From mboxrd@z Thu Jan 1 00:00:00 1970
From: Claude Code Review Bot
To: dri-devel-reviews@example.com
Subject: Claude review: gpu: host1x: Fix use-after-free in host1x_bo_clear_cached_mappings
Date: Thu, 04 Jun 2026 11:54:02 +1000
Message-ID:
In-Reply-To: <20260603-host1x-bocache-leak-fix-v1-1-494101dbfd30@nvidia.com>
References: <20260603-host1x-bocache-leak-fix-v1-1-494101dbfd30@nvidia.com>
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

Overall Series Review

Subject: gpu: host1x: Fix use-after-free in host1x_bo_clear_cached_mappings
Author: Mikko Perttunen
Patches: 1
Reviewed: 2026-06-04T11:54:02.847182

---

This is a single-patch fix for a use-after-free bug in `host1x_bo_clear_cached_mappings()`. The bug was introduced by a prerequisite commit ("gpu: host1x: Allow entries in BO caches to be freed") and was reported by Dan Carpenter (likely via static analysis / Smatch).

The fix is correct, minimal, and obviously right. The `cache` local variable is assigned from `mapping->cache` at the top of the loop iteration (line 1011), and is used for the NULL check immediately after. However, the `mutex_lock`/`mutex_unlock` calls then redundantly dereference `mapping->cache` instead of using the already-saved `cache` local. Since `__host1x_bo_unpin()` drops the last kref, and the `unpin` callback (e.g. `tegra_bo_unpin()`) calls `kfree(map)`, the `mapping` pointer is freed by the time `mutex_unlock(&mapping->cache->lock)` executes: a clear use-after-free.

**Verdict: Patch looks good. Recommend applying.**

---

Generated by Claude Code Patch Reviewer
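The failure sequence the review describes, as an added illustration that is not part of the patch, the host1x driver, or the bot's review. The names `fake_cache`, `fake_mapping`, `cache_of`, `fake_bo_unpin` and `run_demo` are stand-ins for the driver's structures and helpers, and the "freed" mapping is flagged rather than actually released so the bad access can be counted deterministically instead of being undefined behaviour; the mutex is modelled as a lock-depth counter. The only assumption carried over from the real fix is that the cache is owned by the BO, not the mapping, so it is still valid after the mapping has been freed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for host1x_bo_cache / host1x_bo_mapping; the field
 * and function names are assumptions, not the driver's own. */
struct fake_cache {
	int lock_depth;   /* stands in for the cache mutex: +1 on lock, -1 on unlock */
};

struct fake_mapping {
	struct fake_cache *cache;
	int refcount;
	bool freed;       /* tracking bit only; a real kfree() gives no such flag */
};

/* Number of reads made through a mapping that has already been freed. */
static int uaf_hits;

/* Plays the role of the unpin callback (tegra_bo_unpin() -> kfree(map)).
 * The storage is kept and poisoned with a flag so the bug is observable
 * without touching freed memory. */
static void fake_unpin(struct fake_mapping *map)
{
	map->freed = true;
}

/* Stand-in for __host1x_bo_unpin(): drop the reference, free on the last put. */
static void fake_bo_unpin(struct fake_mapping *map)
{
	if (--map->refcount == 0)
		fake_unpin(map);
}

/* Every read of mapping->cache goes through this check, which does for the
 * example what KASAN would do on a real kernel. */
static struct fake_cache *cache_of(struct fake_mapping *map)
{
	if (map->freed) {
		uaf_hits++;
		return NULL;
	}
	return map->cache;
}

static void fake_lock(struct fake_cache *c)   { if (c) c->lock_depth++; }
static void fake_unlock(struct fake_cache *c) { if (c) c->lock_depth--; }

/* Buggy shape of the loop: `cache` is saved and NULL-checked, but lock and
 * unlock re-read mapping->cache. Once fake_bo_unpin() drops the last
 * reference, the unlock reads a freed mapping. Returns the UAF count. */
static int clear_mappings_buggy(struct fake_mapping *maps, int n)
{
	uaf_hits = 0;
	for (int i = 0; i < n; i++) {
		struct fake_mapping *mapping = &maps[i];
		struct fake_cache *cache = cache_of(mapping);

		if (!cache)
			continue;

		fake_lock(cache_of(mapping));
		fake_bo_unpin(mapping);
		fake_unlock(cache_of(mapping));   /* use-after-free */
	}
	return uaf_hits;
}

/* Fixed shape: only the saved local is touched once the mapping may be gone.
 * Assumes, as the real fix does, that the cache outlives the mapping. */
static int clear_mappings_fixed(struct fake_mapping *maps, int n)
{
	uaf_hits = 0;
	for (int i = 0; i < n; i++) {
		struct fake_mapping *mapping = &maps[i];
		struct fake_cache *cache = cache_of(mapping);

		if (!cache)
			continue;

		fake_lock(cache);
		fake_bo_unpin(mapping);
		fake_unlock(cache);
	}
	return uaf_hits;
}

/* Constructed input: two cached mappings sharing one cache plus one uncached
 * mapping that exercises the NULL check. */
static struct fake_cache demo_cache;

static int run_demo(bool fixed)
{
	struct fake_mapping maps[3] = {
		{ &demo_cache, 1, false },
		{ NULL,        1, false },
		{ &demo_cache, 1, false },
	};
	demo_cache.lock_depth = 0;
	return fixed ? clear_mappings_fixed(maps, 3) : clear_mappings_buggy(maps, 3);
}

static int demo_lock_depth(void)
{
	return demo_cache.lock_depth;
}

int main(void)
{
	int buggy = run_demo(false);
	int buggy_depth = demo_lock_depth();
	int good = run_demo(true);
	printf("buggy: %d freed-mapping reads, lock depth %d; fixed: %d reads, lock depth %d\n",
	       buggy, buggy_depth, good, demo_lock_depth());
	return (good == 0 && buggy > 0) ? 0 : 1;
}
```

In the model the buggy variant also leaves the lock held, because the checker returns NULL for the freed mapping and the unlock becomes a no-op; on the real kernel the read would instead hit freed memory, which is what KASAN or Smatch flags, and the outcome depends on what the allocator has done with the slab object since.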