Re: [PATCH REF v4 24/27] gpu: nova-core: use lifetime for Bar

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] The raw pointer cast artificially extends a short-lived local reference to the `'bound` lifetime, bypassing the borrow checker and causing undefined behavior.
- [High] Creating a self-reference to a standard, non-Opaque field violates Rust's aliasing rules and causes Undefined Behavior.
--

commit 324bc88b7f0822485a9eb9d34c17aabba9845b74
Author: Danilo Krummrich <dakr@kernel.org>
Subject: gpu: nova-core: use lifetime for Bar

This commit removes the Arc<Devres<Bar0>> indirection and replaces it with
a lifetime-parameterized pci::Bar<'bound> in NovaCore. It passes a borrowed
reference to Gpu<'bound> by attempting to use a self-reference during pin
initialization.

> diff --git a/drivers/gpu/nova-core/driver.rs b/drivers/gpu/nova-core/driver.rs
> index d3f2245ba2e0c..d4cf4379ee87c 100644
> --- a/drivers/gpu/nova-core/driver.rs
> +++ b/drivers/gpu/nova-core/driver.rs

[ ... ]

> @@ -95,14 +93,14 @@ fn probe<'bound>(
>              // other threads of execution.
>              unsafe { pdev.dma_set_mask_and_coherent(DmaMask::new::<GPU_DMA_BITS>())? };
>  
> -            let bar = Arc::new(
> -                pdev.iomap_region_sized::<BAR0_SIZE>(0, c"nova-core/bar0")?
> -                    .into_devres()?,
> -                GFP_KERNEL,
> -            )?;
> -
>              Ok(try_pin_init!(NovaCore {
> -                gpu <- Gpu::new(pdev, bar.clone(), bar.access(pdev.as_ref())?),
> +                bar: pdev.iomap_region_sized::<BAR0_SIZE>(0, c"nova-core/bar0")?,
> +                // TODO: Use &bar self-referential pin-init syntax once available.
> +                //
> +                // SAFETY: bar is initialized before this expression is evaluated
> +                // (try_pin_init!() initializes fields in declaration order), lives at a pinned
> +                // stable address, and is dropped after gpu (struct field drop order).
> +                gpu <- Gpu::new(pdev, unsafe { &*core::ptr::from_ref(bar) }),

[Severity: High]
Does coercing this local reference through a raw pointer artificially extend
its lifetime to 'bound?

Since Gpu<'bound> requires its bar reference to live for the 'bound lifetime
(which is tied to the PCI device), and the NovaCore allocation has a strictly
shorter lifespan than the device itself, could this forged lifetime bypass
the borrow checker and cause undefined behavior?

[Severity: High]
Could creating a self-reference to a standard, non-Opaque field here violate
Rust's aliasing rules?

Because bar is not wrapped in kernel::types::Opaque, any subsequent mutable
borrow of the NovaCore struct (such as when the allocation is finalized into
a Pin<Box<NovaCore>>) asserts exclusive mutable access over all its fields.

Wouldn't this recursively invalidate the shared reference to Bar0 stored
inside gpu, leading to undefined behavior upon later access?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260521233501.1191842-1-dakr@kernel.org?part=24