From: sashiko-bot@kernel.org
To: "Danilo Krummrich" <dakr@kernel.org>
Cc: linux-pci@vger.kernel.org, ojeda@kernel.org
Subject: Re: [PATCH REF v4 25/27] gpu: nova-core: unregister sysmem flush page from Drop
Date: Fri, 22 May 2026 00:47:13 +0000 [thread overview]
Message-ID: <20260522004713.9ECD61F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260521233501.1191842-26-dakr@kernel.org>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
Pre-existing issues:
- [High] Missing MMIO readback after unregistering the sysmem flush page allows DMA to freed memory.
- [High] Incorrect teardown order causes child DRM drivers to be unregistered after GPU resources are freed.
- [High] GPU hardware is not halted before its DMA memory is freed during teardown.
--
commit 4d00660f7b8829d00187ed0c9645cb7d2b811fe2
Author: Danilo Krummrich <dakr@kernel.org>
gpu: nova-core: unregister sysmem flush page from Drop
Now that SysmemFlush can borrow the Bar via HRT lifetime, store a
&'bound Bar0 reference and implement Drop to automatically unregister
the sysmem flush page. This removes the need for manual unregister()
calls and the Gpu::unbind() method.
Link: https://lore.kernel.org/all/20260409-fix-systemflush-v1-1-a1d6c968f17c@nvidia.com/
> diff --git a/drivers/gpu/nova-core/driver.rs b/drivers/gpu/nova-core/driver.rs
> index d4cf4379ee87c..cff5034c2dcd2 100644
> --- a/drivers/gpu/nova-core/driver.rs
> +++ b/drivers/gpu/nova-core/driver.rs
> @@ -113,8 +113,4 @@ fn probe<'bound>(
> }))
> })
> }
> -
> - fn unbind<'bound>(_pdev: &'bound pci::Device<Core<'_>>, this: Pin<&Self::Data<'bound>>) {
> - this.gpu.unbind();
> - }
[Severity: High]
This isn't a bug introduced by this patch, but by relying on Drop for
teardown, does the struct field declaration order cause child DRM drivers
to be unregistered after GPU resources are freed?
In Rust, struct fields are dropped in declaration order. If gpu and bar
are declared before _reg (the auxiliary device registration) in NovaCore,
dropping NovaCore will drop gpu first (freeing GSP DMA buffers and
unmapping the sysmem flush page).
Later, _reg is dropped, which invokes auxiliary_device_delete and
triggers the child DRM driver's remove callback. This means the child
driver is unbound and executes its teardown after the GPU hardware state
has been torn down and its backing DMA memory freed.
Could this lead to crashes or use-after-free?
[Severity: High]
This is a pre-existing issue, but is the GPU hardware halted before its
DMA memory is freed during teardown?
When the Gpu struct is dropped, the DMA memory for the sysmem flush page
and GSP is freed via their respective Drop implementations. However,
neither Gpu, Gsp, nor Falcon appear to implement a Drop routine that
actually halts the GSP firmware or resets the falcons.
Because the hardware is left running while its DMA backing memory is
returned to the system allocator, could the GPU continue to execute and
access the freed memory?
> }
> diff --git a/drivers/gpu/nova-core/fb.rs b/drivers/gpu/nova-core/fb.rs
> index bdd5eed760e17..64fe5f27f41ee 100644
> --- a/drivers/gpu/nova-core/fb.rs
> +++ b/drivers/gpu/nova-core/fb.rs
[ ... ]
> @@ -70,19 +69,18 @@ pub(crate) fn register(
> Ok(Self {
> chipset,
> device: dev.into(),
> + bar,
> page,
> })
> }
> +}
>
> - /// Unregister the managed sysmem flush page.
> - ///
> - /// In order to gracefully tear down the GPU, users must make sure to call this method before
> - /// dropping the object.
> - pub(crate) fn unregister(&self, bar: &Bar0) {
> +impl Drop for SysmemFlush<'_> {
> + fn drop(&mut self) {
> let hal = hal::fb_hal(self.chipset);
>
> - if hal.read_sysmem_flush_page(bar) == self.page.dma_handle() {
> - let _ = hal.write_sysmem_flush_page(bar, 0).inspect_err(|e| {
> + if hal.read_sysmem_flush_page(self.bar) == self.page.dma_handle() {
> + let _ = hal.write_sysmem_flush_page(self.bar, 0).inspect_err(|e| {
[Severity: High]
This is a pre-existing issue, but does this MMIO write need a readback?
When SysmemFlush::drop unregisters the flush page, it issues a PCIe MMIO
write. PCIe writes are posted and can be buffered. Because there is no
subsequent MMIO read to flush the posted write, the CPU can immediately
proceed to drop self.page and free the DMA memory while the hardware's
register update is still in flight.
If the GPU executes a sysmem flush before the register actually updates,
could it write to freed memory?
