drm/panthor: Fix UAF race between device unplug and FW event processing

[ Upstream commit 7051f6ba968fa69918d72cc26de4d6cf7ea05b90 ]

The function panthor_fw_unplug() will free the FW memory sections.
The problem is that there could still be pending FW events which are yet
not handled at this point. process_fw_events_work() can in this case try
to access said freed memory.

Simply call disable_work_sync() to both drain and prevent future
invocation of process_fw_events_work().

Signed-off-by: Ketil Johnsen <ketil.johnsen@arm.com>
Fixes: de85488138247 ("drm/panthor: Add the scheduler logical block")
Reviewed-by: Liviu Dudau <liviu.dudau@arm.com>
Link: https://patch.msgid.link/20251027140217.121274-1-ketil.johnsen@arm.com
Signed-off-by: Liviu Dudau <liviu.dudau@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/gpu/drm/panthor/panthor_sched.c b/drivers/gpu/drm/panthor/panthor_sched.c
index 81ea3a79ab49cfac614ee3cbc310d21c32a8f4a2..1d95decddc273ba942b8de1eed53431fe1a82134 100644 (file)
--- a/drivers/gpu/drm/panthor/panthor_sched.c
+++ b/drivers/gpu/drm/panthor/panthor_sched.c
@@ -3696,6 +3696,7 @@ void panthor_sched_unplug(struct panthor_device *ptdev)
        struct panthor_scheduler *sched = ptdev->scheduler;
 
        cancel_delayed_work_sync(&sched->tick_work);
+       disable_work_sync(&sched->fw_events_work);
 
        mutex_lock(&sched->lock);
        if (sched->pm.has_ref) {