From: Claude Code Review Bot <claude-review@example.com>
To: dri-devel-reviews@example.com
Subject: Claude review: drm/amdkfd: fix NULL dereference in get_queue_ids()
Date: Mon, 25 May 2026 17:31:37 +1000 [thread overview]
Message-ID: <review-patch1-20260523165646.25645-1-meatuni001@gmail.com> (raw)
In-Reply-To: <20260523165646.25645-1-meatuni001@gmail.com>
Patch Review
**Correctness: Good**
The original code:
```c
size_t array_size = num_queues * sizeof(uint32_t);
```
computes `array_size` with a bare multiplication that can wrap on 32-bit kernels (where `size_t` is 32 bits). With `num_queues = 0x40000001`, the product `0x100000004` truncates to `0x4`, and `memdup_user()` allocates 4 bytes. `q_array_invalidate()` then writes `num_queues` entries into that 4-byte buffer — heap overflow.
The fix:
```c
size_t array_size;
...
if (check_mul_overflow((size_t)num_queues, sizeof(uint32_t), &array_size))
return ERR_PTR(-EINVAL);
```
is correct. The `(size_t)` cast on `num_queues` ensures all three arguments to `check_mul_overflow()` share the same type, avoiding implicit-type issues with compiler builtins. The `#include <linux/overflow.h>` is appropriate rather than relying on transitive includes.
**Callers handle the error correctly**: Both `suspend_queues()` (`kfd_device_queue_manager.c:3607`) and `resume_queues()` (`kfd_device_queue_manager.c:3503`) check `IS_ERR(queue_ids)` and propagate via `PTR_ERR()`.
**Note on the `copy_to_user()` calls**: The commit message correctly observes that the `num_queues * sizeof(uint32_t)` in `copy_to_user()` (lines 3588, 3704) is safe because it's only reachable after `get_queue_ids()` succeeded with the same `num_queues`, meaning the multiplication was already validated. This is sound reasoning.
**No issues found.**
---
Generated by Claude Code Patch Reviewer
next prev parent reply other threads:[~2026-05-25 7:31 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-23 14:26 [PATCH] drm/amdkfd: fix integer overflow in get_queue_ids() Muhammad Bilal
2026-05-23 16:56 ` [PATCH] drm/amdkfd: fix NULL dereference " Muhammad Bilal
2026-05-25 7:31 ` Claude review: " Claude Code Review Bot
2026-05-25 7:31 ` Claude Code Review Bot [this message]
2026-05-25 7:31 ` Claude review: drm/amdkfd: fix integer overflow " Claude Code Review Bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=review-patch1-20260523165646.25645-1-meatuni001@gmail.com \
--to=claude-review@example.com \
--cc=dri-devel-reviews@example.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox