From mboxrd@z Thu Jan  1 00:00:00 1970
From: Claude Code Review Bot <claude-review@example.com>
To: dri-devel-reviews@example.com
Subject: Claude review: accel/rocket: fix NULL dereference and integer overflow in rocket_job_push()
Date: Mon, 25 May 2026 17:04:16 +1000
Message-ID: <review-overall-20260524155716.90955-1-meatuni001@gmail.com>
In-Reply-To: <20260524155716.90955-1-meatuni001@gmail.com>
References: <20260524155716.90955-1-meatuni001@gmail.com>
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

Overall Series Review

Subject: accel/rocket: fix NULL dereference and integer overflow in rocket_=
job_push()
Author: Muhammad Bilal <meatuni001@gmail.com>
Patches: 1
Reviewed: 2026-05-25T17:04:16.545445

---

This is a single-patch fix for the `accel/rocket` driver addressing two rea=
l bugs in `rocket_job_push()`: a missing NULL check after `kvmalloc_array()=
` and a potential u32 overflow when summing userspace-controlled `in_bo_cou=
nt` and `out_bo_count`. Both bugs are legitimate =E2=80=94 `in_bo_count` an=
d `out_bo_count` are directly assigned from userspace IOCTL fields (`job->i=
n_bo_handle_count`, `job->out_bo_handle_count`) at `rocket_job.c:573` and `=
:580` with no bounds checking, so the overflow path is reachable.

The fix is correct, minimal, and well-targeted. The commit message is clear=
 and accurately describes both issues. The `Fixes:` tag and `Cc: stable` ar=
e appropriate.

**Verdict: Patch looks good.** One minor nit below, but nothing blocking.

---
Generated by Claude Code Patch Reviewer