Re: [PATCH v3] gpu: nova-core: gsp: fix undefined behavior in command queue code

Next message: Zi Yan: "Re: [PATCH v1 00/10] Remove READ_ONLY_THP_FOR_FS Kconfig"
Previous message: Li Ming: "[PATCH] dma-fence: Dereference correct dma_fence in dma_fence_chain_find_seqno()"
In reply to: Gary Guo: "Re: [PATCH v3] gpu: nova-core: gsp: fix undefined behavior in command queue code"
Next in thread: kernel test robot: "Re: [PATCH v3] gpu: nova-core: gsp: fix undefined behavior in command queue code"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Danilo Krummrich

Date: Fri Mar 27 2026 - 10:35:15 EST

On Thu Mar 26, 2026 at 6:43 AM CET, Alexandre Courbot wrote:
> + // - Since `data` was created from a valid pointer, both `tail_slice` and `wrap_slice` are
> + // pointers to valid arrays.
> + // - The area starting at `tx` and ending at `rx - 2` modulo `MSGQ_NUM_PAGES`,
> + // inclusive, belongs to the driver for writing and is not accessed concurrently by
> + // the GSP.
> + // - The caller holds a reference to `self` for as long as the returned slices are live,
> + // meaning the CPU write pointer cannot be advanced and thus that the returned area
> + // remains exclusive to the CPU for the duration of the slices.
> + (unsafe { &mut *tail_slice }, unsafe { &mut *wrap_slice })

I think this does miss the justification for tail_slice and wrap_slice to not
overlap, i.e. don't we need something like:

- `tail_slice` and `wrap_slice` point to non-overlapping sub-ranges of `data` in all
branches (in the `rx <= tx` case, `wrap_slice` ends at `rx - 1` which is strictly less
than `tx` where `tail_slice` starts; in the other cases one of the slices is empty),
so creating two `&mut` references from them does not violate aliasing rules.

With this considered,

Reviewed-by: Danilo Krummrich <dakr@xxxxxxxxxx>