Re: [PATCH v5 05/16] media: iris: add vpu op hook to disable ARP buffer

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Permanent memory leak of DMA buffers in `iris_core_init()` on hardware response timeout, which can be repeatedly triggered from userspace.
--

commit 3a7fc135bf016aef8f9196cb8a7b617066640e5c
Author: Dikshita Agarwal <dikshita.agarwal@oss.qualcomm.com>

media: iris: add vpu op hook to disable ARP buffer

This patch adds an optional disable_arp callback to the VPU operations
to disable the ARP internal buffer on AR50LT platforms. The callback is
invoked during the core initialization and power management resume paths.

> diff --git a/drivers/media/platform/qcom/iris/iris_core.c b/drivers/media/platform/qcom/iris/iris_core.c
> index 52bf56e517f91..bd22076f35576 100644
> --- a/drivers/media/platform/qcom/iris/iris_core.c
> +++ b/drivers/media/platform/qcom/iris/iris_core.c
[ ... ]
> @@ -78,6 +79,9 @@ int iris_core_init(struct iris_core *core)
>  	if (ret)
>  		goto error_unload_fw;
>  
> +	if (vpu_ops->disable_arp)
> +		vpu_ops->disable_arp(core);
> +
>  	core->iris_firmware_data->init_hfi_ops(core);
>  
>  	ret = iris_hfi_core_init(core);

[Severity: High]
This is a pre-existing issue, but could the error handling in
iris_core_init() permanently leak DMA buffers?

If iris_wait_for_system_response() times out at the end of this function,
it sets the state to IRIS_CORE_ERROR and returns a timeout error, but the
DMA memory allocated earlier by iris_hfi_queues_init() is not freed.

A subsequent initialization attempt would then trigger this path:

    } else if (core->state == IRIS_CORE_ERROR) {
        ret = -EINVAL;
        goto error;
    }
    ...
error:
    core->state = IRIS_CORE_DEINIT;

This transitions the state to IRIS_CORE_DEINIT and still does not free
the memory.

If a third initialization call is made, iris_core_init() proceeds with
normal setup because the state is now IRIS_CORE_DEINIT. It will call
iris_hfi_queues_init() again, overwriting core->iface_q_table_vaddr and
core->sfr_vaddr, leaking the previously allocated contiguous DMA memory.

Is there a missing cleanup path for the DMA queues when a system response
timeout occurs, or should the transition from IRIS_CORE_ERROR explicitly
handle freeing these resources?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260616-iris-ar50lt-v5-0-583b42770b6a@oss.qualcomm.com?part=5