From mboxrd@z Thu Jan 1 00:00:00 1970
From: Claude Code Review Bot
To: dri-devel-reviews@example.com
Subject: Claude review: misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context
Date: Thu, 30 Apr 2026 10:52:17 +1000
Message-ID:
In-Reply-To: <20260427074021.3774769-1-anandu.e@oss.qualcomm.com>
References: <20260427074021.3774769-1-anandu.e@oss.qualcomm.com>
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

Overall Series Review

Subject: misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context
Author: Anandu Krishnan E
Patches: 1
Reviewed: 2026-04-30T10:52:17.356682

---

This single-patch series adds kref-based reference counting to `fastrpc_user` to fix a real use-after-free race: when a user closes the file descriptor while a DSP invocation is still in flight, `fastrpc_device_release()` frees the `fastrpc_user` structure, and then the workqueue-scheduled `fastrpc_context_free()` dereferences the freed user through `ctx->fl`. The approach — have each invoke context take a user reference at allocation and release it at context free — is correct in principle and follows the existing kref pattern already used for `fastrpc_channel_ctx` and `fastrpc_invoke_ctx`.

However, the patch has two bugs: a **kref initialization ordering issue** and, more seriously, a **use-after-free on the pending context list** in the new `fastrpc_user_free()`. The latter is a direct consequence of moving the pending-list cleanup into the kref release callback without accounting for the fact that contexts freed via the workqueue path are `kfree()`'d without being removed from `fl->pending`. The result is that `fastrpc_user_free()` iterates a list containing already-freed entries — trading one UAF for another.

The fix is close but needs another revision to address these issues before it can be merged.

---

---
Generated by Claude Code Patch Reviewer
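As an added illustration that is not part of the review above and not the fastrpc driver's own code: a small userspace C model of the lifetime rule the review endorses (each in-flight context holds a reference on the user object from allocation to free, so closing the fd cannot free the user underneath a pending completion) together with the ordering the review flags as missing, namely unlinking a context from the pending list before it is freed and before its reference is dropped. All names (`model_user`, `model_ctx`, `ctx_alloc`, `ctx_free`, `user_close`, `run_close_with_inflight`) and the hand-rolled intrusive list are assumptions of this model, not kernel APIs; locking is omitted because the model is single-threaded, whereas the real driver must hold the user's lock around the list operations.

```c
#include <assert.h>
#include <stdlib.h>

/* Hypothetical userspace model of the kref + pending-list pattern. Names
 * mirror the review's terminology but are local to this example. */

struct list_node {
    struct list_node *prev, *next;
};

static void list_init(struct list_node *h) { h->prev = h->next = h; }
static void list_add(struct list_node *n, struct list_node *h)
{
    n->next = h->next; n->prev = h; h->next->prev = n; h->next = n;
}
static void list_del(struct list_node *n)
{
    n->prev->next = n->next; n->next->prev = n->prev;
    n->prev = n->next = NULL;
}
static int list_empty(const struct list_node *h) { return h->next == h; }

struct model_user {
    int refcount;              /* stands in for struct kref */
    struct list_node pending;  /* contexts still in flight */
    int fd_open;
};

struct model_ctx {
    struct list_node node;
    struct model_user *fl;     /* reference held from alloc to free */
};

static int g_user_freed;       /* how many times the user was released */

static void user_get(struct model_user *fl) { fl->refcount++; }

/* Release callback: runs only after the last context dropped its reference,
 * so by construction no live context points at fl and pending is empty.
 * If a context were ever freed without being unlinked first, this list
 * would hold a dangling entry, which is the defect the review describes. */
static void user_release(struct model_user *fl)
{
    assert(list_empty(&fl->pending));
    g_user_freed++;
    free(fl);
}

static void user_put(struct model_user *fl)
{
    if (--fl->refcount == 0)
        user_release(fl);
}

/* open(): the file itself holds the initial reference. */
struct model_user *user_open(void)
{
    struct model_user *fl = calloc(1, sizeof *fl);
    fl->refcount = 1;
    list_init(&fl->pending);
    fl->fd_open = 1;
    return fl;
}

/* Each invoke context pins the user for as long as it exists. */
struct model_ctx *ctx_alloc(struct model_user *fl)
{
    struct model_ctx *ctx = calloc(1, sizeof *ctx);
    ctx->fl = fl;
    user_get(fl);
    list_add(&ctx->node, &fl->pending);
    return ctx;
}

/* Workqueue-path free: unlink from fl->pending BEFORE freeing the context
 * and dropping the reference, so the release path never walks freed memory. */
void ctx_free(struct model_ctx *ctx)
{
    struct model_user *fl = ctx->fl;
    list_del(&ctx->node);
    free(ctx);
    user_put(fl);
}

/* release(): closing the fd drops only the file's reference; the user
 * object survives until the last in-flight context completes. */
void user_close(struct model_user *fl)
{
    fl->fd_open = 0;
    user_put(fl);
}

/* Scenario: two contexts in flight, fd closed, then completions arrive.
 * Returns a digit per checkpoint: freed-after-close, freed-after-first-
 * completion, freed-after-last-completion (expected 0, 0, 1 -> 1). */
int run_close_with_inflight(void)
{
    g_user_freed = 0;
    struct model_user *fl = user_open();
    struct model_ctx *a = ctx_alloc(fl), *b = ctx_alloc(fl);
    user_close(fl);                         /* refcount 3 -> 2, still alive */
    int freed_after_close = g_user_freed;
    ctx_free(a);                            /* refcount 2 -> 1 */
    int freed_after_first = g_user_freed;
    ctx_free(b);                            /* refcount 1 -> 0, release runs */
    return freed_after_close * 100 + freed_after_first * 10 + g_user_freed;
}
```

The assertion in `user_release` is the check a reviewer would want in the real release callback: if the pending list is not empty when the last reference goes away, some context still references the user and the reference accounting is wrong. Moving list cleanup into the release callback, as the review describes, only works if every path that frees a context also unlinks it first.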