From: "Alexandre Courbot" <acourbot@nvidia.com>
To: "Timur Tabi" <ttabi@nvidia.com>
Cc: Gary Guo <gary@garyguo.net>, Alice Ryhl <aliceryhl@google.com>,
	mmaurer@google.com, Danilo Krummrich <dakr@kernel.org>,
	Joel Fernandes <joelagnelf@nvidia.com>,
	rust-for-linux@vger.kernel.org, nouveau@lists.freedesktop.org
Subject: Re: [PATCH v8 2/7] rust: uaccess: add write_dma() for copying from DMA buffers to userspace
Date: Fri, 13 Mar 2026 11:11:00 +0900
Message-ID: <DH1AFW7NXUIJ.1NZJ6680XB5UZ@nvidia.com>
In-Reply-To: <20260310220000.1897166-3-ttabi@nvidia.com>

On Wed Mar 11, 2026 at 6:59 AM JST, Timur Tabi wrote:
> Add UserSliceWriter::write_dma() to copy data from a CoherentAllocation<u8>
> to userspace. This provides a safe interface for copying DMA buffer
> contents to userspace without requiring callers to work with raw pointers.
>
> Because write_dma() and write_slice() have common code, factor that code
> out into a helper function, write_raw().
>
> The method handles bounds checking and offset calculation internally,
> wrapping the unsafe copy_to_user() call.
>
> Signed-off-by: Timur Tabi <ttabi@nvidia.com>
> ---
>  rust/kernel/uaccess.rs | 84 +++++++++++++++++++++++++++++++++++++-----
>  1 file changed, 74 insertions(+), 10 deletions(-)
>
> diff --git a/rust/kernel/uaccess.rs b/rust/kernel/uaccess.rs
> index f989539a31b4..3f569acc3718 100644
> --- a/rust/kernel/uaccess.rs
> +++ b/rust/kernel/uaccess.rs
> @@ -7,6 +7,7 @@
>  use crate::{
>      alloc::{Allocator, Flags},
>      bindings,
> +    dma::CoherentAllocation,
>      error::Result,
>      ffi::{c_char, c_void},
>      fs::file,
> @@ -459,20 +460,25 @@ pub fn is_empty(&self) -> bool {
>          self.length == 0
>      }
>  
> -    /// Writes raw data to this user pointer from a kernel buffer.
> +    /// Low-level write from a raw pointer.
>      ///
> -    /// Fails with [`EFAULT`] if the write happens on a bad address, or if the write goes out of
> -    /// bounds of this [`UserSliceWriter`]. This call may modify the associated userspace slice even
> -    /// if it returns an error.
> -    pub fn write_slice(&mut self, data: &[u8]) -> Result {
> -        let len = data.len();
> -        let data_ptr = data.as_ptr().cast::<c_void>();
> +    /// # Safety
> +    ///
> +    /// The caller must ensure that `ptr` points to a valid slice of `len` bytes (i.e., it is
> +    /// valid for reads of `len` bytes and is properly aligned).

Byte arrays are supposed to be byte-aligned, so I am not sure the
"properly aligned" adds something (it's also not technically incorrect
so fine to keep it).

> +    unsafe fn write_raw(&mut self, ptr: *const u8, len: usize) -> Result {
>          if len > self.length {
>              return Err(EFAULT);
>          }
> -        // SAFETY: `data_ptr` points into an immutable slice of length `len`, so we may read
> -        // that many bytes from it.
> -        let res = unsafe { bindings::copy_to_user(self.ptr.as_mut_ptr(), data_ptr, len) };
> +        // SAFETY:
> +        // - `self.ptr` is a userspace pointer, and `len <= self.length` is checked above to
> +        //   ensure we don't exceed the caller-specified bounds.
> +        // - `ptr` is valid for reading `len` bytes as required by this function's safety contract.
> +        // - `copy_to_user` validates the userspace address at runtime and returns non-zero on
> +        //   failure (e.g., bad address or unmapped memory).
> +        let res = unsafe {
> +            bindings::copy_to_user(self.ptr.as_mut_ptr(), ptr.cast::<c_void>(), len)
> +        };
>          if res != 0 {
>              return Err(EFAULT);
>          }
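
Review bot: the `# Safety` section of `write_raw()` requires `ptr` to point to "a valid slice of `len` bytes", which is a stronger condition than the body relies on; the inline SAFETY comment only uses "`ptr` is valid for reading `len` bytes". Since the commit message says this helper is shared with `write_dma()`, whose source is a `CoherentAllocation<u8>` rather than a `&[u8]`, consider stating the contract as just "valid for reads of `len` bytes" so both callers can justify it the same way. The helper's doc comment also no longer mentions the `EFAULT` return for `len > self.length` or for a failed `copy_to_user`; a short `# Errors` paragraph there would keep that documented at the point where the check lives.
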
> @@ -481,6 +487,64 @@ pub fn write_slice(&mut self, data: &[u8]) -> Result {
>          Ok(())
>      }
>  
> +    /// Writes raw data to this user pointer from a kernel buffer.
> +    ///
> +    /// Fails with [`EFAULT`] if the write happens on a bad address, or if the write goes out of
> +    /// bounds of this [`UserSliceWriter`]. This call may modify the associated userspace slice even
> +    /// if it returns an error.
> +    pub fn write_slice(&mut self, data: &[u8]) -> Result {
> +        // SAFETY: `data` is a valid slice, so `data.as_ptr()` is valid for
> +        // reading `data.len()` bytes.
> +        unsafe { self.write_raw(data.as_ptr(), data.len()) }
> +    }
> +
> +    /// Writes raw data to this user pointer from a DMA coherent allocation.
> +    ///
> +    /// # Arguments
> +    ///
> +    /// * `data` - The DMA coherent allocation to copy from.
> +    /// * `offset` - The byte offset into `data` to start copying from.
> +    /// * `count` - The number of bytes to copy.
> +    ///
> +    /// # Errors

Nit: missing empty line.

Other than that (and the test robot warnings),

Reviewed-by: Alexandre Courbot <acourbot@nvidia.com>
