From: sashiko-bot@kernel.org
To: "SeungJong Ha via B4 Relay"
<devnull+engineer.jjhama.gmail.com@kernel.org>
Cc: ojeda@kernel.org, dri-devel@lists.freedesktop.org,
"Alexandre Courbot" <acourbot@nvidia.com>,
"Danilo Krummrich" <dakr@kernel.org>
Subject: Re: [PATCH RFC 4/4] gpu: nova-core: gsp: convert GspMem to zerocopy via the transmute bridge
Date: Sun, 28 Jun 2026 17:22:00 +0000 [thread overview]
Message-ID: <20260628172200.B116D1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260628-dma-zerocopy-bridge-v1-4-9a2895ebe30d@gmail.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Time-of-Check to Time-of-Use (TOCTOU) vulnerability parsing message queue headers from coherent DMA memory.
--
commit e9f51c49f1590127c704379d2f179c17f740df94
Author: SeungJong Ha <engineer.jjhama@gmail.com>
gpu: nova-core: gsp: convert GspMem to zerocopy via the transmute bridge
This commit converts GspMem and related structures to use zerocopy for safe
transmutations by adding explicit padding and deriving FromBytes and IntoBytes.
It replaces the manual unsafe transmute implementations.
> diff --git a/drivers/gpu/nova-core/gsp/cmdq.rs b/drivers/gpu/nova-core/gsp/cmdq.rs
> index 070de0731e950..d9929d24d3165 100644
> --- a/drivers/gpu/nova-core/gsp/cmdq.rs
> +++ b/drivers/gpu/nova-core/gsp/cmdq.rs
[ ... ]
> @@ -169,6 +169,7 @@ struct MsgqData {
> /// read pointer of `rx` actually refers to the `Msgq` owned by the other side.
> /// This design ensures that only the driver or GSP ever writes to a given instance of this struct.
> #[repr(C)]
> +#[derive(FromBytes, IntoBytes, Immutable)]
> // There is no struct defined for this in the open-gpu-kernel-source headers.
> // Instead it is defined by code in `GspMsgQueuesInit()`.
> // TODO: Revert to private once `IoView` projections replace the `gsp_mem` module.
[Severity: High]
This isn't a bug introduced by this patch, but could this coherent shared memory
lead to a time-of-check to time-of-use vulnerability?
The driver validates lengths and checksums by reading fields like length from
GspMsgElement, which is mapped directly into shared memory. For instance,
in wait_for_msg():
wait_for_msg()
let (header, slice_1) = GspMsgElement::from_bytes_prefix(slice_1).ok_or(EIO)?;
However, receive_msg() seems to re-read the header fields directly from shared
memory to advance the ring buffer pointer:
receive_msg()
self.gsp_mem.advance_cpu_read_ptr(u32::try_from(
message.header.length().div_ceil(GSP_PAGE_SIZE),
)?);
Can a compromised hardware component modify the message length concurrently
after the initial validation but before pointer advancement, potentially
corrupting the host read pointer?
Similarly, send_single_command() initializes a message header in shared memory
and then reads its element_count to advance the write pointer:
send_single_command()
let elem_count = dst.header.element_count();
self.seq += 1;
self.gsp_mem.advance_cpu_write_ptr(elem_count);
Does this allow the device to race and corrupt the host write pointer by
modifying element_count before it is read back?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260628-dma-zerocopy-bridge-v1-0-9a2895ebe30d@gmail.com?part=4
next prev parent reply other threads:[~2026-06-28 17:22 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-28 17:10 [PATCH RFC 0/4] rust: dma: bridge zerocopy-derived types into the transmute byte-safety bound SeungJong Ha via B4 Relay
2026-06-28 17:10 ` SeungJong Ha
2026-06-28 17:10 ` [PATCH RFC 1/4] rust: transmute: add `impl_transmute_via_zerocopy!` macro SeungJong Ha via B4 Relay
2026-06-28 17:10 ` SeungJong Ha
2026-06-28 17:10 ` [PATCH RFC 2/4] rust: prelude: re-export `zerocopy::Immutable` SeungJong Ha via B4 Relay
2026-06-28 17:10 ` SeungJong Ha
2026-06-28 17:10 ` [PATCH RFC 3/4] gpu: nova-core: gsp: derive zerocopy traits for the msgq POD types SeungJong Ha via B4 Relay
2026-06-28 17:10 ` SeungJong Ha
2026-06-28 17:10 ` [PATCH RFC 4/4] gpu: nova-core: gsp: convert GspMem to zerocopy via the transmute bridge SeungJong Ha via B4 Relay
2026-06-28 17:10 ` SeungJong Ha
2026-06-28 17:22 ` sashiko-bot [this message]
2026-06-28 18:21 ` SeungJong Ha
2026-06-29 7:10 ` Alexandre Courbot
2026-06-29 7:59 ` SeungJong Ha
2026-06-29 9:49 ` Alexandre Courbot
2026-06-29 7:17 ` [PATCH RFC 0/4] rust: dma: bridge zerocopy-derived types into the transmute byte-safety bound Alexandre Courbot
2026-06-29 8:20 ` Alistair Popple
2026-06-29 8:57 ` Danilo Krummrich
2026-06-29 11:38 ` SeungJong Ha
2026-06-29 11:16 ` SeungJong Ha
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260628172200.B116D1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=acourbot@nvidia.com \
--cc=dakr@kernel.org \
--cc=devnull+engineer.jjhama.gmail.com@kernel.org \
--cc=dri-devel@lists.freedesktop.org \
--cc=ojeda@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.