mem+boot+x86_64+aarch64: switch to lock-free PFA

Author: Qix-

oro-arch-aarch64/src/mem/address_space.rs

@@ -220,8 +220,9 @@ impl AddressSpaceLayout {
 	///
 	/// This probably isn't used by the kernel, but instead by the
 	/// preboot environment to map stubs.
+	#[must_use]
 	pub fn new_supervisor_space_ttbr0() -> Option<Ttbr0Handle> {
-		Self::new_supervisor_space_ttbr0_in(&mut oro_mem::global_alloc::GlobalPfa)
+		Self::new_supervisor_space_ttbr0_in(&oro_mem::global_alloc::GlobalPfa)
 	}
 
 	/// Creates a new supervisor (EL1) address space that addresses
@@ -230,7 +231,7 @@ impl AddressSpaceLayout {
 	///
 	/// This probably isn't used by the kernel, but instead by the
 	/// preboot environment to map stubs.
-	pub fn new_supervisor_space_ttbr0_in<A>(alloc: &mut A) -> Option<Ttbr0Handle>
+	pub fn new_supervisor_space_ttbr0_in<A>(alloc: &A) -> Option<Ttbr0Handle>
 	where
 		A: Alloc,
 	{
@@ -327,7 +328,7 @@ unsafe impl AddressSpace for AddressSpaceLayout {
 		}
 	}
 
-	fn new_supervisor_space_in<A>(alloc: &mut A) -> Option<Self::SupervisorHandle>
+	fn new_supervisor_space_in<A>(alloc: &A) -> Option<Self::SupervisorHandle>
 	where
 		A: Alloc,
 	{
@@ -350,10 +351,7 @@ unsafe impl AddressSpace for AddressSpaceLayout {
 		Some(Ttbr1Handle { base_phys })
 	}
 
-	fn new_user_space_in<A>(
-		_space: &Self::SupervisorHandle,
-		alloc: &mut A,
-	) -> Option<Self::UserHandle>
+	fn new_user_space_in<A>(_space: &Self::SupervisorHandle, alloc: &A) -> Option<Self::UserHandle>
 	where
 		A: Alloc,
 	{
@@ -370,7 +368,7 @@ unsafe impl AddressSpace for AddressSpaceLayout {
 
 	fn duplicate_supervisor_space_shallow_in<A>(
 		space: &Self::SupervisorHandle,
-		alloc: &mut A,
+		alloc: &A,
 	) -> Option<Self::SupervisorHandle>
 	where
 		A: Alloc,
@@ -390,7 +388,7 @@ unsafe impl AddressSpace for AddressSpaceLayout {
 
 	fn duplicate_user_space_shallow_in<A>(
 		space: &Self::UserHandle,
-		alloc: &mut A,
+		alloc: &A,
 	) -> Option<Self::UserHandle>
 	where
 		A: Alloc,
@@ -408,7 +406,7 @@ unsafe impl AddressSpace for AddressSpaceLayout {
 		Some(Self::UserHandle { base_phys })
 	}
 
-	fn new_user_space_empty_in<A>(alloc: &mut A) -> Option<Self::UserHandle>
+	fn new_user_space_empty_in<A>(alloc: &A) -> Option<Self::UserHandle>
 	where
 		A: Alloc,
 	{
@@ -419,7 +417,7 @@ unsafe impl AddressSpace for AddressSpaceLayout {
 		})
 	}
 
-	fn free_user_space_handle_in<A>(space: Self::UserHandle, alloc: &mut A)
+	fn free_user_space_handle_in<A>(space: Self::UserHandle, alloc: &A)
 	where
 		A: Alloc,
 	{
@@ -431,7 +429,7 @@ unsafe impl AddressSpace for AddressSpaceLayout {
 		}
 	}
 
-	fn free_user_space_deep_in<A>(_space: Self::UserHandle, _alloc: &mut A)
+	fn free_user_space_deep_in<A>(_space: Self::UserHandle, _alloc: &A)
 	where
 		A: Alloc,
 	{

oro-arch-aarch64/src/mem/segment.rs

@@ -57,7 +57,7 @@ impl Segment {
 	pub(crate) fn entry<'a, A, Handle>(
 		&'a self,
 		space: &'a Handle,
-		alloc: &'a mut A,
+		alloc: &'a A,
 		virt: usize,
 	) -> Result<&'a mut PageTableEntry, MapError>
 	where
@@ -185,7 +185,7 @@ impl Segment {
 	unsafe fn try_unmap<A, Handle>(
 		&self,
 		space: &Handle,
-		alloc: &mut A,
+		alloc: &A,
 		virt: usize,
 	) -> Result<Option<u64>, UnmapError>
 	where
@@ -300,7 +300,7 @@ impl Segment {
 }
 
 unsafe impl<Handle: TtbrHandle> AddressSegment<Handle> for &'static Segment {
-	unsafe fn unmap_all_and_reclaim_in<A>(&self, _space: &Handle, _alloc: &mut A)
+	unsafe fn unmap_all_and_reclaim_in<A>(&self, _space: &Handle, _alloc: &A)
 	where
 		A: Alloc,
 	{
@@ -327,7 +327,7 @@ unsafe impl<Handle: TtbrHandle> AddressSegment<Handle> for &'static Segment {
 		(start, end)
 	}
 
-	fn provision_as_shared_in<A>(&self, space: &Handle, alloc: &mut A) -> Result<(), MapError>
+	fn provision_as_shared_in<A>(&self, space: &Handle, alloc: &A) -> Result<(), MapError>
 	where
 		A: Alloc,
 	{
@@ -352,13 +352,7 @@ unsafe impl<Handle: TtbrHandle> AddressSegment<Handle> for &'static Segment {
 		Ok(())
 	}
 
-	fn map_in<A>(
-		&self,
-		space: &Handle,
-		alloc: &mut A,
-		virt: usize,
-		phys: u64,
-	) -> Result<(), MapError>
+	fn map_in<A>(&self, space: &Handle, alloc: &A, virt: usize, phys: u64) -> Result<(), MapError>
 	where
 		A: Alloc,
 	{
@@ -370,7 +364,7 @@ unsafe impl<Handle: TtbrHandle> AddressSegment<Handle> for &'static Segment {
 	fn map_nofree_in<A>(
 		&self,
 		space: &Handle,
-		alloc: &mut A,
+		alloc: &A,
 
 		virt: usize,
 		phys: u64,
@@ -401,7 +395,7 @@ unsafe impl<Handle: TtbrHandle> AddressSegment<Handle> for &'static Segment {
 		Ok(())
 	}
 
-	fn unmap_in<A>(&self, space: &Handle, alloc: &mut A, virt: usize) -> Result<u64, UnmapError>
+	fn unmap_in<A>(&self, space: &Handle, alloc: &A, virt: usize) -> Result<u64, UnmapError>
 	where
 		A: Alloc,
 	{
@@ -413,7 +407,7 @@ unsafe impl<Handle: TtbrHandle> AddressSegment<Handle> for &'static Segment {
 	fn remap_in<A>(
 		&self,
 		space: &Handle,
-		alloc: &mut A,
+		alloc: &A,
 		virt: usize,
 		phys: u64,
 	) -> Result<Option<u64>, MapError>

oro-arch-x86_64/src/mem/address_space.rs

@@ -247,7 +247,7 @@ unsafe impl AddressSpace for AddressSpaceLayout {
 		}
 	}
 
-	fn new_supervisor_space_in<A>(alloc: &mut A) -> Option<Self::SupervisorHandle>
+	fn new_supervisor_space_in<A>(alloc: &A) -> Option<Self::SupervisorHandle>
 	where
 		A: Alloc,
 	{
@@ -265,10 +265,7 @@ unsafe impl AddressSpace for AddressSpaceLayout {
 		})
 	}
 
-	fn new_user_space_in<A>(
-		space: &Self::SupervisorHandle,
-		alloc: &mut A,
-	) -> Option<Self::UserHandle>
+	fn new_user_space_in<A>(space: &Self::SupervisorHandle, alloc: &A) -> Option<Self::UserHandle>
 	where
 		A: Alloc,
 	{
@@ -286,7 +283,7 @@ unsafe impl AddressSpace for AddressSpaceLayout {
 		Some(duplicated)
 	}
 
-	fn new_user_space_empty_in<A>(alloc: &mut A) -> Option<Self::UserHandle>
+	fn new_user_space_empty_in<A>(alloc: &A) -> Option<Self::UserHandle>
 	where
 		A: Alloc,
 	{
@@ -306,7 +303,7 @@ unsafe impl AddressSpace for AddressSpaceLayout {
 
 	fn duplicate_supervisor_space_shallow_in<A: Alloc>(
 		space: &Self::SupervisorHandle,
-		alloc: &mut A,
+		alloc: &A,
 	) -> Option<Self::SupervisorHandle> {
 		let base_phys = alloc.allocate()?;
 
