From: Claude Code Review Bot <claude-review@example.com>
To: dri-devel-reviews@example.com
Subject: Claude review: drm/panthor: Fix a race in the shrinker logic
Date: Thu, 07 May 2026 13:31:55 +1000
Message-ID: <review-overall-20260506-panthor-shrinker-fixes-v1-0-e7721526de96@collabora.com>
In-Reply-To: <20260506-panthor-shrinker-fixes-v1-0-e7721526de96@collabora.com>
Overall Series Review
Subject: drm/panthor: Fix a race in the shrinker logic
Author: Boris Brezillon <boris.brezillon@collabora.com>
Patches: 9
Reviewed: 2026-05-07T13:31:55.806526
---
This is a well-analyzed and cleanly structured 3-patch series from Boris Brezillon fixing a real race condition between `drm_gem_lru_remove()` and `drm_gem_lru_scan()` in the DRM GEM LRU/shrinker infrastructure. The core problem: `drm_gem_lru_remove()` reads `obj->lru` without the LRU lock, but `drm_gem_lru_scan()` temporarily moves objects to a stack-allocated `still_in_lru` LRU — if the timing is wrong, `drm_gem_lru_remove()` dereferences a stale pointer to a stack object that no longer exists (UAF).
The series is logically ordered: (1) fix the panthor driver to stop using the racy API, (2) fix a second race in the core `drm_gem_lru_scan()`, (3) remove the racy `drm_gem_lru_remove()` entirely. All three patches have Reviewed-by from the reporter (Chia-I Wu). The approach is sound — rather than trying to make `drm_gem_lru_remove()` safe (which would require external locking that defeats its purpose), the series eliminates the problematic API.
The series looks good to me and ready to merge. One minor concern noted below in Patch 2.
---
Generated by Claude Code Patch Reviewer
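
The interleaving described in the review above, replayed deterministically in a userspace model. This is an added example, not code from the series or from the kernel: every name is hypothetical, and the `alive` flag stands in for the lifetime of the scanner's stack-allocated list. The locked variant only shows why the read of `obj->lru` has to happen under the lock; it is not the fix the series applies.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
/* Userspace model; every name here is hypothetical, none is kernel code. */
struct lru { bool alive; int count; };  /* alive == false: owning stack frame returned */
struct obj { struct lru *lru; };
enum outcome { REMOVED_OK, STALE_LRU_USED };

/* Move o onto list l (NULL means "on no list"), keeping counts consistent. */
static void lru_move(struct lru *l, struct obj *o)
{
    if (o->lru)
        o->lru->count--;
    o->lru = l;
    if (l)
        l->count++;
}

/* Second half of the remove: act on the list pointer read earlier. */
static enum outcome remove_commit(struct lru *snap, struct obj *o)
{
    if (snap && !snap->alive)
        return STALE_LRU_USED;  /* in real code: use-after-free on a dead frame */
    lru_move(NULL, o);
    return REMOVED_OK;
}

/* Replay one fixed interleaving of scanner and remover. */
enum outcome replay(bool read_under_lock)
{
    struct lru real = { true, 0 }, tmp = { true, 0 };
    struct obj o = { NULL };
    struct lru *snap = NULL;
    lru_move(&real, &o);
    lru_move(&tmp, &o);         /* scanner parks the object on its temporary list */
    if (!read_under_lock)
        snap = o.lru;           /* remover reads obj->lru while the scan is running */
    lru_move(&real, &o);        /* scanner puts the object back ... */
    tmp.alive = false;          /* ... and its temporary list goes out of scope */
    if (read_under_lock)
        snap = o.lru;           /* remover had to wait for the lock: sees the real list */
    return remove_commit(snap, &o);
}

int main(void)
{
    printf("unlocked=%d locked=%d\n", replay(false), replay(true));
    return 0;
}
```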