[PATCH 0/6] ACPI/PCC: Preserve platform-populated PCC signatures

[PATCH 0/6] ACPI/PCC: Preserve platform-populated PCC signatures

[Sudeep Holla]

ACPI PCC shared memory layouts reserve the first dword for the PCC
signature. ACPI specification defines the signature as 0x50434300 ORed
with the PCC subspace ID, and ACPI 6.6 clarify that the signature is
populated by the platform and verified by OSPM.

This series centralizes PCC shared memory signature validation in the PCC
mailbox controller and stops PCC users from rewriting the signature before
each command. Clients that previously copied complete local PCC headers
now update only the mutable command/status/flags/length/payload fields.

The final patch also fixes the PCC OperationRegion handler. ACPI defines
a PCC OperationRegion as the shared memory fields that follow the PCC
signature, with the OperationRegion length covering only those fields. The
handler is updated to copy to/from the region after the signature and to
reject regions that do not fit there.

All patches can go independently as there is no strict dependency between
them and posted together for the complete context.

Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
---
Sudeep Holla (6):
      mailbox: pcc: Validate shared memory signature on request
      hwmon: xgene: Stop writing PCC shared memory signature
      i2c: xgene-slimpro: Stop writing PCC shared memory signature
      devfreq: hisi_uncore: Preserve PCC shared memory signature
      soc: hisilicon: kunpeng_hccs: Preserve PCC signatures
      ACPI: PCC: Preserve shared memory signature in OpRegion handler

 drivers/acpi/acpi_pcc.c                | 20 ++++++++++++++----
 drivers/devfreq/hisi_uncore_freq.c     | 15 +++++++-------
 drivers/hwmon/xgene-hwmon.c            |  4 ----
 drivers/i2c/busses/i2c-xgene-slimpro.c |  3 ---
 drivers/mailbox/pcc.c                  | 38 +++++++++++++++++++++++++++++-----
 drivers/soc/hisilicon/kunpeng_hccs.c   | 24 ++++++++-------------
 6 files changed, 65 insertions(+), 39 deletions(-)
---
base-commit: 5a66900afbd6b2a063eebad35294038a654de2b0
change-id: 20260627-acpi_pcc_signature-7b70b0633c8f


-- 
Regards,
Sudeep

[PATCH 1/6] mailbox: pcc: Validate shared memory signature on request

[Sudeep Holla]

ACPI defines the PCC shared memory signature as the bitwise OR of
0x50434300 and the PCC subspace ID. The signature is located at byte
offset 0 for the generic, extended and reduced PCC shared memory region
layouts.

Validate the signature when a client requests a PCC mailbox channel, after
mapping the shared memory and before binding the mailbox client. This
keeps PCC shared memory validation in the PCC mailbox controller instead
of duplicating it in individual clients.

ACPI 6.6 added clarification that the signature is populated by the
platform and verified by OSPM.

Cc: Jassi Brar <jassisinghbrar@gmail.com>
Cc: Huisong Li <lihuisong@huawei.com>
Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
---
 drivers/mailbox/pcc.c | 38 +++++++++++++++++++++++++++++++++-----
 1 file changed, 33 insertions(+), 5 deletions(-)

diff --git a/drivers/mailbox/pcc.c b/drivers/mailbox/pcc.c
index 636879ae1db7..6fbc17d41774 100644
--- a/drivers/mailbox/pcc.c
+++ b/drivers/mailbox/pcc.c
@@ -345,6 +345,28 @@ static irqreturn_t pcc_mbox_irq(int irq, void *p)
 	return IRQ_HANDLED;
 }
 
+static int pcc_mbox_validate_signature(struct pcc_mbox_chan *pcc_mchan,
+				       int subspace_id)
+{
+	u32 expected_signature = PCC_SIGNATURE | subspace_id;
+	u32 signature;
+
+	if (pcc_mchan->shmem_size < sizeof(signature)) {
+		pr_err("PCC subspace %d shared memory is too small\n",
+		       subspace_id);
+		return -EINVAL;
+	}
+
+	signature = ioread32(pcc_mchan->shmem);
+	if (signature != expected_signature) {
+		pr_err("PCC subspace %d has invalid signature: %#x expected %#x\n",
+		       subspace_id, signature, expected_signature);
+		return -EINVAL;
+	}
+
+	return 0;
+}
+
 /**
  * pcc_mbox_request_channel - PCC clients call this function to
  *		request a pointer to their PCC subspace, from which they
@@ -381,14 +403,20 @@ pcc_mbox_request_channel(struct mbox_client *cl, int subspace_id)
 	if (!pcc_mchan->shmem)
 		return ERR_PTR(-ENXIO);
 
+	rc = pcc_mbox_validate_signature(pcc_mchan, subspace_id);
+	if (rc)
+		goto err_unmap_shmem;
+
 	rc = mbox_bind_client(chan, cl);
-	if (rc) {
-		iounmap(pcc_mchan->shmem);
-		pcc_mchan->shmem = NULL;
-		return ERR_PTR(rc);
-	}
+	if (rc)
+		goto err_unmap_shmem;
 
 	return pcc_mchan;
+
+err_unmap_shmem:
+	iounmap(pcc_mchan->shmem);
+	pcc_mchan->shmem = NULL;
+	return ERR_PTR(rc);
 }
 EXPORT_SYMBOL_GPL(pcc_mbox_request_channel);
 

-- 
2.43.0

[PATCH 2/6] hwmon: xgene: Stop writing PCC shared memory signature

[Sudeep Holla]

ACPI specification defines the generic PCC shared memory signature as
the PCC base signature ORed with the subspace ID.

ACPI 6.6 added clarification that the signature is populated by the
platform and verified by OSPM.

The PCC mailbox controller now validates the signature when the channel
is requested. Stop rewriting the signature before each command and
leave the platform-populated value intact.

Cc: Guenter Roeck <linux@roeck-us.net>
Cc: linux-hwmon@vger.kernel.org
Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
---
 drivers/hwmon/xgene-hwmon.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/drivers/hwmon/xgene-hwmon.c b/drivers/hwmon/xgene-hwmon.c
index 11c5d80428cd..38b140c23c88 100644
--- a/drivers/hwmon/xgene-hwmon.c
+++ b/drivers/hwmon/xgene-hwmon.c
@@ -133,10 +133,6 @@ static int xgene_hwmon_pcc_rd(struct xgene_hwmon_dev *ctx, u32 *msg)
 	init_completion(&ctx->rd_complete);
 	ctx->resp_pending = true;
 
-	/* Write signature for subspace */
-	WRITE_ONCE(generic_comm_base->signature,
-		   cpu_to_le32(PCC_SIGNATURE | ctx->mbox_idx));
-
 	/* Write to the shared command region */
 	WRITE_ONCE(generic_comm_base->command,
 		   cpu_to_le16(MSG_TYPE(msg[0]) | PCC_CMD_GENERATE_DB_INTR));

-- 
2.43.0

[PATCH 3/6] i2c: xgene-slimpro: Stop writing PCC shared memory signature

[Sudeep Holla]

ACPI specification defines the generic PCC shared memory signature as
the PCC base signature ORed with the subspace ID.

ACPI 6.6 added clarification that the signature is populated by the
platform and verified by OSPM.

The PCC mailbox controller now validates the signature when the channel
is requested. Stop rewriting the signature before each command and
leave the platform-populated value intact.

Cc: Andi Shyti <andi.shyti@kernel.org>
Cc: linux-i2c@vger.kernel.org
Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
---
 drivers/i2c/busses/i2c-xgene-slimpro.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/drivers/i2c/busses/i2c-xgene-slimpro.c b/drivers/i2c/busses/i2c-xgene-slimpro.c
index b29dec66b2c3..f77d5b3a863f 100644
--- a/drivers/i2c/busses/i2c-xgene-slimpro.c
+++ b/drivers/i2c/busses/i2c-xgene-slimpro.c
@@ -174,9 +174,6 @@ static void slimpro_i2c_pcc_tx_prepare(struct slimpro_i2c_dev *ctx, u32 *msg)
 	u16 status;
 	int i;
 
-	WRITE_ONCE(generic_comm_base->signature,
-		   cpu_to_le32(PCC_SIGNATURE | ctx->mbox_idx));
-
 	WRITE_ONCE(generic_comm_base->command,
 		   cpu_to_le16(SLIMPRO_MSG_TYPE(msg[0]) | PCC_CMD_GENERATE_DB_INTR));
 

-- 
2.43.0

[PATCH 4/6] devfreq: hisi_uncore: Preserve PCC shared memory signature

[Sudeep Holla]

ACPI specification defines the generic PCC shared memory signature as
the PCC base signature ORed with the subspace ID.

ACPI 6.6 added clarification that the signature is populated by the
platform and verified by OSPM.

The PCC mailbox controller now validates the signature when the channel
is requested. Stop copying a complete local PCC header into shared
memory and write only the command, status and payload fields, leaving
the platform-populated signature intact.

Cc: MyungJoo Ham <myungjoo.ham@samsung.com>
Cc: Kyungmin Park <kyungmin.park@samsung.com>
Cc: Chanwoo Choi <cw00.choi@samsung.com>
Cc: Huisong Li <lihuisong@huawei.com>
Cc: linux-pm@vger.kernel.org
Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
---
 drivers/devfreq/hisi_uncore_freq.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/drivers/devfreq/hisi_uncore_freq.c b/drivers/devfreq/hisi_uncore_freq.c
index 4d00d813c8ac..7976eb359061 100644
--- a/drivers/devfreq/hisi_uncore_freq.c
+++ b/drivers/devfreq/hisi_uncore_freq.c
@@ -187,7 +187,6 @@ static int hisi_uncore_cmd_send(struct hisi_uncore_freq *uncore,
 				u8 cmd, u32 *data)
 {
 	struct hisi_uncore_pcc_shmem __iomem *addr;
-	struct hisi_uncore_pcc_shmem shmem;
 	struct pcc_mbox_chan *pchan;
 	unsigned int mrtt;
 	s64 time_delta;
@@ -210,13 +209,13 @@ static int hisi_uncore_cmd_send(struct hisi_uncore_freq *uncore,
 	if (mrtt > time_delta)
 		udelay(mrtt - time_delta);
 
-	/* Copy data */
-	shmem.head = (struct acpi_pcct_shared_memory) {
-		.signature = PCC_SIGNATURE | uncore->chan_id,
-		.command = cmd,
-	};
-	shmem.pcc_data.data = *data;
-	memcpy_toio(addr, &shmem, sizeof(shmem));
+	/*
+	 * Copy command and data, leaving the platform-populated signature
+	 * intact.
+	 */
+	iowrite16(cmd, &addr->head.command);
+	iowrite16(0, &addr->head.status);
+	iowrite32(*data, &addr->pcc_data.data);
 
 	/* Ring doorbell */
 	rc = mbox_send_message(pchan->mchan, &cmd);

-- 
2.43.0

[PATCH 5/6] soc: hisilicon: kunpeng_hccs: Preserve PCC signatures

[Sudeep Holla]

ACPI specification defines the generic PCC shared memory signature as
the PCC base signature ORed with the subspace ID.

ACPI 6.6 added clarification that the signature is populated by the
platform and verified by OSPM.

The PCC mailbox controller now validates the signature when the channel
is requested. Stop copying complete local PCC headers into shared
memory and write only the mutable command, status, flags and length
fields, leaving the platform-populated signatures intact.

Cc: Huisong Li <lihuisong@huawei.com>
Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
---
 drivers/soc/hisilicon/kunpeng_hccs.c | 24 +++++++++---------------
 1 file changed, 9 insertions(+), 15 deletions(-)

diff --git a/drivers/soc/hisilicon/kunpeng_hccs.c b/drivers/soc/hisilicon/kunpeng_hccs.c
index 0cc2953d59a5..0e5e48e46eba 100644
--- a/drivers/soc/hisilicon/kunpeng_hccs.c
+++ b/drivers/soc/hisilicon/kunpeng_hccs.c
@@ -270,14 +270,11 @@ static inline void hccs_fill_pcc_shared_mem_region(struct hccs_dev *hdev,
 						   void __iomem *comm_space,
 						   u16 space_size)
 {
-	struct acpi_pcct_shared_memory tmp = {
-		.signature = PCC_SIGNATURE | hdev->chan_id,
-		.command = cmd,
-		.status = 0,
-	};
+	struct acpi_pcct_shared_memory __iomem *comm_base;
 
