* [PATCH 1/2] soc: xilinx: Fix race condition in event registration
@ 2026-03-17 13:35 Prasanna Kumar T S M
2026-03-17 14:36 ` [PATCH 2/2] soc: xilinx: Shutdown and free rx mailbox channel Prasanna Kumar T S M
0 siblings, 1 reply; 4+ messages in thread
From: Prasanna Kumar T S M @ 2026-03-17 13:35 UTC (permalink / raw)
To: ptsm, michal.simek, jay.buddhabhatti, marco.crivellari,
tejas.patel, rajan.vaja, linux-arm-kernel, linux-kernel
The zynqmp_power driver registers handlers for suspend and subsystem
restart events using register_event(). However, the work structures
(zynqmp_pm_init_suspend_work and zynqmp_pm_init_restart_work) used by
these handlers were allocated and initialized after the registration
call.
This created a race window where, if the firmware triggered an event
immediately after registration but before allocation, the callback
(suspend_event_callback or subsystem_restart_event_callback) would
dereference a NULL pointer in work_pending(), leading to a crash.
Fix this by allocating and initializing the work structures before
registering the events.
Fixes: fcf544ac6439 ("soc: xilinx: Add cb event for subsystem restart")
Signed-off-by: Prasanna Kumar T S M <ptsm@linux.microsoft.com>
---
drivers/soc/xilinx/zynqmp_power.c | 34 +++++++++++++++----------------
1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/drivers/soc/xilinx/zynqmp_power.c b/drivers/soc/xilinx/zynqmp_power.c
index 9085db1b480a..aa35b63b45a3 100644
--- a/drivers/soc/xilinx/zynqmp_power.c
+++ b/drivers/soc/xilinx/zynqmp_power.c
@@ -303,18 +303,18 @@ static int zynqmp_pm_probe(struct platform_device *pdev)
* is not available to use) or -ENODEV(Xilinx Event Manager not compiled),
* then use ipi-mailbox or interrupt method.
*/
+ zynqmp_pm_init_suspend_work = devm_kzalloc(&pdev->dev,
+ sizeof(struct zynqmp_pm_work_struct),
+ GFP_KERNEL);
+ if (!zynqmp_pm_init_suspend_work)
+ return -ENOMEM;
+
+ INIT_WORK(&zynqmp_pm_init_suspend_work->callback_work,
+ zynqmp_pm_init_suspend_work_fn);
+
ret = register_event(&pdev->dev, PM_INIT_SUSPEND_CB, 0, 0, false,
suspend_event_callback);
if (!ret) {
- zynqmp_pm_init_suspend_work = devm_kzalloc(&pdev->dev,
- sizeof(struct zynqmp_pm_work_struct),
- GFP_KERNEL);
- if (!zynqmp_pm_init_suspend_work)
- return -ENOMEM;
-
- INIT_WORK(&zynqmp_pm_init_suspend_work->callback_work,
- zynqmp_pm_init_suspend_work_fn);
-
ret = zynqmp_pm_get_family_info(&pm_family_code);
if (ret < 0)
return ret;
@@ -326,14 +326,6 @@ static int zynqmp_pm_probe(struct platform_device *pdev)
else
return -ENODEV;
- ret = register_event(&pdev->dev, PM_NOTIFY_CB, node_id, EVENT_SUBSYSTEM_RESTART,
- false, subsystem_restart_event_callback);
- if (ret) {
- dev_err(&pdev->dev, "Failed to Register with Xilinx Event manager %d\n",
- ret);
- return ret;
- }
-
zynqmp_pm_init_restart_work = devm_kzalloc(&pdev->dev,
sizeof(struct zynqmp_pm_work_struct),
GFP_KERNEL);
@@ -342,6 +334,14 @@ static int zynqmp_pm_probe(struct platform_device *pdev)
INIT_WORK(&zynqmp_pm_init_restart_work->callback_work,
zynqmp_pm_subsystem_restart_work_fn);
+
