From mboxrd@z Thu Jan 1 00:00:00 1970
From: Claude Code Review Bot
To: dri-devel-reviews@example.com
Subject: Claude review: drm/i915/gem: Don't use VMA from wrong VM in EXECBUF
Date: Sun, 12 Apr 2026 12:35:35 +1000
Message-ID:
In-Reply-To: <20260408110551.84120-1-joonas.lahtinen@linux.intel.com>
References: <20260408110551.84120-1-joonas.lahtinen@linux.intel.com>
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

Overall Series Review

Subject: drm/i915/gem: Don't use VMA from wrong VM in EXECBUF
Author: Joonas Lahtinen
Patches: 2
Reviewed: 2026-04-12T12:35:35.504824

---

This is a single-patch fix for a potential use-after-free bug in the i915 EXECBUF VMA lookup fast path. The patch is well-analyzed, with thorough commit message documentation including Sima's historical analysis of the bug's origin, exploitability window, and current status.

**The core bug:** In `eb_lookup_vma()`, when a VMA is found in the radix tree but belongs to the wrong VM (`vma->vm != vm`), the original code fell through without setting `vma = NULL` or acquiring a reference. This left `vma` holding a raw pointer from `radix_tree_lookup()`, which would then be returned to the caller without a refcount via `if (likely(vma)) return vma;` — a potential UAF.

**Note on apply failure:** The patch did not apply cleanly because the current drm-next tree already contains an `else vma = NULL;` branch at this location (lines 901-902), meaning the NULL-assignment part of this fix is already present. The patch is based on an older tree that lacked this `else` branch entirely. What the patch adds beyond the current tree is the `WARN_ON_ONCE` diagnostic.

**Assessment:** The fix is correct and the code change is trivially small. The `WARN_ON_ONCE` is a sensible paranoia check per Sima's suggestion, since proto-contexts should make the condition impossible to trigger on any kernel >= 5.15ish. The Fixes tag correctly points to the commit that introduced the race window. The patch is suitable for stable backport to cover the 2019-2021 window where the bug was exploitable.

---
Generated by Claude Code Patch Reviewer
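
The lookup pattern the review describes, as an added example that is not part of the original message or of the i915 source: a simplified user-space C model showing the lookup with and without the NULL reset on a VM mismatch. Every type and function name is hypothetical, and plain integers stand in for the kernel refcount and the warn-once diagnostic.

```c
#include <stddef.h>

/* Simplified user-space model; every name here is hypothetical, not i915 code. */
struct vm { int id; };
struct vma { struct vm *vm; int refcount; };
typedef struct vma *(*lookup_fn)(struct vma *slot, struct vm *vm);

static int mismatch_warned; /* models a warn-once diagnostic */

/* Take a reference only while the object is still live. */
static struct vma *vma_tryget(struct vma *vma)
{
    if (vma->refcount <= 0)
        return NULL;
    vma->refcount++;
    return vma;
}

/* Unfixed shape: on a VM mismatch the borrowed pointer is returned as-is. */
static struct vma *lookup_unfixed(struct vma *slot, struct vm *vm)
{
    struct vma *vma = slot;            /* borrowed pointer from the lookup */
    if (vma && vma->vm == vm)
        vma = vma_tryget(vma);
    return vma;                        /* mismatch: no reference was taken */
}

/* Fixed shape: any entry that is not a referenced match becomes NULL. */
static struct vma *lookup_fixed(struct vma *slot, struct vm *vm)
{
    if (slot && slot->vm == vm)
        return vma_tryget(slot);
    if (slot)
        mismatch_warned = 1;           /* should-not-happen case: flag it */
    return NULL;
}

/* Returns 1 if fn hands back a pointer without having taken a reference. */
static int returns_unreferenced(lookup_fn fn, int same_vm)
{
    struct vm a = { 1 }, b = { 2 };    /* constructed sample VMs */
    struct vma entry = { &a, 1 };      /* cached entry owned by VM a */
    struct vma *got = fn(&entry, same_vm ? &a : &b);
    return got != NULL && entry.refcount == 1;
}

int main(void) { return returns_unreferenced(lookup_fixed, 0); }
```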