moves the `Box`'s value out of the `Box` and consumes the `Box`. 384 pub fn into_inner(b: Self) -> T { 385 // SAFETY: By the type invariant `&*b` is valid for `read`. 386 let value = unsafe { core::ptr::read(&*b) }; 387 let _ = Self::forget_contents(b); 388 value 389 } 390 } 391 392 impl<T, A> From<Box<T, A>> for Pin<Box<T, A>> 393 where 394 T: ?Sized, 395 A: Allocator, 396 { 397 /// Converts a `Box<T, A>` into a `Pin<Box<T, A>>`. If `T` does not implement [`Unpin`], then 398 /// `*b` will be pinned in memory and can't be moved. 399 /// 400 /// This moves `b` into `Pin` without moving `*b` or allocating and copying any memory. 401 fn from(b: Box<T, A>) -> Self { 402 // SAFETY: The value wrapped inside a `Pin<Box<T, A>>` cannot be moved or replaced as long 403 // as `T` does not implement `Unpin`. 404 unsafe { Pin::new_unchecked(b) } 405 } 406 } 407 408 impl<T, A> InPlaceWrite<T> for Box<MaybeUninit<T>, A> 409 where 410 A: Allocator + 'static, 411 { 412 type Initialized = Box<T, A>; 413 414 fn write_init<E>(mut self, init: impl Init<T, E>) -> Result<Self::Initialized, E> { 415 let slot = self.as_mut_ptr(); 416 // SAFETY: When init errors/panics, slot will get deallocated but not dropped, 417 // slot is valid. 418 unsafe { init.__init(slot)? }; 419 // SAFETY: All fields have been initialized. 420 Ok(unsafe { Box::assume_init(self) }) 421 } 422 423 fn write_pin_init<E>(mut self, init: impl PinInit<T, E>) -> Result<Pin<Self::Initialized>, E> { 424 let slot = self.as_mut_ptr(); 425 // SAFETY: When init errors/panics, slot will get deallocated but not dropped, 426 // slot is valid and will not be moved, because we pin it later. 427 unsafe { init.__pinned_init(slot)? }; 428 // SAFETY: All fields have been initialized. 429 Ok(unsafe { Box::assume_init(self) }.into()) 430 } 431 } 432 433 impl<T, A> InPlaceInit<T> for Box<T, A> 434 where 435 A: Allocator + 'static, 436 { 437 type PinnedSelf = Pin<Self>; 438 439 #[inline] 440 fn try_pin_init<E>(init: impl PinInit<T, E>, flags: Flags) -> Result<Pin<Self>, E> 441 where 442 E: From<AllocError>, 443 { 444 Box::<_, A>::new_uninit(flags)?.write_pin_init(init) 445 } 446 447 #[inline] 448 fn try_init<E>(init: impl Init<T, E>, flags: Flags) -> Result<Self, E> 449 where 450 E: From<AllocError>, 451 { 452 Box::<_, A>::new_uninit(flags)?.write_init(init) 453 } 454 } 455 456 // SAFETY: The pointer returned by `into_foreign` comes from a well aligned 457 // pointer to `T` allocated by `A`. 458 unsafe impl<T: 'static, A> ForeignOwnable for Box<T, A> 459 where 460 A: Allocator, 461 { 462 const FOREIGN_ALIGN: usize = if core::mem::align_of::<T>() < A::MIN_ALIGN { 463 A::MIN_ALIGN 464 } else { 465 core::mem::align_of::<T>() 466 }; 467 468 type Borrowed<'a> = &'a T; 469 type BorrowedMut<'a> = &'a mut T; 470 471 fn into_foreign(self) -> *mut c_void { 472 Box::into_raw(self).cast() 473 } 474 475 unsafe fn from_foreign(ptr: *mut c_void) -> Self { 476 // SAFETY: The safety requirements of this function ensure that `ptr` comes from a previous 477 // call to `Self::into_foreign`. 478 unsafe { Box::from_raw(ptr.cast()) } 479 } 480 481 unsafe fn borrow<'a>(ptr: *mut c_void) -> &'a T { 482 // SAFETY: The safety requirements of this method ensure that the object remains alive and 483 // immutable for the duration of 'a. 484 unsafe { &*ptr.cast() } 485 } 486 487 unsafe fn borrow_mut<'a>(ptr: *mut c_void) -> &'a mut T { 488 let ptr = ptr.cast(); 489 // SAFETY: The safety requirements of this method ensure that the pointer is valid and that 490 // nothing else will access the value for the duration of 'a. 491 unsafe { &mut *ptr } 492 } 493 } 494 495 // SAFETY: The pointer returned by `into_foreign` comes from a well aligned 496 // pointer to `T` allocated by `A`. 497 unsafe impl<T: 'static, A> ForeignOwnable for Pin<Box<T, A>> 498 where 499 A: Allocator, 500 { 501 const FOREIGN_ALIGN: usize = <Box<T, A> as ForeignOwnable>::FOREIGN_ALIGN; 502 type Borrowed<'a> = Pin<&'a T>; 503 type BorrowedMut<'a> = Pin<&'a mut T>; 504 505 fn into_foreign(self) -> *mut c_void { 506 // SAFETY: We are still treating the box as pinned. 507 Box::into_raw(unsafe { Pin::into_inner_unchecked(self) }).cast() 508 } 509 510 unsafe fn from_foreign(ptr: *mut c_void) -> Self { 511 // SAFETY: The safety requirements of this function ensure that `ptr` comes from a previous 512 // call to `Self::into_foreign`. 513 unsafe { Pin::new_unchecked(Box::from_raw(ptr.cast())) } 514 } 515 516 unsafe fn borrow<'a>(ptr: *mut c_void) -> Pin<&'a T> { 517 // SAFETY: The safety requirements for this function ensure that the object is still alive, 518 // so it is safe to dereference the raw pointer. 519 // The safety requirements of `from_foreign` also ensure that the object remains alive for 520 // the lifetime of the returned value. 521 let r = unsafe { &*ptr.cast() }; 522 523 // SAFETY: This pointer originates from a `Pin<Box<T>>`. 524 unsafe { Pin::new_unchecked(r) } 525 } 526 527 unsafe fn borrow_mut<'a>(ptr: *mut c_void) -> Pin<&'a mut T> { 528 let ptr = ptr.cast(); 529 // SAFETY: The safety requirements for this function ensure that the object is still alive, 530 // so it is safe to dereference the raw pointer. 531 // The safety requirements of `from_foreign` also ensure that the object remains alive for 532 // the lifetime of the returned value. 533 let r = unsafe { &mut *ptr }; 534 535 // SAFETY: This pointer originates from a `Pin<Box<T>>`. 536 unsafe { Pin::new_unchecked(r) } 537 } 538 } 539 540 impl<T, A> Deref for Box<T, A> 541 where 542 T: ?Sized, 543 A: Allocator, 544 { 545 type Target = T; 546 547 fn deref(&self) -> &T { 548 // SAFETY: `self.0` is always properly aligned, dereferenceable and points to an initialized 549 // instance of `T`. 550 unsafe { self.0.as_ref() } 551 } 552 } 553 554 impl<T, A> DerefMut for Box<T, A> 555 where 556 T: ?Sized, 557 A: Allocator, 558 { 559 fn deref_mut(&mut self) -> &mut T { 560 // SAFETY: `self.0` is always properly aligned, dereferenceable and points to an initialized 561 // instance of `T`. 562 unsafe { self.0.as_mut() } 563 } 564 } 565 566 /// # Examples 567 /// 568 /// ``` 569 /// # use core::borrow::Borrow; 570 /// # use kernel::alloc::KBox; 571 /// struct Foo<B: Borrow<u32>>(B); 572 /// 573 /// // Owned instance. 574 /// let owned = Foo(1); 575 /// 576 /// // Owned instance using `KBox`. 