From mboxrd@z Thu Jan  1 00:00:00 1970
From: Claude Code Review Bot <claude-review@example.com>
To: dri-devel-reviews@example.com
Subject: Claude review: drm/amdgpu: Fix potential out-of-bounds access in 'amdgpu_discovery_reg_base_init()'
Date: Wed, 25 Mar 2026 08:02:38 +1000
Message-ID: <review-patch1-20260323071052.4068410-1-1468888505@139.com>
In-Reply-To: <20260323071052.4068410-1-1468888505@139.com>
References: <20260323071052.4068410-1-1468888505@139.com> <20260323071052.4068410-1-1468888505@139.com>
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

Patch Review

**The fix is correct in principle** =E2=80=94 it moves the bounds check bef=
ore the array write, preventing OOB access. However, there is a subtle beha=
vioral difference from the upstream version:

**Issue 1: `ip->revision &=3D ~0xc0` moved outside the bounds check**

In the original (pre-fix) code:
```c
adev->vcn.vcn_config[adev->vcn.num_vcn_inst] =3D
    ip->revision & 0xc0;
ip->revision &=3D ~0xc0;
if (adev->vcn.num_vcn_inst < AMDGPU_MAX_VCN_INSTANCES)
    adev->vcn.num_vcn_inst++;
```

The `ip->revision &=3D ~0xc0` clearing always happened regardless of bounds=
. In the patched code:
```c
if (adev->vcn.num_vcn_inst < AMDGPU_MAX_VCN_INSTANCES) {
    adev->vcn.vcn_config[adev->vcn.num_vcn_inst] =3D
        ip->revision & 0xc0;
    adev->vcn.num_vcn_inst++;
} else
    ...
ip->revision &=3D ~0xc0;
```

The `ip->revision &=3D ~0xc0` is placed **after** the if/else, so it still =
executes unconditionally in both paths. This is correct and preserves the o=
riginal semantics.

**Issue 2: Missing `inst_mask` updates compared to upstream**

Looking at the current upstream code (drm-next), the fix there also sets `a=
dev->vcn.inst_mask` and `adev->jpeg.inst_mask` inside the bounds-checked bl=
ock, and the field was refactored from `adev->vcn.vcn_config[]` to `adev->v=
cn.inst[].vcn_config`. These differences are expected since this is a 6.1.y=
 backport targeting an older kernel with a different data structure, so thi=
s is fine.

**Issue 3: Style nit =E2=80=94 asymmetric braces**

```c
if (adev->vcn.num_vcn_inst < AMDGPU_MAX_VCN_INSTANCES) {
    ...
} else
    dev_err(...);
```

Per kernel coding style, when one branch of an if/else uses braces, both sh=
ould. This should be:
```c
} else {
    dev_err(...);
}
```

This is a minor style issue that was actually present in the original code =
too (the `else` branch had no braces), so it's not a regression from this p=
atch.

**Verdict**: The backport is functionally correct and appropriate for 6.1.y=
 stable. The OOB fix is sound =E2=80=94 the array write is now properly gua=
rded. The conflict resolution appears to have been done correctly, preservi=
ng the original semantics of always clearing the revision bits. No function=
al concerns.

---
Generated by Claude Code Patch Reviewer