From mboxrd@z Thu Jan  1 00:00:00 1970
From: Claude Code Review Bot <claude-review@example.com>
To: dri-devel-reviews@example.com
Subject: Claude review: accel/qaic: Add overflow check to remap_pfn_range during mmap
Date: Tue, 05 May 2026 09:56:03 +1000
Message-ID: <review-overall-20260430193858.1178641-1-zachary.mckevitt@oss.qualcomm.com>
In-Reply-To: <20260430193858.1178641-1-zachary.mckevitt@oss.qualcomm.com>
References: <20260430193858.1178641-1-zachary.mckevitt@oss.qualcomm.com>
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0

Overall Series Review

Subject: accel/qaic: Add overflow check to remap_pfn_range during mmap
Author: Zack McKevitt <zachary.mckevitt@oss.qualcomm.com>
Patches: 1
Reviewed: 2026-05-05T09:56:03.607793

---

This is a single-patch security fix for the QAIC accelerator driver's `mmap` handler. The vulnerability is real: without bounds checking, `remap_pfn_range()` can map memory beyond the VMA boundary when the BO's scatterlist is larger than the mmap'd region. This leads to use-after-free on `munmap()` since the kernel only tears down the VMA-sized region.

The fix is correct in concept and uses the right overflow-checked arithmetic helpers. There are a few style and logic nits worth addressing.

**Verdict: The fix is sound and important. Minor issues below should be addressed before merge.**

---
Generated by Claude Code Patch Reviewer