From: sashiko-bot@kernel.org
To: "Geetha sowjanya" <gakula@marvell.com>
Cc: robh@kernel.org, devicetree@vger.kernel.org,
linux-perf-users@vger.kernel.org, conor+dt@kernel.org
Subject: Re: [PATCH v2 2/3] perf: marvell: Add CN20K LLC-TAD PMU support
Date: Fri, 12 Jun 2026 10:26:42 +0000 [thread overview]
Message-ID: <20260612102643.613251F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260612095746.19679-3-gakula@marvell.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Medium] Inconsistent masking of `event_idx` between validation and execution allows userspace to induce an aborted hardware programming state or bypass MPAM filters.
--
commit 13a14a3d137a1e1e8ddf65c82eb4ff187ff64ca5
Author: Geetha sowjanya <gakula@marvell.com>
perf: marvell: Add CN20K LLC-TAD PMU support
This commit adds support for the LLC Tag-and-Data (TAD) PMU on Marvell
CN20K SoCs. It introduces a new PMU profile, extended event maps, and
specific register base offsets.
> diff --git a/drivers/perf/marvell_cn10k_tad_pmu.c b/drivers/perf/marvell_cn10k_tad_pmu.c
> index af706b890bf17..e43598a52859e 100644
> --- a/drivers/perf/marvell_cn10k_tad_pmu.c
> +++ b/drivers/perf/marvell_cn10k_tad_pmu.c
[ ... ]
> @@ -85,8 +89,15 @@ static void tad_pmu_start_counter(struct tad_pmu *pmu,
> if (use_mpam && event_idx > 0x19 && event_idx < 0x21) {
> partid_filter = TAD_PRF_MATCH_PARTID | TAD_PRF_PARTID_NS |
> ((u64)partid << 11);
> +
> + if (pdata->id == TAD_PMU_V3)
> + partid_filter = TAD_PRF_MATCH_PARTID | TAD_PRF_MATCH_MPAMNS |
> + ((u64)partid << 10);
> }
>
> + /* CN10K support events 0:24*/
> + if (pdata->id == TAD_PMU_V1 && event_idx >= 0x25)
> + return;
[Severity: Medium]
In tad_pmu_event_init(), the event configuration is validated using a masked
value:
tad_pmu_event_init() {
...
u32 event_idx = (u32)(event->attr.config & GENMASK(7, 0));
...
}
However, in tad_pmu_start_counter(), event_idx is assigned directly from the
unmasked event->attr.config.
If a user provides an event configuration with upper bits set (e.g., 0x124),
it will pass the masked initialization checks, but won't it fail the unmasked
bounds checks here?
For V1 hardware, an unmasked config like 0x124 would evaluate as >= 0x25 and
trigger this new early return after clearing the counter but before
programming it, leaving the hardware in an aborted state.
Similarly, for V3 hardware, wouldn't the unmasked event_idx fail the
MPAM filter condition (event_idx > 0x19 && event_idx < 0x21) earlier in this
function, causing the counter to incorrectly bypass the filter and record all
partition IDs?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260612095746.19679-1-gakula@marvell.com?part=2
next prev parent reply other threads:[~2026-06-12 10:26 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-12 9:57 [PATCH v2 0/3] perf: marvell: LLC-TAD PMU MPAM filtering support Geetha sowjanya
2026-06-12 9:57 ` [PATCH v2 1/3] perf: marvell: Add MPAM partid filtering to CN10K TAD PMU Geetha sowjanya
2026-06-12 10:14 ` sashiko-bot
2026-06-12 9:57 ` [PATCH v2 2/3] perf: marvell: Add CN20K LLC-TAD PMU support Geetha sowjanya
2026-06-12 10:26 ` sashiko-bot [this message]
2026-06-12 9:57 ` [PATCH v2 3/3] dt-bindings: perf: marvell: add CN20K TAD " Geetha sowjanya
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260612102643.613251F00A3A@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=gakula@marvell.com \
--cc=linux-perf-users@vger.kernel.org \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox