Re: [PATCH] gpu: nova-core: gsp: fix UB in DmaGspMem pointer accessors

[Danilo Krummrich]

On Mon Mar 9, 2026 at 11:53 PM CET, Danilo Krummrich wrote:

Applied to drm-rust-fixes, thanks!

--- commit ---

commit 0073a17b466684413ac87cf8ff6c19560db44e7a
Author: Danilo Krummrich <dakr@xxxxxxxxxx>
Date:   Mon Mar 9 23:53:24 2026 +0100

    gpu: nova-core: gsp: fix UB in DmaGspMem pointer accessors

    The DmaGspMem pointer accessor methods (gsp_write_ptr, gsp_read_ptr,
    cpu_read_ptr, cpu_write_ptr, advance_cpu_read_ptr,
    advance_cpu_write_ptr) dereference a raw pointer to DMA memory, creating
    an intermediate reference before calling volatile read/write methods.

    This is undefined behavior since DMA memory can be concurrently modified
    by the device.

    Fix this by moving the implementations into a gsp_mem module in fw.rs
    that uses the dma_read!() / dma_write!() macros, making the original
    methods on DmaGspMem thin forwarding wrappers.

    An alternative approach would have been to wrap the shared memory in
    Opaque, but that would have required even more unsafe code.

    Since the gsp_mem module lives in fw.rs (to access firmware-specific
    binding field names), GspMem, Msgq and their relevant fields are
    temporarily widened to pub(super). This will be reverted once IoView
    projections are available.

    Cc: Gary Guo <gary@xxxxxxxxxxx>
    Closes: https://lore.kernel.org/nouveau/DGUT14ILG35P.1UMNRKU93JUM1@xxxxxxxxxx/
    Fixes: 75f6b1de8133 ("gpu: nova-core: gsp: Add GSP command queue bindings and handling")
    Reviewed-by: Alexandre Courbot <acourbot@xxxxxxxxxx>
    Link: https://patch.msgid.link/20260309225408.27714-1-dakr@xxxxxxxxxx
    [ Use pub(super) where possible; replace bitwise-and with modulo
      operator analogous to [1]. - Danilo ]
    Link: https://lore.kernel.org/all/20260129-nova-core-cmdq1-v3-1-2ede85493a27@xxxxxxxxxx/ [1]
    Signed-off-by: Danilo Krummrich <dakr@xxxxxxxxxx>