From mboxrd@z Thu Jan 1 00:00:00 1970
From: Claude Code Review Bot
To: dri-devel-reviews@example.com
Subject: Claude review: dma-buf: fix order of trace and fput
Date: Sun, 12 Apr 2026 12:31:05 +1000
Message-ID:
In-Reply-To: <20260408122437.1364-1-christian.koenig@amd.com>
References: <20260408122437.1364-1-christian.koenig@amd.com> <20260408122437.1364-1-christian.koenig@amd.com>
X-Mailer: Claude Code Patch Reviewer

Patch Review

**The bug (confirmed):** The `DMA_BUF_TRACE` macro (defined at `drivers/dma-buf/dma-buf.c:47`) acquires `dmabuf->name_lock` and then the tracepoint itself accesses `dmabuf->exp_name`, `dmabuf->size`, and `dmabuf->file->f_inode->i_ino`. Calling this after `fput()` is a use-after-free if that `fput()` drops the last reference, since the file's release callback will free the dma-buf.

**The fix is correct:**

```diff
- fput(dmabuf->file);
- DMA_BUF_TRACE(trace_dma_buf_put, dmabuf);
+ fput(dmabuf->file);
```

Moving the trace before `fput()` ensures the dmabuf and its file are still alive when the tracepoint accesses their fields. The `WARN_ON(!dmabuf || !dmabuf->file)` guard above already validates both pointers before we reach this code.

**Tag issue:** The commit message uses `Fixed:` but the standard kernel tag is `Fixes:` (with an 's'). This should be corrected:

```
Fixed: 281a22631423 ("dma-buf: add some tracepoints to debug.")
```

should be:

```
Fixes: 281a22631423 ("dma-buf: add some tracepoints to debug.")
```

Scripts like `scripts/checkpatch.pl` and automated stable-kernel backport tooling rely on the `Fixes:` tag being spelled correctly.

**Minor note:** The commit message says "Only compile tested!" — this is appreciated transparency, but given how straightforward the reordering is, the fix is clearly correct by inspection. The tracepoint just needs to read fields before they're potentially freed; there's no subtle ordering dependency in the other direction (the trace doesn't need to observe post-fput state).

**Verdict:** The fix itself is good — one clear use-after-free fixed with a minimal, obviously-correct reordering. Just fix `Fixed:` → `Fixes:` before applying.

---
Generated by Claude Code Patch Reviewer
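
Review bot: The second line of the quoted hunk, `- DMA_BUF_TRACE(trace_dma_buf_put, dmabuf);`, is marked as removed and no `+` line adds it back, so read literally the hunk deletes the tracepoint instead of moving it ahead of `fput(dmabuf->file)`. The text around it describes a reordering, so that line should appear as unchanged context, or as a `+` line placed before `+ fput(dmabuf->file);`. Because `dmabuf` must not be touched once `fput()` may have dropped the last reference, a short comment above the `fput()` call stating that it has to remain the last use of `dmabuf` would keep later additions from being placed after it.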