From mboxrd@z Thu Jan 1 00:00:00 1970
From: Claude Code Review Bot
To: dri-devel-reviews@example.com
Subject: Claude review: misc: fastrpc: fix DMA address corruption due to find_vma misuse
Date: Sat, 16 May 2026 09:24:08 +1000
Message-ID:
In-Reply-To:
References:
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

Patch Review

**Correctness: Good.** The core issue is well-identified. At line 1044 (post-patch):

```c
vma = vma_lookup(current->mm, ctx->args[i].ptr);
if (vma)
	pages[i].addr += (ctx->args[i].ptr & PAGE_MASK) - vma->vm_start;
```

With the old `find_vma()`, if `ctx->args[i].ptr` fell in a hole before the returned VMA, `(ctx->args[i].ptr & PAGE_MASK) - vma->vm_start` would produce a large unsigned underflow, corrupting `pages[i].addr`. With `vma_lookup()`, such cases correctly return NULL and the offset is not applied.

**One observation:** When `vma_lookup()` returns NULL (address not in any VMA), the code silently proceeds with `pages[i].addr` set to the raw `ctx->maps[i]->dma_addr` without any offset, and continues to compute `pages[i].size` based on the pointer. This means a bad user-supplied pointer won't cause an immediate error; it will send a potentially wrong DMA address to the DSP. The existing code had this same "silent fallthrough" behavior with `find_vma()` (the `if (vma)` guard was already there), so this patch doesn't make it worse, but a follow-up that returns an error when `vma_lookup()` returns NULL would be a stronger fix. That said, it's out of scope for this minimal fix and the Fixes/Cc: stable tags are appropriate.

**Commit message: Good.** Clear explanation of the root cause (underflow in the offset calculation), the trigger (address in a gap before the VMA), and the fix (switch to `vma_lookup()`). The Fixes tag correctly references commit `80f3afd72bd4`, which introduced the `find_vma()` usage.

**Tags: Correct.** Cc: stable, Fixes, Reported-by, and Signed-off-by are all present and properly formatted.

**No other issues found.** The patch is a clean one-line change with no side effects.

---
Generated by Claude Code Patch Reviewer
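The underflow the review describes, reproduced as an added user-space model (example code, not part of the review above nor of the fastrpc driver). `struct vma`, `model_find_vma()` and `model_vma_lookup()` are assumed stand-ins for the kernel's `vm_area_struct`, `find_vma()` and `vma_lookup()`, keeping only the fields the arithmetic touches; the two VMAs, the hole between them and the `dma_addr` value are constructed. `page_addr_for()` is the offset step quoted in the review, parameterised on the lookup helper so the pre- and post-patch results can be compared for the same pointer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the fastrpc offset computation. The struct and the
 * two lookup helpers are stand-ins for the kernel's vm_area_struct,
 * find_vma() and vma_lookup(); only the fields the arithmetic uses exist.
 * All addresses are 64-bit unsigned, as pages[i].addr and args[i].ptr are. */

#define PAGE_SHIFT 12
#define PAGE_SIZE  ((uint64_t)1 << PAGE_SHIFT)
#define PAGE_MASK  (~(PAGE_SIZE - 1))

struct vma {
	uint64_t vm_start;
	uint64_t vm_end;	/* exclusive */
};

/* Constructed, sorted address space: two mappings with a hole between them
 * (0x14000..0x20000 is unmapped). */
static const struct vma vmas[] = {
	{ 0x10000, 0x14000 },
	{ 0x20000, 0x28000 },
};
#define NVMAS (sizeof(vmas) / sizeof(vmas[0]))

/* find_vma() semantics: the first VMA whose vm_end is above addr, which
 * is returned even when addr lies in a hole below its vm_start. */
const struct vma *model_find_vma(uint64_t addr)
{
	for (size_t i = 0; i < NVMAS; i++)
		if (vmas[i].vm_end > addr)
			return &vmas[i];
	return NULL;
}

/* vma_lookup() semantics: a VMA only if it actually contains addr. */
const struct vma *model_vma_lookup(uint64_t addr)
{
	const struct vma *v = model_find_vma(addr);

	return (v && addr >= v->vm_start) ? v : NULL;
}

typedef const struct vma *(*lookup_fn)(uint64_t);

/* The offset step quoted in the review (old and new code differ only in the
 * lookup helper): start from the buffer's DMA address and, if a VMA comes
 * back, add the page-aligned distance of ptr from that VMA's start. */
uint64_t page_addr_for(uint64_t dma_addr, uint64_t ptr, lookup_fn lookup)
{
	uint64_t addr = dma_addr;
	const struct vma *vma = lookup(ptr);

	if (vma)
		addr += (ptr & PAGE_MASK) - vma->vm_start;
	return addr;
}

/* True when both lookups yield the same address for ptr, i.e. the patch
 * changes nothing for that pointer. */
int lookups_agree(uint64_t dma_addr, uint64_t ptr)
{
	return page_addr_for(dma_addr, ptr, model_find_vma) ==
	       page_addr_for(dma_addr, ptr, model_vma_lookup);
}

int main(void)
{
	const uint64_t dma = 0x1000;		/* constructed dma_addr of the mapping */
	const uint64_t in_hole = 0x18000;	/* unmapped, below the second VMA */
	const uint64_t in_vma = 0x21000;	/* one page into the second VMA */

	printf("ptr in hole: find_vma   -> %#llx\n",
	       (unsigned long long)page_addr_for(dma, in_hole, model_find_vma));
	printf("ptr in hole: vma_lookup -> %#llx\n",
	       (unsigned long long)page_addr_for(dma, in_hole, model_vma_lookup));
	printf("ptr in VMA:  both       -> %#llx (agree=%d)\n",
	       (unsigned long long)page_addr_for(dma, in_vma, model_find_vma),
	       lookups_agree(dma, in_vma));
	return 0;
}
```

For the pointer in the hole, `model_find_vma()` hands back the second VMA, so `(ptr & PAGE_MASK) - vm_start` is `0x18000 - 0x20000`, which wraps to `0xffffffffffff8000` and drags the DMA address along with it; `model_vma_lookup()` returns NULL, the guard skips the addition and the address stays at the raw `dma_addr`, which is exactly the silent fallthrough the review flags as worth turning into an error in a follow-up. For a pointer inside a VMA the two helpers agree, which is why the patch is safe for every caller that was already passing a valid address.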