Add unsafe with caller-upheld comments

ostd/src/io/io_mem/allocator.rs

@@ -114,7 +114,8 @@ pub static IO_MEM_ALLOCATOR: Once<IoMemAllocator> = Once::new();
 /// User must ensure all the memory I/O regions that belong to the system device have been removed by calling the
 /// `remove` function.
 pub(crate) unsafe fn init(io_mem_builder: IoMemAllocatorBuilder) {
-    IO_MEM_ALLOCATOR.call_once(|| IoMemAllocator::new(io_mem_builder.allocators));
+    // SAFETY: The safety is upheld by the caller.
+    IO_MEM_ALLOCATOR.call_once(|| unsafe { IoMemAllocator::new(io_mem_builder.allocators) });
 }
 
 fn find_allocator<'a>(

ostd/src/io/mod.rs

@@ -37,7 +37,12 @@ cfg_if!(
 /// 3. `MAX_IO_PORT` defined in `crate::arch::io` is guaranteed not to
 ///    exceed the maximum value specified by architecture.
 pub(crate) unsafe fn init(io_mem_builder: IoMemAllocatorBuilder) {
-    self::io_mem::init(io_mem_builder);
+    // SAFETY: The safety is upheld by the caller.
+    unsafe { self::io_mem::init(io_mem_builder) };
+
+    // SAFETY: The safety is upheld by the caller.
     #[cfg(target_arch = "x86_64")]
-    self::io_port::init();
+    unsafe {
+        self::io_port::init()
+    };
 }

ostd/src/mm/io.rs

@@ -302,7 +302,9 @@ unsafe fn memcpy(dst: *mut u8, src: *const u8, len: usize) {
     //
     // For more details and future possibilities, see
     // <https://github.com/asterinas/asterinas/pull/1001#discussion_r1667317406>.
-    core::intrinsics::volatile_copy_memory(dst, src, len);
+
+    // SAFETY: The safety is guaranteed by the safety preconditions and the explanation above.
+    unsafe { core::intrinsics::volatile_copy_memory(dst, src, len) };
 }
 
 /// Copies `len` bytes from `src` to `dst`.
@@ -322,7 +324,8 @@ unsafe fn memcpy(dst: *mut u8, src: *const u8, len: usize) {
 ///
 /// [valid]: crate::mm::io#safety
 unsafe fn memcpy_fallible(dst: *mut u8, src: *const u8, len: usize) -> usize {
-    let failed_bytes = __memcpy_fallible(dst, src, len);
+    // SAFETY: The safety is upheld by the caller.
+    let failed_bytes = unsafe { __memcpy_fallible(dst, src, len) };
     len - failed_bytes
 }
 
@@ -337,7 +340,8 @@ unsafe fn memcpy_fallible(dst: *mut u8, src: *const u8, len: usize) -> usize {
 ///
 /// [valid]: crate::mm::io#safety
 unsafe fn memset_fallible(dst: *mut u8, value: u8, len: usize) -> usize {
-    let failed_bytes = __memset_fallible(dst, value, len);
+    // SAFETY: The safety is upheld by the caller.
+    let failed_bytes = unsafe { __memset_fallible(dst, value, len) };
     len - failed_bytes
 }
 

ostd/src/mm/page_table/cursor/mod.rs

@@ -781,7 +781,8 @@ impl<'rcu, M: PageTableMode, E: PageTableEntryTrait, C: PagingConstsTrait>
                     // Do copy.
                     op(&mut prop);
                     self.jump(src_va).unwrap();
-                    let original = self.map(page, prop);
+                    // SAFETY: The safety is upheld by the caller.
+                    let original = unsafe { self.map(page, prop) };
                     assert!(original.is_none());
 
                     // Only move the source cursor forward since `Self::map` will do it.

ostd/src/mm/page_table/mod.rs

@@ -183,7 +183,10 @@ impl PageTable<KernelMode> {
     ) -> Result<(), PageTableError> {
         let preempt_guard = disable_preempt();
         let mut cursor = CursorMut::new(self, &preempt_guard, vaddr)?;
-        while let Some(range) = cursor.protect_next(vaddr.end - cursor.virt_addr(), &mut op) {
+        // SAFETY: The safety is upheld by the caller.
+        while let Some(range) =
+            unsafe { cursor.protect_next(vaddr.end - cursor.virt_addr(), &mut op) }
+        {
             crate::arch::mm::tlb_flush_addr(range.start);
         }
         Ok(())
@@ -202,7 +205,8 @@ impl<M: PageTableMode, E: PageTableEntryTrait, C: PagingConstsTrait> PageTable<M
     }
 
     pub(in crate::mm) unsafe fn first_activate_unchecked(&self) {
-        self.root.first_activate();
+        // SAFETY: The safety is upheld by the caller.
+        unsafe { self.root.first_activate() };
     }
 
     /// The physical address of the root page table.
@@ -221,7 +225,9 @@ impl<M: PageTableMode, E: PageTableEntryTrait, C: PagingConstsTrait> PageTable<M
         prop: PageProperty,
     ) -> Result<(), PageTableError> {
         let preempt_guard = disable_preempt();
-        self.cursor_mut(&preempt_guard, vaddr)?.map_pa(paddr, prop);
+        let mut cursor = self.cursor_mut(&preempt_guard, vaddr)?;
+        // SAFETY: The safety is upheld by the caller.
+        unsafe { cursor.map_pa(paddr, prop) };
         Ok(())
     }
 

ostd/src/mm/page_table/node/mod.rs

@@ -109,7 +109,8 @@ impl<E: PageTableEntryTrait, C: PagingConstsTrait> PageTableNode<E, C> {
             return;
         }
 
-        activate_page_table(self.clone().into_raw(), CachePolicy::Writeback);
+        // SAFETY: The safety is upheld by the caller.
+        unsafe { activate_page_table(self.clone().into_raw(), CachePolicy::Writeback) };
 
         // Restore and drop the last activated page table.
         // SAFETY: The physical address is valid and points to a forgotten page table node.
@@ -123,7 +124,8 @@ impl<E: PageTableEntryTrait, C: PagingConstsTrait> PageTableNode<E, C> {
     pub(super) unsafe fn first_activate(&self) {
         use crate::{arch::mm::activate_page_table, mm::CachePolicy};
 
-        activate_page_table(self.clone().into_raw(), CachePolicy::Writeback);
+        // SAFETY: The safety is upheld by the caller.
+        unsafe { activate_page_table(self.clone().into_raw(), CachePolicy::Writeback) };
     }
 }