From mboxrd@z Thu Jan 1 00:00:00 1970
From: Claude Code Review Bot
To: dri-devel-reviews@example.com
Subject: Claude review: drm/amdgpu: fix use-after-free in userq signal/wait IOCTLs
Date: Tue, 10 Mar 2026 12:44:42 +1000
Message-ID:
In-Reply-To: <20260309022229.63071-1-chenyuan_mi@163.com>
References: <20260309022229.63071-1-chenyuan_mi@163.com>
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

Overall Series Review

Subject: drm/amdgpu: fix use-after-free in userq signal/wait IOCTLs
Author: Chenyuan Mi
Patches: 5
Reviewed: 2026-03-10T12:44:42.922557

---

This 2-patch series aims to fix use-after-free bugs in the amdgpu userqueue signal and wait IOCTLs by adding mutex protection around queue lookups. The identified race conditions are real: without lifetime protection, a concurrent `AMDGPU_USERQ_OP_FREE` can destroy a queue between `xa_load()` and subsequent dereferences.

**However, these patches are based on an older version of the code and are already superseded by changes in the current drm-next tree.** The current tree (as seen at `amdgpu_userq_fence.c:522` and `:866`) has replaced the raw `xa_load()` calls with `amdgpu_userq_get()`/`amdgpu_userq_put()`, which use `kref` refcounting to protect the queue lifetime. This refcounting approach is a better fix — it takes a reference under the xa_lock, preventing the queue from being freed while in use, without needing to hold `userq_mutex` across the entire operation.

**Recommendation: NAK — these patches are not needed against current drm-next.**

---
Generated by Claude Code Patch Reviewer
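
Added example, not part of the review above and not the amdgpu source: a userspace C model of the lookup-plus-reference pattern the review describes, where the reference is taken inside the same locked section as the lookup. All names here (`userq_get`, `userq_put`, `userq_free_op`, the array table and the spinlock) are hypothetical stand-ins for `amdgpu_userq_get()`/`amdgpu_userq_put()`, the xarray and `xa_lock`.

```c
/* Userspace model with constructed data; names are hypothetical, not the driver's code. */
#include <stdatomic.h>
#include <stdlib.h>

#define MAX_QUEUES 8
struct userq {
    atomic_int refcount;   /* stands in for struct kref */
    int doorbell;          /* sample payload read by the "ioctl" */
};
static struct userq *table[MAX_QUEUES];           /* stands in for the xarray */
static atomic_flag table_lock = ATOMIC_FLAG_INIT; /* stands in for xa_lock */
static int destroyed;                             /* number of objects released */

static void lock(void)   { while (atomic_flag_test_and_set(&table_lock)) { } }
static void unlock(void) { atomic_flag_clear(&table_lock); }

int userq_create(int id, int doorbell) {
    if (id < 0 || id >= MAX_QUEUES) return -1;
    struct userq *q = malloc(sizeof(*q));
    if (!q) return -1;
    atomic_init(&q->refcount, 1);   /* the table's own reference */
    q->doorbell = doorbell;
    lock();
    if (table[id]) { unlock(); free(q); return -1; }
    table[id] = q;
    unlock();
    return 0;
}
/* Drop one reference; whoever drops the last one frees the object. */
void userq_put(struct userq *q) {
    if (atomic_fetch_sub(&q->refcount, 1) == 1) { destroyed++; free(q); }
}
/* Lookup and reference acquisition share one locked section, so the
 * free path cannot run between them. */
struct userq *userq_get(int id) {
    if (id < 0 || id >= MAX_QUEUES) return NULL;
    lock();
    struct userq *q = table[id];
    if (q) atomic_fetch_add(&q->refcount, 1);
    unlock();
    return q;
}
/* Free path: unpublish under the lock, then drop the table's reference. */
int userq_free_op(int id) {
    if (id < 0 || id >= MAX_QUEUES) return -1;
    lock();
    struct userq *q = table[id];
    table[id] = NULL;
    unlock();
    if (!q) return -1;
    userq_put(q);
    return 0;
}
```

A caller that holds the pointer from `userq_get()` can keep dereferencing it after `userq_free_op()` has run; the memory is released only by the matching `userq_put()`.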