Claude review: accel/qaic: Add overflow check to remap_pfn_range during mmap

[Claude Code Review Bot <claude-review@example.com>]

Patch Review

**Positive aspects:**
- Correctly identifies a real security bug (CWE-787 / out-of-bounds mapping).
- Uses `check_add_overflow()` / `check_sub_overflow()` rather than hand-rolled arithmetic — good practice for kernel code.
- The truncation logic and early-exit on `length == 0` are correct.

**Issues:**

1. **Coding style: missing braces on `else` branch (kernel style violation)**

```c
			if (remap_end > vma->vm_end) {
				if (check_sub_overflow(vma->vm_end, remap_start, &length))
					return -EINVAL;
			} else
				length = sg->length;
```

The kernel coding style (Documentation/process/coding-style.rst §3) requires that if one branch of an `if/else` uses braces, the other must too. The `if` block has braces but the `else` does not. Should be:

```c
			} else {
				length = sg->length;
			}
```

This will trip `checkpatch.pl` warnings.

2. **Comment typo: spurious "so"**

```c
			/* if sg is too large for the VMA, so truncate it to fit */
```

Should be either "if sg is too large for the VMA, truncate it to fit" or "sg is too large for the VMA, so truncate it to fit". Currently it reads as a mashup of both.

3. **`return -EINVAL` inside a `for` loop that iterates over DMA mappings — potential cleanup concern**

The original code jumps to `goto out` on error (which just returns `ret`). The new overflow checks use `return -EINVAL` directly:

```c
			if (check_add_overflow(vma->vm_start, offset, &remap_start))
				return -EINVAL;
			if (check_add_overflow(remap_start, sg->length, &remap_end))
				return -EINVAL;
			...
				if (check_sub_overflow(vma->vm_end, remap_start, &length))
					return -EINVAL;
```

In the current code this is fine because there's no cleanup needed in the `out:` label — it just does `return ret`. However, mixing `return` and `goto out` in the same function is a maintenance hazard; if someone later adds cleanup to the `out:` path (e.g., for partial unmap on error), these early returns would bypass it. Consider changing these to `ret = -EINVAL; goto out;` for consistency.

4. **The overflow checks on `vma->vm_start + offset` are arguably redundant**

`remap_start = vma->vm_start + offset` cannot overflow if the loop is functioning correctly, because `offset` only grows by amounts that were already verified to fit within `[vm_start, vm_end)`. After the truncation, `offset += length` where `length ≤ vma->vm_end - remap_start`, so offset stays bounded. The first `check_add_overflow` is therefore defensive — not harmful, but also not strictly necessary since `offset` is already bounded by prior iterations. The second `check_add_overflow` (for `remap_end`) is more valuable since `sg->length` comes from the scatterlist and is the untrusted quantity.

This isn't a request to remove them — belt-and-suspenders is fine for a security fix — just noting that the real protection comes from the `remap_end > vma->vm_end` comparison and the truncation.

5. **Minor: `sg->length` is `unsigned int`, mixed with `unsigned long` arithmetic**

`check_add_overflow(remap_start, sg->length, &remap_end)` mixes `unsigned long` and `unsigned int`. The `check_add_overflow` macro handles type promotion correctly in modern kernels, so this works, but it's worth noting that `sg->length` is implicitly widened.

**Summary:** The fix is correct and addresses a real vulnerability. The style issues (missing braces, comment typo) should be fixed before merge. Consider using `goto out` instead of direct `return` for consistency with the function's existing error-handling pattern.

---
Generated by Claude Code Patch Reviewer