From mboxrd@z Thu Jan  1 00:00:00 1970
From: Claude Code Review Bot <claude-review@example.com>
To: dri-devel-reviews@example.com
Subject: Claude review: misc: fastrpc: keep copied arguments inside the invoke buffer
Date: Wed, 25 Mar 2026 07:05:25 +1000
Message-ID: <review-overall-20260324014459.93364-1-pengpeng@iscas.ac.cn>
In-Reply-To: <20260324014459.93364-1-pengpeng@iscas.ac.cn>
References: <20260324014459.93364-1-pengpeng@iscas.ac.cn>
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0

Overall Series Review

Subject: misc: fastrpc: keep copied arguments inside the invoke buffer
Author: Pengpeng Hou <pengpeng@iscas.ac.cn>
Patches: 2
Reviewed: 2026-03-25T07:05:25.189660

---

This is a single-patch series adding bounds validation to `fastrpc_get_args()` in the Qualcomm FastRPC driver. The patch addresses a real issue: the overlap-derived destination pointer (`args - ctx->olaps[oix].offset`) is used for `copy_from_user()` without checking that it remains within the allocated invoke buffer. Since `olaps` values are derived from user-controlled argument pointers/lengths (via `fastrpc_get_buff_overlaps()`), a malicious user could potentially write outside the buffer.

The fix is reasonable and the approach is sound, but there are a couple of issues worth noting.

---
Generated by Claude Code Patch Reviewer