Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:

- [High] The `struct device` objects embedded in `host1x_memory_context` are allocated as a contiguous array and freed synchronously via `kfree(cdl->devs)` on error paths and teardown, violating device lifecycle rules.

--
commit a5e361c6f75f05af608f6d934522d035e2ecb31b
Author: Mikko Perttunen <[email protected]>

gpu: host1x: Correctly parse linear ranges of context devices

The previous parsing of the iommu-map property assumed each context device has its own one-length entry in the device tree. This patch updates the logic to support linear ranges by properly summing the lengths.

> diff --git a/drivers/gpu/host1x/context.c b/drivers/gpu/host1x/context.c > index d50d41c205617..52ca663902ad1 100644 > --- a/drivers/gpu/host1x/context.c > +++ b/drivers/gpu/host1x/context.c [ ... ]
> @@ -34,7 +34,16 @@ int host1x_memory_context_list_init(struct host1x *host1x) > if (err < 0) > return 0; > > - cdl->len = err / 4; > + devs = 0; > + > + for (i = 0; i < err / 4; i++) { > + u32 length; > + > + of_property_read_u32_index(node, "iommu-map", i * 4 + 3, > &length); > + devs += length; > + } > + > + cdl->len = devs; > cdl->devs = kzalloc_objs(*cdl->devs, cdl->len);

[Severity: High] This is a pre-existing issue, but allocating struct device objects as a contiguous array and synchronously freeing them can lead to a use-after-free.

When host1x_memory_context_list_init() fails later on, it jumps to the unreg_devices label:

    unreg_devices:
        while (i--)
            device_unregister(&cdl->devs[i].dev);
        kfree(cdl->devs);

Calling device_unregister() drops a reference, but does not guarantee the reference count drops to zero immediately. If another subsystem or userspace holds an asynchronous reference, kfree() will prematurely free the entire array while those references are still active. Later, when the final reference is dropped, the kernel will attempt to invoke the host1x_memory_context_release() callback on the already freed memory.

Can the individual context devices be allocated separately to allow them to have independent lifecycles managed by their respective release callbacks?

--
Sashiko AI review · https://sashiko.dev/#/patchset/[email protected]?part=3
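Review bot: in the new loop, the return value of of_property_read_u32_index() is ignored and `u32 length;` has no initializer, so a failed read of entry `i * 4 + 3` (a short or malformed iommu-map) adds an indeterminate value to `devs`, which then becomes cdl->len and sizes the `kzalloc_objs(*cdl->devs, cdl->len)` allocation. Check the return value before accumulating, for example `err = of_property_read_u32_index(...); if (err) return err;` (or skip the entry), and consider rejecting a final `devs` of 0 so the caller does not proceed with an empty device list.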
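As an added illustration of the separate-allocation approach the review asks about (constructed userspace C, not host1x or driver-core code; `struct dev`, `put_dev` and `teardown_with_holder` are names assumed here), each context is its own allocation with its own release callback, so the list dropping its references cannot free an object another holder still uses.

```c
#include <stdlib.h>
#include <stddef.h>
/* Constructed userspace model of the struct device refcount/release contract;
 * not the host1x or driver-core code. */
struct dev {
	int refcount;
	void (*release)(struct dev *d);
};

struct memory_context {
	struct dev dev;		/* embedded, as in host1x_memory_context */
};

static int g_released;		/* release callbacks that have run */
static void get_dev(struct dev *d) { d->refcount++; }

/* put_device analogue: only the final reference runs release(). */
static void put_dev(struct dev *d)
{
	if (--d->refcount == 0)
		d->release(d);
}

/* Per-object release: frees this context only, never a shared array. */
static void memory_context_release(struct dev *d)
{
	g_released++;
	free((char *)d - offsetof(struct memory_context, dev));
}

/* Allocate n contexts separately, let an external holder take an extra
 * reference on context `held`, then tear the list down like unreg_devices
 * (one put per device). Returns how many contexts were actually released. */
static int teardown_with_holder(int n, int held, struct dev **holder)
{
	struct memory_context **ctxs = calloc(n, sizeof(*ctxs));
	g_released = 0;
	for (int i = 0; i < n; i++) {
		ctxs[i] = calloc(1, sizeof(*ctxs[i]));
		ctxs[i]->dev.refcount = 1;	/* reference owned by the list */
		ctxs[i]->dev.release = memory_context_release;
	}
	get_dev(&ctxs[held]->dev);	/* another subsystem still uses it */
	*holder = &ctxs[held]->dev;
	for (int i = 0; i < n; i++)
		put_dev(&ctxs[i]->dev);	/* list drops its references */
	free(ctxs);			/* only the pointer table goes away */
	return g_released;
}
```

The held context survives the teardown and is released only when the holder's final put runs, which is the lifecycle the review describes for a per-device release callback.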
