From mboxrd@z Thu Jan 1 00:00:00 1970
From: Claude Code Review Bot
To: dri-devel-reviews@example.com
Subject: Claude review: dma-buf: fix UAF in dma_buf_fd() tracepoint
Date: Mon, 25 May 2026 17:28:46 +1000
Message-ID:
In-Reply-To: <20260523181446.69525-1-devnexen@gmail.com>
References: <20260523181446.69525-1-devnexen@gmail.com>
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

Overall Series Review

Subject: dma-buf: fix UAF in dma_buf_fd() tracepoint
Author: David Carlier
Patches: 1
Reviewed: 2026-05-25T17:28:46.572678

---

This is a single-patch fix for a real UAF (use-after-free) bug in the dma-buf subsystem, reported by syzbot. The analysis is correct: `FD_ADD()` atomically allocates an fd and installs the file, meaning the fd is live and closeable before the `DMA_BUF_TRACE()` tracepoint runs. A racing `close()` on the fd can free the `dma_buf`, and then the tracepoint dereferences `dmabuf->name_lock` — slab-use-after-free.

The fix is sound: split `FD_ADD()` back into `get_unused_fd_flags()` + `fd_install()`, placing the tracepoint between them. While the fd slot is reserved but has a NULL file pointer, a concurrent `close()` returns `-EBADF` without entering `__fput()`, so the `dma_buf` remains alive during the trace. This is the same pattern already used for the `dma_buf_put()` tracepoint (commit 2d76319c4cbb).

The patch is clean, minimal, well-explained, and appropriate for stable backport. No concerns.

---
Generated by Claude Code Patch Reviewer
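The ordering argument above, as an added userspace model that is not kernel code and not part of the reviewed patch: a constructed fd table and buffer stand in for the kernel's, the `_m` helpers mimic `get_unused_fd_flags()`, `fd_install()`, `close()` and `DMA_BUF_TRACE()`, and a "freed" flag replaces an actual `free()` so the old ordering's use-after-free is observable without undefined behaviour.

```c
#include <errno.h>
#include <string.h>

/* Constructed model of the fd-table ordering discussed in the review.
 * Not kernel code; the _m helpers only mimic the kernel functions. */
#define NR_FDS 4

struct dma_buf_m { int refcount; int freed; int name_lock; };
struct fdtable_m { struct dma_buf_m *file[NR_FDS]; int reserved[NR_FDS]; };
struct outcome { int close_ret; int uaf; };

static struct fdtable_m table;

/* Reserve an fd slot; the file pointer stays NULL until fd_install(). */
static int get_unused_fd_m(void)
{
	for (int i = 0; i < NR_FDS; i++)
		if (!table.reserved[i]) { table.reserved[i] = 1; return i; }
	return -EMFILE;
}

static void fd_install_m(int fd, struct dma_buf_m *buf) { table.file[fd] = buf; }

/* close(): a reserved slot with no file yields -EBADF and never reaches
 * __fput(); an installed file drops the last reference and the buffer is
 * "freed" (marked, rather than free()d, to keep the model defined). */
static int close_m(int fd)
{
	struct dma_buf_m *buf = table.file[fd];
	if (!buf) return -EBADF;
	table.file[fd] = NULL; table.reserved[fd] = 0;
	if (--buf->refcount == 0) buf->freed = 1;
	return 0;
}

/* DMA_BUF_TRACE() stand-in: dereferences name_lock, reports if buf is freed. */
static int trace_m(struct dma_buf_m *buf)
{
	if (buf->freed) return 1;
	(void)buf->name_lock;
	return 0;
}

/* dma_buf_fd() with a close() racing in the window before the tracepoint.
 * fixed=0: FD_ADD() installs before the trace (old code);
 * fixed=1: reserve, trace, then fd_install() (the fix). */
struct outcome run_scenario(int fixed)
{
	struct dma_buf_m buf = { .refcount = 1 };
	struct outcome out = { 0, 0 };
	memset(&table, 0, sizeof table);
	int fd = get_unused_fd_m();
	if (!fixed) fd_install_m(fd, &buf);   /* fd is live and closeable here */
	out.close_ret = close_m(fd);          /* racing close() from another thread */
	out.uaf = trace_m(&buf);              /* tracepoint dereferences buf */
	if (fixed) fd_install_m(fd, &buf);
	return out;
}
```

With the old ordering the racing close succeeds and the trace touches a freed buffer; with the fixed ordering the close fails with -EBADF and the buffer is intact.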