+ ret = register_event(&pdev->dev, PM_NOTIFY_CB, node_id, EVENT_SUBSYSTEM_RESTART,
+ false, subsystem_restart_event_callback);
+ if (ret) {
+ dev_err(&pdev->dev, "Failed to Register with Xilinx Event manager %d\n",
+ ret);
+ return ret;
+ }
} else if (ret != -EACCES && ret != -ENODEV) {
dev_err(&pdev->dev, "Failed to Register with Xilinx Event manager %d\n", ret);
return ret;
--
2.49.0
^ permalink raw reply related [flat|nested] 4+ messages in thread* [PATCH 2/2] soc: xilinx: Shutdown and free rx mailbox channel
2026-03-17 13:35 [PATCH 1/2] soc: xilinx: Fix race condition in event registration Prasanna Kumar T S M
@ 2026-03-17 14:36 ` Prasanna Kumar T S M
2026-03-18 16:06 ` Michal Simek
0 siblings, 1 reply; 4+ messages in thread
From: Prasanna Kumar T S M @ 2026-03-17 14:36 UTC (permalink / raw)
To: ptsm.linux.microsoft.com, michal.simek, jay.buddhabhatti,
marco.crivellari, tejas.patel, rajan.vaja, linux-arm-kernel,
linux-kernel
A mbox rx channel is requested using mbox_request_channel_byname() in
probe. In remove callback, the rx mailbox channel is cleaned up when the
rx_chan is NULL due to incorrect condition check. The mailbox channel is
not shutdown and it can receive messages even after the device removal.
This leads to use after free. Also the channel resources are not freed.
Fix this by checking the rx_chan correctly.
Fixes: ffdbae28d9d1 ("drivers: soc: xilinx: Use mailbox IPI callback")
Signed-off-by: Prasanna Kumar T S M <ptsm@linux.microsoft.com>
---
drivers/soc/xilinx/zynqmp_power.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/soc/xilinx/zynqmp_power.c b/drivers/soc/xilinx/zynqmp_power.c
index aa35b63b45a3..5086c1e6797e 100644
--- a/drivers/soc/xilinx/zynqmp_power.c
+++ b/drivers/soc/xilinx/zynqmp_power.c
@@ -398,7 +398,7 @@ static void zynqmp_pm_remove(struct platform_device *pdev)
{
sysfs_remove_file(&pdev->dev.kobj, &dev_attr_suspend_mode.attr);
- if (!rx_chan)
+ if (rx_chan)
mbox_free_channel(rx_chan);
}
--
2.49.0
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH 2/2] soc: xilinx: Shutdown and free rx mailbox channel
2026-03-17 14:36 ` [PATCH 2/2] soc: xilinx: Shutdown and free rx mailbox channel Prasanna Kumar T S M
@ 2026-03-18 16:06 ` Michal Simek
2026-03-20 6:06 ` Prasanna Kumar T S M
0 siblings, 1 reply; 4+ messages in thread
From: Michal Simek @ 2026-03-18 16:06 UTC (permalink / raw)
To: Prasanna Kumar T S M, jay.buddhabhatti, marco.crivellari,
tejas.patel, rajan.vaja, linux-arm-kernel, linux-kernel
On 3/17/26 15:36, Prasanna Kumar T S M wrote:
> [Some people who received this message don't often get email from ptsm@linux.microsoft.com. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]
>
> A mbox rx channel is requested using mbox_request_channel_byname() in
> probe. In remove callback, the rx mailbox channel is cleaned up when the
> rx_chan is NULL due to incorrect condition check. The mailbox channel is
> not shutdown and it can receive messages even after the device removal.
> This leads to use after free. Also the channel resources are not freed.
> Fix this by checking the rx_chan correctly.
>
> Fixes: ffdbae28d9d1 ("drivers: soc: xilinx: Use mailbox IPI callback")
> Signed-off-by: Prasanna Kumar T S M <ptsm@linux.microsoft.com>
> ---
> drivers/soc/xilinx/zynqmp_power.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/soc/xilinx/zynqmp_power.c b/drivers/soc/xilinx/zynqmp_power.c
> index aa35b63b45a3..5086c1e6797e 100644
> --- a/drivers/soc/xilinx/zynqmp_power.c
> +++ b/drivers/soc/xilinx/zynqmp_power.c
> @@ -398,7 +398,7 @@ static void zynqmp_pm_remove(struct platform_device *pdev)
> {
> sysfs_remove_file(&pdev->dev.kobj, &dev_attr_suspend_mode.attr);
>
> - if (!rx_chan)
> + if (rx_chan)
> mbox_free_channel(rx_chan);
Please also clear that global variable because when the driver is re-bound there
will be old reference to rx_chan which shouldn't be there.
if (rx_chan) {
mbox_free_channel(rx_chan);
rx_chan = NULL;
}
And please send both patches as one thread.
Thanks,
Michal
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [PATCH 2/2] soc: xilinx: Shutdown and free rx mailbox channel
2026-03-18 16:06 ` Michal Simek
@ 2026-03-20 6:06 ` Prasanna Kumar T S M
0 siblings, 0 replies; 4+ messages in thread
From: Prasanna Kumar T S M @ 2026-03-20 6:06 UTC (permalink / raw)
To: Michal Simek, jay.buddhabhatti, marco.crivellari, tejas.patel,
rajan.vaja, linux-arm-kernel, linux-kernel
On 18-03-2026 21:36, Michal Simek wrote:
>
>
> On 3/17/26 15:36, Prasanna Kumar T S M wrote:
>> [Some people who received this message don't often get email from
>> ptsm@linux.microsoft.com. Learn why this is important at https://
>> aka.ms/LearnAboutSenderIdentification ]
>>
>> A mbox rx channel is requested using mbox_request_channel_byname() in
>> probe. In remove callback, the rx mailbox channel is cleaned up when the
>> rx_chan is NULL due to incorrect condition check. The mailbox channel is
>> not shutdown and it can receive messages even after the device removal.
>> This leads to use after free. Also the channel resources are not freed.
>> Fix this by checking the rx_chan correctly.
>>
>> Fixes: ffdbae28d9d1 ("drivers: soc: xilinx: Use mailbox IPI callback")
>> Signed-off-by: Prasanna Kumar T S M <ptsm@linux.microsoft.com>
>> ---
>> drivers/soc/xilinx/zynqmp_power.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/soc/xilinx/zynqmp_power.c b/drivers/soc/xilinx/
>> zynqmp_power.c
>> index aa35b63b45a3..5086c1e6797e 100644
>> --- a/drivers/soc/xilinx/zynqmp_power.c
>> +++ b/drivers/soc/xilinx/zynqmp_power.c
>> @@ -398,7 +398,7 @@ static void zynqmp_pm_remove(struct
>> platform_device *pdev)
>> {
>> sysfs_remove_file(&pdev->dev.kobj, &dev_attr_suspend_mode.attr);
>>
>> - if (!rx_chan)
>> + if (rx_chan)
>> mbox_free_channel(rx_chan);
>
>
> Please also clear that global variable because when the driver is re-
> bound there will be old reference to rx_chan which shouldn't be there.
>
> if (rx_chan) {
> mbox_free_channel(rx_chan);
> rx_chan = NULL;
> }
>
> And please send both patches as one thread.
>
> Thanks,
> Michal
Hi Michal,
Thanks for the review. Sent v2.
Thanks,
Prasanna
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-03-20 6:06 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-17 13:35 [PATCH 1/2] soc: xilinx: Fix race condition in event registration Prasanna Kumar T S M
2026-03-17 14:36 ` [PATCH 2/2] soc: xilinx: Shutdown and free rx mailbox channel Prasanna Kumar T S M
2026-03-18 16:06 ` Michal Simek
2026-03-20 6:06 ` Prasanna Kumar T S M
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.