From: sashiko-bot@kernel.org
To: "Gary Guo" <gary@garyguo.net>
Cc: "Danilo Krummrich" <dakr@kernel.org>,
ojeda@kernel.org, "Alexandre Courbot" <acourbot@nvidia.com>,
dri-devel@lists.freedesktop.org
Subject: Re: [PATCH v2 3/4] gpu: nova-core: fix barrier usage in CPU->GSP messaging path
Date: Tue, 09 Jun 2026 15:50:37 +0000 [thread overview]
Message-ID: <20260609155038.20E901F00898@smtp.kernel.org> (raw)
In-Reply-To: <20260609-rust-barrier-v2-3-30fcc48e1cd0@garyguo.net>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Missing sequence number validation allows mismatched RPC replies to be accepted after a timeout.
--
commit 0c5cf61612018cf7b218d6031a8329297e4ac9dc
Author: Gary Guo <gary@garyguo.net>
gpu: nova-core: fix barrier usage in CPU->GSP messaging path
This commit fixes the barrier usage in the CPU->GSP messaging path. It
clarifies the LOAD->STORE ordering dependency and moves the STORE->STORE
barrier to immediately before the write pointer advance to prevent the GSP
from observing an advanced pointer before the command is fully written.
> diff --git a/drivers/gpu/nova-core/gsp/cmdq.rs b/drivers/gpu/nova-core/gsp/cmdq.rs
> index 070de0731e950..94c2790d943d0 100644
> --- a/drivers/gpu/nova-core/gsp/cmdq.rs
> +++ b/drivers/gpu/nova-core/gsp/cmdq.rs
[ ... ]
[Severity: High]
This isn't a bug introduced by this patch, but while looking at the
messaging path, I noticed a potential issue with sequence number
validation.
If a previous command times out in Cmdq::send_command():
drivers/gpu/nova-core/gsp/cmdq.rs:Cmdq::send_command() {
...
loop {
match inner.receive_msg::<M::Reply>(Self::RECEIVE_TIMEOUT) {
Ok(reply) => break Ok(reply),
Err(ERANGE) => continue,
Err(e) => break Err(e),
}
}
...
}
The timeout returns ETIMEDOUT and drops the command queue lock, but the
delayed reply might eventually arrive and remain in the message queue.
When another command with the same function code is subsequently sent,
CmdqInner::receive_msg() validates the incoming message:
drivers/gpu/nova-core/gsp/cmdq.rs:CmdqInner::receive_msg() {
...
let result = if function == M::FUNCTION {
let (cmd, contents_1) = M::Message::from_bytes_prefix(...
...
}
Does this code incorrectly accept the stale reply as a successful response
because it only checks if function == M::FUNCTION?
Could this break RPC protocol synchronization and cause the driver to
process incorrect payload data? Should the sequence number be validated
(e.g., via header.sequence()) to prevent mismatched replies?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260609-rust-barrier-v2-0-30fcc48e1cd0@garyguo.net?part=3
next prev parent reply other threads:[~2026-06-09 15:50 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-09 15:38 [PATCH v2 0/4] rust: more memory barriers bindings Gary Guo
2026-06-09 15:38 ` [PATCH v2 1/4] rust: sync: add helpers for mb, dma_mb and friends Gary Guo
2026-06-09 15:38 ` [PATCH v2 2/4] rust: sync: generic memory barriers Gary Guo
2026-06-09 15:48 ` sashiko-bot
2026-06-09 15:38 ` [PATCH v2 3/4] gpu: nova-core: fix barrier usage in CPU->GSP messaging path Gary Guo
2026-06-09 15:50 ` sashiko-bot [this message]
2026-06-09 15:38 ` [PATCH v2 4/4] gpu: nova-core: fix barrier usage in GSP->CPU " Gary Guo
2026-06-09 15:49 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260609155038.20E901F00898@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=acourbot@nvidia.com \
--cc=dakr@kernel.org \
--cc=dri-devel@lists.freedesktop.org \
--cc=gary@garyguo.net \
--cc=ojeda@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.