Mapper: Add map_to_with_table_flags method

Add a new map_to_with_table_flags method with an additional
parent_table_flags argument to the flags of the parent table entries.

map_to is kept without API changes as a convenience method.
It automatically infers the parent table flags from the flags of the mapping
and then calls into map_to_with_table_flags. To ensure that flags like
NO_CACHE are not automatically set, which have a different meaning on
higher level tables, a hardcoded mask of "safe" flags
(PRESENT | WRITABLE | USER_ACCESSIBLE) is used.

To keep the recursive page table working, PRESENT and WRITABLE flags
for parent entries are also added.

Author: haraldh

src/structures/paging/mapper/mapped_page_table.rs

@@ -44,15 +44,18 @@ impl<'a, P: PhysToVirt> MappedPageTable<'a, P> {
         page: Page<Size1GiB>,
         frame: PhysFrame<Size1GiB>,
         flags: PageTableFlags,
+        parent_table_flags: PageTableFlags,
         allocator: &mut A,
     ) -> Result<MapperFlush<Size1GiB>, MapToError<Size1GiB>>
     where
         A: FrameAllocator<Size4KiB>,
     {
         let p4 = &mut self.level_4_table;
-        let p3 = self
-            .page_table_walker
-            .create_next_table(&mut p4[page.p4_index()], allocator)?;
+        let p3 = self.page_table_walker.create_next_table(
+            &mut p4[page.p4_index()],
+            parent_table_flags,
+            allocator,
+        )?;
 
         if !p3[page.p3_index()].is_unused() {
             return Err(MapToError::PageAlreadyMapped(frame));
@@ -69,18 +72,23 @@ impl<'a, P: PhysToVirt> MappedPageTable<'a, P> {
         page: Page<Size2MiB>,
         frame: PhysFrame<Size2MiB>,
         flags: PageTableFlags,
+        parent_table_flags: PageTableFlags,
         allocator: &mut A,
     ) -> Result<MapperFlush<Size2MiB>, MapToError<Size2MiB>>
     where
         A: FrameAllocator<Size4KiB>,
     {
         let p4 = &mut self.level_4_table;
-        let p3 = self
-            .page_table_walker
-            .create_next_table(&mut p4[page.p4_index()], allocator)?;
-        let p2 = self
-            .page_table_walker
-            .create_next_table(&mut p3[page.p3_index()], allocator)?;
+        let p3 = self.page_table_walker.create_next_table(
+            &mut p4[page.p4_index()],
+            parent_table_flags,
+            allocator,
+        )?;
+        let p2 = self.page_table_walker.create_next_table(
+            &mut p3[page.p3_index()],
+            parent_table_flags,
+            allocator,
+        )?;
 
         if !p2[page.p2_index()].is_unused() {
             return Err(MapToError::PageAlreadyMapped(frame));
@@ -97,21 +105,28 @@ impl<'a, P: PhysToVirt> MappedPageTable<'a, P> {
         page: Page<Size4KiB>,
         frame: PhysFrame<Size4KiB>,
         flags: PageTableFlags,
+        parent_table_flags: PageTableFlags,
         allocator: &mut A,
     ) -> Result<MapperFlush<Size4KiB>, MapToError<Size4KiB>>
     where
         A: FrameAllocator<Size4KiB>,
     {
         let p4 = &mut self.level_4_table;
-        let p3 = self
-            .page_table_walker
-            .create_next_table(&mut p4[page.p4_index()], allocator)?;
-        let p2 = self
-            .page_table_walker
-            .create_next_table(&mut p3[page.p3_index()], allocator)?;
-        let p1 = self
-            .page_table_walker
-            .create_next_table(&mut p2[page.p2_index()], allocator)?;
+        let p3 = self.page_table_walker.create_next_table(
+            &mut p4[page.p4_index()],
+            parent_table_flags,
+            allocator,
+        )?;
+        let p2 = self.page_table_walker.create_next_table(
+            &mut p3[page.p3_index()],
+            parent_table_flags,
+            allocator,
+        )?;
+        let p1 = self.page_table_walker.create_next_table(
+            &mut p2[page.p2_index()],
+            parent_table_flags,
+            allocator,
+        )?;
 
         if !p1[page.p1_index()].is_unused() {
             return Err(MapToError::PageAlreadyMapped(frame));
@@ -124,17 +139,18 @@ impl<'a, P: PhysToVirt> MappedPageTable<'a, P> {
 
 impl<'a, P: PhysToVirt> Mapper<Size1GiB> for MappedPageTable<'a, P> {
     #[inline]
-    unsafe fn map_to<A>(
+    unsafe fn map_to_with_table_flags<A>(
         &mut self,
         page: Page<Size1GiB>,
         frame: PhysFrame<Size1GiB>,
         flags: PageTableFlags,
+        parent_table_flags: PageTableFlags,
         allocator: &mut A,
     ) -> Result<MapperFlush<Size1GiB>, MapToError<Size1GiB>>
     where
         A: FrameAllocator<Size4KiB>,
     {
-        self.map_to_1gib(page, frame, flags, allocator)
+        self.map_to_1gib(page, frame, flags, parent_table_flags, allocator)
     }
 
     fn unmap(
@@ -198,17 +214,18 @@ impl<'a, P: PhysToVirt> Mapper<Size1GiB> for MappedPageTable<'a, P> {
 
 impl<'a, P: PhysToVirt> Mapper<Size2MiB> for MappedPageTable<'a, P> {
     #[inline]
-    unsafe fn map_to<A>(
+    unsafe fn map_to_with_table_flags<A>(
         &mut self,
         page: Page<Size2MiB>,
         frame: PhysFrame<Size2MiB>,
         flags: PageTableFlags,
+        parent_table_flags: PageTableFlags,
         allocator: &mut A,
     ) -> Result<MapperFlush<Size2MiB>, MapToError<Size2MiB>>
     where
         A: FrameAllocator<Size4KiB>,
     {
-        self.map_to_2mib(page, frame, flags, allocator)
+        self.map_to_2mib(page, frame, flags, parent_table_flags, allocator)
     }
 
     fn unmap(
@@ -280,17 +297,18 @@ impl<'a, P: PhysToVirt> Mapper<Size2MiB> for MappedPageTable<'a, P> {
 
 impl<'a, P: PhysToVirt> Mapper<Size4KiB> for MappedPageTable<'a, P> {
     #[inline]
-    unsafe fn map_to<A>(
+    unsafe fn map_to_with_table_flags<A>(
         &mut self,
         page: Page<Size4KiB>,
         frame: PhysFrame<Size4KiB>,
         flags: PageTableFlags,
+        parent_table_flags: PageTableFlags,
         allocator: &mut A,
     ) -> Result<MapperFlush<Size4KiB>, MapToError<Size4KiB>>
     where
         A: FrameAllocator<Size4KiB>,
     {
-        self.map_to_4kib(page, frame, flags, allocator)
+        self.map_to_4kib(page, frame, flags, parent_table_flags, allocator)
     }
 
     fn unmap(
@@ -461,6 +479,7 @@ impl<P: PhysToVirt> PageTableWalker<P> {
     fn create_next_table<'b, A>(
         &self,
         entry: &'b mut PageTableEntry,
+        insert_flags: PageTableFlags,
         allocator: &mut A,
     ) -> Result<&'b mut PageTable, PageTableCreateError>
     where
@@ -470,12 +489,15 @@ impl<P: PhysToVirt> PageTableWalker<P> {
 
         if entry.is_unused() {
             if let Some(frame) = allocator.allocate_frame() {
-                entry.set_frame(frame, PageTableFlags::PRESENT | PageTableFlags::WRITABLE);
+                entry.set_frame(frame, insert_flags);
                 created = true;
             } else {
                 return Err(PageTableCreateError::FrameAllocationFailed);
             }
         } else {
+            if !insert_flags.is_empty() && !entry.flags().contains(insert_flags) {
+                entry.set_flags(entry.flags() | insert_flags);
+            }
             created = false;
         }
 

src/structures/paging/mapper/mod.rs

@@ -83,6 +83,13 @@ pub trait Mapper<S: PageSize> {
     /// This function might need additional physical frames to create new page tables. These
     /// frames are allocated from the `allocator` argument. At most three frames are required.
     ///
+    /// Parent page table entries are automatically updated with `PRESENT | WRITABLE | USER_ACCESSIBLE`
+    /// if present in the `PageTableFlags`. Depending on the used mapper implementation
+    /// the `PRESENT` and `WRITABLE` flags might be set for parent tables,
+    /// even if they are not set in `PageTableFlags`.
+    ///
+    /// The `map_to_with_table_flags` method gives explicit control over the parent page table flags.
+    ///
     /// ## Safety
     ///
     /// Creating page table mappings is a fundamentally unsafe operation because
@@ -111,13 +118,127 @@ pub trait Mapper<S: PageSize> {
     /// the same in all address spaces, otherwise undefined behavior can occur
     /// because of TLB races. It's worth noting that all the above requirements
     /// also apply to shared mappings, including the aliasing requirements.
+    ///
+    /// # Examples
+    ///
+    /// Create a USER_ACCESSIBLE mapping:
+    ///
+    /// ```
+    /// # use x86_64::structures::paging::{
+    /// #    Mapper, Page, PhysFrame, FrameAllocator,
+    /// #    Size4KiB, OffsetPageTable, page_table::PageTableFlags
+    /// # };
+    /// # unsafe fn test(mapper: &mut OffsetPageTable, frame_allocator: &mut impl FrameAllocator<Size4KiB>,
+    /// #         page: Page<Size4KiB>, frame: PhysFrame) {
+    ///         mapper
+    ///           .map_to(
+    ///               page,
+    ///               frame,
+    ///              PageTableFlags::PRESENT
+    ///                   | PageTableFlags::WRITABLE
+    ///                   | PageTableFlags::USER_ACCESSIBLE,
+    ///               frame_allocator,
+    ///           )
+    ///           .unwrap()
+    ///           .flush();
+    /// # }
+    /// ```
+    #[inline]
     unsafe fn map_to<A>(
         &mut self,
         page: Page<S>,
         frame: PhysFrame<S>,
         flags: PageTableFlags,
         frame_allocator: &mut A,
     ) -> Result<MapperFlush<S>, MapToError<S>>
+    where
+        Self: Sized,
+        A: FrameAllocator<Size4KiB>,
+    {
+        let parent_table_flags = flags
+            & (PageTableFlags::PRESENT
+                | PageTableFlags::WRITABLE
+                | PageTableFlags::USER_ACCESSIBLE);
+
+        self.map_to_with_table_flags(page, frame, flags, parent_table_flags, frame_allocator)
+    }
+
+    /// Creates a new mapping in the page table.
+    ///
+    /// This function might need additional physical frames to create new page tables. These
+    /// frames are allocated from the `allocator` argument. At most three frames are required.
+    ///
+    /// The flags of the parent table(s) can be explicitly specified. Those flags are used for
+    /// newly created table entries, and for existing entries the flags are added.
+    ///
+    /// Depending on the used mapper implementation, the `PRESENT` and `WRITABLE` flags might
+    /// be set for parent tables, even if they are not specified in `parent_table_flags`.
+    ///
+    /// ## Safety
+    ///
+    /// Creating page table mappings is a fundamentally unsafe operation because
+    /// there are various ways to break memory safety through it. For example,
+    /// re-mapping an in-use page to a different frame changes and invalidates
+    /// all values stored in that page, resulting in undefined behavior on the
+    /// next use.
+    ///
+    /// The caller must ensure that no undefined behavior or memory safety
+    /// violations can occur through the new mapping. Among other things, the
+    /// caller must prevent the following:
+    ///
+    /// - Aliasing of `&mut` references, i.e. two `&mut` references that point to
+    ///   the same physical address. This is undefined behavior in Rust.
+    ///     - This can be ensured by mapping each page to an individual physical
+    ///       frame that is not mapped anywhere else.
+    /// - Creating uninitalized or invalid values: Rust requires that all values
+    ///   have a correct memory layout. For example, a `bool` must be either a 0
+    ///   or a 1 in memory, but not a 3 or 4. An exception is the `MaybeUninit`
+    ///   wrapper type, which abstracts over possibly uninitialized memory.
+    ///     - This is only a problem when re-mapping pages to different physical
+    ///       frames. Mapping a page that is not in use yet is fine.
+    ///
+    /// Special care must be taken when sharing pages with other address spaces,
+    /// e.g. by setting the `GLOBAL` flag. For example, a global mapping must be
+    /// the same in all address spaces, otherwise undefined behavior can occur
+    /// because of TLB races. It's worth noting that all the above requirements
+    /// also apply to shared mappings, including the aliasing requirements.
+    ///
+    /// # Examples
+    ///
+    /// Create USER_ACCESSIBLE | NO_EXECUTE | NO_CACHE mapping and update
+    /// the top hierarchy only with USER_ACCESSIBLE:
+    ///
+    /// ```
+    /// # use x86_64::structures::paging::{
+    /// #    Mapper, PhysFrame, Page, FrameAllocator,
+    /// #    Size4KiB, OffsetPageTable, page_table::PageTableFlags
+    /// # };
+    /// # unsafe fn test(mapper: &mut OffsetPageTable, frame_allocator: &mut impl FrameAllocator<Size4KiB>,
+    /// #         page: Page<Size4KiB>, frame: PhysFrame) {
+    ///         mapper
+    ///           .map_to_with_table_flags(
+    ///               page,
+    ///               frame,
+    ///              PageTableFlags::PRESENT
+    ///                   | PageTableFlags::WRITABLE
+    ///                   | PageTableFlags::USER_ACCESSIBLE
+    ///                   | PageTableFlags::NO_EXECUTE
+    ///                   | PageTableFlags::NO_CACHE,
+    ///              PageTableFlags::USER_ACCESSIBLE,
+    ///               frame_allocator,
+    ///           )
+    ///           .unwrap()
+    ///           .flush();
+    /// # }
+    /// ```
+    unsafe fn map_to_with_table_flags<A>(
+        &mut self,
+        page: Page<S>,
+        frame: PhysFrame<S>,
+        flags: PageTableFlags,
+        parent_table_flags: PageTableFlags,
+        frame_allocator: &mut A,
+    ) -> Result<MapperFlush<S>, MapToError<S>>
     where
         Self: Sized,
         A: FrameAllocator<Size4KiB>;

