From mboxrd@z Thu Jan 1 00:00:00 1970 From: Claude Code Review Bot To: dri-devel-reviews@example.com Subject: Claude review: accel/qaic: Add overflow check to remap_pfn_range during mmap Date: Tue, 05 May 2026 09:56:03 +1000 Message-ID: In-Reply-To: <20260430193858.1178641-1-zachary.mckevitt@oss.qualcomm.com> References: <20260430193858.1178641-1-zachary.mckevitt@oss.qualcomm.com> <20260430193858.1178641-1-zachary.mckevitt@oss.qualcomm.com> X-Mailer: Claude Code Patch Reviewer Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Patch Review **Positive aspects:** - Correctly identifies a real security bug (CWE-787 / out-of-bounds mapping= ). - Uses `check_add_overflow()` / `check_sub_overflow()` rather than hand-rol= led arithmetic =E2=80=94 good practice for kernel code. - The truncation logic and early-exit on `length =3D=3D 0` are correct. **Issues:** 1. **Coding style: missing braces on `else` branch (kernel style violation)= ** ```c if (remap_end > vma->vm_end) { if (check_sub_overflow(vma->vm_end, remap_start, &length)) return -EINVAL; } else length =3D sg->length; ``` The kernel coding style (Documentation/process/coding-style.rst =C2=A73) re= quires that if one branch of an `if/else` uses braces, the other must too. = The `if` block has braces but the `else` does not. Should be: ```c } else { length =3D sg->length; } ``` This will trip `checkpatch.pl` warnings. 2. **Comment typo: spurious "so"** ```c /* if sg is too large for the VMA, so truncate it to fit */ ``` Should be either "if sg is too large for the VMA, truncate it to fit" or "s= g is too large for the VMA, so truncate it to fit". Currently it reads as a= mashup of both. 3. **`return -EINVAL` inside a `for` loop that iterates over DMA mappings = =E2=80=94 potential cleanup concern** The original code jumps to `goto out` on error (which just returns `ret`). = The new overflow checks use `return -EINVAL` directly: ```c if (check_add_overflow(vma->vm_start, offset, &remap_start)) return -EINVAL; if (check_add_overflow(remap_start, sg->length, &remap_end)) return -EINVAL; ... if (check_sub_overflow(vma->vm_end, remap_start, &length)) return -EINVAL; ``` In the current code this is fine because there's no cleanup needed in the `= out:` label =E2=80=94 it just does `return ret`. However, mixing `return` a= nd `goto out` in the same function is a maintenance hazard; if someone late= r adds cleanup to the `out:` path (e.g., for partial unmap on error), these= early returns would bypass it. Consider changing these to `ret =3D -EINVAL= ; goto out;` for consistency. 4. **The overflow checks on `vma->vm_start + offset` are arguably redundant= ** `remap_start =3D vma->vm_start + offset` cannot overflow if the loop is fun= ctioning correctly, because `offset` only grows by amounts that were alread= y verified to fit within `[vm_start, vm_end)`. After the truncation, `offse= t +=3D length` where `length =E2=89=A4 vma->vm_end - remap_start`, so offse= t stays bounded. The first `check_add_overflow` is therefore defensive =E2= =80=94 not harmful, but also not strictly necessary since `offset` is alrea= dy bounded by prior iterations. The second `check_add_overflow` (for `remap= _end`) is more valuable since `sg->length` comes from the scatterlist and i= s the untrusted quantity. This isn't a request to remove them =E2=80=94 belt-and-suspenders is fine f= or a security fix =E2=80=94 just noting that the real protection comes from= the `remap_end > vma->vm_end` comparison and the truncation. 5. **Minor: `sg->length` is `unsigned int`, mixed with `unsigned long` arit= hmetic** `check_add_overflow(remap_start, sg->length, &remap_end)` mixes `unsigned l= ong` and `unsigned int`. The `check_add_overflow` macro handles type promot= ion correctly in modern kernels, so this works, but it's worth noting that = `sg->length` is implicitly widened. **Summary:** The fix is correct and addresses a real vulnerability. The sty= le issues (missing braces, comment typo) should be fixed before merge. Cons= ider using `goto out` instead of direct `return` for consistency with the f= unction's existing error-handling pattern. --- Generated by Claude Code Patch Reviewer