Re: [PATCH v9 net-next 6/6] octeontx2-af: npc: Support for custom KPU profile from filesystem
From: Paolo Abeni
Date: Thu Apr 02 2026 - 04:55:09 EST
On 3/30/26 7:31 AM, Ratheesh Kannoth wrote:
> @@ -1635,9 +1651,9 @@ int npc_cn20k_apply_custom_kpu(struct rvu *rvu,
> }
>
> /* Verify if profile fits the HW */
> - if (fw->kpus > profile->kpus) {
> - dev_warn(rvu->dev, "Not enough KPUs: %d > %ld\n", fw->kpus,
> - profile->kpus);
> + if (fw->kpus > rvu->hw->npc_kpus) {
> + dev_warn(rvu->dev, "Not enough KPUs: %d > %d\n", fw->kpus,
> + rvu->hw->npc_kpus);
> return -EINVAL;
> }
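Review bot: The new condition `if (fw->kpus > rvu->hw->npc_kpus)` replaces the `profile->kpus` limit instead of adding the hardware limit alongside it, so after this hunk nothing shown here still ties `fw->kpus` to the size of the profile being filled. If the code following this check indexes the profile by KPU number, keep both bounds, for example `if (fw->kpus > rvu->hw->npc_kpus || fw->kpus > profile->kpus)`, and have the warning say which of the two limits was exceeded.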
AI review says:
---
The bounds check was changed from profile->kpus (which equals
ARRAY_SIZE(npc_kpu_profiles) = 16) to rvu->hw->npc_kpus (a 5-bit
hardware field, max value 31). Can this cause an out-of-bounds write?
In the subsequent loop at lines 1658-1685 (visible earlier in the
function), the code writes to profile->kpu[kpu].cam[entry] and
profile->kpu[kpu].action[entry], where profile->kpu points to the static
global npc_kpu_profiles[] array that has exactly 16 elements.
If cn20k hardware reports npc_kpus > 16 and the firmware provides
fw->kpus > 16, the new check passes but the loop iterates beyond the
array bounds, corrupting adjacent memory.
---
Also there are several remarks for sashiko, some of them look valid:
https://sashiko.dev/#/patchset/20260330053105.2722453-1-rkannoth%40marvell.com
please take a look.
Thanks,
Paolo
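A user-space model of the bounds question raised in this message, as an added example that is not part of the original thread or of the octeontx2 driver: a count read from firmware is validated against both the hardware-reported KPU count and the capacity of the destination table before the copy loop runs. All `model_*` names and the per-KPU entry count are hypothetical; the 16-element table and the 5-bit maximum of 31 are taken from the review text above.

```c
#include <stddef.h>
#include <stdio.h>

#define MODEL_PROFILE_KPUS 16 /* table capacity, 16 per the review text */
#define MODEL_HW_KPUS_MAX  31 /* largest value a 5-bit field can report */
#define MODEL_ENTRIES      4  /* constructed per-KPU entry count */

struct model_kpu {
    unsigned int cam[MODEL_ENTRIES];
    unsigned int action[MODEL_ENTRIES];
};

/* Stand-in for the static destination table; the canary sits right after it. */
static struct {
    struct model_kpu kpu[MODEL_PROFILE_KPUS];
    unsigned int canary;
} model_table = { .canary = 0xC0FFEEu };

/* Returns the number of KPUs that may be written, or -1 to reject. */
static int model_check_kpus(unsigned int fw_kpus, unsigned int hw_kpus)
{
    size_t cap = sizeof(model_table.kpu) / sizeof(model_table.kpu[0]);

    if (fw_kpus > hw_kpus) /* profile does not fit the hardware */
        return -1;
    if (fw_kpus > cap)     /* profile does not fit the table being filled */
        return -1;
    return (int)fw_kpus;
}

/* Copy loop modelled on the one described above; runs only after both checks. */
static int model_apply(unsigned int fw_kpus, unsigned int hw_kpus)
{
    int n = model_check_kpus(fw_kpus, hw_kpus);

    if (n < 0)
        return -1;
    for (int kpu = 0; kpu < n; kpu++)
        for (int e = 0; e < MODEL_ENTRIES; e++) {
            model_table.kpu[kpu].cam[e] = 0xA0u + (unsigned int)kpu;
            model_table.kpu[kpu].action[e] = 0xB0u + (unsigned int)kpu;
        }
    return n;
}

static unsigned int model_canary(void) { return model_table.canary; }

int main(void)
{
    printf("fw=16 hw=%d -> %d\n", MODEL_HW_KPUS_MAX, model_apply(16, MODEL_HW_KPUS_MAX));
    printf("fw=17 hw=%d -> %d\n", MODEL_HW_KPUS_MAX, model_apply(17, MODEL_HW_KPUS_MAX));
    return model_canary() == 0xC0FFEEu ? 0 : 1;
}
```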