Re: [PATCH] fbnic: close fw_log race between users and teardown

Next message: Boris Brezillon: "Re: [RFC PATCH 2/4] rust: sync: Add dma_fence abstractions"
Previous message: Dmitry Baryshkov: "Re: [PATCH 1/1] arm64: dts: qcom: monaco-evk: Add Mezzanine"
In reply to: Lee Trager: "Re: [PATCH] fbnic: close fw_log race between users and teardown"
Next in thread: Alexander H Duyck: "Re: [PATCH] fbnic: close fw_log race between users and teardown"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Chengfeng Ye

Date: Tue Feb 10 2026 - 07:31:19 EST

> > Concurrent teardown in
> > fbnic_fw_log_free() could clear and free the log buffer after the check
> > because there is no proper synchronization, leading to list traversal or
> > buffer access on freed memory.
>
> fbnic_fw_log_free() is only called when the driver is removed, after
> DebugFS has been disabled. Before freeing the buffer the driver sends an
> explicit message to firmware to stop sending new message.
>

Yes, the more noteworthy case is that an in-flight IRQ already starts
in response to one firmware message previously sent before stopping
the firmware.

Thanks,
Chengfeng