@@ -328,7 +325,7 @@ unsafe impl AddressSpace for AddressSpaceLayout {
 
 	fn duplicate_user_space_shallow_in<A>(
 		space: &Self::UserHandle,
-		alloc: &mut A,
+		alloc: &A,
 	) -> Option<Self::UserHandle>
 	where
 		A: Alloc,
@@ -337,7 +334,7 @@ unsafe impl AddressSpace for AddressSpaceLayout {
 		Self::duplicate_supervisor_space_shallow_in(space, alloc)
 	}
 
-	fn free_user_space_handle_in<A>(space: Self::UserHandle, alloc: &mut A)
+	fn free_user_space_handle_in<A>(space: Self::UserHandle, alloc: &A)
 	where
 		A: Alloc,
 	{
@@ -349,7 +346,7 @@ unsafe impl AddressSpace for AddressSpaceLayout {
 		}
 	}
 
-	fn free_user_space_deep_in<A>(space: Self::UserHandle, alloc: &mut A)
+	fn free_user_space_deep_in<A>(space: Self::UserHandle, alloc: &A)
 	where
 		A: Alloc,
 	{

oro-arch-x86_64/src/mem/segment.rs

@@ -67,7 +67,7 @@ impl AddressSegment {
 	unsafe fn entry<'a, A, Handle: MapperHandle>(
 		&'a self,
 		space: &'a Handle,
-		alloc: &'a mut A,
+		alloc: &'a A,
 		virt: usize,
 	) -> Result<&'a mut PageTableEntry, MapError>
 	where
@@ -137,7 +137,7 @@ impl AddressSegment {
 	unsafe fn try_unmap_l4<A, Handle: MapperHandle>(
 		&self,
 		space: &Handle,
-		alloc: &mut A,
+		alloc: &A,
 		virt: usize,
 	) -> Result<Option<u64>, UnmapError>
 	where
@@ -229,7 +229,7 @@ impl AddressSegment {
 	unsafe fn try_unmap_l5<A, Handle: MapperHandle>(
 		&self,
 		space: &Handle,
-		alloc: &mut A,
+		alloc: &A,
 		virt: usize,
 	) -> Result<Option<u64>, UnmapError>
 	where
@@ -340,12 +340,8 @@ impl AddressSegment {
 	/// that the entry itself is reclaimable, and that none of the reclaimed pages
 	/// are still being used.
 	#[expect(clippy::only_used_in_recursion)] // false positive
-	unsafe fn unmap_and_reclaim_entry<A>(
-		&self,
-		entry: &mut PageTableEntry,
-		alloc: &mut A,
-		level: usize,
-	) where
+	unsafe fn unmap_and_reclaim_entry<A>(&self, entry: &mut PageTableEntry, alloc: &A, level: usize)
+	where
 		A: Alloc,
 	{
 		if entry.present() {
@@ -445,7 +441,7 @@ unsafe impl Segment<AddressSpaceHandle> for &'static AddressSegment {
 		}
 	}
 
-	unsafe fn unmap_all_and_reclaim_in<A>(&self, space: &AddressSpaceHandle, alloc: &mut A)
+	unsafe fn unmap_all_and_reclaim_in<A>(&self, space: &AddressSpaceHandle, alloc: &A)
 	where
 		A: Alloc,
 	{
@@ -463,7 +459,7 @@ unsafe impl Segment<AddressSpaceHandle> for &'static AddressSegment {
 	fn provision_as_shared_in<A>(
 		&self,
 		space: &AddressSpaceHandle,
-		alloc: &mut A,
+		alloc: &A,
 	) -> Result<(), MapError>
 	where
 		A: Alloc,
@@ -492,7 +488,7 @@ unsafe impl Segment<AddressSpaceHandle> for &'static AddressSegment {
 	fn map_in<A>(
 		&self,
 		space: &AddressSpaceHandle,
-		alloc: &mut A,
+		alloc: &A,
 		virt: usize,
 		phys: u64,
 	) -> Result<(), MapError>
@@ -507,7 +503,7 @@ unsafe impl Segment<AddressSpaceHandle> for &'static AddressSegment {
 	fn map_nofree_in<A>(
 		&self,
 		space: &AddressSpaceHandle,
-		alloc: &mut A,
+		alloc: &A,
 		virt: usize,
 		phys: u64,
 	) -> Result<(), MapError>
@@ -528,7 +524,7 @@ unsafe impl Segment<AddressSpaceHandle> for &'static AddressSegment {
 	fn unmap_in<A>(
 		&self,
 		space: &AddressSpaceHandle,
-		alloc: &mut A,
+		alloc: &A,
 		virt: usize,
 	) -> Result<u64, UnmapError>
 	where
@@ -546,7 +542,7 @@ unsafe impl Segment<AddressSpaceHandle> for &'static AddressSegment {
 	fn remap_in<A>(
 		&self,
 		space: &AddressSpaceHandle,
-		alloc: &mut A,
+		alloc: &A,
 		virt: usize,
 		phys: u64,
 	) -> Result<Option<u64>, MapError>

oro-boot/src/lib.rs

@@ -72,7 +72,7 @@ pub struct OroBootstrapper<
 	I: Iterator<Item = M> + Clone,
 > {
 	/// The PFA used to write variable length bootloader protocol structures to memory.
-	pfa: pfa::PrebootPfa<M, I>,
+	pfa: pfa::UnsafePrebootPfa<M, I>,
 	/// The supervisor space
 	supervisor_space: self::target::SupervisorHandle,
 	/// The mapped kernel's request section scanner.
@@ -125,7 +125,7 @@ impl<M: Into<oro_boot_protocol::MemoryMapEntry> + Clone, I: Iterator<Item = M> +
 	/// `stack_pages` is zero.
 	///
 	/// # Safety
-	/// Can only be used once per boot.
+	/// Can only be used once per boot. **Must be called by the primary core.**
 	#[expect(clippy::needless_pass_by_value)]
 	pub unsafe fn bootstrap(
 		linear_offset: u64,
@@ -138,15 +138,15 @@ impl<M: Into<oro_boot_protocol::MemoryMapEntry> + Clone, I: Iterator<Item = M> +
 		// SAFETY: this is only to be called once.
 		unsafe { oro_mem::translate::set_global_map_offset(linear_offset) };
 
-		let mut pfa = pfa::PrebootPfa::new(iter, linear_offset);
-		let supervisor_space = target::AddressSpace::new_supervisor_space_in(&mut pfa)
+		let pfa = pfa::UnsafePrebootPfa::new(iter, linear_offset);
+		let supervisor_space = target::AddressSpace::new_supervisor_space_in(&pfa)
 			.ok_or(Error::MapError(MapError::OutOfMemory))?;
 
 		let (kernel_entry, scanner) =
-			self::map::map_kernel_to_supervisor_space(&mut pfa, &supervisor_space, &kernel)?;
+			self::map::map_kernel_to_supervisor_space(&pfa, &supervisor_space, &kernel)?;
 
 		// Map in a stack
-		let stack_addr = self::map::map_kernel_stack(&mut pfa, &supervisor_space, stack_pages)?;
+		let stack_addr = self::map::map_kernel_stack(&pfa, &supervisor_space, stack_pages)?;
 
 		Ok(Self {
 			pfa,
@@ -210,8 +210,8 @@ impl<M: Into<oro_boot_protocol::MemoryMapEntry> + Clone, I: Iterator<Item = M> +
 		let mut last_phys = 0;
 
 		for mut item in iter {
-			let (phys, data) = self
-				.pfa
+			// SAFETY: We're only accessing the inner PFA for a short moment.
+			let (phys, data) = unsafe { self.pfa.get_mut() }
 				.allocate::<T>()
 				.ok_or(Error::MapError(MapError::OutOfMemory))?;
 			item.set_next(last_phys);
@@ -234,8 +234,9 @@ impl<M: Into<oro_boot_protocol::MemoryMapEntry> + Clone, I: Iterator<Item = M> +
 			unsafe { self::target::prepare_transfer(&mut self.supervisor_space, &mut self.pfa)? };
 
 		// Consume the PFA and write out the memory map.
-		let first_entry = self
-			.pfa
+		// SAFETY: We're only accessing the PFA for a short moment.
+		let pfa = self.pfa.into_inner();
+		let first_entry = pfa
 			.write_memory_map()
 			.ok_or(Error::MapError(MapError::OutOfMemory))?;
 
@@ -246,8 +247,8 @@ impl<M: Into<oro_boot_protocol::MemoryMapEntry> + Clone, I: Iterator<Item = M> +
 		);
 
 		// Perform the transfer
-		// SAFETY(qix-): We can assume the kernel entry point is valid given that it's
-		// SAFETY(qix-): coming from the ELF and validated by the mapper.
+		// SAFETY: We can assume the kernel entry point is valid given that it's
+		// SAFETY: coming from the ELF and validated by the mapper.
 		unsafe {
 			self::target::transfer(
 				&mut self.supervisor_space,