From mboxrd@z Thu Jan 1 00:00:00 1970
From: Claude Code Review Bot
To: dri-devel-reviews@example.com
Subject: Claude review: drm/atomic: Return user readable error in atomic_ioctl
Date: Wed, 01 Apr 2026 07:55:28 +1000
Message-ID:
In-Reply-To: <20260331-atomic-v11-5-6a1df7ec5af8@intel.com>
References: <20260331-atomic-v11-0-6a1df7ec5af8@intel.com> <20260331-atomic-v11-5-6a1df7ec5af8@intel.com>
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0

Patch Review

**`error_code_ptr` used uninitialized:**

```c
if (!arg->reserved)
	drm_dbg_atomic(dev, "memory not allocated...\n");
else
	error_code_ptr = (struct drm_mode_atomic_err_code __user *)
			 (unsigned long)arg->reserved;
```

When `arg->reserved == 0`, `error_code_ptr` is uninitialized. Later:

```c
if (ret < 0 && arg->reserved) {
	if (copy_to_user(error_code_ptr, ...))
```

The `arg->reserved` check guards the usage, so technically safe, but `error_code_ptr` is still declared without initialization. Set it to `NULL` at declaration.

**Debug message is backwards:**

When `!arg->reserved` (i.e., userspace didn't provide a pointer), the code prints a debug message saying "memory not allocated for drm_atomic error reporting". This will fire on **every single atomic ioctl call** from any userspace that doesn't use this feature, which is essentially all current userspace. This is extremely noisy and should be removed.

**`memset` uses wrong sizeof:**

```c
memset(&state->error_code, 0, sizeof(*error_code_ptr));
```

This should be `sizeof(state->error_code)`. Using `sizeof(*error_code_ptr)` happens to be the same size but is semantically wrong and will break if `error_code_ptr`'s type ever diverges.

**`copy_to_user` on `-EDEADLK`:**

The error reporting happens before the deadlock retry logic:

```c
out:
	if (ret < 0 && arg->reserved) {
		if (copy_to_user(error_code_ptr, &state->error_code, ...))
			ret = -EFAULT;
	}
	...
	if (ret == -EDEADLK) {
		drm_atomic_state_clear(state);
		ret = drm_modeset_backoff(&ctx);
		if (!ret)
			goto retry;
	}
```

On `-EDEADLK`, this will copy a stale/meaningless error report to userspace, then retry. If the retry succeeds, userspace gets `ret=0` but has stale error data written to their buffer. Move the `copy_to_user` after the deadlock retry handling.

**Overwriting `-EFAULT` with `-EDEADLK` handling:**

If `copy_to_user` fails and sets `ret = -EFAULT`, the deadlock check `if (ret == -EDEADLK)` won't match, so at least it won't loop, but the original error is lost.

---
Generated by Claude Code Patch Reviewer
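
Added example, not part of the review or of the patch under review: a userspace model of the ordering problem raised in the `-EDEADLK` point above, comparing a report copied before the retry with one copied after it. `struct err_report`, `try_commit`, `model_ioctl`, `buffer_after` and the codes 42 and 7 are constructed stand-ins, and `memcpy` stands in for `copy_to_user`.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
/* Stand-in for the error report; the real struct layout is not shown on the page. */
struct err_report { int failure_code; };
/* Constructed scenario: attempt 0 hits lock contention; attempt 1 ends with final_ret. */
static int try_commit(int attempt, int final_ret, struct err_report *st)
{
	if (attempt == 0) {
		st->failure_code = 42;          /* partial report, meaningless to the caller */
		return -EDEADLK;
	}
	st->failure_code = final_ret ? 7 : 0;   /* 7: constructed "real" failure code */
	return final_ret;
}

/* early_copy != 0 models the ordering the review objects to. */
static int model_ioctl(int early_copy, int final_ret, struct err_report *ubuf)
{
	struct err_report state;
	int attempt = 0, ret;
retry:
	memset(&state, 0, sizeof(state));
	ret = try_commit(attempt++, final_ret, &state);
	if (early_copy && ret < 0 && ubuf)
		memcpy(ubuf, &state, sizeof(state)); /* stands in for copy_to_user */
	if (ret == -EDEADLK)
		goto retry;                     /* backoff assumed to succeed */
	if (!early_copy && ret < 0 && ubuf)
		memcpy(ubuf, &state, sizeof(state)); /* only the final result is reported */
	return ret;
}

/* What userspace finds in its zeroed buffer once the call returns. */
static int buffer_after(int early_copy, int final_ret, int *ret_out)
{
	struct err_report ubuf = { 0 };
	*ret_out = model_ioctl(early_copy, final_ret, &ubuf);
	return ubuf.failure_code;
}

int main(void)
{
	int ret, code = buffer_after(1, 0, &ret);
	printf("copy before retry: ret=%d buffer=%d\n", ret, code);
	code = buffer_after(0, 0, &ret);
	printf("copy after retry:  ret=%d buffer=%d\n", ret, code);
	return 0;
}
```

With the copy placed before the retry, a call that ultimately succeeds still leaves the first attempt's report in the caller's buffer; with the copy placed after it, the buffer is written only when the final return value is an error.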