NVIDIA GPU driver infrastructure
 help / color / mirror / Atom feed
From: "Danilo Krummrich" <dakr@kernel.org>
To: "Timur Tabi" <ttabi@nvidia.com>
Cc: <driver-core@lists.linux.dev>, <nova-gpu@lists.linux.dev>,
	<rust-for-linux@vger.kernel.org>,
	"Alexandre Courbot" <acourbot@nvidia.com>,
	"Eliot Courtney" <ecourtney@nvidia.com>,
	"Zhi Wang" <zhiw@nvidia.com>,
	"John Hubbard" <jhubbard@nvidia.com>,
	"Luis Chamberlain" <mcgrof@kernel.org>,
	"Russ Weight" <russ.weight@linux.dev>,
	"Miguel Ojeda" <ojeda@kernel.org>, "Gary Guo" <gary@garyguo.net>
Subject: Re: [PATCH v2 1/7] rust: firmware: add request_into_buf()
Date: Tue, 30 Jun 2026 23:09:24 +0200	[thread overview]
Message-ID: <DJMOWWJLKVZU.1N9RUO41QFAE@kernel.org> (raw)
In-Reply-To: <20260630194749.1209490-2-ttabi@nvidia.com>

On Tue Jun 30, 2026 at 9:47 PM CEST, Timur Tabi wrote:
> +/// Load firmware directly into the caller-provided `buf`.
> +///
> +/// On success the firmware image has been copied into `buf`; the caller accesses the data
> +/// through `buf` itself.
> +/// See also `bindings::request_firmware_into_buf`.
> +///
> +/// This is intentionally a stand-alone function rather than a `Firmware` constructor. For
> +/// the `into_buf` path, the firmware data lives in the caller's `buf`, not in a
> +/// kernel-owned buffer, so returning a `Firmware` would expose `Firmware::data()` as a
> +/// second handle aliasing `buf` (and `release_firmware()` does not free `buf` anyway).
> +pub fn request_into_buf(name: &CStr, dev: &Device, buf: &mut [u8]) -> Result {
> +    let mut fw: *mut bindings::firmware = core::ptr::null_mut();
> +    let pfw: *mut *mut bindings::firmware = &mut fw;
> +    let pfw: *mut *const bindings::firmware = pfw.cast();
> +
> +    // SAFETY: `pfw` is a valid pointer to a NULL initialized `bindings::firmware` pointer.
> +    // `name` and `dev` are valid as by their type invariants. `buf` is a valid writable
> +    // buffer of `buf.len()` bytes.
> +    let ret = unsafe {
> +        bindings::request_firmware_into_buf(
> +            pfw,
> +            name.as_char_ptr(),
> +            dev.as_raw(),
> +            buf.as_mut_ptr().cast(),

Sashiko's concern about buf being an empty slice, despite being nonsensical,
seems valid. The allocated_size field in struct fw_priv, if set to zero, is
interpreted as "the driver did not provide a buffer" and hence the firmware
loader assumes that it has to treat the data pointer as a self-allocated buffer.
In the case of passing an empty slice, this would be a dangling pointer.

> +            buf.len(),
> +        )
> +    };
> +    if ret != 0 {
> +        return Err(Error::from_errno(ret));
> +    }
> +
> +    // The firmware bytes are now in `buf`, which the caller owns, so we don't need
> +    // the kernel to hang on to it any more.
> +    // SAFETY: `fw` is a valid pointer returned by `request_firmware_into_buf`.
> +    unsafe { bindings::release_firmware(fw) };
> +
> +    Ok(())
> +}
> +
>  // SAFETY: `Firmware` only holds a pointer to a C `struct firmware`, which is safe to be used from
>  // any thread.
>  unsafe impl Send for Firmware {}
> -- 
> 2.54.0


  reply	other threads:[~2026-06-30 21:09 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-30 19:47 [PATCH v2 0/7] Transition Nova Core to TLV firmware images Timur Tabi
2026-06-30 19:47 ` [PATCH v2 1/7] rust: firmware: add request_into_buf() Timur Tabi
2026-06-30 21:09   ` Danilo Krummrich [this message]
2026-06-30 19:47 ` [PATCH v2 2/7] gpu: nova-core: add TLV parser for firmware files Timur Tabi
2026-06-30 21:27   ` Danilo Krummrich
2026-06-30 19:47 ` [PATCH v2 3/7] gpu: nova-core: transition booter_load to TLV images Timur Tabi
2026-06-30 19:47 ` [PATCH v2 4/7] gpu: nova-core: transition gsp " Timur Tabi
2026-06-30 19:47 ` [PATCH v2 5/7] gpu: nova-core: transition gen_bootloader " Timur Tabi
2026-06-30 19:47 ` [PATCH v2 6/7] gpu: nova-core: transition fsp " Timur Tabi
2026-06-30 19:47 ` [PATCH v2 7/7] gpu: nova-core: update firmware module info for " Timur Tabi

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=DJMOWWJLKVZU.1N9RUO41QFAE@kernel.org \
    --to=dakr@kernel.org \
    --cc=acourbot@nvidia.com \
    --cc=driver-core@lists.linux.dev \
    --cc=ecourtney@nvidia.com \
    --cc=gary@garyguo.net \
    --cc=jhubbard@nvidia.com \
    --cc=mcgrof@kernel.org \
    --cc=nova-gpu@lists.linux.dev \
    --cc=ojeda@kernel.org \
    --cc=russ.weight@linux.dev \
    --cc=rust-for-linux@vger.kernel.org \
    --cc=ttabi@nvidia.com \
    --cc=zhiw@nvidia.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox