Re: [PATCH] gpu: nova-core: gsp: fix UB in DmaGspMem pointer accessors

Next message: Devang Vyas: "[PATCH v3] EDAC/amd64: Add support for family 19h, models 40h-4fh"
Previous message: Wesley Atwell: "[PATCH net 2/7] tcp: preserve rcv_wnd snapshot when updating advertised windows"
In reply to: Danilo Krummrich: "Re: [PATCH] gpu: nova-core: gsp: fix UB in DmaGspMem pointer accessors"
Next in thread: Danilo Krummrich: "Re: [PATCH] gpu: nova-core: gsp: fix UB in DmaGspMem pointer accessors"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Alexandre Courbot

Date: Wed Mar 11 2026 - 04:07:36 EST

On Tue Mar 10, 2026 at 7:53 AM JST, Danilo Krummrich wrote:
> The DmaGspMem pointer accessor methods (gsp_write_ptr, gsp_read_ptr,
> cpu_read_ptr, cpu_write_ptr, advance_cpu_read_ptr,
> advance_cpu_write_ptr) dereference a raw pointer to DMA memory, creating
> an intermediate reference before calling volatile read/write methods.
>
> This is undefined behavior since DMA memory can be concurrently modified
> by the device.
>
> Fix this by moving the implementations into a gsp_mem module in fw.rs
> that uses the dma_read!() / dma_write!() macros, making the original
> methods on DmaGspMem thin forwarding wrappers.
>
> An alternative approach would have been to wrap the shared memory in
> Opaque, but that would have required even more unsafe code.
>
> Since the gsp_mem module lives in fw.rs (to access firmware-specific
> binding field names), GspMem, Msgq, DmaGspMem and their relevant fields
> are temporarily widened to pub(in crate::gsp). This will be reverted
> once IoView projections are available.
>
> Cc: Gary Guo <gary@xxxxxxxxxxx>
> Closes: https://lore.kernel.org/nouveau/DGUT14ILG35P.1UMNRKU93JUM1@xxxxxxxxxx/
> Fixes: 75f6b1de8133 ("gpu: nova-core: gsp: Add GSP command queue bindings and handling")
> Signed-off-by: Danilo Krummrich <dakr@xxxxxxxxxx>

Thanks, this also removes 10 unsafe statements, which is *very* nice on
top of fixing the UB.

Reviewed-by: Alexandre Courbot <acourbot@xxxxxxxxxx>