@@ -58,6 +58,7 @@ impl super::QueueInner::ver {
5858
5959 let cmdbuf_read_size =
6060 ( cmd. cmd_buffer_size as usize ) . min ( core:: mem:: size_of :: < uapi:: drm_asahi_cmd_compute > ( ) ) ;
61+ // SAFETY: This is the sole UserSlicePtr instance for this cmd_buffer.
6162 let mut cmdbuf_reader = unsafe {
6263 UserSlicePtr :: new (
6364 cmd. cmd_buffer as usize as * mut _ ,
@@ -67,6 +68,8 @@ impl super::QueueInner::ver {
6768 } ;
6869
6970 let mut cmdbuf: uapi:: drm_asahi_cmd_compute = Default :: default ( ) ;
71+ // SAFETY: The output pointer is valid, and the size does not exceed the type size
72+ // per the min() above, and all bit patterns are valid.
7073 unsafe {
7174 cmdbuf_reader. read_raw ( & mut cmdbuf as * mut _ as * mut u8 , cmdbuf_read_size) ?;
7275 }
@@ -80,6 +83,9 @@ impl super::QueueInner::ver {
8083 let mut ext_ptr = cmdbuf. extensions ;
8184 while ext_ptr != 0 {
8285 let ext_type = u32:: from_ne_bytes (
86+ // SAFETY: There is a double read from userspace here, but there is no TOCTOU
87+ // issue since at worst the extension parse below will read garbage, and
88+ // we do not trust any fields anyway.
8389 unsafe { UserSlicePtr :: new ( ext_ptr as usize as * mut _ , 4 ) }
8490 . read_all ( ) ?
8591 . try_into ( )
@@ -91,13 +97,16 @@ impl super::QueueInner::ver {
9197 let mut ext_user_timestamps: uapi:: drm_asahi_cmd_compute_user_timestamps =
9298 Default :: default ( ) ;
9399
100+ // SAFETY: See above
94101 let mut ext_reader = unsafe {
95102 UserSlicePtr :: new (
96103 ext_ptr as usize as * mut _ ,
97104 core:: mem:: size_of :: < uapi:: drm_asahi_cmd_compute_user_timestamps > ( ) ,
98105 )
99106 . reader ( )
100107 } ;
108+ // SAFETY: The output buffer is valid and of the correct size, and all bit
109+ // patterns are valid.
101110 unsafe {
102111 ext_reader. read_raw (
103112 & mut ext_user_timestamps as * mut _ as * mut u8 ,
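Review bot: The `while ext_ptr != 0` loop in the third hunk (new line 84) walks a chain of userspace-supplied extension pointers, and nothing visible in the hunk bounds the number of iterations or detects a cycle, so unless the advance to the next pointer (outside the hunk) already caps the walk, a chain that loops back on itself would keep this kernel path spinning; a bounded iteration count with an `EINVAL` return once the limit is exceeded, placed before the type read, would close that, and the new SAFETY text at line 86 covers only the double-read aspect. The `// SAFETY: See above` at new line 100 is also too thin for a reader landing on that block, since it does not say which argument it leans on; something like `// SAFETY: As for the type read above: ext_ptr is a user address read twice, and no field is trusted, so a change between reads is harmless.` would stand on its own. The "all bit patterns are valid" claims at lines 72 and 109 hold only if neither uapi struct contains `bool` or enum fields, which cannot be confirmed from this hunk. The enclosing function starts before the first hunk and continues past the last.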