577 /// let owned_kbox = Foo(KBox::new(1, GFP_KERNEL)?); 578 /// 579 /// let i = 1; 580 /// // Borrowed from `i`. 581 /// let borrowed = Foo(&i); 582 /// # Ok::<(), Error>(()) 583 /// ``` 584 impl<T, A> Borrow<T> for Box<T, A> 585 where 586 T: ?Sized, 587 A: Allocator, 588 { 589 fn borrow(&self) -> &T { 590 self.deref() 591 } 592 } 593 594 /// # Examples 595 /// 596 /// ``` 597 /// # use core::borrow::BorrowMut; 598 /// # use kernel::alloc::KBox; 599 /// struct Foo<B: BorrowMut<u32>>(B); 600 /// 601 /// // Owned instance. 602 /// let owned = Foo(1); 603 /// 604 /// // Owned instance using `KBox`. 605 /// let owned_kbox = Foo(KBox::new(1, GFP_KERNEL)?); 606 /// 607 /// let mut i = 1; 608 /// // Borrowed from `i`. 609 /// let borrowed = Foo(&mut i); 610 /// # Ok::<(), Error>(()) 611 /// ``` 612 impl<T, A> BorrowMut<T> for Box<T, A> 613 where 614 T: ?Sized, 615 A: Allocator, 616 { 617 fn borrow_mut(&mut self) -> &mut T { 618 self.deref_mut() 619 } 620 } 621 622 impl<T, A> fmt::Display for Box<T, A> 623 where 624 T: ?Sized + fmt::Display, 625 A: Allocator, 626 { 627 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { 628 <T as fmt::Display>::fmt(&**self, f) 629 } 630 } 631 632 impl<T, A> fmt::Debug for Box<T, A> 633 where 634 T: ?Sized + fmt::Debug, 635 A: Allocator, 636 { 637 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { 638 <T as fmt::Debug>::fmt(&**self, f) 639 } 640 } 641 642 impl<T, A> Drop for Box<T, A> 643 where 644 T: ?Sized, 645 A: Allocator, 646 { 647 fn drop(&mut self) { 648 let layout = Layout::for_value::<T>(self); 649 650 // SAFETY: The pointer in `self.0` is guaranteed to be valid by the type invariant. 651 unsafe { core::ptr::drop_in_place::<T>(self.deref_mut()) }; 652 653 // SAFETY: 654 // - `self.0` was previously allocated with `A`. 655 // - `layout` is equal to the `Layout´ `self.0` was allocated with. 656 unsafe { A::free(self.0.cast(), layout) }; 657 } 658 } 659 660 /// # Examples 661 /// 662 /// ``` 663 /// # use kernel::prelude::*; 664 /// use kernel::alloc::allocator::VmallocPageIter; 665 /// use kernel::page::{AsPageIter, PAGE_SIZE}; 666 /// 667 /// let mut vbox = VBox::new((), GFP_KERNEL)?; 668 /// 669 /// assert!(vbox.page_iter().next().is_none()); 670 /// 671 /// let mut vbox = VBox::<[u8; PAGE_SIZE]>::new_uninit(GFP_KERNEL)?; 672 /// 673 /// let page = vbox.page_iter().next().expect("At least one page should be available.\n"); 674 /// 675 /// // SAFETY: There is no concurrent read or write to the same page. 676 /// unsafe { page.fill_zero_raw(0, PAGE_SIZE)? }; 677 /// # Ok::<(), Error>(()) 678 /// ``` 679 impl<T> AsPageIter for VBox<T> { 680 type Iter<'a> 681 = VmallocPageIter<'a> 682 where 683 T: 'a; 684 685 fn page_iter(&mut self) -> Self::Iter<'_> { 686 let ptr = self.0.cast(); 687 let size = core::mem::size_of::<T>(); 688 689 // SAFETY: 690 // - `ptr` is a valid pointer to the beginning of a `Vmalloc` allocation. 691 // - `ptr` is guaranteed to be valid for the lifetime of `'a`. 692 // - `size` is the size of the `Vmalloc` allocation `ptr` points to. 693 unsafe { VmallocPageIter::new(ptr, size) } 694 } 695 } 696