linux.git/rust/kernel/uaccess.rs, branch v7.1-rc2 Linux kernel source tree Merge tag 'char-misc-7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc 2026-04-24T20:23:50+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-04-24T20:23:50+00:00 cb4eb6771c0f8fd1c52a8f6fdec7762fb087380a Pull char / misc / IIO / and others driver updates from Greg KH: "Here is the char/misc/iio and other smaller driver subsystem updates for 7.1-rc1. Lots of stuff in here, all tiny, but relevant for the different drivers they touch. Major points in here is: - the usual large set of new IIO drivers and updates for that subsystem (the large majority of this diffstat) - lots of comedi driver updates and bugfixes - coresight driver updates - interconnect driver updates and additions - mei driver updates - binder (both rust and C versions) updates and fixes - lots of other smaller driver subsystem updates and additions All of these have been in linux-next for a while with no reported issues" * tag 'char-misc-7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (405 commits) coresight: tpdm: fix invalid MMIO access issue mei: me: add nova lake point H DID mei: lb: add late binding version 2 mei: bus: add mei_cldev_uuid w1: ds2490: drop redundant device reference bus: mhi: host: pci_generic: Add Telit FE912C04 modem support mei: csc: wake device while reading firmware status mei: csc: support controller with separate PCI device mei: convert PCI error to common errno mei: trace: print return value of pci_cfg_read mei: me: move trace into firmware status read mei: fix idle print specifiers mei: me: use PCI_DEVICE_DATA macro sonypi: Convert ACPI driver to a platform one misc: apds990x: fix all kernel-doc warnings most: usb: Use kzalloc_objs for endpoint address array hpet: Convert ACPI driver to a platform one misc: vmw_vmci: Fix spelling mistakes in comments parport: Remove completed item from to-do list char: remove unnecessary module_init/exit functions ... 
Pull char / misc / IIO / and others driver updates from Greg KH:
 "Here is the char/misc/iio and other smaller driver subsystem updates
  for 7.1-rc1. Lots of stuff in here, all tiny, but relevant for the
  different drivers they touch. Major points in here is:

   - the usual large set of new IIO drivers and updates for that
     subsystem (the large majority of this diffstat)

   - lots of comedi driver updates and bugfixes

   - coresight driver updates

   - interconnect driver updates and additions

   - mei driver updates

   - binder (both rust and C versions) updates and fixes

   - lots of other smaller driver subsystem updates and additions

  All of these have been in linux-next for a while with no reported
  issues"

* tag 'char-misc-7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (405 commits)
  coresight: tpdm: fix invalid MMIO access issue
  mei: me: add nova lake point H DID
  mei: lb: add late binding version 2
  mei: bus: add mei_cldev_uuid
  w1: ds2490: drop redundant device reference
  bus: mhi: host: pci_generic: Add Telit FE912C04 modem support
  mei: csc: wake device while reading firmware status
  mei: csc: support controller with separate PCI device
  mei: convert PCI error to common errno
  mei: trace: print return value of pci_cfg_read
  mei: me: move trace into firmware status read
  mei: fix idle print specifiers
  mei: me: use PCI_DEVICE_DATA macro
  sonypi: Convert ACPI driver to a platform one
  misc: apds990x: fix all kernel-doc warnings
  most: usb: Use kzalloc_objs for endpoint address array
  hpet: Convert ACPI driver to a platform one
  misc: vmw_vmci: Fix spelling mistakes in comments
  parport: Remove completed item from to-do list
  char: remove unnecessary module_init/exit functions
  ...
rust_binder: introduce TransactionInfo 2026-03-31T13:13:56+00:00 Alice Ryhl aliceryhl@google.com 2026-03-06T11:28:46+00:00 5326a18e3e640061ca4b65c1b732feaeace61c39 Rust Binder exposes information about transactions that are sent in various ways: printing to the kernel log, tracepoints, files in binderfs, and the upcoming netlink support. Currently all these mechanisms use disparate ways of obtaining the same information, so let's introduce a single Info struct that collects all the required information in a single place, so that all of these different mechanisms can operate in a more uniform way. For now, the new info struct is only used to replace a few things: * The BinderTransactionDataSg struct that is passed as an argument to several methods is removed as the information is moved into the new info struct and passed down that way. * The oneway spam detection fields on Transaction and Allocation can be removed, as the information can be returned to the caller via the mutable info struct instead. But several other uses of the info struct are planned in follow-up patches. Signed-off-by: Alice Ryhl <aliceryhl@google.com> Link: https://patch.msgid.link/20260306-transaction-info-v1-1-fda58fca558b@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Rust Binder exposes information about transactions that are sent in
various ways: printing to the kernel log, tracepoints, files in
binderfs, and the upcoming netlink support. Currently all these
mechanisms use disparate ways of obtaining the same information, so
let's introduce a single Info struct that collects all the required
information in a single place, so that all of these different mechanisms
can operate in a more uniform way.

