From: Claude Code Review Bot
To: dri-devel-reviews@example.com
Subject: Claude review: fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info
Date: Tue, 05 May 2026 08:15:16 +1000
In-Reply-To: <20260504141938.2378270-1-sashal@kernel.org>
References: <20260504141938.2378270-1-sashal@kernel.org>
X-Mailer: Claude Code Patch Reviewer

Overall Series Review

Subject: fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info
Author: Sasha Levin
Patches: 1
Reviewed: 2026-05-05T08:15:16.910081

---

This is a single patch being backported to 6.18.y stable from upstream commit `9ded47ad003f`. It introduces a reference-counted `struct fb_deferred_io_state` to decouple the lifetime of deferred I/O state from `struct fb_info`, fixing a long-standing use-after-free on device hot-unplug while userspace still holds active framebuffer mappings.

The design is sound: a kref-managed state object is allocated at `fb_deferred_io_init()`, each VMA takes a reference via `vm_ops->open/close`, and the info pointer is NULLed under mutex during cleanup so that subsequent fault/mkwrite accesses return `VM_FAULT_SIGBUS` instead of accessing freed memory.

The stable backport adaptation (`kzalloc_obj` → `kzalloc(sizeof(*fbdefio_state), GFP_KERNEL)`) is correctly noted. The pagereflist, open_count, and mapping remain in their original locations (`fb_deferred_io` / `fb_info`), which is appropriate for a minimal backport — drm-next has since moved those into the state struct in follow-up commits.

**Recommendation: Acceptable for stable.** The patch is a faithful minimal backport of an important fix. The concerns noted below are either pre-existing in the upstream code or relate to follow-up work not included in this backport.
---

Generated by Claude Code Patch Reviewer
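The lifetime scheme the review describes (a refcounted state object, one reference per mapping, `info` detached under the lock so late faults get SIGBUS rather than a use-after-free), as an added userspace model that is not the patch's code: `struct fb_deferred_io_state`, `defio_*` and the plain integer refcount standing in for `kref` are hypothetical simplifications, and the scenario is single-threaded.

```c
#include <pthread.h>
#include <stdlib.h>

#define VM_FAULT_OK     0
#define VM_FAULT_SIGBUS 1

struct fb_info { int id; };              /* stand-in for the real struct */

struct fb_deferred_io_state {
    unsigned int ref;                    /* models the kref (non-atomic here) */
    pthread_mutex_t lock;
    struct fb_info *info;                /* NULLed when the device goes away */
};

static struct fb_deferred_io_state *defio_state_alloc(struct fb_info *info)
{
    struct fb_deferred_io_state *s = calloc(1, sizeof(*s)); /* kzalloc() */
    if (!s) return NULL;
    s->ref = 1;                          /* reference owned by defio init */
    pthread_mutex_init(&s->lock, NULL);
    s->info = info;
    return s;
}

/* vm_ops->open: every mapping holds its own reference */
static void defio_vma_open(struct fb_deferred_io_state *s) { s->ref++; }

/* vm_ops->close and cleanup: drop one reference; returns 1 on final free */
static int defio_state_put(struct fb_deferred_io_state *s)
{
    if (--s->ref) return 0;
    pthread_mutex_destroy(&s->lock);
    free(s);
    return 1;
}

/* device teardown: detach info under the lock, then drop the init reference */
static int defio_cleanup(struct fb_deferred_io_state *s)
{
    pthread_mutex_lock(&s->lock);
    s->info = NULL;
    pthread_mutex_unlock(&s->lock);
    return defio_state_put(s);           /* 0 while a mapping still exists */
}

/* fault/mkwrite path: SIGBUS once info is gone instead of touching freed memory */
static int defio_fault(struct fb_deferred_io_state *s)
{
    pthread_mutex_lock(&s->lock);
    int ret = s->info ? VM_FAULT_OK : VM_FAULT_SIGBUS;
    pthread_mutex_unlock(&s->lock);
    return ret;
}
```

With a mapping still open, unplugging the device leaves the state allocated, a later fault returns SIGBUS, and the final munmap() frees it.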