[PATCH 1/2] soc: xilinx: Fix race condition in event registration

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH 1/2] soc: xilinx: Fix race condition in event registration
@ 2026-03-17 13:34 Prasanna Kumar T S M
  2026-03-18 15:40 ` Michal Simek
  0 siblings, 1 reply; 3+ messages in thread
From: Prasanna Kumar T S M @ 2026-03-17 13:34 UTC (permalink / raw)
  To: ptsm.linux.microsoft.com, michal.simek, jay.buddhabhatti,
	marco.crivellari, tejas.patel, rajan.vaja, linux-arm-kernel,
	linux-kernel

The zynqmp_power driver registers handlers for suspend and subsystem
restart events using register_event(). However, the work structures
(zynqmp_pm_init_suspend_work and zynqmp_pm_init_restart_work) used by
these handlers were allocated and initialized after the registration
call.

This created a race window where, if the firmware triggered an event
immediately after registration but before allocation, the callback
(suspend_event_callback or subsystem_restart_event_callback) would
dereference a NULL pointer in work_pending(), leading to a crash.

Fix this by allocating and initializing the work structures before
registering the events.

Fixes: fcf544ac6439 ("soc: xilinx: Add cb event for subsystem restart")

Signed-off-by: Prasanna Kumar T S M <ptsm@linux.microsoft.com>
---
 drivers/soc/xilinx/zynqmp_power.c | 34 +++++++++++++++----------------
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/drivers/soc/xilinx/zynqmp_power.c b/drivers/soc/xilinx/zynqmp_power.c
index 9085db1b480a..aa35b63b45a3 100644
--- a/drivers/soc/xilinx/zynqmp_power.c
+++ b/drivers/soc/xilinx/zynqmp_power.c
@@ -303,18 +303,18 @@ static int zynqmp_pm_probe(struct platform_device *pdev)
 	 * is not available to use) or -ENODEV(Xilinx Event Manager not compiled),
 	 * then use ipi-mailbox or interrupt method.
 	 */
+	zynqmp_pm_init_suspend_work = devm_kzalloc(&pdev->dev,
+						   sizeof(struct zynqmp_pm_work_struct),
+						   GFP_KERNEL);
+	if (!zynqmp_pm_init_suspend_work)
+		return -ENOMEM;
+
+	INIT_WORK(&zynqmp_pm_init_suspend_work->callback_work,
+		  zynqmp_pm_init_suspend_work_fn);
+
 	ret = register_event(&pdev->dev, PM_INIT_SUSPEND_CB, 0, 0, false,
 			     suspend_event_callback);
 	if (!ret) {
-		zynqmp_pm_init_suspend_work = devm_kzalloc(&pdev->dev,
-							   sizeof(struct zynqmp_pm_work_struct),
-							   GFP_KERNEL);
-		if (!zynqmp_pm_init_suspend_work)
-			return -ENOMEM;
-
-		INIT_WORK(&zynqmp_pm_init_suspend_work->callback_work,
-			  zynqmp_pm_init_suspend_work_fn);
-
 		ret = zynqmp_pm_get_family_info(&pm_family_code);
 		if (ret < 0)
 			return ret;
@@ -326,14 +326,6 @@ static int zynqmp_pm_probe(struct platform_device *pdev)
 		else
 			return -ENODEV;
 
-		ret = register_event(&pdev->dev, PM_NOTIFY_CB, node_id, EVENT_SUBSYSTEM_RESTART,
-				     false, subsystem_restart_event_callback);
-		if (ret) {
-			dev_err(&pdev->dev, "Failed to Register with Xilinx Event manager %d\n",
-				ret);
-			return ret;
-		}
-
 		zynqmp_pm_init_restart_work = devm_kzalloc(&pdev->dev,
 							   sizeof(struct zynqmp_pm_work_struct),
 							   GFP_KERNEL);
@@ -342,6 +334,14 @@ static int zynqmp_pm_probe(struct platform_device *pdev)
 
 		INIT_WORK(&zynqmp_pm_init_restart_work->callback_work,
 			  zynqmp_pm_subsystem_restart_work_fn);
+
+		ret = register_event(&pdev->dev, PM_NOTIFY_CB, node_id, EVENT_SUBSYSTEM_RESTART,
+				     false, subsystem_restart_event_callback);
+		if (ret) {
+			dev_err(&pdev->dev, "Failed to Register with Xilinx Event manager %d\n",
+				ret);
+			return ret;
+		}
 	} else if (ret != -EACCES && ret != -ENODEV) {
 		dev_err(&pdev->dev, "Failed to Register with Xilinx Event manager %d\n", ret);
 		return ret;
-- 
2.49.0


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* [PATCH 1/2] soc: xilinx: Fix race condition in event registration
@ 2026-03-17 13:35 Prasanna Kumar T S M
  0 siblings, 0 replies; 3+ messages in thread
From: Prasanna Kumar T S M @ 2026-03-17 13:35 UTC (permalink / raw)
  To: ptsm, michal.simek, jay.buddhabhatti, marco.crivellari,
	tejas.patel, rajan.vaja, linux-arm-kernel, linux-kernel

The zynqmp_power driver registers handlers for suspend and subsystem
restart events using register_event(). However, the work structures
(zynqmp_pm_init_suspend_work and zynqmp_pm_init_restart_work) used by
these handlers were allocated and initialized after the registration
call.

This created a race window where, if the firmware triggered an event
immediately after registration but before allocation, the callback
(suspend_event_callback or subsystem_restart_event_callback) would
dereference a NULL pointer in work_pending(), leading to a crash.

Fix this by allocating and initializing the work structures before
registering the events.

Fixes: fcf544ac6439 ("soc: xilinx: Add cb event for subsystem restart")

Signed-off-by: Prasanna Kumar T S M <ptsm@linux.microsoft.com>
---
 drivers/soc/xilinx/zynqmp_power.c | 34 +++++++++++++++----------------
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/drivers/soc/xilinx/zynqmp_power.c b/drivers/soc/xilinx/zynqmp_power.c
index 9085db1b480a..aa35b63b45a3 100644
--- a/drivers/soc/xilinx/zynqmp_power.c
+++ b/drivers/soc/xilinx/zynqmp_power.c
@@ -303,18 +303,18 @@ static int zynqmp_pm_probe(struct platform_device *pdev)
 	 * is not available to use) or -ENODEV(Xilinx Event Manager not compiled),
 	 * then use ipi-mailbox or interrupt method.
 	 */
+	zynqmp_pm_init_suspend_work = devm_kzalloc(&pdev->dev,
+						   sizeof(struct zynqmp_pm_work_struct),
+						   GFP_KERNEL);
+	if (!zynqmp_pm_init_suspend_work)
+		return -ENOMEM;
+
+	INIT_WORK(&zynqmp_pm_init_suspend_work->callback_work,
+		  zynqmp_pm_init_suspend_work_fn);
+
 	ret = register_event(&pdev->dev, PM_INIT_SUSPEND_CB, 0, 0, false,
 			     suspend_event_callback);
 	if (!ret) {
-		zynqmp_pm_init_suspend_work = devm_kzalloc(&pdev->dev,
-							   sizeof(struct zynqmp_pm_work_struct),
-							   GFP_KERNEL);
-		if (!zynqmp_pm_init_suspend_work)
-			return -ENOMEM;
-
-		INIT_WORK(&zynqmp_pm_init_suspend_work->callback_work,
-			  zynqmp_pm_init_suspend_work_fn);
-
 		ret = zynqmp_pm_get_family_info(&pm_family_code);
 		if (ret < 0)
 			return ret;
@@ -326,14 +326,6 @@ static int zynqmp_pm_probe(struct platform_device *pdev)
 		else
 			return -ENODEV;
 
-		ret = register_event(&pdev->dev, PM_NOTIFY_CB, node_id, EVENT_SUBSYSTEM_RESTART,
-				     false, subsystem_restart_event_callback);
-		if (ret) {
-			dev_err(&pdev->dev, "Failed to Register with Xilinx Event manager %d\n",
-				ret);
-			return ret;
-		}
-
 		zynqmp_pm_init_restart_work = devm_kzalloc(&pdev->dev,
 							   sizeof(struct zynqmp_pm_work_struct),
 							   GFP_KERNEL);
@@ -342,6 +334,14 @@ static int zynqmp_pm_probe(struct platform_device *pdev)
 
 		INIT_WORK(&zynqmp_pm_init_restart_work->callback_work,
 			  zynqmp_pm_subsystem_restart_work_fn);
+
+		ret = register_event(&pdev->dev, PM_NOTIFY_CB, node_id, EVENT_SUBSYSTEM_RESTART,
+				     false, subsystem_restart_event_callback);
+		if (ret) {
+			dev_err(&pdev->dev, "Failed to Register with Xilinx Event manager %d\n",
+				ret);
+			return ret;
+		}
 	} else if (ret != -EACCES && ret != -ENODEV) {
 		dev_err(&pdev->dev, "Failed to Register with Xilinx Event manager %d\n", ret);
 		return ret;
-- 
2.49.0



^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH 1/2] soc: xilinx: Fix race condition in event registration
  2026-03-17 13:34 [PATCH 1/2] soc: xilinx: Fix race condition in event registration Prasanna Kumar T S M
@ 2026-03-18 15:40 ` Michal Simek
  0 siblings, 0 replies; 3+ messages in thread
From: Michal Simek @ 2026-03-18 15:40 UTC (permalink / raw)
  To: Prasanna Kumar T S M, jay.buddhabhatti, marco.crivellari,
	tejas.patel, rajan.vaja, linux-arm-kernel, linux-kernel



On 3/17/26 14:34, Prasanna Kumar T S M wrote:
> [Some people who received this message don't often get email from ptsm@linux.microsoft.com. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]
> 
> The zynqmp_power driver registers handlers for suspend and subsystem
> restart events using register_event(). However, the work structures
> (zynqmp_pm_init_suspend_work and zynqmp_pm_init_restart_work) used by
> these handlers were allocated and initialized after the registration
> call.
> 
> This created a race window where, if the firmware triggered an event
> immediately after registration but before allocation, the callback
> (suspend_event_callback or subsystem_restart_event_callback) would
> dereference a NULL pointer in work_pending(), leading to a crash.
> 
> Fix this by allocating and initializing the work structures before
> registering the events.
> 
> Fixes: fcf544ac6439 ("soc: xilinx: Add cb event for subsystem restart")
> 

please remove empty line above.

> Signed-off-by: Prasanna Kumar T S M <ptsm@linux.microsoft.com>
> ---
>   drivers/soc/xilinx/zynqmp_power.c | 34 +++++++++++++++----------------
>   1 file changed, 17 insertions(+), 17 deletions(-)
> 
> diff --git a/drivers/soc/xilinx/zynqmp_power.c b/drivers/soc/xilinx/zynqmp_power.c
> index 9085db1b480a..aa35b63b45a3 100644
> --- a/drivers/soc/xilinx/zynqmp_power.c
> +++ b/drivers/soc/xilinx/zynqmp_power.c
> @@ -303,18 +303,18 @@ static int zynqmp_pm_probe(struct platform_device *pdev)
>           * is not available to use) or -ENODEV(Xilinx Event Manager not compiled),
>           * then use ipi-mailbox or interrupt method.
>           */
> +       zynqmp_pm_init_suspend_work = devm_kzalloc(&pdev->dev,
> +                                                  sizeof(struct zynqmp_pm_work_struct),
> +                                                  GFP_KERNEL);
> +       if (!zynqmp_pm_init_suspend_work)
> +               return -ENOMEM;
> +
> +       INIT_WORK(&zynqmp_pm_init_suspend_work->callback_work,
> +                 zynqmp_pm_init_suspend_work_fn);
> +
>          ret = register_event(&pdev->dev, PM_INIT_SUSPEND_CB, 0, 0, false,
>                               suspend_event_callback);
>          if (!ret) {
> -               zynqmp_pm_init_suspend_work = devm_kzalloc(&pdev->dev,
> -                                                          sizeof(struct zynqmp_pm_work_struct),
> -                                                          GFP_KERNEL);
> -               if (!zynqmp_pm_init_suspend_work)
> -                       return -ENOMEM;
> -
> -               INIT_WORK(&zynqmp_pm_init_suspend_work->callback_work,
> -                         zynqmp_pm_init_suspend_work_fn);
> -
>                  ret = zynqmp_pm_get_family_info(&pm_family_code);
>                  if (ret < 0)
>                          return ret;
> @@ -326,14 +326,6 @@ static int zynqmp_pm_probe(struct platform_device *pdev)
>                  else
>                          return -ENODEV;
> 
> -               ret = register_event(&pdev->dev, PM_NOTIFY_CB, node_id, EVENT_SUBSYSTEM_RESTART,
> -                                    false, subsystem_restart_event_callback);
> -               if (ret) {
> -                       dev_err(&pdev->dev, "Failed to Register with Xilinx Event manager %d\n",
> -                               ret);
> -                       return ret;
> -               }
> -
>                  zynqmp_pm_init_restart_work = devm_kzalloc(&pdev->dev,
>                                                             sizeof(struct zynqmp_pm_work_struct),
>                                                             GFP_KERNEL);
> @@ -342,6 +334,14 @@ static int zynqmp_pm_probe(struct platform_device *pdev)
> 
>                  INIT_WORK(&zynqmp_pm_init_restart_work->callback_work,
>                            zynqmp_pm_subsystem_restart_work_fn);
> +
> +               ret = register_event(&pdev->dev, PM_NOTIFY_CB, node_id, EVENT_SUBSYSTEM_RESTART,
> +                                    false, subsystem_restart_event_callback);
> +               if (ret) {
> +                       dev_err(&pdev->dev, "Failed to Register with Xilinx Event manager %d\n",
> +                               ret);
> +                       return ret;
> +               }
>          } else if (ret != -EACCES && ret != -ENODEV) {
>                  dev_err(&pdev->dev, "Failed to Register with Xilinx Event manager %d\n", ret);
>                  return ret;
> --
> 2.49.0
> 


the same change should happen also for
  else if (of_property_present(pdev->dev.of_node, "mboxes")) {


diff --git a/drivers/soc/xilinx/zynqmp_power.c b/drivers/soc/xilinx/zynqmp_power.c
index 5086c1e6797e..98bac07f73d1 100644
--- a/drivers/soc/xilinx/zynqmp_power.c
+++ b/drivers/soc/xilinx/zynqmp_power.c
@@ -346,15 +346,6 @@ static int zynqmp_pm_probe(struct platform_device *pdev)
                 dev_err(&pdev->dev, "Failed to Register with Xilinx Event 
manager %d\n", ret);
                 return ret;
         } else if (of_property_present(pdev->dev.of_node, "mboxes")) {
-               zynqmp_pm_init_suspend_work =
-                       devm_kzalloc(&pdev->dev,
-                                    sizeof(struct zynqmp_pm_work_struct),
-                                    GFP_KERNEL);
-               if (!zynqmp_pm_init_suspend_work)
-                       return -ENOMEM;
-
-               INIT_WORK(&zynqmp_pm_init_suspend_work->callback_work,
-                         zynqmp_pm_init_suspend_work_fn);
                 client = devm_kzalloc(&pdev->dev, sizeof(*client), GFP_KERNEL);
                 if (!client)
                         return -ENOMEM;

Thanks,
Michal





^ permalink raw reply related	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-03-18 15:41 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-17 13:34 [PATCH 1/2] soc: xilinx: Fix race condition in event registration Prasanna Kumar T S M
2026-03-18 15:40 ` Michal Simek
  -- strict thread matches above, loose matches on Subject: below --
2026-03-17 13:35 Prasanna Kumar T S M

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.