From: Claude Code Review Bot
To: dri-devel-reviews@example.com
Subject: Claude review: dma-buf: fix UAF in dma_buf_fd() tracepoint
Date: Mon, 25 May 2026 17:28:46 +1000
In-Reply-To: <20260523181446.69525-1-devnexen@gmail.com>
References: <20260523181446.69525-1-devnexen@gmail.com>

Patch Review

**Correctness: Good.** The race condition is real and the fix is correct. Looking at the `DMA_BUF_TRACE` macro (lines 47-54 of `dma-buf.c`):

```c
#define DMA_BUF_TRACE(FUNC, ...) \
	do { \
		if (IS_ENABLED(CONFIG_LOCKDEP) || FUNC##_enabled()) { \
			guard(spinlock)(&dmabuf->name_lock); \
			FUNC(__VA_ARGS__); \
		} \
	} while (0)
```

This takes `dmabuf->name_lock`, so `dmabuf` must be alive when the tracepoint fires. With `FD_ADD()`, the file is already installed and visible to other threads, so a racing `close()` can trigger `__fput()` → release → free before the tracepoint runs.

The fix correctly places the tracepoint in the window between `get_unused_fd_flags()` (fd reserved, not yet populated) and `fd_install()` (fd becomes live):

```c
fd = get_unused_fd_flags(flags);
if (fd < 0)
	return fd;
DMA_BUF_TRACE(trace_dma_buf_fd, dmabuf, fd);
fd_install(fd, dmabuf->file);
```

**Error handling: Correct.** The `fd < 0` check properly handles `get_unused_fd_flags()` failure and returns the error. No file reference leak since `dmabuf->file` hasn't been consumed yet at that point.

**Consistency:** This matches the pattern used by `dma_buf_put()` at line 852, where the tracepoint fires before `fput()` to avoid the same class of UAF.
**Commit message: Excellent.** Clear description of the race, the fix mechanism, references to the prior analogous fix, proper Fixes/Cc-stable/Reported-by tags, and correctly identifies the original commit that introduced the tracepoints as the Fixes target rather than the `FD_ADD()` conversion (since the bug predates `FD_ADD()` — it just became more visible with it).

**Stable tag:** `Cc: stable@vger.kernel.org # 7.0.x` — appropriate since the `FD_ADD()` conversion happened recently and this is the tree where the regression manifests.

**No issues found.** This is a clean, correct fix ready for merge.

---
Generated by Claude Code Patch Reviewer
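To make the ordering argument in the review concrete, here is an added example (not part of the review, the patch or the kernel): a single-threaded C model of one fd-table slot in the three states the review names (free, reserved, populated), with a simulated `close()` racing at the same point in both orderings. The `sim_*`, `old_order_trace_ok` and `new_order_trace_ok` names and the slot model are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed model of the race described above (added example, not code from
 * the patch or the kernel): one fd slot that is free, reserved, or populated.
 * A racing close() is modelled by calling sim_close() at a chosen point. */
struct sim_dmabuf { int refcount; bool freed; };
struct sim_fdtable { bool reserved; struct sim_dmabuf *file; };

/* get_unused_fd_flags(): hands out a number, table entry stays NULL */
static int sim_get_unused_fd(struct sim_fdtable *t) {
	if (t->reserved) return -24;    /* -EMFILE */
	t->reserved = true; t->file = NULL;
	return 3;
}

/* fd_install(): the fd becomes visible to other threads */
static void sim_fd_install(struct sim_fdtable *t, struct sim_dmabuf *b) { t->file = b; }

/* close(): a reserved-but-unpopulated slot is -EBADF and releases nothing;
 * a populated slot drops the reference and frees the object at zero. */
static int sim_close(struct sim_fdtable *t) {
	struct sim_dmabuf *b = t->file;
	if (!t->reserved || !b) return -9;  /* -EBADF */
	t->file = NULL; t->reserved = false;
	if (--b->refcount == 0) b->freed = true;  /* __fput() -> release -> free */
	return 0;
}

/* The tracepoint takes dmabuf->name_lock: touching a freed object is the UAF. */
static bool sim_trace_ok(const struct sim_dmabuf *b) { return !b->freed; }

/* Original order: fd_install(), racing close(), then the tracepoint. */
bool old_order_trace_ok(int *close_ret) {
	struct sim_dmabuf buf = { .refcount = 1 };
	struct sim_fdtable tbl = { false, NULL };
	if (sim_get_unused_fd(&tbl) < 0) return false;
	sim_fd_install(&tbl, &buf);
	*close_ret = sim_close(&tbl);   /* 0: last reference dropped, buf freed */
	return sim_trace_ok(&buf);      /* false: use-after-free */
}

/* Fixed order: tracepoint inside the reserved-but-unpopulated window. */
bool new_order_trace_ok(int *close_ret) {
	struct sim_dmabuf buf = { .refcount = 1 };
	struct sim_fdtable tbl = { false, NULL };
	if (sim_get_unused_fd(&tbl) < 0) return false;
	*close_ret = sim_close(&tbl);   /* -EBADF: nothing installed yet */
	bool ok = sim_trace_ok(&buf);   /* true: buf still alive */
	sim_fd_install(&tbl, &buf);
	return ok;
}
```

The model is sequential, so it shows why the window is safe (a reserved fd has no file to release) rather than reproducing the timing; the real race needs a second thread.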