> dev_warn!(
> &self.device,
> "failed to unregister sysmem flush page: {:?}\n",
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260521233501.1191842-1-dakr@kernel.org?part=25
next prev parent reply other threads:[~2026-05-22 0:47 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-21 23:34 [PATCH v4 00/27] rust: device: Higher-Ranked Lifetime Types for device drivers Danilo Krummrich
2026-05-21 23:34 ` [PATCH v4 01/27] rust: alloc: remove `'static` bound on `ForeignOwnable` Danilo Krummrich
2026-05-22 0:13 ` sashiko-bot
2026-05-21 23:34 ` [PATCH v4 02/27] rust: driver: move 'static bounds to constructor Danilo Krummrich
2026-05-21 23:34 ` [PATCH v4 03/27] rust: driver: decouple driver private data from driver type Danilo Krummrich
2026-05-21 23:56 ` sashiko-bot
2026-05-21 23:34 ` [PATCH v4 04/27] rust: driver core: drop drvdata before devres release Danilo Krummrich
2026-05-22 0:10 ` sashiko-bot
2026-05-21 23:34 ` [PATCH v4 05/27] rust: pci: implement Sync for Device<Bound> Danilo Krummrich
2026-05-21 23:34 ` [PATCH v4 06/27] rust: platform: " Danilo Krummrich
2026-05-21 23:34 ` [PATCH v4 07/27] rust: auxiliary: " Danilo Krummrich
2026-05-21 23:34 ` [PATCH v4 08/27] rust: usb: " Danilo Krummrich
2026-05-22 0:16 ` sashiko-bot
2026-05-21 23:34 ` [PATCH v4 09/27] rust: device: " Danilo Krummrich
2026-05-21 23:34 ` [PATCH v4 10/27] rust: device: make Core and CoreInternal lifetime-parameterized Danilo Krummrich
2026-05-25 4:21 ` Eliot Courtney
2026-05-25 11:02 ` Alexandre Courbot
2026-05-21 23:34 ` [PATCH v4 11/27] rust: pci: make Driver trait lifetime-parameterized Danilo Krummrich
2026-05-22 0:14 ` sashiko-bot
2026-05-21 23:34 ` [PATCH v4 12/27] rust: platform: " Danilo Krummrich
2026-05-21 23:34 ` [PATCH v4 13/27] rust: auxiliary: " Danilo Krummrich
2026-05-21 23:34 ` [PATCH v4 14/27] rust: usb: " Danilo Krummrich
2026-05-22 0:23 ` sashiko-bot
2026-05-25 4:31 ` Eliot Courtney
2026-05-21 23:34 ` [PATCH v4 15/27] rust: i2c: " Danilo Krummrich
2026-05-21 23:34 ` [PATCH v4 16/27] rust: driver: update module documentation for GAT-based Data type Danilo Krummrich
2026-05-21 23:34 ` [PATCH v4 17/27] rust: pci: make Bar lifetime-parameterized Danilo Krummrich
2026-05-22 0:49 ` sashiko-bot
2026-05-25 4:37 ` Eliot Courtney
2026-05-25 11:40 ` Gary Guo
2026-05-25 12:05 ` Danilo Krummrich
2026-05-25 11:10 ` Alexandre Courbot
2026-05-25 11:12 ` Alexandre Courbot
2026-05-21 23:34 ` [PATCH v4 18/27] rust: io: make IoMem and ExclusiveIoMem lifetime-parameterized Danilo Krummrich
2026-05-22 0:45 ` sashiko-bot
2026-05-25 13:10 ` Alexandre Courbot
2026-05-21 23:34 ` [PATCH v4 19/27] samples: rust: rust_driver_pci: use HRT lifetime for Bar Danilo Krummrich
2026-05-22 1:27 ` sashiko-bot
2026-05-25 13:55 ` Alexandre Courbot
2026-05-21 23:34 ` [PATCH v4 20/27] gpu: nova-core: separate driver type from driver data Danilo Krummrich
2026-05-25 4:40 ` Eliot Courtney
2026-05-25 14:11 ` Alexandre Courbot
2026-05-21 23:34 ` [PATCH v4 21/27] rust: types: add `ForLt` trait for higher-ranked lifetime support Danilo Krummrich
2026-05-22 0:31 ` sashiko-bot
2026-05-23 15:46 ` Danilo Krummrich
2026-05-25 12:31 ` Eliot Courtney
2026-05-21 23:34 ` [PATCH v4 22/27] rust: auxiliary: generalize Registration over ForLt Danilo Krummrich
2026-05-22 0:49 ` sashiko-bot
2026-05-25 6:03 ` Eliot Courtney
2026-05-25 14:42 ` Alexandre Courbot
2026-05-21 23:34 ` [PATCH v4 23/27] samples: rust: rust_driver_auxiliary: showcase lifetime-bound registration data Danilo Krummrich
2026-05-25 14:48 ` Alexandre Courbot
2026-05-21 23:34 ` [PATCH REF v4 24/27] gpu: nova-core: use lifetime for Bar Danilo Krummrich
2026-05-22 1:28 ` sashiko-bot
2026-05-26 2:10 ` Alexandre Courbot
2026-05-26 5:48 ` Alexandre Courbot
2026-05-21 23:34 ` [PATCH REF v4 25/27] gpu: nova-core: unregister sysmem flush page from Drop Danilo Krummrich
2026-05-22 0:47 ` sashiko-bot [this message]
2026-05-21 23:34 ` [PATCH REF v4 26/27] gpu: nova-core: replace ARef<Device> with &'bound Device in SysmemFlush Danilo Krummrich
2026-05-22 0:46 ` sashiko-bot
2026-05-21 23:34 ` [PATCH REF v4 27/27] gpu: drm: tyr: use lifetime for IoMem Danilo Krummrich
2026-05-22 0:42 ` sashiko-bot
2026-05-22 10:14 ` [PATCH v4 00/27] rust: device: Higher-Ranked Lifetime Types for device drivers Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260522004713.9ECD61F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=dakr@kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=ojeda@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.