From: "Gary Guo" <gary@garyguo.net>
To: "Eliot Courtney" <ecourtney@nvidia.com>,
"Danilo Krummrich" <dakr@kernel.org>,
"Alexandre Courbot" <acourbot@nvidia.com>,
"Alice Ryhl" <aliceryhl@google.com>,
"David Airlie" <airlied@gmail.com>,
"Simona Vetter" <simona@ffwll.ch>,
"Alistair Popple" <apopple@nvidia.com>
Cc: nouveau@lists.freedesktop.org, rust-for-linux@vger.kernel.org,
dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 3/4] gpu: nova-core: gsp: fix improper handling of empty slot in cmdq
Date: Fri, 23 Jan 2026 18:31:21 +0000 [thread overview]
Message-ID: <DFW6LTFCK75Y.1U7ZRPNHVVC2I@garyguo.net> (raw)
In-Reply-To: <20260122-nova-core-cmdq1-v1-3-7f8fe4683f11@nvidia.com>
On Thu Jan 22, 2026 at 2:59 AM GMT, Eliot Courtney wrote:
> The current code hands out buffers that go all the way up to and
> including `rx - 1`, but we need to maintain an empty slot to prevent the
> ring buffer from wrapping around into having 'tx == rx', which means
> empty.
Doesn't this mean that you're effectively wasting a slot? You can easily
implementing a ring buffer that allows you to disambiguate empty/full while
still using all slots.
A common approach is to only do modulo/masking operation before accessing the
slot. Then `write_ptr.wrapping_sub(read_ptr)` will give you the accurate length of
things inside the ring buffer.
Best,
Gary
>
> Also add more rigorous no-panic proofs.
>
> Fixes: 75f6b1de8133 ("gpu: nova-core: gsp: Add GSP command queue bindings and handling")
> Signed-off-by: Eliot Courtney <ecourtney@nvidia.com>
> ---
> drivers/gpu/nova-core/gsp/cmdq.rs | 31 +++++++++++++++++--------------
> 1 file changed, 17 insertions(+), 14 deletions(-)
>
> diff --git a/drivers/gpu/nova-core/gsp/cmdq.rs b/drivers/gpu/nova-core/gsp/cmdq.rs
> index 09c28eeb6f12..b6d6093e3ac0 100644
> --- a/drivers/gpu/nova-core/gsp/cmdq.rs
> +++ b/drivers/gpu/nova-core/gsp/cmdq.rs
> @@ -227,21 +227,24 @@ fn new(dev: &device::Device<device::Bound>) -> Result<Self> {
> // PANIC: per the invariant of `cpu_write_ptr`, `tx` is `< MSGQ_NUM_PAGES`.
> let (before_tx, after_tx) = gsp_mem.cpuq.msgq.data.split_at_mut(tx);
>
> - if rx <= tx {
> - // The area from `tx` up to the end of the ring, and from the beginning of the ring up
> - // to `rx`, minus one unit, belongs to the driver.
> - if rx == 0 {
> - let last = after_tx.len() - 1;
> - (&mut after_tx[..last], &mut before_tx[0..0])
> - } else {
> - (after_tx, &mut before_tx[..rx])
> - }
> + // The area starting at `tx` and ending at `rx - 2` modulo MSGQ_NUM_PAGES, inclusive,
> + // belongs to the driver for writing.
> + if rx == 0 {
> + // Since `rx` is zero, leave an empty slot at end of the buffer.
> + let last = after_tx.len() - 1;
> + (&mut after_tx[..last], &mut before_tx[0..0])
> + } else if rx > tx {
> + // The area is contiguous and we leave an empty slot before `rx`.
> + // PANIC: since `rx > tx` we have `rx - tx - 1 >= 0`
> + // PANIC: since `tx < rx < MSGQ_NUM_PAGES && after_tx.len() == MSGQ_NUM_PAGES - tx`:
> + // `rx - 1 <= MSGQ_NUM_PAGES` -> `rx - tx - 1 <= MSGQ_NUM_PAGES - tx`
> + // -> `rx - tx - 1 <= after_tx.len()`
> + (&mut after_tx[..(rx - tx - 1)], &mut before_tx[0..0])
> } else {
> - // The area from `tx` to `rx`, minus one unit, belongs to the driver.
> - //
> - // PANIC: per the invariants of `cpu_write_ptr` and `gsp_read_ptr`, `rx` and `tx` are
> - // `<= MSGQ_NUM_PAGES`, and the test above ensured that `rx > tx`.
> - (after_tx.split_at_mut(rx - tx).0, &mut before_tx[0..0])
> + // The area is discontiguous and we leave an empty slot before `rx`.
> + // PANIC: since `rx != 0 && rx is unsigned` we have `rx - 1 >= 0`
> + // PANIC: since `rx <= tx && before_tx.len() == tx` we have `rx - 1 <= before_tx.len()`
> + (after_tx, &mut before_tx[..(rx - 1)])
> }
> }
>
WARNING: multiple messages have this Message-ID (diff)
From: "Gary Guo" <gary@garyguo.net>
To: "Eliot Courtney" <ecourtney@nvidia.com>,
"Danilo Krummrich" <dakr@kernel.org>,
"Alexandre Courbot" <acourbot@nvidia.com>,
"Alice Ryhl" <aliceryhl@google.com>,
"David Airlie" <airlied@gmail.com>,
"Simona Vetter" <simona@ffwll.ch>,
"Alistair Popple" <apopple@nvidia.com>
Cc: <nouveau@lists.freedesktop.org>, <rust-for-linux@vger.kernel.org>,
<dri-devel@lists.freedesktop.org>, <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 3/4] gpu: nova-core: gsp: fix improper handling of empty slot in cmdq
Date: Fri, 23 Jan 2026 18:31:21 +0000 [thread overview]
Message-ID: <DFW6LTFCK75Y.1U7ZRPNHVVC2I@garyguo.net> (raw)
In-Reply-To: <20260122-nova-core-cmdq1-v1-3-7f8fe4683f11@nvidia.com>
On Thu Jan 22, 2026 at 2:59 AM GMT, Eliot Courtney wrote:
> The current code hands out buffers that go all the way up to and
> including `rx - 1`, but we need to maintain an empty slot to prevent the
> ring buffer from wrapping around into having 'tx == rx', which means
> empty.
Doesn't this mean that you're effectively wasting a slot? You can easily
implementing a ring buffer that allows you to disambiguate empty/full while
still using all slots.
A common approach is to only do modulo/masking operation before accessing the
slot. Then `write_ptr.wrapping_sub(read_ptr)` will give you the accurate length of
things inside the ring buffer.
Best,
Gary
>
> Also add more rigorous no-panic proofs.
>
> Fixes: 75f6b1de8133 ("gpu: nova-core: gsp: Add GSP command queue bindings and handling")
> Signed-off-by: Eliot Courtney <ecourtney@nvidia.com>
> ---
> drivers/gpu/nova-core/gsp/cmdq.rs | 31 +++++++++++++++++--------------
> 1 file changed, 17 insertions(+), 14 deletions(-)
>
> diff --git a/drivers/gpu/nova-core/gsp/cmdq.rs b/drivers/gpu/nova-core/gsp/cmdq.rs
> index 09c28eeb6f12..b6d6093e3ac0 100644
> --- a/drivers/gpu/nova-core/gsp/cmdq.rs
> +++ b/drivers/gpu/nova-core/gsp/cmdq.rs
> @@ -227,21 +227,24 @@ fn new(dev: &device::Device<device::Bound>) -> Result<Self> {
> // PANIC: per the invariant of `cpu_write_ptr`, `tx` is `< MSGQ_NUM_PAGES`.
> let (before_tx, after_tx) = gsp_mem.cpuq.msgq.data.split_at_mut(tx);
>
> - if rx <= tx {
> - // The area from `tx` up to the end of the ring, and from the beginning of the ring up
> - // to `rx`, minus one unit, belongs to the driver.
> - if rx == 0 {
> - let last = after_tx.len() - 1;
> - (&mut after_tx[..last], &mut before_tx[0..0])
> - } else {
> - (after_tx, &mut before_tx[..rx])
> - }
> + // The area starting at `tx` and ending at `rx - 2` modulo MSGQ_NUM_PAGES, inclusive,
> + // belongs to the driver for writing.
