From: Claude Code Review Bot <claude-review@example.com>
To: dri-devel-reviews@example.com
Subject: Claude review: gpu/buddy: Fix use-after-free in split_block() call sites
Date: Sat, 16 May 2026 14:58:07 +1000
Message-ID: <review-patch1-20260511164217.150237-2-francois.dugast@intel.com>
In-Reply-To: <20260511164217.150237-2-francois.dugast@intel.com>
Patch Review
**Assessment: Correct and well-explained fix.**
The commit message clearly describes the two distinct failure modes: (1) use-after-free when the buddy is also free and coalescing frees a block whose `rb` is still linked, and (2) rbtree corruption when `mark_free()` → `rbtree_insert()` is called on a block that's already in the tree.
The root cause is that `split_block()` only calls `mark_split()` (which does `rbtree_remove()`) **after** both child allocations succeed (line 514 of the current tree). On failure, the block remains FREE and linked in the rbtree.
All four err_undo sites are fixed consistently:
```c
+ rbtree_remove(mm, block);
__gpu_buddy_free(mm, block, false);
```
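Review bot: the added `rbtree_remove(mm, block);` is unconditional at each err_undo label, so every path that reaches the label must arrive with the block still linked; the two-line excerpt does not show that, and a second `rbtree_remove()` on a block that `mark_split()` had already unlinked would corrupt the tree just as the double insert this fixes does. The stated reasoning (split_block() only calls mark_split() after both child allocations succeed, so a failed split leaves the block FREE and in the tree) supports the unconditional remove; a one-line comment at the label stating that invariant would document why it is safe and would also cover the `alloc_from_freetree` site that lacks the "make sure we merge everything back" comment.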
This matches the existing pattern in `__force_merge()` (current tree line 337):
```c
rbtree_remove(mm, block);
...
order = __gpu_buddy_free(mm, block, true);
```
**Nit:** The `alloc_from_freetree` err_undo path has no buddy guard — it unconditionally calls `__gpu_buddy_free` when `tmp != order`. This is fine because the block IS free (failed split left it free) and `__gpu_buddy_free` handles unmerge-able blocks correctly by just calling `mark_free()` at the bottom. But a brief comment like the other three sites' "make sure we merge everything back" would make the asymmetry less surprising.
**Tag concern:** `Assisted-by: GitHub Copilot:claude-sonnet-4.6` — this is not a recognized kernel tag. The kernel community generally uses `Reported-by`, `Suggested-by`, `Reviewed-by`, etc. Some maintainers may object to this. Consider whether this needs a different format or should be a `Link:` or trailer note instead.
**Cc: stable?** This is a real use-after-free bug. If it can be triggered from userspace (large alloc that forces split_block to fail due to memory pressure), it likely warrants a `Cc: stable@vger.kernel.org` tag and a `Fixes:` tag pointing to the commit that introduced the err_undo paths.
---
Generated by Claude Code Patch Reviewer
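The two failure modes the review describes, modelled in a toy C program. This is an added example, not the kernel's gpu/buddy code or the patch under review: the free structure is a singly linked list standing in for the rbtree, `list_remove()`/`mark_free()`/`buddy_free()`/`release()` are assumed stand-ins for `rbtree_remove()`/`mark_free()`/`__gpu_buddy_free()`/`kfree()`, and the three-block pool (a split parent with children `blk` and `buddy`) is a constructed fixture. `err_undo_after_failed_split()` replays the err_undo path with and without the patch's unlink and reports whether the free structure ends up pointing at freed memory (buddy free, coalescing case), whether `mark_free()` was asked to re-insert a linked block (buddy allocated, no-merge case), or whether it is sound.

```c
#include <stdio.h>

enum blk_state { BLK_FREE, BLK_SPLIT, BLK_ALLOCATED };

struct block {
    enum blk_state state;
    struct block *parent, *left, *right;
    struct block *next;  /* free-structure link: stands in for the rbtree node */
    int linked;          /* 1 while the block is in the free structure */
    int freed;           /* 1 after the simulated kfree(); any later access is a UAF */
};

static struct block *free_head;            /* free structure (a list here, not an rbtree) */
static struct block parent, blk, buddy;    /* constructed pool: parent split into blk and buddy */

static void list_insert(struct block *b)
{
    b->next = free_head;
    free_head = b;
    b->linked = 1;
}

static void list_remove(struct block *b)   /* plays the role of rbtree_remove() */
{
    struct block **pp;
    for (pp = &free_head; *pp; pp = &(*pp)->next) {
        if (*pp == b) {
            *pp = b->next;
            break;
        }
    }
    b->next = NULL;
    b->linked = 0;
}

/* mark_free(): the block becomes FREE and is inserted into the free structure.
 * Inserting a block that is already linked is the "rbtree corruption" case. */
static int mark_free(struct block *b)
{
    b->state = BLK_FREE;
    if (b->linked)
        return -1;
    list_insert(b);
    return 0;
}

static void release(struct block *b)       /* simulated kfree() of a block descriptor */
{
    b->freed = 1;
}

static struct block *get_buddy(struct block *b)
{
    return b == b->parent->left ? b->parent->right : b->parent->left;
}

/* Coalescing free: while the buddy is also free, both children are released and
 * the parent becomes the block to free. If the caller left b linked, releasing b
 * leaves the free structure pointing at freed memory. */
static int buddy_free(struct block *b)
{
    while (b->parent) {
        struct block *bud = get_buddy(b);
        if (bud->state != BLK_FREE)
            break;
        list_remove(bud);
        release(bud);
        release(b);
        b = b->parent;
    }
    return mark_free(b);
}

/* Walk the free structure as a later allocation would; 1 if it reaches a freed block. */
static int free_structure_touches_freed(void)
{
    struct block *b;
    for (b = free_head; b; b = b->next)
        if (b->freed)
            return 1;
    return 0;
}

/* Replay err_undo after split_block(&blk) failed: blk is still FREE and linked
 * because mark_split() never ran. Returns 0 if the free structure is sound,
 * 1 if a freed block is reachable from it (use-after-free), 2 if mark_free()
 * was asked to insert an already linked block (tree corruption). */
int err_undo_after_failed_split(int buddy_is_free, int apply_fix)
{
    free_head = NULL;
    parent = (struct block){ .state = BLK_SPLIT, .left = &blk, .right = &buddy };
    blk    = (struct block){ .state = BLK_FREE, .parent = &parent };
    buddy  = (struct block){ .state = buddy_is_free ? BLK_FREE : BLK_ALLOCATED, .parent = &parent };
    list_insert(&blk);
    if (buddy_is_free)
        list_insert(&buddy);

    if (apply_fix)
        list_remove(&blk);        /* the patch's added rbtree_remove(mm, block) */
    if (buddy_free(&blk) < 0)     /* __gpu_buddy_free(mm, block, false) */
        return 2;
    return free_structure_touches_freed() ? 1 : 0;
}

int main(void)
{
    printf("buggy, buddy free:      %d\n", err_undo_after_failed_split(1, 0));
    printf("buggy, buddy allocated: %d\n", err_undo_after_failed_split(0, 0));
    printf("fixed, buddy free:      %d\n", err_undo_after_failed_split(1, 1));
    printf("fixed, buddy allocated: %d\n", err_undo_after_failed_split(0, 1));
    return 0;
}
```

The model deliberately flags the freed block instead of really freeing it, so the dangling reference is detected by a walk rather than by undefined behaviour; with the real allocator the same walk is what a subsequent allocation performs over the rbtree, which is why KASAN would report the access as a use-after-free.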
Thread overview: 9+ messages
2026-05-11 16:41 [PATCH v2 0/3] gpu/buddy: Per-order free and used block scoreboards Francois Dugast
2026-05-11 16:41 ` [PATCH v2 1/3] gpu/buddy: Fix use-after-free in split_block() call sites Francois Dugast
2026-05-16 4:58 ` Claude Code Review Bot [this message]
2026-05-11 16:41 ` [PATCH v2 2/3] gpu/buddy: Track per-order free blocks with a scoreboard Francois Dugast
2026-05-15 15:50 ` Matthew Auld
2026-05-16 4:58 ` Claude review: " Claude Code Review Bot
2026-05-11 16:41 ` [PATCH v2 3/3] gpu/buddy: Track per-order used " Francois Dugast
2026-05-16 4:58 ` Claude review: " Claude Code Review Bot
2026-05-16 4:58 ` Claude review: gpu/buddy: Per-order free and used block scoreboards Claude Code Review Bot