From mboxrd@z Thu Jan 1 00:00:00 1970 From: Claude Code Review Bot To: dri-devel-reviews@example.com Subject: Claude review: accel: ethosu: Validate SRAM size on submit Date: Sat, 16 May 2026 11:22:19 +1000 Message-ID: In-Reply-To: <20260513185434.1667045-1-robh@kernel.org> References: <20260513185434.1667045-1-robh@kernel.org> <20260513185434.1667045-1-robh@kernel.org> X-Mailer: Claude Code Patch Reviewer Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Patch Review **Correctness:** The core logic change is sound. Before this patch, the SRA= M region bypass in the loop at line ~417 checked: ```c if (!job->region_bo_handles[i] && (!cmd_info->region_size[i] || (i =3D=3D ETHOSU_SRAM_REGION && job->sram= _size))) continue; ``` This allowed any SRAM region through as long as userspace set `job->sram_si= ze` to nonzero =E2=80=94 but `job->sram_size` comes directly from the `stru= ct drm_ethosu_job` ioctl argument and can be anything. The new code instead= validates against `edev->npu_info.sram_size`, which is set from `gen_pool_= size()` during driver probe (`ethosu_drv.c:284`), making it trustworthy. **Edge case =E2=80=94 no SRAM configured:** When the device has no SRAM poo= l, `edev->npu_info.sram_size` is initialized to 0 (`ethosu_drv.c:278`). The= new condition `cmd_info->region_size[i] <=3D edev->npu_info.sram_size` wil= l only pass when `region_size[i]` is also 0, which was already handled by t= he `!cmd_info->region_size[i]` check above. So a nonzero SRAM region reques= t on a device without SRAM will correctly be rejected. Good. **Interaction with the earlier `job->sram_size` checks:** The existing vali= dation at lines 377-381 still checks `job->sram_size` against `edev->npu_in= fo.sram_size` and uses `job->sram_size` to guard HW register writes at line= 60. Those uses remain valid =E2=80=94 `job->sram_size` is bounded by the c= heck at line 380, and is used to decide whether to program the SRAM base ad= dress, not to set a size limit. The new check is complementary, validating = the *command stream's* declared region size, which is a separate trust boun= dary. **Minor nit =E2=80=94 trailing whitespace:** Line 428 in the patched file (= `edev->npu_info.sram_size);`) appears to have a trailing space after the co= mma on the line above: ```c i, cmd_info->region_size[i],=20 edev->npu_info.sram_size); ``` There's a trailing space after the `,` before the newline continuation. Thi= s would likely trigger `checkpatch.pl --strict` warnings. Not a functional = issue. **Format specifier correctness:** `region_size[i]` is `u64` (from `ethosu_g= em.h:12`), printed with `%llu` =E2=80=94 correct. `sram_size` is `__u32` (f= rom `ethosu_accel.h:81`), printed with `%u` =E2=80=94 correct. **Overall:** This is a clean, well-scoped security fix. The commit message = accurately describes the problem and the approach. Reviewed-by worthy with = or without the whitespace nit fix. --- Generated by Claude Code Patch Reviewer