[PATCH] gpu: host1x: Fix device reference leak in host1x_device_parse_dt() error path

[PATCH] gpu: host1x: Fix device reference leak in host1x_device_parse_dt() error path

[Guangshuo Li]

After device_initialize(), the embedded struct device in struct
host1x_device should be released through the device core with
put_device().

In host1x_device_add(), if host1x_device_parse_dt() fails, the current
error path frees the object directly with kfree(device). That bypasses
the normal device lifetime handling and leaks the reference held on the
embedded struct device.

Fix this by using put_device() in the host1x_device_parse_dt() failure
path.

Fixes: f4c5cf88fbd50 ("gpu: host1x: Provide a proper struct bus_type")
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
---
 drivers/gpu/host1x/bus.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/host1x/bus.c b/drivers/gpu/host1x/bus.c
index 723a80895cd4..f97567e6ae87 100644
--- a/drivers/gpu/host1x/bus.c
+++ b/drivers/gpu/host1x/bus.c
@@ -452,7 +452,7 @@ static int host1x_device_add(struct host1x *host1x,
 
 	err = host1x_device_parse_dt(device, driver);
 	if (err < 0) {
-		kfree(device);
+		put_device(&device->dev);
 		return err;
 	}
 
-- 
2.43.0

Claude review: gpu: host1x: Fix device reference leak in host1x_device_parse_dt() error path

[Claude Code Review Bot]

Overall Series Review

Subject: gpu: host1x: Fix device reference leak in host1x_device_parse_dt() error path
Author: Guangshuo Li <lgs201920130244@gmail.com>
Patches: 1
Reviewed: 2026-04-13T19:12:54.751886

---

This is a single-patch fix for a device reference handling bug in the host1x bus driver. The analysis is correct and the fix is appropriate. After `device_initialize()` sets up the embedded `struct device` (including refcount = 1 and kobject internals), the proper teardown path is `put_device()`, not a raw `kfree()`. The patch is minimal, well-targeted, and the commit message adequately explains the rationale.

**Verdict: The patch is correct and should be accepted.**

---

---
Generated by Claude Code Patch Reviewer

Claude review: gpu: host1x: Fix device reference leak in host1x_device_parse_dt() error path

[Claude Code Review Bot]

Patch Review

**Analysis of the bug:**

In `host1x_device_add()` (bus.c:454), the allocation and initialization sequence is:

```c
device = kzalloc_obj(*device);           // line 462
device_initialize(&device->dev);          // line 466 — refcount=1, kobject init'd
...
device->dev.release = host1x_device_release;  // line 479

err = host1x_device_parse_dt(device, driver);
if (err < 0) {
    kfree(device);   // BUG: bypasses device core teardown
    return err;
}
```

After `device_initialize()`, the device's kobject and refcount are live. Calling `kfree()` directly skips kobject cleanup and the `.release` callback.

**The fix is correct.** Replacing `kfree(device)` with `put_device(&device->dev)` drops the refcount to zero, which invokes `host1x_device_release()` (bus.c:446). That callback calls `__host1x_device_del(device)` then `kfree(device)`, following the proper device lifecycle.

**Safety of `__host1x_device_del()` in this partially-initialized state:** All the lists and mutexes it touches (`subdevs_lock`, `subdevs`, `active`, `clients_lock`, `clients`, `list`) are initialized at lines 468–474, before `host1x_device_parse_dt()` is called. The `device->list` hasn't been added to `host1x->devices` yet (that happens at line 492, after the error check), but `INIT_LIST_HEAD` makes it self-referential, so `list_del_init()` is a safe no-op.

**Additional benefit:** `host1x_device_parse_dt()` calls `host1x_subdev_add()` which may have already added subdevices to `device->subdevs` before a later `host1x_subdev_add()` call fails (note the existing `/* XXX cleanup? */` comment at bus.c:63). With the old `kfree(device)`, those partially-added subdevices and their `of_node_get()` references would be leaked. With `put_device()`, `__host1x_device_del()` iterates `device->subdevs` and calls `host1x_subdev_del()` on each, properly cleaning them up.

**Minor nit on the commit message:** The description says "leaks the reference held on the embedded struct device," which is slightly imprecise — there's no *external* holder leaking a reference. The real issue is that `kfree()` bypasses the device core's lifetime management (kobject teardown) after `device_initialize()`. This is a cosmetic observation and doesn't affect the correctness of the patch.

**Fixes tag:** References `f4c5cf88fbd50` ("gpu: host1x: Provide a proper struct bus_type"), which is the commit that introduced `device_initialize()` in this code path. Appropriate.

**Reviewed-by worthy:** Yes. Clean, correct, minimal fix.

---
Generated by Claude Code Patch Reviewer