From mboxrd@z Thu Jan  1 00:00:00 1970
From: Claude Code Review Bot <claude-review@example.com>
To: dri-devel-reviews@example.com
Subject: Claude review: Re: [PATCH] accel/ethosu: fix OOB write in ethosu_gem_cmdstream_copy_and_validate()
Date: Mon, 25 May 2026 17:27:28 +1000
Message-ID: <review-patch1-20260523201444.66197-1-meatuni001@gmail.com>
In-Reply-To: <20260523201444.66197-1-meatuni001@gmail.com>
References: <20260523201444.66197-1-meatuni001@gmail.com> <20260523201444.66197-1-meatuni001@gmail.com>
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

Patch Review

**Commit message quality: Good.** The description clearly explains the vuln=
erable code path, the preconditions for triggering the bug, the impact (use=
rspace-triggerable heap OOB write), and the fix. The Fixes tag and stable C=
C are appropriate.

**Correctness: The fix is correct.**

Looking at the source at `ethosu_gem.c:370-392`:

```c
for (i =3D 0; i < size / 4; i++) {
    ...
    if (get_user(cmds[0], ucmds++))
        return -EFAULT;

    bocmds[i] =3D cmds[0];
    ...
    if (cmd & 0x4000) {
        if (get_user(cmds[1], ucmds++))
            return -EFAULT;

        i++;
        bocmds[i] =3D cmds[1];   /* <-- OOB when i was size/4-1 */
        addr =3D cmd_to_addr(cmds);
    }
```

The patch adds:

```c
        i++;
+       if (i >=3D size / 4)
+           return -EINVAL;
        bocmds[i] =3D cmds[1];
```

This correctly bounds-checks the incremented index before the write. The `>=
=3D` comparison is correct since valid indices are `[0, size/4 - 1]`.

**Minor observations:**

1. **Error code choice:** `-EINVAL` is reasonable here =E2=80=94 the comman=
d stream is malformed (a 64-bit command that doesn't fit in the declared bu=
ffer size). This is consistent with other validation failures in the same f=
ile.

2. **Potential style nit:** The existing code at line 386-387 checks `get_u=
ser()` with braces around the block, while this new bare `if`/`return` has =
no braces. Both are acceptable in kernel style for single-statement bodies,=
 but some maintainers prefer braces when the surrounding code uses them. Th=
is is not a blocking concern.

3. **`size` alignment:** The function trusts that `size` is a multiple of 4=
 (using `size / 4` as the word count). If `size` were, say, 3, then `size /=
 4 =3D=3D 0` and the loop body never executes, so there's no issue from thi=
s patch's perspective. The caller should validate this, but that's a pre-ex=
isting concern unrelated to this fix.

4. **No other 64-bit command paths:** I confirmed that this is the only pla=
ce in the loop where `i` is incremented mid-iteration, so there are no othe=
r similar OOB paths to fix.

**Verdict: Correct fix. Recommend acceptance.**

---
Generated by Claude Code Patch Reviewer