For now, the new info struct is only used to replace a few things:
* The BinderTransactionDataSg struct that is passed as an argument to
  several methods is removed as the information is moved into the new
  info struct and passed down that way.
* The oneway spam detection fields on Transaction and Allocation can be
  removed, as the information can be returned to the caller via the
  mutable info struct instead.
But several other uses of the info struct are planned in follow-up
patches.

Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Link: https://patch.msgid.link/20260306-transaction-info-v1-1-fda58fca558b@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
rust: uaccess: generalize write_dma() to accept any Coherent<T> 2026-03-27T20:48:09+00:00 Danilo Krummrich dakr@kernel.org 2026-03-25T00:39:15+00:00 25fe63db0024da172457055532c96bef924a8c78 Generalize write_dma() from &Coherent<[u8]> to &Coherent<T> where T: KnownSize + AsBytes + ?Sized. The function body only uses as_ptr() and size(), which work for any such T, so there is no reason to restrict it to byte slices. Acked-by: Miguel Ojeda <ojeda@kernel.org> Acked-by: Gary Guo <gary@garyguo.net> Reviewed-by: Alexandre Courbot <acourbot@nvidia.com> Reviewed-by: Alice Ryhl <aliceryhl@google.com> Link: https://patch.msgid.link/20260325003921.3420-1-dakr@kernel.org Signed-off-by: Danilo Krummrich <dakr@kernel.org> 
Generalize write_dma() from &Coherent<[u8]> to &Coherent<T> where
T: KnownSize + AsBytes + ?Sized. The function body only uses as_ptr()
and size(), which work for any such T, so there is no reason to
restrict it to byte slices.

Acked-by: Miguel Ojeda <ojeda@kernel.org>
Acked-by: Gary Guo <gary@garyguo.net>
Reviewed-by: Alexandre Courbot <acourbot@nvidia.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Link: https://patch.msgid.link/20260325003921.3420-1-dakr@kernel.org
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
rust: uaccess: add write_dma() for copying from DMA buffers to userspace 2026-03-25T00:23:59+00:00 Timur Tabi ttabi@nvidia.com 2026-03-19T21:26:54+00:00 69bfce0f25c8f949f7a02c3ed93e36aadad3fa57 Add UserSliceWriter::write_dma() to copy data from a Coherent<[u8]> to userspace. This provides a safe interface for copying DMA buffer contents to userspace without requiring callers to work with raw pointers. Because write_dma() and write_slice() have common code, factor that code out into a helper function, write_raw(). The method handles bounds checking and offset calculation internally, wrapping the unsafe copy_to_user() call. Signed-off-by: Timur Tabi <ttabi@nvidia.com> Reviewed-by: Alexandre Courbot <acourbot@nvidia.com> Acked-by: Miguel Ojeda <ojeda@kernel.org> Tested-by: John Hubbard <jhubbard@nvidia.com> Tested-by: Eliot Courtney <ecourtney@nvidia.com> Reviewed-by: Alice Ryhl <aliceryhl@google.com> Link: https://patch.msgid.link/20260319212658.2541610-3-ttabi@nvidia.com [ Rebase onto Coherent<T> changes; remove unnecessary turbofish from cast(). - Danilo ] Signed-off-by: Danilo Krummrich <dakr@kernel.org> 
Add UserSliceWriter::write_dma() to copy data from a Coherent<[u8]> to
userspace. This provides a safe interface for copying DMA buffer
contents to userspace without requiring callers to work with raw
pointers.

Because write_dma() and write_slice() have common code, factor that code
out into a helper function, write_raw().

The method handles bounds checking and offset calculation internally,
wrapping the unsafe copy_to_user() call.

Signed-off-by: Timur Tabi <ttabi@nvidia.com>
Reviewed-by: Alexandre Courbot <acourbot@nvidia.com>
Acked-by: Miguel Ojeda <ojeda@kernel.org>
Tested-by: John Hubbard <jhubbard@nvidia.com>
Tested-by: Eliot Courtney <ecourtney@nvidia.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Link: https://patch.msgid.link/20260319212658.2541610-3-ttabi@nvidia.com
[ Rebase onto Coherent<T> changes; remove unnecessary turbofish from
  cast(). - Danilo ]
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
rust: uaccess: add UserSliceWriter::write_slice_file() 2025-11-04T23:35:37+00:00 Danilo Krummrich dakr@kernel.org 2025-10-22T14:30:39+00:00 0ddceba2701e7012646f6df6d32c4e4b7c4dc938 Add UserSliceWriter::write_slice_file(), which is the same as UserSliceWriter::write_slice_partial() but updates the given file::Offset by the number of bytes written. This is equivalent to C's `simple_read_from_buffer()` and useful when dealing with file offsets from file operations. Reviewed-by: Alice Ryhl <aliceryhl@google.com> Acked-by: Miguel Ojeda <ojeda@kernel.org> [ Replace saturating_add() with the raw operator and a corresponding OVERFLOW comment. - Danilo ] Signed-off-by: Danilo Krummrich <dakr@kernel.org> 
Add UserSliceWriter::write_slice_file(), which is the same as
UserSliceWriter::write_slice_partial() but updates the given
file::Offset by the number of bytes written.

This is equivalent to C's `simple_read_from_buffer()` and useful when
dealing with file offsets from file operations.

Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Miguel Ojeda <ojeda@kernel.org>
[ Replace saturating_add() with the raw operator and a corresponding
  OVERFLOW comment. - Danilo ]
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
rust: uaccess: add UserSliceWriter::write_slice_partial() 2025-11-04T23:35:27+00:00 Danilo Krummrich dakr@kernel.org 2025-10-22T14:30:38+00:00 86150533476774ee6ad5875e764ff6acc9a2e48a The existing write_slice() method is a wrapper around copy_to_user() and expects the user buffer to be larger than the source buffer. However, userspace may split up reads in multiple partial operations providing an offset into the source buffer and a smaller user buffer. In order to support this common case, provide a helper for partial writes. Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Reviewed-by: Matthew Maurer <mmaurer@google.com> Reviewed-by: Alice Ryhl <aliceryhl@google.com> Reviewed-by: Alexandre Courbot <acourbot@nvidia.com> Acked-by: Miguel Ojeda <ojeda@kernel.org> [ Replace map_or() with let-else; use saturating_add(). - Danilo ] Signed-off-by: Danilo Krummrich <dakr@kernel.org> 
The existing write_slice() method is a wrapper around copy_to_user() and
expects the user buffer to be larger than the source buffer.

However, userspace may split up reads in multiple partial operations
providing an offset into the source buffer and a smaller user buffer.

In order to support this common case, provide a helper for partial
writes.

Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Matthew Maurer <mmaurer@google.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Reviewed-by: Alexandre Courbot <acourbot@nvidia.com>
Acked-by: Miguel Ojeda <ojeda@kernel.org>
[ Replace map_or() with let-else; use saturating_add(). - Danilo ]
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
rust: uaccess: add UserSliceReader::read_slice_file() 2025-11-04T23:35:25+00:00 Danilo Krummrich dakr@kernel.org 2025-10-22T14:30:37+00:00 5829e330482b67a14c8c6d2d500431846d493d67 Add UserSliceReader::read_slice_file(), which is the same as UserSliceReader::read_slice_partial() but updates the given file::Offset by the number of bytes read. This is equivalent to C's `simple_write_to_buffer()` and useful when dealing with file offsets from file operations. Reviewed-by: Alice Ryhl <aliceryhl@google.com> Reviewed-by: Alexandre Courbot <acourbot@nvidia.com> Acked-by: Miguel Ojeda <ojeda@kernel.org> [ Replace saturating_add() with the raw operator and a corresponding OVERFLOW comment. - Danilo ] Signed-off-by: Danilo Krummrich <dakr@kernel.org> 
Add UserSliceReader::read_slice_file(), which is the same as
UserSliceReader::read_slice_partial() but updates the given file::Offset
by the number of bytes read.

This is equivalent to C's `simple_write_to_buffer()` and useful when
dealing with file offsets from file operations.

Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Reviewed-by: Alexandre Courbot <acourbot@nvidia.com>
Acked-by: Miguel Ojeda <ojeda@kernel.org>
[ Replace saturating_add() with the raw operator and a corresponding
  OVERFLOW comment. - Danilo ]
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
rust: uaccess: add UserSliceReader::read_slice_partial() 2025-11-04T23:35:20+00:00 Danilo Krummrich dakr@kernel.org 2025-10-22T14:30:36+00:00 f2af7b01b05545fff1cea0768c14e2da552a56ee The existing read_slice() method is a wrapper around copy_from_user() and expects the user buffer to be larger than the destination buffer. However, userspace may split up writes in multiple partial operations providing an offset into the destination buffer and a smaller user buffer. In order to support this common case, provide a helper for partial reads. Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Reviewed-by: Matthew Maurer <mmaurer@google.com> Reviewed-by: Alice Ryhl <aliceryhl@google.com> Reviewed-by: Alexandre Courbot <acourbot@nvidia.com> Acked-by: Miguel Ojeda <ojeda@kernel.org> [ Replace map_or() with let-else; use saturating_add(). - Danilo ] Signed-off-by: Danilo Krummrich <dakr@kernel.org> 
The existing read_slice() method is a wrapper around copy_from_user()
and expects the user buffer to be larger than the destination buffer.

However, userspace may split up writes in multiple partial operations
providing an offset into the destination buffer and a smaller user
buffer.

In order to support this common case, provide a helper for partial
reads.

Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Matthew Maurer <mmaurer@google.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Reviewed-by: Alexandre Courbot <acourbot@nvidia.com>
Acked-by: Miguel Ojeda <ojeda@kernel.org>
[ Replace map_or() with let-else; use saturating_add(). - Danilo ]
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
rust: uaccess: use newtype for user pointers 2025-07-14T21:52:45+00:00 Alice Ryhl aliceryhl@google.com 2025-06-16T13:45:57+00:00 60ecf796cdc8638c570a4ad06bae6a0d48a8986d Currently, Rust code uses a typedef for unsigned long to represent userspace addresses. This is unfortunate because it means that userspace addresses could accidentally be mixed up with other integers. To alleviate that, we introduce a new UserPtr struct that wraps a raw pointer to represent a userspace address. By using a struct, type checking enforces that userspace addresses cannot be mixed up with anything else. This is similar to the __user annotation in C that detects cases where user pointers are mixed with non-user pointers. Note that unlike __user pointers in C, this type is just a pointer without a target type. This means that it can't detect cases such as mixing up which struct this user pointer references. However, that is okay due to the way this is intended to be used - generally, you create a UserPtr in your ioctl callback from the provided usize *before* dispatching on which ioctl is in use, and then after dispatching on the ioctl you pass the UserPtr into a UserSliceReader or UserSliceWriter; selecting the target type does not happen until you have obtained the UserSliceReader/Writer. The UserPtr type is not marked with #[derive(Debug)], which means that it's not possible to print values of this type. This avoids ASLR leakage. The type is added to the prelude as it is a fairly fundamental type similar to c_int. The wrapping_add() method is renamed to wrapping_byte_add() for consistency with the method name found on raw pointers. Reviewed-by: Benno Lossin <lossin@kernel.org> Reviewed-by: Danilo Krummrich <dakr@kernel.org> Reviewed-by: Christian Schrefl <chrisi.schrefl@gmail.com> Reviewed-by: Boqun Feng <boqun.feng@gmail.com> Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Alice Ryhl <aliceryhl@google.com> Link: https://lore.kernel.org/r/20250616-userptr-newtype-v3-1-5ff7b2d18d9e@google.com [ Reworded title. - Miguel ] Signed-off-by: Miguel Ojeda <ojeda@kernel.org> 
Currently, Rust code uses a typedef for unsigned long to represent
userspace addresses. This is unfortunate because it means that userspace
addresses could accidentally be mixed up with other integers. To
alleviate that, we introduce a new UserPtr struct that wraps a raw
pointer to represent a userspace address. By using a struct, type
checking enforces that userspace addresses cannot be mixed up with
anything else.

This is similar to the __user annotation in C that detects cases where
user pointers are mixed with non-user pointers.

Note that unlike __user pointers in C, this type is just a pointer
without a target type. This means that it can't detect cases such as
mixing up which struct this user pointer references. However, that is
okay due to the way this is intended to be used - generally, you create
a UserPtr in your ioctl callback from the provided usize *before*
dispatching on which ioctl is in use, and then after dispatching on the
ioctl you pass the UserPtr into a UserSliceReader or UserSliceWriter;
selecting the target type does not happen until you have obtained the
UserSliceReader/Writer.

The UserPtr type is not marked with #[derive(Debug)], which means that
it's not possible to print values of this type. This avoids ASLR
leakage.

The type is added to the prelude as it is a fairly fundamental type
similar to c_int. The wrapping_add() method is renamed to
wrapping_byte_add() for consistency with the method name found on raw
pointers.

Reviewed-by: Benno Lossin <lossin@kernel.org>
Reviewed-by: Danilo Krummrich <dakr@kernel.org>
Reviewed-by: Christian Schrefl <chrisi.schrefl@gmail.com>
Reviewed-by: Boqun Feng <boqun.feng@gmail.com>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Link: https://lore.kernel.org/r/20250616-userptr-newtype-v3-1-5ff7b2d18d9e@google.com
[ Reworded title. - Miguel ]
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
rust: uaccess: add UserSliceReader::strcpy_into_buf 2025-07-13T23:34:12+00:00 Alice Ryhl aliceryhl@google.com 2025-06-16T12:41:48+00:00 17bbbefbf6715a543ff4713e26f7b8e6b7a876d6 This patch adds a more convenient method for reading C strings from userspace. Logic is added to NUL-terminate the buffer when necessary so that a &CStr can be returned. Note that we treat attempts to read past `self.length` as a fault, so this returns EFAULT if that limit is exceeded before `buf.len()` is reached. Reviewed-by: Danilo Krummrich <dakr@kernel.org> Signed-off-by: Alice Ryhl <aliceryhl@google.com> Reviewed-by: Benno Lossin <lossin@kernel.org> Link: https://lore.kernel.org/r/20250616-strncpy-from-user-v5-2-2d3fb0e1f5af@google.com [ Use `from_mut` to clean `clippy::ref_as_ptr` lint. Reworded title. - Miguel ] Signed-off-by: Miguel Ojeda <ojeda@kernel.org> 
This patch adds a more convenient method for reading C strings from
userspace. Logic is added to NUL-terminate the buffer when necessary so
that a &CStr can be returned.

Note that we treat attempts to read past `self.length` as a fault, so
this returns EFAULT if that limit is exceeded before `buf.len()` is
reached.

Reviewed-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Reviewed-by: Benno Lossin <lossin@kernel.org>
Link: https://lore.kernel.org/r/20250616-strncpy-from-user-v5-2-2d3fb0e1f5af@google.com
[ Use `from_mut` to clean `clippy::ref_as_ptr` lint. Reworded
  title. - Miguel ]
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>