From: "Danilo Krummrich" <dakr@kernel.org>
To: "Timur Tabi" <ttabi@nvidia.com>
Cc: <driver-core@lists.linux.dev>, <nova-gpu@lists.linux.dev>,
<rust-for-linux@vger.kernel.org>,
"Alexandre Courbot" <acourbot@nvidia.com>,
"Eliot Courtney" <ecourtney@nvidia.com>,
"Zhi Wang" <zhiw@nvidia.com>,
"John Hubbard" <jhubbard@nvidia.com>,
"Luis Chamberlain" <mcgrof@kernel.org>,
"Russ Weight" <russ.weight@linux.dev>,
"Miguel Ojeda" <ojeda@kernel.org>, "Gary Guo" <gary@garyguo.net>
Subject: Re: [PATCH v2 1/7] rust: firmware: add request_into_buf()
Date: Tue, 30 Jun 2026 23:09:24 +0200 [thread overview]
Message-ID: <DJMOWWJLKVZU.1N9RUO41QFAE@kernel.org> (raw)
In-Reply-To: <20260630194749.1209490-2-ttabi@nvidia.com>
On Tue Jun 30, 2026 at 9:47 PM CEST, Timur Tabi wrote:
> +/// Load firmware directly into the caller-provided `buf`.
> +///
> +/// On success the firmware image has been copied into `buf`; the caller accesses the data
> +/// through `buf` itself.
> +/// See also `bindings::request_firmware_into_buf`.
> +///
> +/// This is intentionally a stand-alone function rather than a `Firmware` constructor. For
> +/// the `into_buf` path, the firmware data lives in the caller's `buf`, not in a
> +/// kernel-owned buffer, so returning a `Firmware` would expose `Firmware::data()` as a
> +/// second handle aliasing `buf` (and `release_firmware()` does not free `buf` anyway).
> +pub fn request_into_buf(name: &CStr, dev: &Device, buf: &mut [u8]) -> Result {
> + let mut fw: *mut bindings::firmware = core::ptr::null_mut();
> + let pfw: *mut *mut bindings::firmware = &mut fw;
> + let pfw: *mut *const bindings::firmware = pfw.cast();
> +
> + // SAFETY: `pfw` is a valid pointer to a NULL initialized `bindings::firmware` pointer.
> + // `name` and `dev` are valid as by their type invariants. `buf` is a valid writable
> + // buffer of `buf.len()` bytes.
> + let ret = unsafe {
> + bindings::request_firmware_into_buf(
> + pfw,
> + name.as_char_ptr(),
> + dev.as_raw(),
> + buf.as_mut_ptr().cast(),
Sashiko's concern about buf being an empty slice, despite being nonsensical,
seems valid. The allocated_size field in struct fw_priv, if set to zero, is
interpreted as "the driver did not provide a buffer" and hence the firmware
loader assumes that it has to treat the data pointer as a self-allocated buffer.
In the case of passing an empty slice, this would be a dangling pointer.
> + buf.len(),
> + )
> + };
> + if ret != 0 {
> + return Err(Error::from_errno(ret));
> + }
> +
> + // The firmware bytes are now in `buf`, which the caller owns, so we don't need
> + // the kernel to hang on to it any more.
> + // SAFETY: `fw` is a valid pointer returned by `request_firmware_into_buf`.
> + unsafe { bindings::release_firmware(fw) };
> +
> + Ok(())
> +}
> +
> // SAFETY: `Firmware` only holds a pointer to a C `struct firmware`, which is safe to be used from
> // any thread.
> unsafe impl Send for Firmware {}
> --
> 2.54.0
next prev parent reply other threads:[~2026-06-30 21:09 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-30 19:47 [PATCH v2 0/7] Transition Nova Core to TLV firmware images Timur Tabi
2026-06-30 19:47 ` [PATCH v2 1/7] rust: firmware: add request_into_buf() Timur Tabi
2026-06-30 21:09 ` Danilo Krummrich [this message]
2026-06-30 19:47 ` [PATCH v2 2/7] gpu: nova-core: add TLV parser for firmware files Timur Tabi
2026-06-30 21:27 ` Danilo Krummrich
2026-06-30 19:47 ` [PATCH v2 3/7] gpu: nova-core: transition booter_load to TLV images Timur Tabi
2026-06-30 19:47 ` [PATCH v2 4/7] gpu: nova-core: transition gsp " Timur Tabi
2026-06-30 19:47 ` [PATCH v2 5/7] gpu: nova-core: transition gen_bootloader " Timur Tabi
2026-06-30 19:47 ` [PATCH v2 6/7] gpu: nova-core: transition fsp " Timur Tabi
2026-06-30 19:47 ` [PATCH v2 7/7] gpu: nova-core: update firmware module info for " Timur Tabi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DJMOWWJLKVZU.1N9RUO41QFAE@kernel.org \
--to=dakr@kernel.org \
--cc=acourbot@nvidia.com \
--cc=driver-core@lists.linux.dev \
--cc=ecourtney@nvidia.com \
--cc=gary@garyguo.net \
--cc=jhubbard@nvidia.com \
--cc=mcgrof@kernel.org \
--cc=nova-gpu@lists.linux.dev \
--cc=ojeda@kernel.org \
--cc=russ.weight@linux.dev \
--cc=rust-for-linux@vger.kernel.org \
--cc=ttabi@nvidia.com \
--cc=zhiw@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox