From mboxrd@z Thu Jan 1 00:00:00 1970 From: Claude Code Review Bot To: dri-devel-reviews@example.com Subject: Claude review: gpu/drm/drm_syncobj: fix syncobj refcount leak on invalid flags in find_fence Date: Mon, 25 May 2026 16:51:16 +1000 Message-ID: In-Reply-To: <20260525023324.3883862-1-vulab@iscas.ac.cn> References: <20260525023324.3883862-1-vulab@iscas.ac.cn> <20260525023324.3883862-1-vulab@iscas.ac.cn> X-Mailer: Claude Code Patch Reviewer Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Patch Review **The flags check (first hunk) =E2=80=94 there IS a real refcount leak here= , but the fix is wrong:** The patch author correctly identifies that when `drm_syncobj_find()` return= s a valid (non-NULL) syncobj and then the flags check fails, the original `= return -EINVAL` leaks the reference. That much is a real bug. However, the fix converts this to `goto out`, which unconditionally calls `= drm_syncobj_put(syncobj)`. The problem is that `syncobj` may be NULL =E2=80= =94 `drm_syncobj_find()` can return NULL for an invalid handle. In that cas= e, `goto out` calls `drm_syncobj_put(NULL)`, which dereferences `NULL->refc= ount` via `kref_put()`: ```c static inline void drm_syncobj_put(struct drm_syncobj *obj) { kref_put(&obj->refcount, drm_syncobj_free); // NULL deref if obj is NU= LL } ``` So the flags check fix trades a refcount leak for a potential kernel NULL p= ointer dereference (which is worse). **The `!syncobj` check (second hunk) =E2=80=94 actively introduces a crash:= ** The original code: ```c if (!syncobj) return -ENOENT; ``` This is **correct as-is** =E2=80=94 if `syncobj` is NULL, there is no refer= ence to release, so returning directly is the right thing to do. The patch = changes this to: ```c if (!syncobj) { ret =3D -ENOENT; goto out; } ``` This is a **clear NULL pointer dereference bug**. When `syncobj` is NULL, j= umping to `out` calls `drm_syncobj_put(NULL)`, which will crash the kernel. **Correct fix would be:** The flags check should be moved **before** the `drm_syncobj_find()` call, o= r the `out` label needs to be guarded with a NULL check: ```c out: if (syncobj) drm_syncobj_put(syncobj); return ret; ``` Alternatively, simply reorder the flags check to come before the `drm_synco= bj_find()` call so no reference has been taken yet. **Verdict: NAK.** The patch introduces a NULL pointer dereference that is s= trictly worse than the refcount leak it attempts to fix. The `!syncobj` got= o is an unconditional crasher. The Cc: stable tag makes this especially con= cerning, as it would propagate a crashing bug into stable kernels. --- Generated by Claude Code Patch Reviewer