Re: [PATCH v8 2/7] rust: uaccess: add write_dma() for copying from DMA buffers to userspace

public inbox for rust-for-linux@vger.kernel.org
 help / color / mirror / Atom feed

From: "Alexandre Courbot" <acourbot@nvidia.com>
To: "Timur Tabi" <ttabi@nvidia.com>
Cc: "Gary Guo" <gary@garyguo.net>,
	"Alice Ryhl" <aliceryhl@google.com>, <mmaurer@google.com>,
	"Danilo Krummrich" <dakr@kernel.org>,
	"John Hubbard" <jhubbard@nvidia.com>,
	"Joel Fernandes" <joelagnelf@nvidia.com>,
	<rust-for-linux@vger.kernel.org>, <nouveau@lists.freedesktop.org>
Subject: Re: [PATCH v8 2/7] rust: uaccess: add write_dma() for copying from DMA buffers to userspace
Date: Fri, 13 Mar 2026 11:11:00 +0900	[thread overview]
Message-ID: <DH1AFW7NXUIJ.1NZJ6680XB5UZ@nvidia.com> (raw)
In-Reply-To: <20260310220000.1897166-3-ttabi@nvidia.com>

On Wed Mar 11, 2026 at 6:59 AM JST, Timur Tabi wrote:
> Add UserSliceWriter::write_dma() to copy data from a CoherentAllocation<u8>
> to userspace. This provides a safe interface for copying DMA buffer
> contents to userspace without requiring callers to work with raw pointers.
>
> Because write_dma() and write_slice() have common code, factor that code
> out into a helper function, write_raw().
>
> The method handles bounds checking and offset calculation internally,
> wrapping the unsafe copy_to_user() call.
>
> Signed-off-by: Timur Tabi <ttabi@nvidia.com>
> ---
>  rust/kernel/uaccess.rs | 84 +++++++++++++++++++++++++++++++++++++-----
>  1 file changed, 74 insertions(+), 10 deletions(-)
>
> diff --git a/rust/kernel/uaccess.rs b/rust/kernel/uaccess.rs
> index f989539a31b4..3f569acc3718 100644
> --- a/rust/kernel/uaccess.rs
> +++ b/rust/kernel/uaccess.rs
> @@ -7,6 +7,7 @@
>  use crate::{
>      alloc::{Allocator, Flags},
>      bindings,
> +    dma::CoherentAllocation,
>      error::Result,
>      ffi::{c_char, c_void},
>      fs::file,
> @@ -459,20 +460,25 @@ pub fn is_empty(&self) -> bool {
>          self.length == 0
>      }
>  
> -    /// Writes raw data to this user pointer from a kernel buffer.
> +    /// Low-level write from a raw pointer.
>      ///
> -    /// Fails with [`EFAULT`] if the write happens on a bad address, or if the write goes out of
> -    /// bounds of this [`UserSliceWriter`]. This call may modify the associated userspace slice even
> -    /// if it returns an error.
> -    pub fn write_slice(&mut self, data: &[u8]) -> Result {
> -        let len = data.len();
> -        let data_ptr = data.as_ptr().cast::<c_void>();
> +    /// # Safety
> +    ///
> +    /// The caller must ensure that `ptr` points to a valid slice of `len` bytes (i.e., it is
> +    /// valid for reads of `len` bytes and is properly aligned).

Bytes arrays are supposed to be byte-aligned, so I am not sure the
"properly aligned" adds something (it's also not technically incorrect
so fine to keep it).

