From: Claude Code Review Bot <claude-review@example.com>
To: dri-devel-reviews@example.com
Subject: Claude review: accel/ivpu: Fix signed integer truncation in IPC receive
Date: Thu, 04 Jun 2026 16:40:23 +1000 [thread overview]
Message-ID: <review-patch1-20260529115453.132291-1-andrzej.kacprowski@linux.intel.com> (raw)
In-Reply-To: <20260529115453.132291-1-andrzej.kacprowski@linux.intel.com>
Patch Review
**Correctness: Good.**
The bug is real. Looking at the kernel tree (`ivpu_ipc.h:38`), `data_size` is declared as `u32`:
```c
struct ivpu_ipc_hdr {
u32 data_addr;
u32 data_size;
...
};
```
The original code at `ivpu_ipc.c:283`:
```c
u32 size = min_t(int, rx_msg->ipc_hdr->data_size, sizeof(*jsm_msg));
```
`min_t(int, ...)` casts both arguments to `int`. If `data_size >= 0x80000000`, the cast to `int` produces a negative value. Since `sizeof(*jsm_msg)` is positive, `min_t` picks the negative value. That negative `int` is then assigned to `u32 size`, wrapping to a very large unsigned value. The `memcpy` at line 291 then overflows `jsm_msg`:
```c
if (jsm_msg)
memcpy(jsm_msg, rx_msg->jsm_msg, size);
```
The fix:
```c
u32 size = min_t(u32, rx_msg->ipc_hdr->data_size, sizeof(*jsm_msg));
```
This is correct — both `data_size` and `sizeof()` are naturally unsigned, so `u32` is the appropriate comparison type. The result is always clamped to at most `sizeof(*jsm_msg)`.
**Commit message:** Clear and accurate. The Fixes tag and stable Cc are appropriate. The `# v6.18+` annotation on the stable Cc indicates this only applies from v6.18 onwards, which matches the referenced commit.
**Minor observation (not a blocking concern):** The `data_size` value comes from firmware, which is a trust boundary. While this fix correctly prevents the overflow, there's no explicit validation that `data_size` is sane (e.g., not wildly larger than expected but still < 0x80000000). The `min_t(u32, ...)` fix handles this case too since it clamps to `sizeof(*jsm_msg)`, so this is a defense-in-depth comment rather than a problem with the patch.
Reviewed-by worthy as-is.
---
Generated by Claude Code Patch Reviewer
next prev parent reply other threads:[~2026-06-04 6:40 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-29 11:54 [PATCH] accel/ivpu: Fix signed integer truncation in IPC receive Andrzej Kacprowski
2026-05-29 12:03 ` Wachowski, Karol
2026-06-04 6:40 ` Claude Code Review Bot [this message]
2026-06-04 6:40 ` Claude review: " Claude Code Review Bot
-- strict thread matches above, loose matches on Subject: below --
2026-06-01 16:16 [PATCH v2] " Andrzej Kacprowski
2026-06-04 3:53 ` Claude review: " Claude Code Review Bot
2026-06-04 3:53 ` Claude Code Review Bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=review-patch1-20260529115453.132291-1-andrzej.kacprowski@linux.intel.com \
--to=claude-review@example.com \
--cc=dri-devel-reviews@example.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox