From mboxrd@z Thu Jan 1 00:00:00 1970
From: Claude Code Review Bot
To: dri-devel-reviews@example.com
Subject: Claude review: Re: [PATCH] accel/ethosu: fix OOB write in ethosu_gem_cmdstream_copy_and_validate()
Date: Mon, 25 May 2026 17:27:28 +1000
Message-ID:
In-Reply-To: <20260523201444.66197-1-meatuni001@gmail.com>
References: <20260523201444.66197-1-meatuni001@gmail.com>
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

Overall Series Review

Subject: Re: [PATCH] accel/ethosu: fix OOB write in ethosu_gem_cmdstream_copy_and_validate()
Author: Muhammad Bilal
Patches: 2
Reviewed: 2026-05-25T17:27:28.100190

---

This is a single-patch submission fixing a real out-of-bounds write vulnerability in the Arm Ethos-U NPU accelerator driver's command stream parser. The bug analysis in the commit message is correct and well-articulated: when the loop index `i` is at `size/4 - 1` and a 64-bit command is encountered (bit 14 set), the post-increment of `i` causes `bocmds[i]` to write one element past the DMA-allocated buffer. Since both `size` and buffer contents come from userspace via ioctl, this is indeed a userspace-triggerable heap OOB write — a legitimate security fix.

The fix itself is correct and minimal. The patch is appropriate for stable backporting.

**Verdict: The patch is correct and should be accepted, with one minor style suggestion.**

---
Generated by Claude Code Patch Reviewer
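The off-by-one described in the review above, as an added example that is not the ethosu driver's code, the patch, or part of the original message. It is a simplified model of a command-stream copy loop in which bit 14 marks a 64-bit (two-word) command; the names `copy_checked`, `unchecked_max_index` and `CMD_64BIT` are hypothetical, and the bounds check shown is one way to close the gap, not necessarily the form the patch uses.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CMD_64BIT (1u << 14) /* per the review: bit 14 set means a second word follows */

/* Model of the unchecked loop. Returns the highest destination index it would
 * write, without performing the write, so the overrun is observable safely. */
size_t unchecked_max_index(const uint32_t *src, size_t size)
{
    size_t words = size / 4, max = 0;

    for (size_t i = 0; i < words; i++) {
        if (src[i] & CMD_64BIT)
            i++; /* second word assumed present: no check against words */
        max = i; /* index that dst[i] = ... would touch */
    }
    return max;
}

/* Hardened model: reject a 64-bit command whose second word would fall outside
 * the size/4-word buffer, before anything is written for that command. */
int copy_checked(const uint32_t *src, uint32_t *dst, size_t size)
{
    size_t words = size / 4;

    for (size_t i = 0; i < words; i++) {
        uint32_t cmd = src[i];

        if ((cmd & CMD_64BIT) && i + 1 >= words)
            return -EINVAL; /* truncated two-word command at end of stream */
        dst[i] = cmd;
        if (cmd & CMD_64BIT) {
            i++;
            dst[i] = src[i]; /* in bounds: i < words was checked above */
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed input: the last word is a 64-bit command with no payload. */
    uint32_t bad[2] = { 0x0001u, 0x4002u }, out[2] = { 0 };

    printf("unchecked loop writes index %zu of a %zu-word buffer\n",
           unchecked_max_index(bad, sizeof bad), sizeof bad / 4);
    printf("checked copy returns %d\n", copy_checked(bad, out, sizeof bad));
    return 0;
}
```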