> + if rx == 0 {
> + // Since `rx` is zero, leave an empty slot at end of the buffer.
> + let last = after_tx.len() - 1;
> + (&mut after_tx[..last], &mut before_tx[0..0])
> + } else if rx > tx {
> + // The area is contiguous and we leave an empty slot before `rx`.
> + // PANIC: since `rx > tx` we have `rx - tx - 1 >= 0`
> + // PANIC: since `tx < rx < MSGQ_NUM_PAGES && after_tx.len() == MSGQ_NUM_PAGES - tx`:
> + // `rx - 1 <= MSGQ_NUM_PAGES` -> `rx - tx - 1 <= MSGQ_NUM_PAGES - tx`
> + // -> `rx - tx - 1 <= after_tx.len()`
> + (&mut after_tx[..(rx - tx - 1)], &mut before_tx[0..0])
> } else {
> - // The area from `tx` to `rx`, minus one unit, belongs to the driver.
> - //
> - // PANIC: per the invariants of `cpu_write_ptr` and `gsp_read_ptr`, `rx` and `tx` are
> - // `<= MSGQ_NUM_PAGES`, and the test above ensured that `rx > tx`.
> - (after_tx.split_at_mut(rx - tx).0, &mut before_tx[0..0])
> + // The area is discontiguous and we leave an empty slot before `rx`.
> + // PANIC: since `rx != 0 && rx is unsigned` we have `rx - 1 >= 0`
> + // PANIC: since `rx <= tx && before_tx.len() == tx` we have `rx - 1 <= before_tx.len()`
> + (after_tx, &mut before_tx[..(rx - 1)])
> }
> }
>
next prev parent reply other threads:[~2026-01-23 18:31 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-22 2:59 [PATCH 0/4] gpu: nova-core: gsp: fix command queue ring buffer bugs Eliot Courtney
2026-01-22 2:59 ` [PATCH 1/4] gpu: nova-core: gsp: fix incorrect advancing of write pointer Eliot Courtney
2026-01-23 18:28 ` Gary Guo
2026-01-23 18:28 ` Gary Guo
2026-01-26 4:02 ` Eliot Courtney
2026-01-26 4:02 ` Eliot Courtney
2026-01-22 2:59 ` [PATCH 2/4] gpu: nova-core: gsp: clarify comments about invariants and pointer roles Eliot Courtney
2026-01-22 2:59 ` [PATCH 3/4] gpu: nova-core: gsp: fix improper handling of empty slot in cmdq Eliot Courtney
2026-01-22 3:26 ` John Hubbard
2026-01-22 5:07 ` Eliot Courtney
2026-01-22 5:07 ` Eliot Courtney
2026-01-22 9:27 ` Alexandre Courbot
2026-01-22 9:27 ` Alexandre Courbot
2026-01-23 14:19 ` Miguel Ojeda
2026-01-23 14:19 ` Miguel Ojeda
2026-01-22 11:11 ` Miguel Ojeda
2026-01-22 11:11 ` Miguel Ojeda
2026-01-23 18:31 ` Gary Guo [this message]
2026-01-23 18:31 ` Gary Guo
2026-01-26 4:17 ` Eliot Courtney
2026-01-26 4:17 ` Eliot Courtney
2026-01-22 2:59 ` [PATCH 4/4] gpu: nova-core: gsp: fix improper indexing in driver_read_area Eliot Courtney
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DFW6LTFCK75Y.1U7ZRPNHVVC2I@garyguo.net \
--to=gary@garyguo.net \
--cc=acourbot@nvidia.com \
--cc=airlied@gmail.com \
--cc=aliceryhl@google.com \
--cc=apopple@nvidia.com \
--cc=dakr@kernel.org \
--cc=dri-devel@lists.freedesktop.org \
--cc=ecourtney@nvidia.com \
--cc=linux-kernel@vger.kernel.org \
--cc=nouveau@lists.freedesktop.org \
--cc=rust-for-linux@vger.kernel.org \
--cc=simona@ffwll.ch \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.