From: sashiko-bot@kernel.org
To: "Vishnu Reddy" <busanna.reddy@oss.qualcomm.com>
Cc: robh@kernel.org, conor+dt@kernel.org, devicetree@vger.kernel.org
Subject: Re: [PATCH v8 01/12] media: iris: Add iris vpu bus support
Date: Wed, 10 Jun 2026 06:46:15 +0000 [thread overview]
Message-ID: <20260610064615.888111F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260610-glymur-v8-1-1c79b9d51fc0@oss.qualcomm.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Unsafe lifetime assumption for `platform_data` exposes a use-after-free vulnerability during IOMMU deferred probing.
--
commit 9a991f2d1e4dce862e38d602c5406c132a0d5307
Author: Vikash Garodia <vikash.garodia@oss.qualcomm.com>
media: iris: Add iris vpu bus support
On glymur platform, firmware loading needs a separate IOMMU mapping with
its own stream ID. This stream ID is defined in the device tree with the
associated firmware function ID in the iommu-map property. To create this
mapping, a separate child device is needed so the firmware memory can be
isolated in its own IOMMU context.
> diff --git a/drivers/media/platform/qcom/iris/iris_vpu_bus.c b/drivers/media/platform/qcom/iris/iris_vpu_bus.c
> new file mode 100644
> index 0000000000000..e3327b227332a
> --- /dev/null
> +++ b/drivers/media/platform/qcom/iris/iris_vpu_bus.c
> @@ -0,0 +1,61 @@
> +// SPDX-License-Identifier: GPL-2.0-only
> +/*
> + * Copyright (c) Qualcomm Innovation Center, Inc. All rights reserved.
> + */
> +
> +#include <linux/device.h>
> +#include <linux/iris_vpu_bus.h>
> +#include <linux/of_device.h>
> +#include <linux/slab.h>
> +
> +static int iris_vpu_bus_dma_configure(struct device *dev)
> +{
> + const u32 *iommu_fid = (const u32 *)dev_get_platdata(dev);
> +
> + return of_dma_configure_id(dev, dev->parent->of_node, true, iommu_fid);
> +}
[ ... ]
> +struct device *iris_vpu_bus_create_device(struct device *parent_device, const char *name,
> + u64 dma_mask, const u32 *iommu_fid)
> +{
> + struct device *dev;
> + int ret;
> +
> + dev = kzalloc_obj(*dev);
> + if (!dev)
> + return ERR_PTR(-ENOMEM);
> +
> + dev->release = iris_vpu_bus_release_device;
> + dev->bus = &iris_vpu_bus_type;
> + dev->parent = parent_device;
> + dev->coherent_dma_mask = dma_mask;
> + dev->dma_mask = &dev->coherent_dma_mask;
> + dev->platform_data = (void *)iommu_fid;
[Severity: High]
Does this create a use-after-free risk during deferred probing?
If the caller (such as iris_glymur_init_cb_devs()) passes a pointer to a
local stack variable, and the IOMMU driver defers probe,
iris_vpu_bus_dma_configure() will be called again asynchronously when the
IOMMU driver initializes.
Since we store the raw pointer here instead of taking the value or copying
the data, could of_dma_configure_id() dereference invalid stack memory if
the caller's stack frame has already been popped?
> + dev_set_name(dev, "%s", name);
> +
> + ret = device_register(dev);
> + if (ret) {
> + put_device(dev);
> + return ERR_PTR(ret);
> + }
> +
> + return dev;
> +}
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260610-glymur-v8-0-1c79b9d51fc0@oss.qualcomm.com?part=1
next prev parent reply other threads:[~2026-06-10 6:46 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-10 6:29 [PATCH v8 00/12] media: iris: Add support for glymur platform Vishnu Reddy
2026-06-10 6:29 ` [PATCH v8 01/12] media: iris: Add iris vpu bus support Vishnu Reddy
2026-06-10 6:46 ` sashiko-bot [this message]
2026-06-10 6:29 ` [PATCH v8 02/12] iommu: Add iris-vpu-bus to iommu_buses Vishnu Reddy
2026-06-10 6:29 ` [PATCH v8 03/12] dt-bindings: media: qcom,glymur-iris: Add glymur video codec Vishnu Reddy
2026-06-10 6:29 ` [PATCH v8 04/12] media: iris: Add context bank hooks for platform specific initialization Vishnu Reddy
2026-06-10 6:40 ` sashiko-bot
2026-06-10 6:29 ` [PATCH v8 05/12] media: iris: Enable Secure PAS support with IOMMU managed by Linux Vishnu Reddy
2026-06-10 6:45 ` sashiko-bot
2026-06-10 6:29 ` [PATCH v8 06/12] media: iris: Replace enum-indexed clock and power domain tables with per-block structures Vishnu Reddy
2026-06-10 6:49 ` sashiko-bot
2026-06-10 6:29 ` [PATCH v8 07/12] media: iris: Add power sequence for glymur Vishnu Reddy
2026-06-10 6:46 ` sashiko-bot
2026-06-10 6:29 ` [PATCH v8 08/12] media: iris: Handle CPU_CS_SCIACMDARG3 register write via program bootup registers hook Vishnu Reddy
2026-06-10 6:40 ` sashiko-bot
2026-06-10 6:29 ` [PATCH v8 09/12] media: iris: Add support to select core for dual core platforms Vishnu Reddy
2026-06-10 6:53 ` sashiko-bot
2026-06-10 6:29 ` [PATCH v8 10/12] media: iris: Add platform data for glymur Vishnu Reddy
2026-06-10 6:54 ` sashiko-bot
2026-06-10 6:29 ` [PATCH v8 11/12] arm64: dts: qcom: glymur: Add iris video node Vishnu Reddy
2026-06-10 8:44 ` Bryan O'Donoghue
2026-06-10 6:29 ` [PATCH v8 12/12] arm64: dts: qcom: glymur-crd: Enable iris video codec node Vishnu Reddy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260610064615.888111F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=busanna.reddy@oss.qualcomm.com \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.