From mboxrd@z Thu Jan  1 00:00:00 1970
From: Claude Code Review Bot <claude-review@example.com>
To: dri-devel-reviews@example.com
Subject: Claude review: Fix use-after-free on framebuffers and property blobs when calling drm_dev_unplug
Date: Sat, 14 Mar 2026 06:45:34 +1000
Message-ID: <review-overall-20260313151728.14990-3-dev@lankhorst.se>
In-Reply-To: <20260313151728.14990-3-dev@lankhorst.se>
References: <20260313151728.14990-3-dev@lankhorst.se>
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

Overall Series Review

Subject: Fix use-after-free on framebuffers and property blobs when calling=
 drm_dev_unplug
Author: Maarten Lankhorst <dev@lankhorst.se>
Patches: 2
Reviewed: 2026-03-14T06:45:34.233027

---

This single-patch series addresses a real use-after-free bug that occurs du=
ring `drm_dev_unplug` (hot-unplug / module reload) when userspace clients s=
till have open file descriptors. The race is: the device gets torn down via=
 `drm_mode_config_cleanup()` which frees framebuffers and blobs, but then u=
serspace closes its fd and `drm_file_free()` tries to walk the now-freed `f=
ilp_head`/`head_file` lists =E2=80=94 resulting in the oopses shown in the =
commit message.

The approach has the right idea =E2=80=94 skip the fb/blob cleanup in `drm_=
file_free` when the device is already unplugged =E2=80=94 but there are sev=
eral concerns with the implementation.

---
Generated by Claude Code Patch Reviewer