From mboxrd@z Thu Jan 1 00:00:00 1970
From: Claude Code Review Bot
To: dri-devel-reviews@example.com
Subject: Claude review: accel/amdxdna: Fix user buffer VMA checking and page pinning locking
Date: Sat, 16 May 2026 08:54:21 +1000
Message-ID:
In-Reply-To: <20260515155423.743134-1-lizhi.hou@amd.com>
References: <20260515155423.743134-1-lizhi.hou@amd.com>
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

Overall Series Review

Subject: accel/amdxdna: Fix user buffer VMA checking and page pinning locking
Author: Lizhi Hou
Patches: 1
Reviewed: 2026-05-16T08:54:21.992526

---

This is a single-patch fix addressing a real **TOCTOU (time-of-check-time-of-use) vulnerability** in the amdxdna accelerator driver's user buffer handling. The core problem was that VMA permission checking (`readonly_va_entry`) and page pinning (`pin_user_pages_fast`) were done without a common lock, allowing an attacker to modify the VMA (via `mprotect`, `munmap`/`mmap`, etc.) between the check and the pin.

The fix is well-targeted and correct in its approach:

1. Holds `mmap_read_lock` across **both** the VMA permission check and the page pinning.
2. Switches from `pin_user_pages_fast` to `pin_user_pages`, which expects the caller to already hold `mmap_read_lock`.
3. Adds `VM_MAYWRITE` to the writability check to close a `mprotect`-based bypass.

The error paths are correctly restructured (goto → break, with unlock before cleanup jump). The locking semantics are consistent with the GUP API contract.

**One minor concern** exists (detailed below) but overall this is a sound security fix that should be accepted.

---
Generated by Claude Code Patch Reviewer