From mboxrd@z Thu Jan 1 00:00:00 1970
From: Claude Code Review Bot
To: dri-devel-reviews@example.com
Subject: Claude review: drm/v3d: Introduce struct v3d_submit and convert CL/TFU/CSD ioctls
Date: Sat, 16 May 2026 15:59:28 +1000
Message-ID:
In-Reply-To: <20260510-v3d-sched-misc-fixes-v2-8-ca4aba343ef6@igalia.com>
References: <20260510-v3d-sched-misc-fixes-v2-0-ca4aba343ef6@igalia.com> <20260510-v3d-sched-misc-fixes-v2-8-ca4aba343ef6@igalia.com>
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

Patch Review

This is the core abstraction patch. `struct v3d_submit` groups `v3d_dev`, `file_priv`, `drm_exec`, and a fixed-size jobs array.

**Concern: Missing bounds check in v3d_submit_add_job()**

`v3d_submit_add_job()` does:

```c
submit->jobs[submit->job_count++] = job;
```

without checking `submit->job_count < V3D_MAX_JOBS_PER_SUBMISSION`. All current callers respect the limit (CL submits at most 3, CSD 2, TFU 1, CPU indirect CSD 3), but a missing bounds check on a stack-allocated fixed-size array is a latent buffer overflow waiting for someone to add a fourth job. I'd recommend adding:

```c
if (submit->job_count >= V3D_MAX_JOBS_PER_SUBMISSION)
	return -EINVAL;
```

**CSD ioctl manually adds jobs to the array**: In the CSD ioctl, after calling the old `v3d_setup_csd_jobs_and_bos()`:

```c
submit.jobs[submit.job_count++] = &job->base;
submit.jobs[submit.job_count++] = clean_job;
```

These jobs were created by the old `v3d_job_init()` path, not by `v3d_submit_add_job()`. This is a transitional state that gets cleaned up in patch 10 — acceptable for bisectability.

---
Generated by Claude Code Patch Reviewer
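
The bounds check recommended in the review above, as an added user-space model; it is not code from the patch, the v3d driver, or the review itself. The `model_*` names and struct layout are hypothetical, and the value 3 for `V3D_MAX_JOBS_PER_SUBMISSION` is an assumption, since the review names the constant without stating its value.

```c
#include <errno.h>
#include <stdio.h>

/* Assumed value: the review names the constant but does not state it. */
#define V3D_MAX_JOBS_PER_SUBMISSION 3

/* Hypothetical user-space stand-ins, not the driver's real types. */
struct model_job { int id; };

struct model_submit {
	struct model_job *jobs[V3D_MAX_JOBS_PER_SUBMISSION];
	unsigned int job_count; /* sits right after the array in this model */
};

/* Checked append: reject before the post-increment store can run. */
static int model_submit_add_job(struct model_submit *submit,
				struct model_job *job)
{
	if (submit->job_count >= V3D_MAX_JOBS_PER_SUBMISSION)
		return -EINVAL;

	submit->jobs[submit->job_count++] = job;
	return 0;
}

/* Queue n jobs from pool; return how many the check rejected. */
static unsigned int model_queue_jobs(struct model_submit *submit,
				     struct model_job *pool, unsigned int n)
{
	unsigned int rejected = 0;

	for (unsigned int i = 0; i < n; i++)
		if (model_submit_add_job(submit, &pool[i]) == -EINVAL)
			rejected++;
	return rejected;
}

int main(void)
{
	struct model_job pool[4] = { {1}, {2}, {3}, {4} }; /* constructed input */
	struct model_submit submit = { 0 };
	unsigned int rejected = model_queue_jobs(&submit, pool, 4);

	printf("queued=%u rejected=%u\n", submit.job_count, rejected);
	return rejected == 1 ? 0 : 1;
}
```

The check only protects writes that go through the helper; direct stores such as the `submit.jobs[submit.job_count++]` lines quoted from the CSD ioctl are outside it until they are converted.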