[PATCH 1/2] soc: xilinx: Fix race condition in event registration

[PATCH 1/2] soc: xilinx: Fix race condition in event registration

[Prasanna Kumar T S M]

The zynqmp_power driver registers handlers for suspend and subsystem
restart events using register_event(). However, the work structures
(zynqmp_pm_init_suspend_work and zynqmp_pm_init_restart_work) used by
these handlers were allocated and initialized after the registration
call.

This created a race window where, if the firmware triggered an event
immediately after registration but before allocation, the callback
(suspend_event_callback or subsystem_restart_event_callback) would
dereference a NULL pointer in work_pending(), leading to a crash.

Fix this by allocating and initializing the work structures before
registering the events.

Fixes: fcf544ac6439 ("soc: xilinx: Add cb event for subsystem restart")

Signed-off-by: Prasanna Kumar T S M <ptsm@linux.microsoft.com>
---
 drivers/soc/xilinx/zynqmp_power.c | 34 +++++++++++++++----------------
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/drivers/soc/xilinx/zynqmp_power.c b/drivers/soc/xilinx/zynqmp_power.c
index 9085db1b480a..aa35b63b45a3 100644
--- a/drivers/soc/xilinx/zynqmp_power.c
+++ b/drivers/soc/xilinx/zynqmp_power.c
@@ -303,18 +303,18 @@ static int zynqmp_pm_probe(struct platform_device *pdev)
 	 * is not available to use) or -ENODEV(Xilinx Event Manager not compiled),
 	 * then use ipi-mailbox or interrupt method.
 	 */
+	zynqmp_pm_init_suspend_work = devm_kzalloc(&pdev->dev,
+						   sizeof(struct zynqmp_pm_work_struct),
+						   GFP_KERNEL);
+	if (!zynqmp_pm_init_suspend_work)
+		return -ENOMEM;
+
+	INIT_WORK(&zynqmp_pm_init_suspend_work->callback_work,
+		  zynqmp_pm_init_suspend_work_fn);
+
 	ret = register_event(&pdev->dev, PM_INIT_SUSPEND_CB, 0, 0, false,
 			     suspend_event_callback);
 	if (!ret) {
-		zynqmp_pm_init_suspend_work = devm_kzalloc(&pdev->dev,
-							   sizeof(struct zynqmp_pm_work_struct),
-							   GFP_KERNEL);
-		if (!zynqmp_pm_init_suspend_work)
-			return -ENOMEM;
-
-		INIT_WORK(&zynqmp_pm_init_suspend_work->callback_work,
-			  zynqmp_pm_init_suspend_work_fn);
-
 		ret = zynqmp_pm_get_family_info(&pm_family_code);
 		if (ret < 0)
 			return ret;
@@ -326,14 +326,6 @@ static int zynqmp_pm_probe(struct platform_device *pdev)
 		else
 			return -ENODEV;
 
-		ret = register_event(&pdev->dev, PM_NOTIFY_CB, node_id, EVENT_SUBSYSTEM_RESTART,
-				     false, subsystem_restart_event_callback);
-		if (ret) {
-			dev_err(&pdev->dev, "Failed to Register with Xilinx Event manager %d\n",
-				ret);
-			return ret;
-		}
-
 		zynqmp_pm_init_restart_work = devm_kzalloc(&pdev->dev,
 							   sizeof(struct zynqmp_pm_work_struct),
 							   GFP_KERNEL);
@@ -342,6 +334,14 @@ static int zynqmp_pm_probe(struct platform_device *pdev)
 
 		INIT_WORK(&zynqmp_pm_init_restart_work->callback_work,
 			  zynqmp_pm_subsystem_restart_work_fn);
+
+		ret = register_event(&pdev->dev, PM_NOTIFY_CB, node_id, EVENT_SUBSYSTEM_RESTART,
+				     false, subsystem_restart_event_callback);
+		if (ret) {
+			dev_err(&pdev->dev, "Failed to Register with Xilinx Event manager %d\n",
+				ret);
+			return ret;
+		}
 	} else if (ret != -EACCES && ret != -ENODEV) {
 		dev_err(&pdev->dev, "Failed to Register with Xilinx Event manager %d\n", ret);
 		return ret;
-- 
2.49.0

Re: [PATCH 2/2] soc: xilinx: Shutdown and free rx mailbox channel

[Michal Simek]

On 3/17/26 15:36, Prasanna Kumar T S M wrote:
> [Some people who received this message don't often get email from ptsm@linux.microsoft.com. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]
> 
> A mbox rx channel is requested using mbox_request_channel_byname() in
> probe. In remove callback, the rx mailbox channel is cleaned up when the
> rx_chan is NULL due to incorrect condition check. The mailbox channel is
> not shutdown and it can receive messages even after the device removal.
> This leads to use after free. Also the channel resources are not freed.
> Fix this by checking the rx_chan correctly.
> 
> Fixes: ffdbae28d9d1 ("drivers: soc: xilinx: Use mailbox IPI callback")
> Signed-off-by: Prasanna Kumar T S M <ptsm@linux.microsoft.com>
> ---
>   drivers/soc/xilinx/zynqmp_power.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/soc/xilinx/zynqmp_power.c b/drivers/soc/xilinx/zynqmp_power.c
> index aa35b63b45a3..5086c1e6797e 100644
> --- a/drivers/soc/xilinx/zynqmp_power.c
> +++ b/drivers/soc/xilinx/zynqmp_power.c
> @@ -398,7 +398,7 @@ static void zynqmp_pm_remove(struct platform_device *pdev)
>   {
>          sysfs_remove_file(&pdev->dev.kobj, &dev_attr_suspend_mode.attr);
> 
> -       if (!rx_chan)
> +       if (rx_chan)
>                  mbox_free_channel(rx_chan);


Please also clear that global variable because when the driver is re-bound there 
will be old reference to rx_chan which shouldn't be there.

          if (rx_chan) {
                  mbox_free_channel(rx_chan);
                  rx_chan = NULL;
          }

And please send both patches as one thread.

Thanks,
Michal

Re: [PATCH 2/2] soc: xilinx: Shutdown and free rx mailbox channel

[Prasanna Kumar T S M]

On 18-03-2026 21:36, Michal Simek wrote:
> 
> 
> On 3/17/26 15:36, Prasanna Kumar T S M wrote:
>> [Some people who received this message don't often get email from 
>> ptsm@linux.microsoft.com. Learn why this is important at https:// 
>> aka.ms/LearnAboutSenderIdentification ]
>>
>> A mbox rx channel is requested using mbox_request_channel_byname() in
>> probe. In remove callback, the rx mailbox channel is cleaned up when the
>> rx_chan is NULL due to incorrect condition check. The mailbox channel is
>> not shutdown and it can receive messages even after the device removal.
>> This leads to use after free. Also the channel resources are not freed.
>> Fix this by checking the rx_chan correctly.
>>
>> Fixes: ffdbae28d9d1 ("drivers: soc: xilinx: Use mailbox IPI callback")
>> Signed-off-by: Prasanna Kumar T S M <ptsm@linux.microsoft.com>
>> ---
>>   drivers/soc/xilinx/zynqmp_power.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/soc/xilinx/zynqmp_power.c b/drivers/soc/xilinx/ 
>> zynqmp_power.c
>> index aa35b63b45a3..5086c1e6797e 100644
>> --- a/drivers/soc/xilinx/zynqmp_power.c
>> +++ b/drivers/soc/xilinx/zynqmp_power.c
>> @@ -398,7 +398,7 @@ static void zynqmp_pm_remove(struct 
>> platform_device *pdev)
>>   {
>>          sysfs_remove_file(&pdev->dev.kobj, &dev_attr_suspend_mode.attr);
>>
>> -       if (!rx_chan)
>> +       if (rx_chan)
>>                  mbox_free_channel(rx_chan);
> 
> 
> Please also clear that global variable because when the driver is re- 
> bound there will be old reference to rx_chan which shouldn't be there.
> 
>           if (rx_chan) {
>                   mbox_free_channel(rx_chan);
>                   rx_chan = NULL;
>           }
> 
> And please send both patches as one thread.
> 
> Thanks,
> Michal

Hi Michal,

Thanks for the review. Sent v2.

Thanks,
Prasanna