From mboxrd@z Thu Jan  1 00:00:00 1970
From: Claude Code Review Bot <claude-review@example.com>
To: dri-devel-reviews@example.com
Subject: Claude review: accel/amdxdna: Fix out-of-bounds memset in command slot handling
Date: Wed, 18 Feb 2026 06:45:36 +1000
Message-ID: <review-overall-20260217185415.1781908-1-lizhi.hou@amd.com>
In-Reply-To: <20260217185415.1781908-1-lizhi.hou@amd.com>
References: <20260217185415.1781908-1-lizhi.hou@amd.com>
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0

Overall Series Review

Subject: accel/amdxdna: Fix out-of-bounds memset in command slot handling
Author: Lizhi Hou <lizhi.hou@amd.com>
Patches: 2
Reviewed: 2026-02-18T06:45:36.268063

---

This is a single-patch fix for the `accel/amdxdna` driver that addresses an out-of-bounds memset in four command slot filling functions. The bug was introduced by commit 3d32eb7a5ecf which moved the `memset()` call to occur before validation of available slot space. The fix is straightforward: move each `memset()` call to after the size checks that verify the slot buffer is large enough.

The bug is real and reachable. In the chain execution path (`aie2_cmdlist_chain_exec`), the remaining buffer size (`cmdbuf_abo->mem.size - offset`) shrinks with each iteration as slots are packed sequentially. If the remaining space is smaller than `sizeof(struct cmd_chain_slot_npu)`, the old code would `memset()` past the buffer boundary before the `*size < sizeof(*npu_slot) + ...` check could return `-EINVAL`. The fix is correct and minimal.

No cross-patch concerns since this is a single patch.

---
Generated by Claude Code Patch Reviewer