From mboxrd@z Thu Jan 1 00:00:00 1970 From: Claude Code Review Bot To: dri-devel-reviews@example.com Subject: Claude review: drm/xe: gate observation streams with perf_allow_cpu() Date: Mon, 25 May 2026 21:03:40 +1000 Message-ID: In-Reply-To: <20260521024904.331912-3-jhubbard@nvidia.com> References: <20260521024904.331912-1-jhubbard@nvidia.com> <20260521024904.331912-3-jhubbard@nvidia.com> X-Mailer: Claude Code Patch Reviewer Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Patch Review **Design: Good.** The new `xe_observation_paranoid_check()` wrapper is well= -designed: ```c int xe_observation_paranoid_check(void) { if (!xe_observation_paranoid) return 0; return perf_allow_cpu(); } ``` When the xe-specific sysctl is cleared, observation is open to all =E2=80= =94 preserving the existing escape hatch. When set (the default), it defers= to the system-wide perf policy. **Making `xe_observation_paranoid` static:** Good call. Since all access is= now through `xe_observation_paranoid_check()`, there's no need to export t= he variable. The sysctl table in the same file still references it directly= , which is fine. **Call-site conversions:** All five sites are correctly converted: - `xe_eu_stall.c`: 1 site (line 976) - `xe_oa.c`: 4 sites (mmap, stream open, add config, remove config) Each now propagates the actual error code from `perf_allow_cpu()` rather th= an hardcoding `-EACCES`, which is correct behavior. **Behavioral change =E2=80=94 worth documenting to reviewers:** The old check: ```c if (xe_observation_paranoid && !perfmon_capable()) return -EACCES; ``` The new check via `perf_allow_cpu()`: ```c if (sysctl_perf_event_paranoid > 0 && !perfmon_capable()) return -EACCES; return security_perf_event_open(PERF_SECURITY_CPU); ``` This means: 1. If an admin sets `kernel.perf_event_paranoid=3D0` (or `-1`), non-root us= ers gain xe observation access they previously didn't have (previously, onl= y `perfmon_capable()` was checked). The commit message acknowledges this as= the intent. 2. Conversely, LSM policies restricting `PERF_SECURITY_CPU` will now also b= lock xe observation =E2=80=94 a tightening that seems correct. **Potential build issue =E2=80=94 missing `CONFIG_PERF_EVENTS` dependency:*= * The current xe observation code uses `perfmon_capable()` from ``, which is available regardless of `CONFIG_PERF_EVENTS`. After t= his patch, `xe_observation.c` calls `perf_allow_cpu()`, which is only decla= red inside `#ifdef CONFIG_PERF_EVENTS` in `` and only d= efined in `kernel/events/core.c` (guarded by the same config). There is no = stub in the `#else` block. If someone builds a kernel with `CONFIG_DRM_XE= =3Dy` but `CONFIG_PERF_EVENTS=3Dn` (unusual but possible), this will fail t= o link. Consider adding `depends on PERF_EVENTS` or `select PERF_EVENTS` to= `drivers/gpu/drm/xe/Kconfig`, or adding a `#ifndef CONFIG_PERF_EVENTS` fal= lback that returns `-EACCES` unconditionally. **Documentation:** The kerneldoc for `xe_observation_paranoid_check()` and = the updated sysctl_register doc are clear and accurate. **Minor nit:** The `xe_oa_stream_open_ioctl` conversion restructures the co= nditional nicely by pulling `privileged_op` out of the combined `if`: ```c if (privileged_op) { ret =3D xe_observation_paranoid_check(); if (ret) { ... goto err_exec_q; } } ``` This is cleaner than the original three-way `&&`. Good. --- Generated by Claude Code Patch Reviewer