From: Claude Code Review Bot
To: dri-devel-reviews@example.com
Subject: Claude review: fbdev: omap2: fix use-after-free in omapfb_mmap
Date: Thu, 04 Jun 2026 13:05:53 +1000
Message-ID:
In-Reply-To: <20260602080415.171378-1-zenghongling@kylinos.cn>
References: <20260602080415.171378-1-zenghongling@kylinos.cn>
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

Overall Series Review

Subject: fbdev: omap2: fix use-after-free in omapfb_mmap
Author: Hongling Zeng
Patches: 1
Reviewed: 2026-06-04T13:05:53.596691

---

This is a single patch fixing a real use-after-free race condition in the omapfb driver's `mmap` path. The analysis in the commit message is accurate and well-explained: `omapfb_mmap()` takes a reference to `rg` via `omapfb_get_mem_region(ofbi->region)`, but then calls `omapfb_get_region_paddr(ofbi)`, which re-dereferences `ofbi->region`, a pointer that can be changed concurrently by `OMAPFB_SETUP_PLANE`. This means `start` and `len` can come from a different region than the one whose `map_count` gets incremented, allowing the actual mapped region to be freed.

The fix is correct in principle: it reads `start` and `len` directly from `rg` (the locked region) rather than going through helpers that re-read `ofbi->region`. This ensures all values are consistent with the region being reference-counted.

**Verdict: The patch is correct and should be accepted**, with one minor observation below.

---

Generated by Claude Code Patch Reviewer
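A deterministic model of the pointer re-read the review describes, added here as an illustration and not taken from the omapfb driver or the patch: the region swap that `OMAPFB_SETUP_PLANE` could perform concurrently is injected at the window between pinning `rg` and reading `start`/`len`, so the buggy and fixed variants can be compared without a real race. All struct and function names are hypothetical simplifications.

```c
#include <stdio.h>

/* Hypothetical model: a framebuffer info struct points at a reference-counted
 * memory region, and an ioctl may replace that pointer while mmap runs. */
struct mem_region { unsigned long paddr; unsigned long size; int map_count; };
struct fb_info_model { struct mem_region *region; };

/* Stands in for the concurrent OMAPFB_SETUP_PLANE; runs inside the race window. */
typedef void (*interleave_fn)(struct fb_info_model *);

static struct mem_region *get_mem_region(struct mem_region *rg) { rg->map_count++; return rg; }
static void put_mem_region(struct mem_region *rg) { rg->map_count--; }
/* Helpers that re-dereference ofbi->region, like the ones the review names. */
static unsigned long get_region_paddr(struct fb_info_model *ofbi) { return ofbi->region->paddr; }
static unsigned long get_region_size(struct fb_info_model *ofbi)  { return ofbi->region->size; }

/* Buggy shape: pins one region, then reads start/len through ofbi->region again. */
static struct mem_region *mmap_buggy(struct fb_info_model *ofbi, interleave_fn race,
                                     unsigned long *start, unsigned long *len)
{
    struct mem_region *rg = get_mem_region(ofbi->region);
    if (race) race(ofbi);               /* ofbi->region changes underneath us */
    *start = get_region_paddr(ofbi);    /* may now describe a different region */
    *len   = get_region_size(ofbi);
    return rg;                          /* caller's put must go to this region */
}

/* Fixed shape: every value comes from the pinned region rg. */
static struct mem_region *mmap_fixed(struct fb_info_model *ofbi, interleave_fn race,
                                     unsigned long *start, unsigned long *len)
{
    struct mem_region *rg = get_mem_region(ofbi->region);
    if (race) race(ofbi);
    *start = rg->paddr;
    *len   = rg->size;
    return rg;
}

/* Constructed scenario: two regions; the injected ioctl switches A -> B. */
static struct mem_region region_a = { 0x80000000UL, 0x100000UL, 0 };
static struct mem_region region_b = { 0x90000000UL, 0x200000UL, 0 };
static void swap_to_b(struct fb_info_model *ofbi) { ofbi->region = &region_b; }

/* Returns 1 when start/len describe the region whose map_count was taken. */
int demo(int fixed)
{
    struct fb_info_model ofbi = { &region_a };
    unsigned long start, len;
    struct mem_region *rg = fixed ? mmap_fixed(&ofbi, swap_to_b, &start, &len)
                                  : mmap_buggy(&ofbi, swap_to_b, &start, &len);
    int consistent = (start == rg->paddr && len == rg->size);
    put_mem_region(rg);
    return consistent;
}

int main(void) { printf("buggy: %d, fixed: %d\n", demo(0), demo(1)); return 0; }
```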