From mboxrd@z Thu Jan 1 00:00:00 1970
From: Claude Code Review Bot
To: dri-devel-reviews@example.com
Subject: Claude review: gpu: host1x: Fix use-after-free in host1x_bo_clear_cached_mappings
Date: Thu, 04 Jun 2026 11:54:03 +1000
Message-ID:
In-Reply-To: <20260603-host1x-bocache-leak-fix-v1-1-494101dbfd30@nvidia.com>
References: <20260603-host1x-bocache-leak-fix-v1-1-494101dbfd30@nvidia.com> <20260603-host1x-bocache-leak-fix-v1-1-494101dbfd30@nvidia.com>
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

Patch Review

**Bug analysis:**

In `host1x_bo_clear_cached_mappings()` (bus.c, around line 1010), the loop body does:

```c
cache = mapping->cache;                  // line 1011: save cache pointer
if (WARN_ON(!cache))                     // line 1012: NULL guard
    continue;
mutex_lock(&mapping->cache->lock);       // line 1015: dereferences mapping->cache
WARN_ON(kref_read(&mapping->ref) != 1);
__host1x_bo_unpin(&mapping->ref);        // line 1017: drops last ref → frees mapping
mutex_unlock(&mapping->cache->lock);     // line 1018: USE-AFTER-FREE
```

The call chain is: `__host1x_bo_unpin()` → `mapping->bo->ops->unpin(mapping)` → e.g. `tegra_bo_unpin()` which calls `kfree(map)`. After that, `mapping` is freed memory, so `mapping->cache->lock` on line 1018 is a use-after-free.

**Fix correctness:**

The fix simply replaces `mapping->cache->lock` with `cache->lock` in both the `mutex_lock` and `mutex_unlock` calls. This is safe because:

1. `cache` is assigned from `mapping->cache` *before* the unpin (line 1011)
2. The cache object outlives the mapping — it's owned by the host1x device, not the mapping
3. The `list_for_each_entry_safe` macro already saved `tmp` for safe iteration after the mapping is freed

**Nits:** None. The commit message is clear, properly credits the reporter with `Reported-by` and `Closes` tags, and the diff is minimal.

**Note on `WARN_ON(kref_read(&mapping->ref) != 1)`** (line 1016, untouched by this patch): This accesses `mapping->ref` *before* the unpin, so it's fine. Just worth noting for anyone reading along — the access ordering is correct.

Reviewed-by worthy as-is.

---
Generated by Claude Code Patch Reviewer
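The ordering bug the review describes, reproduced as an added user-space model (not the patch, the reviewer's code or the host1x driver): `struct mapping`, `struct cache`, `unpin()` and `cache_of()` are assumed stand-ins for the kernel's mapping object, its cache mutex, `__host1x_bo_unpin()` and a KASAN-style freed-object check, with the buggy and fixed loop bodies side by side.

```c
/* Added example, not code from the patch or the host1x driver: a user-space model of
 * the ordering bug in host1x_bo_clear_cached_mappings(). The structs, unpin() and
 * cache_of() are constructed stand-ins for the kernel's kref/mutex/kfree and KASAN. */
#include <stdbool.h>
#include <stddef.h>

struct cache { int locked; };         /* stands in for the cache's struct mutex */
struct mapping {
    int ref;                          /* stands in for struct kref */
    bool freed;                       /* set instead of kfree() so the model stays defined */
    struct cache *cache;
};
static int uaf_count;                 /* bumped whenever a freed mapping is dereferenced */

/* Stand-in for __host1x_bo_unpin(): dropping the last reference frees the mapping. */
static void unpin(struct mapping *m)
{
    if (--m->ref == 0)
        m->freed = true;
}

/* Every read of mapping->cache goes through here so a use-after-free is counted. */
static struct cache *cache_of(struct mapping *m)
{
    if (m->freed) { uaf_count++; return NULL; }
    return m->cache;
}

/* Loop body before the patch: re-reads mapping->cache after the unpin. */
static int clear_mapping_buggy(struct mapping *m)
{
    struct cache *cache = cache_of(m);
    if (!cache) return -1;            /* WARN_ON(!cache); continue; */
    cache_of(m)->locked = 1;          /* mutex_lock(&mapping->cache->lock) */
    unpin(m);                         /* may free m if this was the last reference */
    cache = cache_of(m);              /* mutex_unlock(&mapping->cache->lock) */
    if (!cache) return -2;            /* the use-after-free the patch removes */
    cache->locked = 0;
    return 0;
}

/* Loop body after the patch: only the pointer saved before the unpin is touched. */
static int clear_mapping_fixed(struct mapping *m)
{
    struct cache *cache = cache_of(m);
    if (!cache) return -1;
    cache->locked = 1;                /* mutex_lock(&cache->lock) */
    unpin(m);
    cache->locked = 0;                /* mutex_unlock(&cache->lock) */
    return 0;
}
```

The model also shows the bug is conditional on the last reference drop (a mapping with a second holder passes through the old code untouched), which is why the `WARN_ON(kref_read(&mapping->ref) != 1)` just before the unpin matters for readers of the real loop.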