From: sashiko-bot@kernel.org
To: "WenTao Liang" <vulab@iscas.ac.cn>
Cc: dri-devel@lists.freedesktop.org
Subject: Re: [PATCH] fix: accel/qaic: qaic_attach_slice_bo_ioctl: success path missing drm_gem_object_put
Date: Fri, 26 Jun 2026 12:00:28 +0000 [thread overview]
Message-ID: <20260626120029.18CE21F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260626114359.32938-1-vulab@iscas.ac.cn>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
New issues:
- [Critical] Reference count underflow and Use-After-Free (UAF) due to premature GEM object release.
Pre-existing issues:
- [High] Concurrent list operations on `dbc->bo_lists` are not synchronized, leading to list corruption.
--
commit 9afead81ed2f91d5b21fa630783b8bff00c9912d
Author: WenTao Liang <vulab@iscas.ac.cn>
fix: accel/qaic: qaic_attach_slice_bo_ioctl: success path missing drm_gem_object_put
This commit adds a drm_gem_object_put() call to the success path of
qaic_attach_slice_bo_ioctl(). It attempts to prevent a perceived GEM
object reference leak.
> diff --git a/drivers/accel/qaic/qaic_data.c b/drivers/accel/qaic/qaic_data.c
> index ef0351b6dc9b5..46842d4a0848e 100644
> --- a/drivers/accel/qaic/qaic_data.c
> +++ b/drivers/accel/qaic/qaic_data.c
> @@ -1084,6 +1084,7 @@ int qaic_attach_slice_bo_ioctl(struct drm_device *dev, void *data, struct drm_fi
>
> bo->sliced = true;
> list_add_tail(&bo->bo_list, &bo->dbc->bo_lists);
[Severity: High]
This isn't a bug introduced by this patch, but are the list operations on
dbc->bo_lists safely synchronized?
Looking at qaic_attach_slice_bo_ioctl() and detach_slice_bo(), they modify
this list using list_add_tail() and list_del(). However, the only shared
lock held appears to be srcu_read_lock(&dbc->ch_lock), which allows
concurrent readers. The mutex_lock(&bo->lock) only protects the specific BO.
Could concurrent ioctl calls for different BOs on the same dbc corrupt the
list?
> + drm_gem_object_put(obj);
[Severity: Critical]
Does adding this drm_gem_object_put() cause a reference count underflow?
The original code appears to intentionally retain this GEM object reference
because list_add_tail() transfers ownership of the BO to dbc->bo_lists.
Later, detach_slice_bo() explicitly drops this list reference:
drivers/accel/qaic/qaic_data.c:detach_slice_bo() {
...
list_del(&bo->bo_list);
drm_gem_object_put(&bo->base);
...
}
If the reference is dropped here during attachment, could the BO be freed
prematurely while still in dbc->bo_lists, leading to a use-after-free
when release_dbc() iterates over the list?
> srcu_read_unlock(&dbc->ch_lock, rcu_id);
> mutex_unlock(&bo->lock);
> kfree(slice_ent);
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260626114359.32938-1-vulab@iscas.ac.cn?part=1
prev parent reply other threads:[~2026-06-26 12:00 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-26 11:43 [PATCH] fix: accel/qaic: qaic_attach_slice_bo_ioctl: success path missing drm_gem_object_put WenTao Liang
2026-06-26 11:43 ` WenTao Liang
2026-06-26 12:00 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260626120029.18CE21F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=dri-devel@lists.freedesktop.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=vulab@iscas.ac.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.