src/structures/paging/mapper/offset_page_table.rs

@@ -1,6 +1,8 @@
 #![cfg(target_arch = "x86_64")]
 
-use crate::structures::paging::{frame::PhysFrame, mapper::*, page_table::PageTable};
+use crate::structures::paging::{
+    frame::PhysFrame, mapper::*, page_table::PageTable, Page, PageTableFlags,
+};
 
 /// A Mapper implementation that requires that the complete physically memory is mapped at some
 /// offset in the virtual address space.
@@ -54,17 +56,19 @@ impl PhysToVirt for PhysOffset {
 
 impl<'a> Mapper<Size1GiB> for OffsetPageTable<'a> {
     #[inline]
-    unsafe fn map_to<A>(
+    unsafe fn map_to_with_table_flags<A>(
         &mut self,
         page: Page<Size1GiB>,
         frame: PhysFrame<Size1GiB>,
         flags: PageTableFlags,
+        parent_table_flags: PageTableFlags,
         allocator: &mut A,
     ) -> Result<MapperFlush<Size1GiB>, MapToError<Size1GiB>>
     where
         A: FrameAllocator<Size4KiB>,
     {
-        self.inner.map_to(page, frame, flags, allocator)
+        self.inner
+            .map_to_with_table_flags(page, frame, flags, parent_table_flags, allocator)
     }
 
     #[inline]
@@ -92,17 +96,19 @@ impl<'a> Mapper<Size1GiB> for OffsetPageTable<'a> {
 
 impl<'a> Mapper<Size2MiB> for OffsetPageTable<'a> {
     #[inline]
-    unsafe fn map_to<A>(
+    unsafe fn map_to_with_table_flags<A>(
         &mut self,
         page: Page<Size2MiB>,
         frame: PhysFrame<Size2MiB>,
         flags: PageTableFlags,
+        parent_table_flags: PageTableFlags,
         allocator: &mut A,
     ) -> Result<MapperFlush<Size2MiB>, MapToError<Size2MiB>>
     where
         A: FrameAllocator<Size4KiB>,
     {
-        self.inner.map_to(page, frame, flags, allocator)
+        self.inner
+            .map_to_with_table_flags(page, frame, flags, parent_table_flags, allocator)
     }
 
     #[inline]
@@ -130,17 +136,19 @@ impl<'a> Mapper<Size2MiB> for OffsetPageTable<'a> {
 
 impl<'a> Mapper<Size4KiB> for OffsetPageTable<'a> {
     #[inline]
-    unsafe fn map_to<A>(
+    unsafe fn map_to_with_table_flags<A>(
         &mut self,
         page: Page<Size4KiB>,
         frame: PhysFrame<Size4KiB>,
         flags: PageTableFlags,
+        parent_table_flags: PageTableFlags,
         allocator: &mut A,
     ) -> Result<MapperFlush<Size4KiB>, MapToError<Size4KiB>>
     where
         A: FrameAllocator<Size4KiB>,
     {
-        self.inner.map_to(page, frame, flags, allocator)
+        self.inner
+            .map_to_with_table_flags(page, frame, flags, parent_table_flags, allocator)
     }
 
     #[inline]