From mboxrd@z Thu Jan 1 00:00:00 1970
From: Claude Code Review Bot
To: dri-devel-reviews@example.com
Subject: Claude review: accel/ethosu: fix integer overflow in dma_length()
Date: Mon, 25 May 2026 17:08:43 +1000
Message-ID:
In-Reply-To: <20260524051659.70654-1-meatuni001@gmail.com>
References: <20260524051659.70654-1-meatuni001@gmail.com>
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

Overall Series Review

Subject: accel/ethosu: fix integer overflow in dma_length()
Author: Muhammad Bilal
Patches: 3
Reviewed: 2026-05-25T17:08:43.686509

---

This mbox contains three versions (v1, v2, v3) of the same patch fixing arithmetic issues in `dma_length()` in the Arm Ethos-U NPU accelerator driver. Only v3 should be considered for merging — v1 and v2 are superseded.

The core issue is real and security-relevant: user-supplied command stream values feed into unchecked arithmetic that computes `region_size[]`, which is later used as a bounds check against GEM buffer sizes. Integer wraparound can underreport the true DMA region usage, allowing the NPU hardware to access memory outside the allocated GEM buffer.

The v3 patch correctly addresses four arithmetic hazards: negative stride underflow, multiplication overflow, `len + offset` overflow, and the missing caller validation of the `U64_MAX` error sentinel. The fix is well-scoped and uses the standard kernel overflow helpers (`check_mul_overflow`, `check_add_overflow`).

One observation for a possible follow-up: the same `addr + 1` addition at `ethosu_gem.c:240` in `feat_matrix_length()`, and the `base + length` additions at lines 291–293 and 303–305 in `calc_sizes()`, have no overflow protection either. These are analogous to the `len + offset` overflow that v3 fixed in `dma_length()`.

---
Generated by Claude Code Patch Reviewer
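
The four hazards named in the review, modelled in simplified form as an added example that is not part of the reviewed patch, the review message or the ethosu driver. The struct, its fields and the `demo_*` names are hypothetical, and the GCC/Clang `__builtin_*_overflow` builtins stand in for the kernel's `check_mul_overflow` and `check_add_overflow` helpers.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define LEN_INVALID UINT64_MAX /* error sentinel, same role as U64_MAX */

/* Hypothetical descriptor; every field is untrusted command-stream input. */
struct demo_dma {
    uint64_t offset; /* start offset inside the region */
    uint64_t len;    /* bytes per row */
    int64_t stride;  /* bytes between row starts */
    uint64_t rows;   /* row count, at least 1 */
};

/* Unchecked form: each step can wrap and under-report the extent. */
uint64_t demo_len_unchecked(const struct demo_dma *d)
{
    return d->offset + d->len + (uint64_t)d->stride * (d->rows - 1);
}

/* Checked form: any arithmetic hazard yields the sentinel. */
uint64_t demo_len_checked(const struct demo_dma *d)
{
    uint64_t span, end;

    if (d->rows == 0 || d->stride < 0)
        return LEN_INVALID;
    if (__builtin_mul_overflow((uint64_t)d->stride, d->rows - 1, &span))
        return LEN_INVALID;
    if (__builtin_add_overflow(span, d->len, &end) ||
        __builtin_add_overflow(end, d->offset, &end))
        return LEN_INVALID;
    return end;
}

/* Caller: reject the sentinel before it is used as a size bound. */
bool demo_fits(const struct demo_dma *d, uint64_t buf_size)
{
    uint64_t need = demo_len_checked(d);
    return need != LEN_INVALID && need <= buf_size;
}

int main(void)
{
    /* Constructed input: stride * (rows - 1) == 2^64, which wraps to 0. */
    struct demo_dma d = { 0, 16, (int64_t)1 << 32, ((uint64_t)1 << 32) + 1 };
    printf("unchecked=%llu fits=%d\n",
           (unsigned long long)demo_len_unchecked(&d), demo_fits(&d, 4096));
    return 0;
}
```

With the constructed input the unchecked form reports a 16-byte extent that would pass a size comparison against a 4096-byte buffer, while the checked form returns the sentinel and the caller rejects it.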