Re: [PATCH v13 08/17] media: ti: j721e-csi2rx: get number of contexts from device tree

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:

Pre-existing issues:
- [High] The V4L2 async notifier is unregistered after video contexts are destroyed, creating a race condition where the notifier can trigger and access freed contexts.
- [High] The driver uses `devm_kzalloc` for its main structure but exposes video devices to userspace, leading to a Use-After-Free if the device is unbound while file handles remain open.
--

commit 9a0321175e1c07f7aebfefcee8f80ac7be62df13
Author: Pratyush Yadav <p.yadav@ti.com>
Subject: media: ti: j721e-csi2rx: get number of contexts from device tree

This commit updates the driver to determine the number of DMA contexts
dynamically from the device tree's DMA channels, rather than hardcoding it
to 1. It adds validation against the maximum supported contexts and iterates
up to this dynamic count.

> diff --git a/drivers/media/platform/ti/j721e-csi2rx/j721e-csi2rx.c b/drivers/media/platform/ti/j721e-csi2rx/j721e-csi2rx.c
> index e01d95eab19c3..26a8eaa98b3da 100644
> --- a/drivers/media/platform/ti/j721e-csi2rx/j721e-csi2rx.c
> +++ b/drivers/media/platform/ti/j721e-csi2rx/j721e-csi2rx.c
[ ... ]
> @@ -1345,8 +1347,9 @@ static int ti_csi2rx_init_ctx(struct ti_csi2rx_ctx *ctx)
>  
>  static int ti_csi2rx_probe(struct platform_device *pdev)
>  {
> +	struct device_node *np = pdev->dev.of_node;
>  	struct ti_csi2rx_dev *csi;
> -	int ret, i;
> +	int ret = 0, i, count;
>  
>  	csi = devm_kzalloc(&pdev->dev, sizeof(*csi), GFP_KERNEL);

[Severity: High]
This is a pre-existing issue, but does using devm_kzalloc() for the main
structure cause a use-after-free if userspace holds a file descriptor open
during unbind?

The ti_csi2rx_dev structure embeds the video devices which are exposed to
userspace with video_device_release_empty. If userspace keeps a file
descriptor open when the device is unbound, devm will free the structure.

Later access or closure of the file descriptor by userspace could access the
freed video device and destroyed mutex.

[ ... ]
> @@ -1410,7 +1430,7 @@ static void ti_csi2rx_remove(struct platform_device *pdev)
>  	struct ti_csi2rx_dev *csi = platform_get_drvdata(pdev);
>  	unsigned int i;
>  
> -	for (i = 0; i < TI_CSI2RX_NUM_CTX; i++)
> +	for (i = 0; i < csi->num_ctx; i++)
>  		ti_csi2rx_cleanup_ctx(&csi->ctx[i]);
>  
>  	ti_csi2rx_cleanup_notifier(csi);

[Severity: High]
This is a pre-existing issue, but could unregistering the async notifier
after cleaning up the contexts create a race condition?

The contexts are cleaned up via ti_csi2rx_cleanup_ctx() which destroys
the mutex, unregisters the video device, and releases the DMA channel.

If a sensor driver probes concurrently, the V4L2 async matching could
trigger csi_async_notifier_complete() before the notifier is unregistered.
This could cause csi_async_notifier_complete() to register a video device
using a destroyed mutex and released DMA channels, leading to panics if
userspace accesses it.

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260520120022.539913-1-r-donadkar@ti.com?part=8