From mboxrd@z Thu Jan 1 00:00:00 1970
From: Claude Code Review Bot
To: dri-devel-reviews@example.com
Subject: Claude review: accel/rocket: Fix drm_mm UAF on close vs in-flight job
Date: Tue, 28 Apr 2026 15:18:19 +1000
Message-ID:
In-Reply-To: <20260426103758.1373137-1-gye976@gmail.com>
References: <20260426103758.1373137-1-gye976@gmail.com>
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

Overall Series Review

Subject: accel/rocket: Fix drm_mm UAF on close vs in-flight job
Author: gyeyoung baek
Patches: 1
Reviewed: 2026-04-28T15:18:19.348685

---

This is a single-patch fix for a real use-after-free bug in the `accel/rocket` NPU driver. The core insight is correct: `drm_mm` and its mutex were embedded in `rocket_file_priv`, which is freed in `rocket_postclose()` on fd close — but BO destructors running from the scheduler's `free_job` worker still need to call `drm_mm_remove_node()` against that same allocator, causing a UAF. Moving these into the kref-managed `rocket_vm` struct (which jobs and BOs hold references to) is the right fix.

The rename from `rocket_iommu_domain` to `rocket_vm` is clean and improves clarity. The mechanical changes are consistent across all six files.

However, there are two pre-existing bugs that this patch carries forward without fixing, and one of them interacts with the new code. These should be addressed either here or in follow-up patches.

**Verdict**: Correct fix for the stated UAF, but needs at least the `drm_mm_insert_node_generic` error-handling issue fixed before merging.

---

---
Generated by Claude Code Patch Reviewer
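
The lifetime rule the review describes, as an added user-space example that is not code from the patch, the driver, or the reviewer: the allocator state lives in a reference-counted object that each BO pins, so closing the file before the job's BO is destroyed does not free it. All names (`struct vm`, `struct bo`, `vm_put`, `close_before_job_done`) are hypothetical stand-ins, and a plain counter models the `drm_mm` node bookkeeping.

```c
#include <stdlib.h>

/* Hypothetical user-space model; names are illustrative, not the driver's. */
struct vm {                 /* stands in for the refcounted rocket_vm */
    int refs;
    int nodes;              /* stands in for the drm_mm allocator state */
    int *freed;             /* set to 1 when the final put releases the vm */
};
struct bo { struct vm *vm; };   /* each BO pins the vm that owns its node */

static struct vm *vm_create(int *freed) {
    struct vm *vm = calloc(1, sizeof(*vm));
    if (vm) { vm->refs = 1; vm->freed = freed; }
    return vm;
}
static struct vm *vm_get(struct vm *vm) { vm->refs++; return vm; }
static void vm_put(struct vm *vm) {
    if (--vm->refs == 0) { *vm->freed = 1; free(vm); }
}

static struct bo *bo_create(struct vm *vm) {
    struct bo *bo = malloc(sizeof(*bo));
    if (!bo) return NULL;
    bo->vm = vm_get(vm);    /* reference taken before the node is inserted */
    vm->nodes++;            /* models inserting a node into the allocator */
    return bo;
}
static void bo_free(struct bo *bo) {
    bo->vm->nodes--;        /* models removing the node: vm must be alive */
    vm_put(bo->vm);         /* may be the final reference */
    free(bo);
}

/* Returns 1 if the allocator outlives fd close and the last BO releases it. */
static int close_before_job_done(void) {
    int freed = 0;
    struct vm *vm = vm_create(&freed);        /* file open */
    struct bo *bo = vm ? bo_create(vm) : NULL; /* BO of an in-flight job */
    if (!bo) { if (vm) vm_put(vm); return -1; }
    vm_put(vm);                               /* fd close drops the file's ref */
    int alive_after_close = !freed;
    bo_free(bo);                              /* later: job-free path destroys BO */
    return alive_after_close && freed;
}

int main(void) { return close_before_job_done() == 1 ? 0 : 1; }
```

If the allocator were instead embedded in the per-file structure, the `vm_put()` at close would be an unconditional free and `bo_free()` would touch released memory, which is the ordering the review identifies.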