> +    unsafe fn write_raw(&mut self, ptr: *const u8, len: usize) -> Result {
>          if len > self.length {
>              return Err(EFAULT);
>          }
> -        // SAFETY: `data_ptr` points into an immutable slice of length `len`, so we may read
> -        // that many bytes from it.
> -        let res = unsafe { bindings::copy_to_user(self.ptr.as_mut_ptr(), data_ptr, len) };
> +        // SAFETY:
> +        // - `self.ptr` is a userspace pointer, and `len <= self.length` is checked above to
> +        //   ensure we don't exceed the caller-specified bounds.
> +        // - `ptr` is valid for reading `len` bytes as required by this function's safety contract.
> +        // - `copy_to_user` validates the userspace address at runtime and returns non-zero on
> +        //   failure (e.g., bad address or unmapped memory).
> +        let res = unsafe {
> +            bindings::copy_to_user(self.ptr.as_mut_ptr(), ptr.cast::<c_void>(), len)
> +        };
>          if res != 0 {
>              return Err(EFAULT);
>          }
> @@ -481,6 +487,64 @@ pub fn write_slice(&mut self, data: &[u8]) -> Result {
>          Ok(())
>      }
>  
> +    /// Writes raw data to this user pointer from a kernel buffer.
> +    ///
> +    /// Fails with [`EFAULT`] if the write happens on a bad address, or if the write goes out of
> +    /// bounds of this [`UserSliceWriter`]. This call may modify the associated userspace slice even
> +    /// if it returns an error.
> +    pub fn write_slice(&mut self, data: &[u8]) -> Result {
> +        // SAFETY: `data` is a valid slice, so `data.as_ptr()` is valid for
> +        // reading `data.len()` bytes.
> +        unsafe { self.write_raw(data.as_ptr(), data.len()) }
> +    }
> +
> +    /// Writes raw data to this user pointer from a DMA coherent allocation.
> +    ///
> +    /// # Arguments
> +    ///
> +    /// * `data` - The DMA coherent allocation to copy from.
> +    /// * `offset` - The byte offset into `data` to start copying from.
> +    /// * `count` - The number of bytes to copy.
> +    ///
> +    /// # Errors

Nit: missing empty line.

Other thank that (and the test robot warnings),

Reviewed-by: Alexandre Courbot <acourbot@nvidia.com>

next prev parent reply	other threads:[~2026-03-13  2:11 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-03-10 21:59 [PATCH v8 0/7] gpu: nova-core: expose the logging buffers via debugfs Timur Tabi
2026-03-10 21:59 ` [PATCH v8 1/7] rust: device: add device name method Timur Tabi
2026-03-10 22:05   ` Alice Ryhl
2026-03-13  2:10   ` Alexandre Courbot
2026-03-10 21:59 ` [PATCH v8 2/7] rust: uaccess: add write_dma() for copying from DMA buffers to userspace Timur Tabi
2026-03-11  5:48   ` kernel test robot
2026-03-13  2:11   ` Alexandre Courbot [this message]
2026-03-10 21:59 ` [PATCH v8 3/7] rust: dma: implement BinaryWriter for CoherentAllocation<u8> Timur Tabi
2026-03-13  2:11   ` Alexandre Courbot
2026-03-14  2:05     ` Timur Tabi
2026-03-15  5:11       ` Alexandre Courbot
2026-03-15 18:57         ` Timur Tabi
2026-03-16  3:44           ` Alexandre Courbot
2026-03-10 21:59 ` [PATCH v8 4/7] gpu: nova-core: Replace module_pci_driver! with explicit module init Timur Tabi
2026-03-10 21:59 ` [PATCH v8 5/7] gpu: nova-core: use pin projection in method boot() Timur Tabi
2026-03-13  2:13   ` Alexandre Courbot
2026-03-14  2:20     ` Timur Tabi
2026-03-10 21:59 ` [PATCH v8 6/7] gpu: nova-core: create debugfs root in module init Timur Tabi
2026-03-10 22:00 ` [PATCH v8 7/7] gpu: nova-core: create GSP-RM logging buffers debugfs entries Timur Tabi
2026-03-10 22:20 ` [PATCH v8 0/7] gpu: nova-core: expose the logging buffers via debugfs John Hubbard
2026-03-12  3:50 ` John Hubbard

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=DH1AFW7NXUIJ.1NZJ6680XB5UZ@nvidia.com \
    --to=acourbot@nvidia.com \
    --cc=aliceryhl@google.com \
    --cc=dakr@kernel.org \
    --cc=gary@garyguo.net \
    --cc=jhubbard@nvidia.com \
    --cc=joelagnelf@nvidia.com \
    --cc=mmaurer@google.com \
    --cc=nouveau@lists.freedesktop.org \
    --cc=rust-for-linux@vger.kernel.org \
    --cc=ttabi@nvidia.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox