[PATCH v2] gpu: host1x: Fix device reference leak in host1x_device_parse_dt() error path

[PATCH v2] gpu: host1x: Fix device reference leak in host1x_device_parse_dt() error path

[Guangshuo Li]

After device_initialize(), the embedded struct device in struct
host1x_device should be released through the device core with
put_device().

In host1x_device_add(), if host1x_device_parse_dt() fails, the current
error path frees the object directly with kfree(device). That bypasses
the normal device lifetime handling and leaks the reference held on the
embedded struct device.

Fix this by using put_device() in the host1x_device_parse_dt() failure
path.

Fixes: f4c5cf88fbd50 ("gpu: host1x: Provide a proper struct bus_type")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
---
v2:
  - add Cc: stable@vger.kernel.org

 drivers/gpu/host1x/bus.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/host1x/bus.c b/drivers/gpu/host1x/bus.c
index 723a80895cd4..f97567e6ae87 100644
--- a/drivers/gpu/host1x/bus.c
+++ b/drivers/gpu/host1x/bus.c
@@ -452,7 +452,7 @@ static int host1x_device_add(struct host1x *host1x,
 
 	err = host1x_device_parse_dt(device, driver);
 	if (err < 0) {
-		kfree(device);
+		put_device(&device->dev);
 		return err;
 	}
 
-- 
2.43.0

Claude review: gpu: host1x: Fix device reference leak in host1x_device_parse_dt() error path

[Claude Code Review Bot]

Overall Series Review

Subject: gpu: host1x: Fix device reference leak in host1x_device_parse_dt() error path
Author: Guangshuo Li <lgs201920130244@gmail.com>
Patches: 1
Reviewed: 2026-04-13T19:07:35.144042

---

This is a single-patch series that fixes a legitimate device reference leak in the host1x driver. The analysis is correct: after `device_initialize()` is called, the proper way to free the device is through `put_device()`, not `kfree()`. The fix itself is sound — `put_device()` will invoke `host1x_device_release()`, which calls `__host1x_device_del()` and then `kfree()`.

The release path is safe in this context: `__host1x_device_del()` iterates `device->active` (empty at this point since no clients have been registered), `device->subdevs` (may contain entries added by `host1x_device_parse_dt()` before it failed — these get properly cleaned up via `host1x_subdev_del()`), `device->clients` (empty), and calls `list_del_init(&device->list)` (safe since `INIT_LIST_HEAD` was called). So `put_device()` correctly tears down any partial state that `host1x_device_parse_dt()` may have built up.

**Verdict: The patch is correct and suitable for merging.**

---

---
Generated by Claude Code Patch Reviewer

Claude review: gpu: host1x: Fix device reference leak in host1x_device_parse_dt() error path

[Claude Code Review Bot]

Patch Review

**Correctness: Good.** The commit message accurately describes the problem. After `device_initialize()` at `bus.c:466`, the embedded `struct device` holds a reference count of 1. Using `kfree()` directly bypasses the device core's lifetime management. Switching to `put_device()` is the right fix — it will decrement the refcount to 0 and invoke the `host1x_device_release` callback set at `bus.c:479`, which calls `__host1x_device_del()` followed by `kfree()`.

**Release callback safety:** The `__host1x_device_del()` function (`bus.c:398`) is safe to call in this early failure state:
- `device->active` — empty, since no subdevices have been registered with clients. The loop at line 406 is a no-op.
- `device->subdevs` — may have entries from the partially-completed `host1x_device_parse_dt()`. These are properly cleaned up by `host1x_subdev_del()` at line 427-428, which does `list_del()`, `of_node_put()`, and `kfree()`. This is actually a secondary fix: the old `kfree(device)` code would also leak any subdevices that were added before `host1x_device_parse_dt()` failed.
- `device->clients` — empty, loop at line 436 is a no-op.
- `list_del_init(&device->list)` at line 443 — safe because `INIT_LIST_HEAD(&device->list)` was called at line 473. Calling `list_del_init` on a self-linked list node is a no-op.

**Pre-existing issue worth noting:** `host1x_device_parse_dt()` (`bus.c:88`) and `host1x_subdev_add()` (`bus.c:39`) have their own cleanup gap — when `host1x_subdev_add()` fails mid-recursion at line 62-64 (note the `/* XXX cleanup? */` comment), already-added subdevices from earlier iterations are left on the list without cleanup. However, with this patch applied, those orphaned subdevices are now properly freed through the `put_device()` → `host1x_device_release()` → `__host1x_device_del()` path, which iterates and frees all entries on `device->subdevs`. So this patch incidentally fixes that leak too.

**Minor nits:**
- The commit message title says "in host1x_device_parse_dt() error path" — it would be slightly more precise as "in host1x_device_add() error path" since the fix is in `host1x_device_add()`, not in `host1x_device_parse_dt()` itself. But this is a cosmetic quibble.
- The Fixes tag references `f4c5cf88fbd50`, which introduced `device_initialize()` usage. This is appropriate.

**Reviewed-by recommendation:** This patch is straightforward, correct, and appropriate for stable backport.

---
Generated by Claude Code Patch Reviewer