-	memcpy_toio(hdev->cl_info.pcc_chan->shmem, (void *)&tmp,
-		    sizeof(struct acpi_pcct_shared_memory));
+	comm_base = hdev->cl_info.pcc_chan->shmem;
+	iowrite16(cmd, &comm_base->command);
+	iowrite16(0, &comm_base->status);
 
 	/* Copy the message to the PCC comm space */
 	memcpy_toio(comm_space, (void *)desc, space_size);
@@ -289,15 +286,12 @@ static inline void hccs_fill_ext_pcc_shared_mem_region(struct hccs_dev *hdev,
 						       void __iomem *comm_space,
 						       u16 space_size)
 {
-	struct acpi_pcct_ext_pcc_shared_memory tmp = {
-		.signature = PCC_SIGNATURE | hdev->chan_id,
-		.flags = PCC_CMD_COMPLETION_NOTIFY,
-		.length = HCCS_PCC_SHARE_MEM_BYTES,
-		.command = cmd,
-	};
+	struct acpi_pcct_ext_pcc_shared_memory __iomem *comm_base;
 
-	memcpy_toio(hdev->cl_info.pcc_chan->shmem, (void *)&tmp,
-		    sizeof(struct acpi_pcct_ext_pcc_shared_memory));
+	comm_base = hdev->cl_info.pcc_chan->shmem;
+	iowrite32(PCC_CMD_COMPLETION_NOTIFY, &comm_base->flags);
+	iowrite32(HCCS_PCC_SHARE_MEM_BYTES, &comm_base->length);
+	iowrite32(cmd, &comm_base->command);
 
 	/* Copy the message to the PCC comm space */
 	memcpy_toio(comm_space, (void *)desc, space_size);

-- 
2.43.0

[PATCH 6/6] ACPI: PCC: Preserve shared memory signature in OpRegion handler

[Sudeep Holla]

ACPI defines a PCC OperationRegion as the shared memory fields that
follow the PCC signature. The OperationRegion length is likewise the
total size of the fields that succeed the signature in shared memory.

ACPI 6.6 adds clarification that the PCC shared memory signature is
populated by the platform and verified by OSPM.

The PCC address space handler currently copies the OperationRegion
buffer to and from the start of the PCC shared memory region. That can
overwrite or expose the signature at byte offset 0, and it also misses
the last 4 bytes of the actual PCC OperationRegion data.

Offset OperationRegion copies by the size of the signature and reject
regions that do not fit in the shared memory after that signature.

Cc: "Rafael J. Wysocki" <rafael@kernel.org>
Fixes: 77e2a04745ff ("ACPI: PCC: Implement OperationRegion handler for the PCC Type 3 subtype")
Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
---
 drivers/acpi/acpi_pcc.c | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/drivers/acpi/acpi_pcc.c b/drivers/acpi/acpi_pcc.c
index 438c67189511..9881c9ee293d 100644
--- a/drivers/acpi/acpi_pcc.c
+++ b/drivers/acpi/acpi_pcc.c
@@ -28,6 +28,7 @@
  * to PCC commands
  */
 #define PCC_CMD_WAIT_RETRIES_NUM	500ULL
+#define PCC_SIGNATURE_SIZE		sizeof(u32)
 
 struct pcc_data {
 	struct pcc_mbox_chan *pcc_chan;
@@ -74,6 +75,14 @@ acpi_pcc_address_space_setup(acpi_handle region_handle, u32 function,
 	}
 
 	pcc_chan = data->pcc_chan;
+	if (pcc_chan->shmem_size < PCC_SIGNATURE_SIZE ||
+	    ctx->length > pcc_chan->shmem_size - PCC_SIGNATURE_SIZE) {
+		pr_err("PCC channel-%d shared memory is too small.\n",
+		       ctx->subspace_id);
+		ret = AE_AML_REGION_LIMIT;
+		goto err_free_channel;
+	}
+
 	if (!pcc_chan->mchan->mbox->txdone_irq) {
 		pr_err("This channel-%d does not support interrupt.\n",
 		       ctx->subspace_id);
@@ -97,14 +106,17 @@ acpi_pcc_address_space_handler(u32 function, acpi_physical_address addr,
 			       u32 bits, acpi_integer *value,
 			       void *handler_context, void *region_context)
 {
-	int ret;
 	struct pcc_data *data = region_context;
+	void __iomem *pcc_opregion;
 	u64 usecs_lat;
+	int ret;
+
+	pcc_opregion = data->pcc_chan->shmem + PCC_SIGNATURE_SIZE;
 
 	reinit_completion(&data->done);
 
