From: Claude Code Review Bot <claude-review@example.com>
To: dri-devel-reviews@example.com
Subject: Claude review: Re: [PATCH] accel/ethosu: fix OOB write in ethosu_gem_cmdstream_copy_and_validate()
Date: Mon, 25 May 2026 17:27:28 +1000 [thread overview]
Message-ID: <review-patch1-20260523201444.66197-1-meatuni001@gmail.com> (raw)
In-Reply-To: <20260523201444.66197-1-meatuni001@gmail.com>
Patch Review
**Commit message quality: Good.** The description clearly explains the vulnerable code path, the preconditions for triggering the bug, the impact (userspace-triggerable heap OOB write), and the fix. The Fixes tag and stable CC are appropriate.
**Correctness: The fix is correct.**
Looking at the source at `ethosu_gem.c:370-392`:
```c
for (i = 0; i < size / 4; i++) {
...
if (get_user(cmds[0], ucmds++))
return -EFAULT;
bocmds[i] = cmds[0];
...
if (cmd & 0x4000) {
if (get_user(cmds[1], ucmds++))
return -EFAULT;
i++;
bocmds[i] = cmds[1]; /* <-- OOB when i was size/4-1 */
addr = cmd_to_addr(cmds);
}
```
The patch adds:
```c
i++;
+ if (i >= size / 4)
+ return -EINVAL;
bocmds[i] = cmds[1];
```
This correctly bounds-checks the incremented index before the write. The `>=` comparison is correct since valid indices are `[0, size/4 - 1]`.
**Minor observations:**
1. **Error code choice:** `-EINVAL` is reasonable here — the command stream is malformed (a 64-bit command that doesn't fit in the declared buffer size). This is consistent with other validation failures in the same file.
2. **Potential style nit:** The existing code at line 386-387 checks `get_user()` with braces around the block, while this new bare `if`/`return` has no braces. Both are acceptable in kernel style for single-statement bodies, but some maintainers prefer braces when the surrounding code uses them. This is not a blocking concern.
3. **`size` alignment:** The function trusts that `size` is a multiple of 4 (using `size / 4` as the word count). If `size` were, say, 3, then `size / 4 == 0` and the loop body never executes, so there's no issue from this patch's perspective. The caller should validate this, but that's a pre-existing concern unrelated to this fix.
4. **No other 64-bit command paths:** I confirmed that this is the only place in the loop where `i` is incremented mid-iteration, so there are no other similar OOB paths to fix.
**Verdict: Correct fix. Recommend acceptance.**
---
Generated by Claude Code Patch Reviewer
next prev parent reply other threads:[~2026-05-25 7:27 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-23 19:08 [PATCH] accel/ethosu: fix OOB write in ethosu_gem_cmdstream_copy_and_validate() Muhammad Bilal
2026-05-23 20:14 ` Muhammad Bilal
2026-05-25 7:27 ` Claude Code Review Bot [this message]
2026-05-25 7:27 ` Claude review: " Claude Code Review Bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=review-patch1-20260523201444.66197-1-meatuni001@gmail.com \
--to=claude-review@example.com \
--cc=dri-devel-reviews@example.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox