Re: [PATCH v2 4/4] gpu: nova-core: gsp: fix improper indexing in driver_read_area

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Alexandre Courbot" <acourbot@nvidia.com>
To: "Gary Guo" <gary@garyguo.net>
Cc: Eliot Courtney <ecourtney@nvidia.com>,
	Danilo Krummrich <dakr@kernel.org>,
	Alice Ryhl <aliceryhl@google.com>,
	Simona Vetter <simona@ffwll.ch>,
	Alistair Popple <apopple@nvidia.com>,
	nouveau@lists.freedesktop.org, rust-for-linux@vger.kernel.org,
	dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 4/4] gpu: nova-core: gsp: fix improper indexing in driver_read_area
Date: Wed, 28 Jan 2026 21:18:37 +0900	[thread overview]
Message-ID: <DG07T5OKDVAR.2PJRWMXMGS316@nvidia.com> (raw)
In-Reply-To: <DFYQGXHPBZP7.O34DZ6RTDGU0@garyguo.net>

On Tue Jan 27, 2026 at 3:30 AM JST, Gary Guo wrote:
> On Fri Jan 23, 2026 at 12:12 PM GMT, Eliot Courtney wrote:
>> The current code indexes into `after_rx` using `tx` which is an index
>> for the whole buffer, not the split buffer `after_rx`.
>>
>> Also add more rigorous no-panic proofs.
>>
>> Fixes: 75f6b1de8133 ("gpu: nova-core: gsp: Add GSP command queue bindings and handling")
>> Signed-off-by: Eliot Courtney <ecourtney@nvidia.com>
>> ---
>>  drivers/gpu/nova-core/gsp/cmdq.rs | 19 ++++++++++++++-----
>>  1 file changed, 14 insertions(+), 5 deletions(-)
>>
>> diff --git a/drivers/gpu/nova-core/gsp/cmdq.rs b/drivers/gpu/nova-core/gsp/cmdq.rs
>> index aa8758fc7723..c26396fda29c 100644
>> --- a/drivers/gpu/nova-core/gsp/cmdq.rs
>> +++ b/drivers/gpu/nova-core/gsp/cmdq.rs
>> @@ -1,7 +1,6 @@
>>  // SPDX-License-Identifier: GPL-2.0
>>  
>>  use core::{
>> -    cmp,
>>      mem,
>>      sync::atomic::{
>>          fence,
>> @@ -267,10 +266,20 @@ fn new(dev: &device::Device<device::Bound>) -> Result<Self> {
>>          // PANIC: per the invariant of `cpu_read_ptr`, `rx` is `< MSGQ_NUM_PAGES`.
>>          let (before_rx, after_rx) = gsp_mem.gspq.msgq.data.split_at(rx);
>
> This code doesn't need splitting as it doesn't have the uniqueness issue that
> mutable references have. While you're at it, probably it's chance to simplify
> the code.
>
>>  
>> -        match tx.cmp(&rx) {
>> -            cmp::Ordering::Equal => (&after_rx[0..0], &after_rx[0..0]),
>> -            cmp::Ordering::Greater => (&after_rx[..tx], &before_rx[0..0]),
>> -            cmp::Ordering::Less => (after_rx, &before_rx[..tx]),
>> +        // The area starting at `rx` and ending at `tx - 1` modulo MSGQ_NUM_PAGES, inclusive,
>> +        // belongs to the driver for reading.
>> +        if rx <= tx {
>> +            // The area is contiguous.
>> +            // PANIC:
>> +            // - The index `tx - rx` is non-negative because `rx <= tx` in this branch.
>> +            // - The index does not exceed `after_rx.len()` (which is `MSGQ_NUM_PAGES - rx`)
>> +            //   because `tx < MSGQ_NUM_PAGES` by the `gsp_write_ptr` invariant.
>> +            (&after_rx[..(tx - rx)], &after_rx[0..0])
>
> This can be just `(&data[rx..tx], &[])` without the split.
>
>> +        } else {
>> +            // The area is discontiguous.
>> +            // PANIC: `tx` does not exceed `before_rx.len()` (which equals `rx`) because
>> +            //   `tx < rx` in this branch.
>> +            (after_rx, &before_rx[..tx])
>
> This can be just `(&data[rx..], &data[..tx])` without the split.

Indeed, this is arguably easier to understand.

WARNING: multiple messages have this Message-ID (diff)

From: "Alexandre Courbot" <acourbot@nvidia.com>
To: "Gary Guo" <gary@garyguo.net>
Cc: "Eliot Courtney" <ecourtney@nvidia.com>,
	"Danilo Krummrich" <dakr@kernel.org>,
	"Alice Ryhl" <aliceryhl@google.com>,
	"David Airlie" <airlied@gmail.com>,
	"Simona Vetter" <simona@ffwll.ch>,
	"Alistair Popple" <apopple@nvidia.com>,
	<nouveau@lists.freedesktop.org>, <rust-for-linux@vger.kernel.org>,
	<dri-devel@lists.freedesktop.org>, <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v2 4/4] gpu: nova-core: gsp: fix improper indexing in driver_read_area
Date: Wed, 28 Jan 2026 21:18:37 +0900	[thread overview]
Message-ID: <DG07T5OKDVAR.2PJRWMXMGS316@nvidia.com> (raw)
In-Reply-To: <DFYQGXHPBZP7.O34DZ6RTDGU0@garyguo.net>

On Tue Jan 27, 2026 at 3:30 AM JST, Gary Guo wrote:
> On Fri Jan 23, 2026 at 12:12 PM GMT, Eliot Courtney wrote:
>> The current code indexes into `after_rx` using `tx` which is an index
>> for the whole buffer, not the split buffer `after_rx`.
>>
>> Also add more rigorous no-panic proofs.
>>
>> Fixes: 75f6b1de8133 ("gpu: nova-core: gsp: Add GSP command queue bindings and handling")
>> Signed-off-by: Eliot Courtney <ecourtney@nvidia.com>
>> ---
>>  drivers/gpu/nova-core/gsp/cmdq.rs | 19 ++++++++++++++-----
>>  1 file changed, 14 insertions(+), 5 deletions(-)
>>
>> diff --git a/drivers/gpu/nova-core/gsp/cmdq.rs b/drivers/gpu/nova-core/gsp/cmdq.rs
>> index aa8758fc7723..c26396fda29c 100644
>> --- a/drivers/gpu/nova-core/gsp/cmdq.rs
>> +++ b/drivers/gpu/nova-core/gsp/cmdq.rs
>> @@ -1,7 +1,6 @@
>>  // SPDX-License-Identifier: GPL-2.0
>>  
>>  use core::{
>> -    cmp,
>>      mem,
>>      sync::atomic::{
>>          fence,
>> @@ -267,10 +266,20 @@ fn new(dev: &device::Device<device::Bound>) -> Result<Self> {
>>          // PANIC: per the invariant of `cpu_read_ptr`, `rx` is `< MSGQ_NUM_PAGES`.
>>          let (before_rx, after_rx) = gsp_mem.gspq.msgq.data.split_at(rx);
>
> This code doesn't need splitting as it doesn't have the uniqueness issue that
> mutable references have. While you're at it, probably it's chance to simplify
> the code.
>
>>  
>> -        match tx.cmp(&rx) {
>> -            cmp::Ordering::Equal => (&after_rx[0..0], &after_rx[0..0]),
>> -            cmp::Ordering::Greater => (&after_rx[..tx], &before_rx[0..0]),
>> -            cmp::Ordering::Less => (after_rx, &before_rx[..tx]),
>> +        // The area starting at `rx` and ending at `tx - 1` modulo MSGQ_NUM_PAGES, inclusive,
>> +        // belongs to the driver for reading.
>> +        if rx <= tx {
>> +            // The area is contiguous.
>> +            // PANIC:
>> +            // - The index `tx - rx` is non-negative because `rx <= tx` in this branch.
>> +            // - The index does not exceed `after_rx.len()` (which is `MSGQ_NUM_PAGES - rx`)
>> +            //   because `tx < MSGQ_NUM_PAGES` by the `gsp_write_ptr` invariant.
>> +            (&after_rx[..(tx - rx)], &after_rx[0..0])
>
> This can be just `(&data[rx..tx], &[])` without the split.
>
>> +        } else {
>> +            // The area is discontiguous.
>> +            // PANIC: `tx` does not exceed `before_rx.len()` (which equals `rx`) because
>> +            //   `tx < rx` in this branch.
>> +            (after_rx, &before_rx[..tx])
>
> This can be just `(&data[rx..], &data[..tx])` without the split.

Indeed, this is arguably easier to understand.

next prev parent reply	other threads:[~2026-01-28 12:18 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-01-23 12:12 [PATCH v2 0/4] gpu: nova-core: gsp: fix command queue ring buffer bugs Eliot Courtney
2026-01-23 12:12 ` [PATCH v2 1/4] gpu: nova-core: gsp: fix incorrect advancing of write pointer Eliot Courtney
2026-01-23 12:12 ` [PATCH v2 2/4] gpu: nova-core: gsp: clarify comments about invariants and pointer roles Eliot Courtney
2026-01-26 18:04   ` Gary Guo
2026-01-26 18:04     ` Gary Guo
2026-01-28  4:35     ` Eliot Courtney
2026-01-28  4:35       ` Eliot Courtney
2026-01-28  8:17       ` Alexandre Courbot
2026-01-28  8:17         ` Alexandre Courbot
2026-01-28 10:46         ` Danilo Krummrich
2026-01-28 10:46           ` Danilo Krummrich
2026-01-23 12:12 ` [PATCH v2 3/4] gpu: nova-core: gsp: fix improper handling of empty slot in cmdq Eliot Courtney
2026-01-26 18:26   ` Gary Guo
2026-01-26 18:26     ` Gary Guo
2026-01-28 11:42     ` Alexandre Courbot
2026-01-28 11:42       ` Alexandre Courbot
2026-01-28 11:39   ` Alexandre Courbot
2026-01-28 11:39     ` Alexandre Courbot
2026-01-23 12:12 ` [PATCH v2 4/4] gpu: nova-core: gsp: fix improper indexing in driver_read_area Eliot Courtney
2026-01-26 18:30   ` Gary Guo
2026-01-26 18:30     ` Gary Guo
2026-01-28 12:18     ` Alexandre Courbot [this message]
2026-01-28 12:18       ` Alexandre Courbot
2026-01-28 11:57   ` Alexandre Courbot
2026-01-28 11:57     ` Alexandre Courbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=DG07T5OKDVAR.2PJRWMXMGS316@nvidia.com \
    --to=acourbot@nvidia.com \
    --cc=aliceryhl@google.com \
    --cc=apopple@nvidia.com \
    --cc=dakr@kernel.org \
    --cc=dri-devel@lists.freedesktop.org \
    --cc=ecourtney@nvidia.com \
    --cc=gary@garyguo.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=nouveau@lists.freedesktop.org \
    --cc=rust-for-linux@vger.kernel.org \
    --cc=simona@ffwll.ch \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.