Commit 7051f6ba authored by Ketil Johnsen, committed by Liviu Dudau

drm/panthor: Fix UAF race between device unplug and FW event processing



The function panthor_fw_unplug() will free the FW memory sections.
The problem is that there could still be pending FW events which are not
yet handled at this point. process_fw_events_work() can in this case try
to access said freed memory.

Simply call disable_work_sync() to both drain and prevent future
invocation of process_fw_events_work().

Signed-off-by: Ketil Johnsen <ketil.johnsen@arm.com>
Fixes: de854881 ("drm/panthor: Add the scheduler logical block")
Reviewed-by: Liviu Dudau <liviu.dudau@arm.com>
Link: https://patch.msgid.link/20251027140217.121274-1-ketil.johnsen@arm.com


Signed-off-by: Liviu Dudau <liviu.dudau@arm.com>
parent 94a6d20f
+1 −0
@@ -3878,6 +3878,7 @@ void panthor_sched_unplug(struct panthor_device *ptdev)
	struct panthor_scheduler *sched = ptdev->scheduler;

	cancel_delayed_work_sync(&sched->tick_work);
	disable_work_sync(&sched->fw_events_work);

	mutex_lock(&sched->lock);
	if (sched->pm.has_ref) {
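
Review bot: The ordering in panthor_sched_unplug() deserves a second look: disable_work_sync(&sched->fw_events_work) runs after cancel_delayed_work_sync(&sched->tick_work), so if process_fw_events_work() is able to queue tick_work, an event still being drained at this point could re-arm the tick after it was cancelled. Consider disabling fw_events_work first, or using disable_delayed_work_sync() for the tick as well so it cannot be requeued. A short comment above the new call stating that it has to complete before panthor_fw_unplug() frees the FW sections would also keep a later cleanup from downgrading it to cancel_work_sync().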