From mboxrd@z Thu Jan 1 00:00:00 1970 From: Claude Code Review Bot To: dri-devel-reviews@example.com Subject: Claude review: drm/xe: gate observation streams with perf_allow_cpu() Date: Mon, 25 May 2026 18:04:51 +1000 Message-ID: In-Reply-To: <20260523013326.129491-3-jhubbard@nvidia.com> References: <20260523013326.129491-1-jhubbard@nvidia.com> <20260523013326.129491-3-jhubbard@nvidia.com> X-Mailer: Claude Code Patch Reviewer Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit MIME-Version: 1.0 Patch Review **Good design:** The introduction of `xe_observation_paranoid_check()` as a single gating function is clean: ```c int xe_observation_paranoid_check(void) { if (!xe_observation_paranoid) return 0; return perf_allow_cpu(); } ``` The `xe_observation_paranoid` sysctl remains as an escape hatch (when cleared, bypass all checks), but when enabled it delegates to the proper perf infrastructure instead of open-coding a partial check. **Good: variable made static.** Since `xe_observation_paranoid` is now only accessed inside `xe_observation.c`, making it `static` and removing the `extern` from the header is the right cleanup: ```c -u32 xe_observation_paranoid = true; +static u32 xe_observation_paranoid = true; ``` **All call sites converted consistently.** The five open-coded sites (1 in `xe_eu_stall.c`, 4 in `xe_oa.c`) are all converted to `xe_observation_paranoid_check()`, and the return value is properly propagated instead of always using `-EACCES`. This is correct because `perf_allow_cpu()` itself returns `-EACCES` on the capability check, so the common case is unchanged, but the LSM hook could return a different error code. **Behavioral change to note:** The `xe_oa_mmap()` path previously checked `xe_observation_paranoid && !perfmon_capable()` at mmap time. Now it calls `perf_allow_cpu()` which also invokes the LSM hook. This is appropriate -- the mmap exposes the same sensitive observation data, so gating it with the same policy is consistent. However, it's worth noting that a process that successfully opened an OA stream might then fail the mmap if the LSM policy changed between open and mmap. This is a theoretical TOCTOU edge case that also exists in the current perf infrastructure and isn't a concern in practice. **Error code subtlety in xe_oa_stream_open_ioctl:** The restructuring of the privileged_op check is clean: ```c - if (privileged_op && xe_observation_paranoid && !perfmon_capable()) { - ... - ret = -EACCES; - goto err_exec_q; + if (privileged_op) { + ret = xe_observation_paranoid_check(); + if (ret) { + ... + goto err_exec_q; + } } ``` This correctly separates the "is this a privileged operation" decision from the "does the caller have permission" decision. **Doc comment:** The function-level comment on `xe_observation_paranoid_check()` is thorough and accurately describes the behavior. It's on the verbose side for kernel style but not objectionable. No blocking issues with this patch. --- Generated by Claude Code Patch Reviewer