Re: [PATCH v13 05/17] media: ti: j721e-csi2rx: allocate DMA channel based on context index

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Asymmetric teardown order in device removal causes the context to be destroyed before the async notifier is unregistered, leading to a Use-After-Free.
--

commit 01daa1621b3fa2d32690b729a7af218eef61295a
Author: Pratyush Yadav <p.yadav@ti.com>

media: ti: j721e-csi2rx: allocate DMA channel based on context index

With multiple contexts, there needs to be a different DMA channel for
each context. Earlier, the DMA channel name was hard coded to "rx0" for
the sake of simplicity. Generate the DMA channel name based on its index
and get the channel corresponding to the context.

> diff --git a/drivers/media/platform/ti/j721e-csi2rx/j721e-csi2rx.c b/drivers/media/platform/ti/j721e-csi2rx/j721e-csi2rx.c
> index 4adfae425f192..c781b312cea82 100644
> --- a/drivers/media/platform/ti/j721e-csi2rx/j721e-csi2rx.c
> +++ b/drivers/media/platform/ti/j721e-csi2rx/j721e-csi2rx.c
> @@ -1036,9 +1036,11 @@ static int ti_csi2rx_init_dma(struct ti_csi2rx_ctx *ctx)
>  	struct dma_slave_config cfg = {
>  		.src_addr_width = DMA_SLAVE_BUSWIDTH_16_BYTES,
>  	};
> +	char name[5];
>  	int ret;
>  
> -	ctx->dma.chan = dma_request_chan(ctx->csi->dev, "rx0");
> +	snprintf(name, sizeof(name), "rx%u", ctx->idx);
> +	ctx->dma.chan = dma_request_chan(ctx->csi->dev, name);
>  	if (IS_ERR(ctx->dma.chan))
>  		return PTR_ERR(ctx->dma.chan);
>  

[Severity: High]
This isn't a bug introduced by this patch, but I noticed a potential
use-after-free regression regarding context cleanup during device removal
that was not fixed by subsequent commits in this patch series.

In ti_csi2rx_remove(), ti_csi2rx_cleanup_ctx() is called before
ti_csi2rx_cleanup_notifier():

drivers/media/platform/ti/j721e-csi2rx/j721e-csi2rx.c:ti_csi2rx_remove() {
	...
	for (i = 0; i < TI_CSI2RX_NUM_CTX; i++)
		ti_csi2rx_cleanup_ctx(&csi->ctx[i]);

	ti_csi2rx_cleanup_notifier(csi);
	...
}

If a subdevice probes concurrently and triggers the async notifier completion
callback, the callback will attempt to register video devices for contexts
that have already had their resources (such as mutexes, DMA channels, and
vb2_queues) destroyed by ti_csi2rx_cleanup_ctx().

If userspace opens this newly registered video node, it will access freed
memory and destroyed locks, which could result in a use-after-free or memory
corruption.

Should the async notifier be unregistered before cleaning up the context
resources to ensure proper synchronization?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260520120022.539913-1-r-donadkar@ti.com?part=5