From: "Gary Guo" <gary@garyguo.net>
To: "Eliot Courtney" <ecourtney@nvidia.com>,
"Gary Guo" <gary@garyguo.net>,
"Danilo Krummrich" <dakr@kernel.org>, <acourbot@nvidia.com>,
<aliceryhl@google.com>
Cc: <nouveau@lists.freedesktop.org>,
<dri-devel@lists.freedesktop.org>,
<rust-for-linux@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
"dri-devel" <dri-devel-bounces@lists.freedesktop.org>
Subject: Re: [PATCH] gpu: nova-core: gsp: fix UB in DmaGspMem pointer accessors
Date: Wed, 11 Mar 2026 12:58:10 +0000 [thread overview]
Message-ID: <DGZYYB7XDN4N.3L7ZRCJSQH2QE@garyguo.net> (raw)
In-Reply-To: <DGYSTBMF931L.3OV1I4IWUW4ON@nvidia.com>
On Tue Mar 10, 2026 at 3:56 AM GMT, Eliot Courtney wrote:
> On Tue Mar 10, 2026 at 11:01 AM JST, Gary Guo wrote:
>>> + pub(in crate::gsp) fn advance_cpu_read_ptr(qs: &CoherentAllocation<GspMem>, count: u32) {
>>> + let rptr = cpu_read_ptr(qs).wrapping_add(count) % MSGQ_NUM_PAGES;
>>> +
>>> + // Ensure read pointer is properly ordered.
>>> + fence(Ordering::SeqCst);
>>> +
>>> + // PANIC: A `dma::CoherentAllocation` always contains at least one element.
>>> + || -> Result {
>>> + dma_write!(qs, [0]?.cpuq.rx.0.readPtr, rptr);
>>> + Ok(())
>>> + }()
>>> + .unwrap()
>>> + }
>>> +
>>> + pub(in crate::gsp) fn cpu_write_ptr(qs: &CoherentAllocation<GspMem>) -> u32 {
>>> + // PANIC: A `dma::CoherentAllocation` always contains at least one element.
>>> + || -> Result<u32> { Ok(dma_read!(qs, [0]?.cpuq.tx.0.writePtr) % MSGQ_NUM_PAGES) }().unwrap()
>>> + }
>>> +
>>> + pub(in crate::gsp) fn advance_cpu_write_ptr(qs: &CoherentAllocation<GspMem>, count: u32) {
>>> + let wptr = cpu_write_ptr(qs).wrapping_add(count) & MSGQ_NUM_PAGES;
>>
>> Not really related to your change, but this `&` probably require a comment, as
>> it has different behaviour compared to `%` given the `MSGQ_NUM_PAGES` is not
>> power of two. I suppose this is actually intended so there's a way to
>> distinguish between empty and full ring buffer?
>>
>> Best,
>> Gary
>
> This is actually incorrect and I have fixed it here[1]. I think it
> should be merged in drm-rust-next now.
Right, I recollect reviewing your series which is why I am confused when I still
see the `&` present, thinking that this must be intentional rather than
accidental.
If this patch is intended to go through -fixes, then we should really land your
series via -fixes too, otherwise it is just causing unnecessary conflicts on
linux-next.
Best,
Gary
>
> [1]: https://lore.kernel.org/all/20260129-nova-core-cmdq1-v3-0-2ede85493a27@nvidia.com/
next prev parent reply other threads:[~2026-03-11 12:58 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-09 22:53 [PATCH] gpu: nova-core: gsp: fix UB in DmaGspMem pointer accessors Danilo Krummrich
2026-03-10 2:01 ` Gary Guo
2026-03-10 3:56 ` Eliot Courtney
2026-03-10 11:02 ` Danilo Krummrich
2026-03-11 12:58 ` Gary Guo [this message]
2026-03-11 13:04 ` Danilo Krummrich
2026-03-10 10:58 ` Danilo Krummrich
2026-03-11 12:59 ` Gary Guo
2026-03-11 13:05 ` Danilo Krummrich
2026-03-11 8:01 ` Alexandre Courbot
2026-03-11 19:29 ` Danilo Krummrich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DGZYYB7XDN4N.3L7ZRCJSQH2QE@garyguo.net \
--to=gary@garyguo.net \
--cc=acourbot@nvidia.com \
--cc=aliceryhl@google.com \
--cc=dakr@kernel.org \
--cc=dri-devel-bounces@lists.freedesktop.org \
--cc=dri-devel@lists.freedesktop.org \
--cc=ecourtney@nvidia.com \
--cc=linux-kernel@vger.kernel.org \
--cc=nouveau@lists.freedesktop.org \
--cc=rust-for-linux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox