Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
New issues: - [Critical] The patch incorrectly adds `drm_gem_object_put(obj)` to the success path of `qaic_attach_slice_bo_ioctl`, dropping a reference that is supposed to be owned by the `dbc->bo_lists` list, introducing immediate Use-After-Free and Double-Free vulnerabilities. Pre-existing issues: - [High] Concurrent modifications to the `dbc->bo_lists` list are not protected by mutual exclusion, leading to linked list corruption. -- commit bc2c1f25fbb00a819fac019aaf005f851bd75d49 Author: WenTao Liang <[email protected]> accel/qaic: fix GEM object refcount leak in qaic_attach_slice_bo_ioctl This commit attempts to fix a perceived GEM object reference leak by adding a drm_gem_object_put() call in the success path of qaic_attach_slice_bo_ioctl(). > diff --git a/drivers/accel/qaic/qaic_data.c b/drivers/accel/qaic/qaic_data.c > index ef0351b6dc9b5..46842d4a0848e 100644 > --- a/drivers/accel/qaic/qaic_data.c > +++ b/drivers/accel/qaic/qaic_data.c [ ... ] > @@ -1084,6 +1084,7 @@ int qaic_attach_slice_bo_ioctl(struct drm_device *dev, > void *data, struct drm_fi > > bo->sliced = true; > list_add_tail(&bo->bo_list, &bo->dbc->bo_lists); [Severity: High] This is a pre-existing issue, but does this list_add_tail() race with other concurrent list modifications? The dbc->ch_lock only provides a shared read lock via srcu_read_lock(), and bo->lock is a per-BO mutex. If userspace issues concurrent ioctls on the same DBC with different BOs, wouldn't they simultaneously modify dbc->bo_lists without mutual exclusion? > + drm_gem_object_put(obj); [Severity: Critical] Does adding this put call introduce a use-after-free? The original code appears to transfer the GEM reference to the dbc->bo_lists linked list on success, with detach_slice_bo() releasing it later via drm_gem_object_put(&bo->base): detach_slice_bo() { ... list_del(&bo->bo_list); drm_gem_object_put(&bo->base); ... } If we drop the reference early here, couldn't the BO be freed while still linked in dbc->bo_lists, leading to list corruption during later operations? Additionally, if this put drops the final reference, won't the subsequent mutex_unlock(&bo->lock) operate on a destroyed mutex? > srcu_read_unlock(&dbc->ch_lock, rcu_id); > mutex_unlock(&bo->lock); > kfree(slice_ent); -- Sashiko AI review ยท https://sashiko.dev/#/patchset/[email protected]?part=1
