From: sashiko-bot@kernel.org
To: "Antonin Malzieu Ridolfi via B4 Relay"
<devnull+dev.nanonej.com@kernel.org>
Cc: "Alexandre Courbot" <acourbot@nvidia.com>,
dri-devel@lists.freedesktop.org,
"Danilo Krummrich" <dakr@kernel.org>
Subject: Re: [PATCH 5/5] gpu: nova-core: falcon: Move PFSP register
Date: Tue, 23 Jun 2026 20:24:19 +0000 [thread overview]
Message-ID: <20260623202419.CECC51F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260617-nova-core-regs-split-v1-5-4c7dc4450ea7@nanonej.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
New issues:
- [Low] The commit modifies import statements without migrating them to the kernel's vertical import style.
Pre-existing issues:
- [High] FSP queue registers are defined as arrays of 8 elements without a `stride` parameter, defaulting to a 4-byte stride which silently overlaps with adjacent registers.
- [High] Unbounded allocation in `recv_msg` based on untrusted hardware input can trigger an Out-of-Memory (OOM) condition or kernel panic.
--
commit 2170d35504c32c252c52eca31b351aad8e873b56
Author: Antonin Malzieu Ridolfi <dev@nanonej.com>
gpu: nova-core: falcon: Move PFSP register
This patch moves the PFSP register definitions into the falcon module and
updates the registers' visibility.
> diff --git a/drivers/gpu/nova-core/falcon/fsp.rs b/drivers/gpu/nova-core/falcon/fsp.rs
> index 52cdb84ef0e80..547843e6483c6 100644
> --- a/drivers/gpu/nova-core/falcon/fsp.rs
> +++ b/drivers/gpu/nova-core/falcon/fsp.rs
> @@ -26,10 +26,10 @@
> Falcon,
> FalconEngine,
> PFalcon2Base,
> - PFalconBase, //
> + PFalconBase,
> + regs, //
> },
> - num,
> - regs, //
> + num, //
> };
[Severity: Low]
Does this import block need to be updated to match the kernel vertical import
style? The Rust subsystem coding guidelines require flattening nested imports
when they are modified.
[ ... ]
> diff --git a/drivers/gpu/nova-core/falcon/regs.rs b/drivers/gpu/nova-core/falcon/regs.rs
> index 4d4e69b235fc6..81530abfb54c3 100644
> --- a/drivers/gpu/nova-core/falcon/regs.rs
> +++ b/drivers/gpu/nova-core/falcon/regs.rs
[ ... ]
> +register! {
> + pub(super) NV_PFSP_QUEUE_HEAD(u32)[8] @ 0x008f2c00 {
> + 31:0 address => u32;
> + }
> +
> + pub(super) NV_PFSP_QUEUE_TAIL(u32)[8] @ 0x008f2c04 {
> + 31:0 address => u32;
> + }
[Severity: High]
This is a pre-existing issue, but does NV_PFSP_QUEUE_HEAD need a stride
parameter?
Since the elements are 4 bytes, omitting the stride defaults it to 4 bytes.
This would place index 1 of NV_PFSP_QUEUE_HEAD at 0x008f2c04, which overlaps
with NV_PFSP_QUEUE_TAIL.
Should this be defined as [8, stride = 8] to prevent accessing the wrong
register for indices > 0?
[ ... ]
[Severity: High]
This isn't a bug introduced by this patch, but is there an unbounded
allocation risk in recv_msg()?
Looking at fsp.rs, poll_msgq() derives the message size directly from
the hardware MMIO registers without bounds checking:
tail.saturating_sub(head).saturating_add(4)
This untrusted size is then used to allocate kernel memory:
drivers/gpu/nova-core/falcon/fsp.rs:recv_msg() {
...
let mut buffer = KVec::<u8>::new();
buffer.resize(msg_size, 0, GFP_KERNEL)?;
...
}
Could a compromised or misbehaving FSP firmware provide a massive message
size, exhausting kernel memory and triggering an OOM condition?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260617-nova-core-regs-split-v1-0-4c7dc4450ea7@nanonej.com?part=5
prev parent reply other threads:[~2026-06-23 20:24 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-16 23:48 [PATCH 0/5] gpu: nova-core: Move registers definitions Antonin Malzieu Ridolfi
2026-06-16 23:48 ` Antonin Malzieu Ridolfi via B4 Relay
2026-06-16 23:48 ` [PATCH 1/5] gpu: nova-core: fb: Move PDISP register definition Antonin Malzieu Ridolfi
2026-06-16 23:48 ` Antonin Malzieu Ridolfi via B4 Relay
2026-06-23 6:18 ` Alexandre Courbot
2026-06-16 23:48 ` [PATCH 2/5] gpu: nova-core: gsp: Move PBUS " Antonin Malzieu Ridolfi
2026-06-16 23:48 ` Antonin Malzieu Ridolfi via B4 Relay
2026-06-23 6:18 ` Alexandre Courbot
2026-06-16 23:48 ` [PATCH 3/5] gpu: nova-core: falcon: Move PFALCON2 register Antonin Malzieu Ridolfi
2026-06-16 23:48 ` Antonin Malzieu Ridolfi via B4 Relay
2026-06-23 6:22 ` Alexandre Courbot
2026-06-23 20:12 ` sashiko-bot
2026-06-16 23:48 ` [PATCH 4/5] gpu: nova-core: falcon: Move PRISCV register Antonin Malzieu Ridolfi
2026-06-16 23:48 ` Antonin Malzieu Ridolfi via B4 Relay
2026-06-16 23:48 ` [PATCH 5/5] gpu: nova-core: falcon: Move PFSP register Antonin Malzieu Ridolfi
2026-06-16 23:48 ` Antonin Malzieu Ridolfi via B4 Relay
2026-06-23 20:24 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260623202419.CECC51F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=acourbot@nvidia.com \
--cc=dakr@kernel.org \
--cc=devnull+dev.nanonej.com@kernel.org \
--cc=dri-devel@lists.freedesktop.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.