Re: [PATCH net] octeontx2-af: npc: Fix size of entry2cntr_map

From: Jakub Kicinski

Date: Tue Jun 09 2026 - 20:30:08 EST

This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.
---
octeontx2-af: npc: Fix size of entry2cntr_map

octeontx2-af: Fix out of bound access in entry2counter array.
KASAN prints below splat. This is caused by allocating counter for
reserved mcam entry for cpt 2nd pass entry. But mcam->entry2cntr_map
is not allocated for reserved entries.

[ ... ]

> diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c
> index d301a3f0f87a8..12f525b5df7bb 100644
> --- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c
> +++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c
> @@ -2181,7 +2181,7 @@ int npc_mcam_rsrcs_init(struct rvu *rvu, int blkaddr)
> /* Alloc memory for MCAM entry to counter mapping and for tracking
> * counter's reference count.
> */
> - mcam->entry2cntr_map = kcalloc(mcam->bmap_entries, sizeof(u16),
> + mcam->entry2cntr_map = kcalloc(mcam->total_entries, sizeof(u16),
> GFP_KERNEL);

[Severity: High]
Now that entry2cntr_map is allocated to total_entries to allow counters on
reserved entries, do the cleanup loops also need to be updated?

Looking at __npc_mcam_free_counter() and
rvu_mbox_handler_npc_mcam_unmap_counter(), they appear to only iterate up to
mcam->bmap_entries and search the unreserved bitmap:

__npc_mcam_free_counter() {
...
while (entry < mcam->bmap_entries) {
if (!mcam->cntr_refcnt[req->cntr])
break;
index = find_next_bit(mcam->bmap, mcam->bmap_entries, entry);
...
}

Does this skip unmapping counters that are attached to reserved MCAM entries?

If so, could the hardware STAT_ACT register remain active and leak the
counter's reference count, causing cross-tenant statistics corruption when
the counter is later reallocated?

> if (!mcam->entry2cntr_map)
> goto free_cntr_map;

--
pw-bot: cr