From mboxrd@z Thu Jan 1 00:00:00 1970
From: Claude Code Review Bot
To: dri-devel-reviews@example.com
Subject: Claude review: accel/ethosu: fix IFM region index out-of-bounds in command stream parser
Date: Mon, 25 May 2026 17:21:01 +1000
Message-ID:
In-Reply-To: <20260523195159.55801-1-meatuni001@gmail.com>
References: <20260523195159.55801-1-meatuni001@gmail.com> <20260523195159.55801-1-meatuni001@gmail.com>
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

Patch Review

**The bug:**
At `ethosu_gem.c:467` (pre-patch), the IFM region was masked with `0x7f`:

```c
case NPU_SET_IFM_REGION:
	st.ifm.region = param & 0x7f;
```

This permits values up to 127, but `region_size[]` and `output_region[]` in `struct ethosu_validated_cmdstream_info` (`ethosu_gem.h:12-13`) are both `NPU_BASEP_REGION_MAX` (8) elements:

```c
u64 region_size[NPU_BASEP_REGION_MAX];      // 8 entries
bool output_region[NPU_BASEP_REGION_MAX];   // 8 entries
```

The region index is later used as a direct array subscript in `calc_sizes()` at `ethosu_gem.c:229`:

```c
info->region_size[fm->region] = max(info->region_size[fm->region], addr + 1);
```

A userspace-controlled `param > 7` causes a heap buffer overflow.

**The fix is correct:**
All other region assignments use `& 0x7`:

- `ethosu_gem.c:507`: `st.ofm.region = param & 0x7`
- `ethosu_gem.c:541`: `st.ifm2.region = param & 0x7`
- `ethosu_gem.c:569`: `st.weight[0].region = param & 0x7`
- `ethosu_gem.c:572`: `st.scale[0].region = param & 0x7`
- `ethosu_gem.c:615`: `st.dma.src.region = param & 0x7`
- `ethosu_gem.c:622`: `st.dma.dst.region = param & 0x7`

The mask `0x7` limits the value to 0–7, exactly matching the array size of 8.

**Tags:** The `Fixes:` tag and `Cc: stable` are appropriate for a security-relevant bug fix.

**Commit message quality:** Excellent — clearly explains the inconsistency, the data flow from mask to array subscript, and the impact (heap corruption). This is a well-written single-line fix with a thorough justification.

**No issues found.** Reviewed-by worthy.

---
Generated by Claude Code Patch Reviewer
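
The mask-versus-array-size relationship described in the review, as an added example that is not code from the patch or from the ethosu driver: a build-time assertion ties the mask to the array length, and the use site checks the index before subscripting. Only `NPU_BASEP_REGION_MAX` and the two mask values come from the review; `struct cmd`, `struct info`, `REGION_MASK`, `out_of_range_indices()` and `parse()` are hypothetical, and the command stream in `main()` is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NPU_BASEP_REGION_MAX 8   /* array length named in the review */
#define REGION_MASK 0x7u         /* hypothetical shared mask constant */

/* Build-time guard: changing REGION_MASK to 0x7f stops the build here. */
_Static_assert(REGION_MASK < NPU_BASEP_REGION_MAX,
               "region mask admits indices past region_size[]");

struct cmd { uint16_t param; uint64_t addr; };               /* hypothetical, simplified */
struct info { uint64_t region_size[NPU_BASEP_REGION_MAX]; }; /* hypothetical stand-in */

/* Count the index values a mask lets through that fall outside an n-entry array. */
static unsigned out_of_range_indices(unsigned mask, unsigned n)
{
    unsigned count = 0;
    for (unsigned idx = 0; idx <= mask; idx++)
        if ((idx & mask) == idx && idx >= n)
            count++;
    return count;
}

/* Walk a command stream; reject an out-of-range region instead of indexing with it. */
static int parse(const struct cmd *cs, size_t n, unsigned mask, struct info *info)
{
    for (size_t i = 0; i < n; i++) {
        unsigned region = cs[i].param & mask;
        if (region >= NPU_BASEP_REGION_MAX)
            return -1;                       /* bounds check at the use site */
        uint64_t end = cs[i].addr + 1;
        if (end > info->region_size[region])
            info->region_size[region] = end;
    }
    return 0;
}

int main(void)
{
    struct cmd cs[] = { { 0x45, 0xfff } };   /* constructed input: param > 7 */
    struct info a = { { 0 } };

    printf("0x7f lets through %u bad indices, 0x7 lets through %u\n",
           out_of_range_indices(0x7fu, NPU_BASEP_REGION_MAX),
           out_of_range_indices(0x7u, NPU_BASEP_REGION_MAX));
    printf("mask 0x7f: parse=%d\n", parse(cs, 1, 0x7fu, &a));
    printf("mask 0x7:  parse=%d region_size[5]=%llu\n", parse(cs, 1, 0x7u, &a),
           (unsigned long long)a.region_size[5]);
    return 0;
}
```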