-	/* Write to Shared Memory */
-	memcpy_toio(data->pcc_chan->shmem, (void *)value, data->ctx.length);
+	/* Write to the PCC OperationRegion after the shared memory signature. */
+	memcpy_toio(pcc_opregion, (void *)value, data->ctx.length);
 
 	ret = mbox_send_message(data->pcc_chan->mchan, NULL);
 	if (ret < 0)
@@ -125,7 +137,7 @@ acpi_pcc_address_space_handler(u32 function, acpi_physical_address addr,
 
 	mbox_chan_txdone(data->pcc_chan->mchan, ret);
 
-	memcpy_fromio(value, data->pcc_chan->shmem, data->ctx.length);
+	memcpy_fromio(value, pcc_opregion, data->ctx.length);
 
 	return AE_OK;
 }

-- 
2.43.0

Re: [PATCH 2/6] hwmon: xgene: Stop writing PCC shared memory signature

[sashiko-bot]

Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:

Pre-existing issues:
- [High] Use-After-Free and Race Condition in Module Teardown
- [High] Asynchronous Alarms Erroneously Intercepted as Synchronous Responses
- [High] Endianness Corruption and Direct I/O Memory Dereference
- [High] Hardware State Machine Race via Improper PCC Memory Ordering
--

commit b2acc53f504dcc4234ad2b3494e6b67787941414
Author: Sudeep Holla <sudeep.holla@kernel.org>
Subject: hwmon: xgene: Stop writing PCC shared memory signature

This commit stops rewriting the generic PCC shared memory signature before each
command in xgene_hwmon_pcc_rd(). This ensures the platform-populated signature
is preserved as per ACPI 6.6 clarifications.

> diff --git a/drivers/hwmon/xgene-hwmon.c b/drivers/hwmon/xgene-hwmon.c
> index 11c5d80428cdf..38b140c23c88e 100644
> --- a/drivers/hwmon/xgene-hwmon.c
> +++ b/drivers/hwmon/xgene-hwmon.c
> @@ -133,10 +133,6 @@ static int xgene_hwmon_pcc_rd(struct xgene_hwmon_dev *ctx, u32 *msg)
>  	init_completion(&ctx->rd_complete);
>  	ctx->resp_pending = true;
>  
> -	/* Write signature for subspace */
> -	WRITE_ONCE(generic_comm_base->signature,
> -		   cpu_to_le32(PCC_SIGNATURE | ctx->mbox_idx));
> -
>  	/* Write to the shared command region */
>  	WRITE_ONCE(generic_comm_base->command,
>  		   cpu_to_le16(MSG_TYPE(msg[0]) | PCC_CMD_GENERATE_DB_INTR));

While reviewing this patch, I noticed a few pre-existing issues in this file.

drivers/hwmon/xgene-hwmon.c:xgene_hwmon_pcc_rd()

	/* Write to the shared command region */
	WRITE_ONCE(generic_comm_base->command,
		   cpu_to_le16(MSG_TYPE(msg[0]) | PCC_CMD_GENERATE_DB_INTR));

	/* Flip CMD COMPLETE bit */
	val = le16_to_cpu(READ_ONCE(generic_comm_base->status));
	val &= ~PCC_STATUS_CMD_COMPLETE;
	WRITE_ONCE(generic_comm_base->status, cpu_to_le16(val));

	/* Copy the message to the PCC comm space */
	for (i = 0; i < sizeof(struct slimpro_resp_msg) / 4; i++)
		WRITE_ONCE(ptr[i], cpu_to_le32(msg[i]));

[Severity: High]
This isn't a bug introduced by this patch, but does this ordering violate the
ACPI PCC specification?

It appears we write the command register and clear the PCC_STATUS_CMD_COMPLETE
bit before actually writing the payload to the PCC communication space in the
loop.

Could this allow the platform management processor, if it's polling the status
bit, to observe the command as ready and execute it using stale or partially
written payload data before the loop finishes?


drivers/hwmon/xgene-hwmon.c:xgene_hwmon_pcc_rx_cb()

	struct acpi_pcct_shared_memory __iomem *generic_comm_base =
							ctx->pcc_chan->shmem;
...
	msg = generic_comm_base + 1;
...
			ctx->sync_msg.msg = ((u32 *)msg)[0];
			ctx->sync_msg.param1 = ((u32 *)msg)[1];
			ctx->sync_msg.param2 = ((u32 *)msg)[2];

[Severity: High]
This is a pre-existing issue, but is it safe to directly cast and dereference
the __iomem pointer generic_comm_base + 1 as a native u32 *?

The PCC shared memory specification relies on little-endian encoding. Since
X-Gene supports big-endian architectures, wouldn't directly dereferencing the
native pointer cause the fields to be byte-swapped on big-endian systems,
potentially failing all MSG_TYPE checks and causing synchronous commands to
unconditionally timeout?


drivers/hwmon/xgene-hwmon.c:xgene_hwmon_rx_cb()

	/* Check for sync query */
	if (ctx->resp_pending &&
	    ((MSG_TYPE(((u32 *)msg)[0]) == MSG_TYPE_ERR) ||
	     (MSG_TYPE(((u32 *)msg)[0]) == MSG_TYPE_DBG &&
	      MSG_SUBTYPE(((u32 *)msg)[0]) == DBG_SUBTYPE_SENSOR_READ) ||
	     (MSG_TYPE(((u32 *)msg)[0]) == MSG_TYPE_PWRMGMT &&
	      MSG_SUBTYPE(((u32 *)msg)[0]) == PWRMGMT_SUBTYPE_TPC &&
	      TPC_CMD(((u32 *)msg)[0]) == TPC_ALARM))) {
		/* Check if platform completes command */
...
			ctx->sync_msg.msg = ((u32 *)msg)[0];
...
			/* Operation waiting for response */
			complete(&ctx->rd_complete);
			return;

[Severity: High]
This is a pre-existing issue, but does this conditional block improperly
intercept asynchronous alarms?

If a thermal alarm (TPC_ALARM) fires while a lengthy synchronous sensor read
is pending (ctx->resp_pending is true), it looks like the driver would match
the TPC_ALARM event, complete the read with the alarm data, and return early.

Wouldn't this cause the async alarm to be silently lost instead of being
routed to the async workqueue, while simultaneously causing the active sensor
reading to evaluate to corrupted values? This identical logic appears in
both xgene_hwmon_pcc_rx_cb() and xgene_hwmon_rx_cb().


drivers/hwmon/xgene-hwmon.c:xgene_hwmon_remove()

static void xgene_hwmon_remove(struct platform_device *pdev)
{
	struct xgene_hwmon_dev *ctx = platform_get_drvdata(pdev);

	cancel_work_sync(&ctx->workq);
	hwmon_device_unregister(ctx->hwmon_dev);
	kfifo_free(&ctx->async_msg_fifo);
	if (acpi_disabled)
		mbox_free_channel(ctx->mbox_chan);
	else
		pcc_mbox_free_channel(ctx->pcc_chan);
}

[Severity: High]
This is a pre-existing issue, but is there a race condition during module
teardown here?

We call kfifo_free(&ctx->async_msg_fifo) and cancel_work_sync(&ctx->workq)
before disabling the hardware mailbox interrupts with mbox_free_channel() or
pcc_mbox_free_channel().

If a late hardware interrupt arrives after the structures are freed but before
the channel is disabled, wouldn't the RX callback (xgene_hwmon_rx_cb or
xgene_hwmon_pcc_rx_cb) enqueue data into the freed async_msg_fifo and
schedule work on the canceled workq, leading to a use-after-free and
potential crash?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260627-acpi_pcc_signature-v1-0-c1b7268d4fdc@kernel.org?part=2