Re: [PATCH v14 net-next 9/9] octeontx2-af: npc: cn20k: Allocate npc_priv and dstats dynamically.

[Ratheesh Kannoth <rkannoth@marvell.com>]

On 2026-05-14 at 11:55:37, Ratheesh Kannoth (rkannoth@marvell.com) wrote:
> Replace the file-scope static npc_priv with a kcalloc'd struct filled
> from hardware bank/subbank geometry at init (num_banks is no longer a
> const compile-time constant; drop init_done and use a non-NULL
> npc_priv pointer for liveness). Thread npc_priv_get() / pointer access
> through the CN20K NPC code paths, extend teardown to kfree the root
> struct on failure and in npc_cn20k_deinit, and adjust MCAM section
> setup to use the discovered subbank count.
>

>>  #include "cn20k/reg.h"
>>  #include "rvu_npc_fs.h"
>>
>> -static struct npc_priv_t npc_priv = {
>> -	.num_banks = MAX_NUM_BANKS,
>> -};
>> +static struct npc_priv_t *npc_priv;
>Since npc_priv and dstats are still declared as global file-scope variables,
>won't probing multiple RVU devices cause these pointers to be overwritten?
>If a second device is probed, the allocations for the first device would be
>leaked and both devices would end up sharing the second device's state.
>On device unbind, devres will automatically free dstats, leaving a dangling
>global pointer. Additionally, npc_cn20k_deinit() explicitly frees npc_priv
>and sets it to NULL.
>If a userspace process reads a debugfs file after device unbind, could it
>cause a NULL pointer dereference on npc_priv or a use-after-free when
>accessing the dstats array?
While a global file-scope pointer introduces a shared-state risk in
drivers that support multiple instances, the structural design and
physical topology of the OcteonTX2 platform eliminate this hazard.

First, the system architecture dictates that exactly one physical RVU
Admin Function (AF) hardware block exists per SoC layout. Because the
hardware platform cannot expose multiple active AF instances, there is
no parallel or sequential device probing sequence to trigger a race
condition, overwrite existing allocations, or cause memory leaks between distinct devices.

Second, the debugfs nodes and the driver's structural life cycle are
fundamentally serialized. When a device unbind occurs, the kernel’s
driver model coordinates the teardown by systematically removing the
associated debugfs entries before finalizing the subsystem de-initialization.
Because the debugfs file operations are unlinked and blocked from further
invocation prior to executing the kfree(npc_priv) routine in
npc_cn20k_deinit(), any userspace read attempt is rejected at the VFS
layer, removing the possibility of a post-unbind NULL pointer dereference
or use-after-free regression.

>>   */
>>  struct npc_priv_t {
>>  	int bank_depth;
>> -	const int num_banks;
>> +	int num_banks;
>>  	int num_subbanks;
>>  	int subbank_depth;
>>  	DECLARE_BITMAP(en_map, MAX_NUM_BANKS *
>Now that num_banks and bank_depth are populated from hardware values
>instead of compile-time constants, do we need to validate them against the
>MAX_NUM_BANKS and MAX_SUBBANK_DEPTH constants?
>Looking at npc_mcam_dstats_show(), it loops based on these hardware values
>and indexes into the dstats array:
>npc_mcam_dstats_show() {
>    ...
>	for (int bank = npc_priv->num_banks - 1; bank >= 0; bank--) {
>		for (int idx = npc_priv->bank_depth - 1; idx >= 0; idx--) {
>            ...
>			if (stats < dstats[0][bank][idx])
>				dstats[0][bank][idx] = 0;
>    ...
>}
>Since dstats is still statically sized using MAX_NUM_BANKS and related
>macros, will this result in out-of-bounds accesses if the hardware returns
>larger values?
>Similarly, the en_map bitmap is sized using these same static constants.
>Could operations like set_bit(index, npc_priv->en_map) in
>npc_cn20k_enable_mcam_entry() corrupt the npc_priv_t structure if the
>hardware dimensions exceed the static bitmap size?

The static definitions for the tracking arrays and bitmaps are based
strictly on the silicon's hard limits, preventing any possibility of
out-of-bounds corruption.

The compile-time constants (MAX_NUM_BANKS, MAX_NUM_SUB_BANKS, and
MAX_SUBBANK_DEPTH) do not represent arbitrary bounds; they define the
absolute, physical maximum limits across all existing and planned SoC
variants for the CN20K hardware profile. The hardware registers cannot
expose configuration dimensions that exceed these maximum architectural limits
because the underlying silicon layout lacks the physical lines or registers
to support larger structures.

Because the statically allocated arrays and bitmaps (like dstats and
en_map) are configured to support this full architectural envelope, the
runtime values assigned to num_banks and bank_depth are structurally
guaranteed to be less than or equal to these maximum limits. As a result,
the loops inside npc_mcam_dstats_show() and bit operations inside
npc_cn20k_enable_mcam_entry() will never cross the boundaries of the
allocated memory footprint, making runtime validation checks redundant.