From mboxrd@z Thu Jan 1 00:00:00 1970 From: Claude Code Review Bot To: dri-devel-reviews@example.com Subject: Claude review: accel/amdxdna: Fix out-of-bounds memset in command slot handling Date: Wed, 18 Feb 2026 06:45:36 +1000 Message-ID: In-Reply-To: <20260217185415.1781908-1-lizhi.hou@amd.com> References: <20260217185415.1781908-1-lizhi.hou@amd.com> <20260217185415.1781908-1-lizhi.hou@amd.com> X-Mailer: Claude Code Patch Reviewer Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit MIME-Version: 1.0 Patch Review The fix is applied consistently across all four affected functions: `aie2_cmdlist_fill_npu_cf`, `aie2_cmdlist_fill_npu_dpu`, `aie2_cmdlist_fill_npu_preempt`, and `aie2_cmdlist_fill_npu_elf`. The pattern in each case is the same. Taking `aie2_cmdlist_fill_npu_cf` as representative: > - memset(npu_slot, 0, sizeof(*npu_slot)); > cmd = amdxdna_cmd_get_payload(cmd_bo, &cmd_len); > if (*size < sizeof(*npu_slot) + cmd_len) > return -EINVAL; > > + memset(npu_slot, 0, sizeof(*npu_slot)); > npu_slot->cu_idx = amdxdna_cmd_get_cu_idx(cmd_bo); The `slot` pointer comes from `cmdbuf_abo->mem.kva + offset` where the available space is `cmdbuf_abo->mem.size - offset`. When multiple commands are chained, `offset` advances with each slot, and the remaining space can become smaller than `sizeof(struct cmd_chain_slot_npu)` (which is 56+ bytes with the packed struct header fields). Writing `sizeof(*npu_slot)` bytes via memset before checking that there is room would corrupt whatever follows the buffer. Moving the memset after the size validation is the correct fix. After the check passes, `*size >= sizeof(*npu_slot) + payload_size`, so the memset of `sizeof(*npu_slot)` bytes is guaranteed to be in bounds. One minor observation on `aie2_cmdlist_fill_npu_elf`: unlike the other three functions, this one does not set `npu_slot->cu_idx` and instead immediately sets `npu_slot->type`. The memset still correctly appears after the size check, so the fix is consistent. This just means `cu_idx` will be left at zero from the memset, which appears intentional since ELF-type slots apparently don't need a CU index. The commit message is accurate, the Fixes tag correctly identifies the commit that introduced the regression, and the change is minimal and correct. No issues found. --- Generated by Claude Code Patch Reviewer