Re: [PATCH v14 net-next 9/9] octeontx2-af: npc: cn20k: Allocate npc_priv and dstats dynamically.

[Paolo Abeni]

On 5/15/26 9:30 AM, Ratheesh Kannoth wrote:
> On 2026-05-14 at 11:55:37, Ratheesh Kannoth (rkannoth@xxxxxxxxxxx) wrote:
>> Replace the file-scope static npc_priv with a kcalloc'd struct filled
>> from hardware bank/subbank geometry at init (num_banks is no longer a
>> const compile-time constant; drop init_done and use a non-NULL
>> npc_priv pointer for liveness). Thread npc_priv_get() / pointer access
>> through the CN20K NPC code paths, extend teardown to kfree the root
>> struct on failure and in npc_cn20k_deinit, and adjust MCAM section
>> setup to use the discovered subbank count.
>>
> 
>>>  #include "cn20k/reg.h"
>>>  #include "rvu_npc_fs.h"
>>>
>>> -static struct npc_priv_t npc_priv = {
>>> -	.num_banks = MAX_NUM_BANKS,
>>> -};
>>> +static struct npc_priv_t *npc_priv;
>> Since npc_priv and dstats are still declared as global file-scope variables,
>> won't probing multiple RVU devices cause these pointers to be overwritten?
>> If a second device is probed, the allocations for the first device would be
>> leaked and both devices would end up sharing the second device's state.
>> On device unbind, devres will automatically free dstats, leaving a dangling
>> global pointer. Additionally, npc_cn20k_deinit() explicitly frees npc_priv
>> and sets it to NULL.
>> If a userspace process reads a debugfs file after device unbind, could it
>> cause a NULL pointer dereference on npc_priv or a use-after-free when
>> accessing the dstats array?
> While a global file-scope pointer introduces a shared-state risk in
> drivers that support multiple instances, the structural design and
> physical topology of the OcteonTX2 platform eliminate this hazard.
> 
> First, the system architecture dictates that exactly one physical RVU
> Admin Function (AF) hardware block exists per SoC layout. Because the
> hardware platform cannot expose multiple active AF instances, there is
> no parallel or sequential device probing sequence to trigger a race
> condition, overwrite existing allocations, or cause memory leaks between distinct devices.

Since at least another revision of this series is needed (see my
previous email), and the code depends on the above H/W constraints,
please document it explicitly somewhere inside the code. A build time or
run time check would possibly be even better.

>> 	for (int bank = npc_priv->num_banks - 1; bank >= 0; bank--) {
>> 		for (int idx = npc_priv->bank_depth - 1; idx >= 0; idx--) {
>>            ...
>> 			if (stats < dstats[0][bank][idx])
>> 				dstats[0][bank][idx] = 0;
>>    ...
>> }
>> Since dstats is still statically sized using MAX_NUM_BANKS and related
>> macros, will this result in out-of-bounds accesses if the hardware returns
>> larger values?
>> Similarly, the en_map bitmap is sized using these same static constants.
>> Could operations like set_bit(index, npc_priv->en_map) in
>> npc_cn20k_enable_mcam_entry() corrupt the npc_priv_t structure if the
>> hardware dimensions exceed the static bitmap size?
> 
> The static definitions for the tracking arrays and bitmaps are based
> strictly on the silicon's hard limits, preventing any possibility of
> out-of-bounds corruption.
> 
> The compile-time constants (MAX_NUM_BANKS, MAX_NUM_SUB_BANKS, and
> MAX_SUBBANK_DEPTH) do not represent arbitrary bounds; they define the
> absolute, physical maximum limits across all existing and planned SoC
> variants for the CN20K hardware profile. The hardware registers cannot
> expose configuration dimensions that exceed these maximum architectural limits
> because the underlying silicon layout lacks the physical lines or registers
> to support larger structures.
A similar remark here.

/P