Re: [PATCH 03/11] drm/panthor: Fix UAF on works queued to panthor_cleanup_wq

From: Boris Brezillon

Date: Thu Jun 25 2026 - 10:27:23 EST


On Thu, 25 Jun 2026 14:40:29 +0200
Boris Brezillon <boris.brezillon@xxxxxxxxxxxxx> wrote:

> If we don't drain the panthor_cleanup_wq before
> unregistering/destroying the panthor_device, we might end up with
> cleanup works that are executed after the device is gone.
>
> Add a drain_workqueue() call in panthor_device_unplug() to prevent
> that.
>
> Fixes: de8548813824 ("drm/panthor: Add the scheduler logical block")
> Fixes: 647810ec2476 ("drm/panthor: Add the MMU/VM logical block")
> Reported-by: sashiko-bot@xxxxxxxxxx
> Closes: https://sashiko.dev/#/patchset/20260625-panthor-signal-from-irq-v5-0-8836a74e0ef9@xxxxxxxxxxxxx?part=2
> Signed-off-by: Boris Brezillon <boris.brezillon@xxxxxxxxxxxxx>
> ---
> drivers/gpu/drm/panthor/panthor_device.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/drivers/gpu/drm/panthor/panthor_device.c b/drivers/gpu/drm/panthor/panthor_device.c
> index 0b25abebb803..a0774e28aa94 100644
> --- a/drivers/gpu/drm/panthor/panthor_device.c
> +++ b/drivers/gpu/drm/panthor/panthor_device.c
> @@ -101,6 +101,11 @@ void panthor_device_unplug(struct panthor_device *ptdev)
> panthor_gpu_unplug(ptdev);
> panthor_pwr_unplug(ptdev);
>
> + /* Make sure works queued to panthor_cleanup_wq are executed
> + * before the device is destroyed.
> + */
> + drain_workqueue(panthor_cleanup_wq);

As sashiko pointed out[1], this doesn't work. __flush_workqueue()
could work, but I'm actually considering moving those works to the
panthor_mmu/panthor_scheduler, so we can easily call
disable_work_sync() when the MMU/scheduler components are torn down.

> +
> pm_runtime_dont_use_autosuspend(ptdev->base.dev);
> pm_runtime_put_sync_suspend(ptdev->base.dev);
>
>
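Review bot: drain_workqueue() is the wrong primitive at the `+ drain_workqueue(panthor_cleanup_wq);` line: panthor_cleanup_wq is referenced as a module-wide global rather than a per-device member, so one device's unplug waits on every device's cleanup works, and while the drain is in progress the workqueue core only permits chained queueing (a queue_work() on that workqueue from any other context, another device's teardown or an interrupt path on this one, hits the WARN_ON_ONCE in __queue_work() and the work is silently not queued). It also only covers work already pending when it runs; anything queued after this point, during the runtime-suspend call that follows or the remaining device teardown, is still free to execute after the device is gone, which is the UAF the commit message describes. Prefer a plain flush of the workqueue at a point where nothing can requeue, or, cleaner, cancel each cleanup work with disable_work_sync() from the component that owns it (panthor_mmu / panthor_scheduler teardown), so the lifetime guarantee follows the work item rather than the shared workqueue.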

[1] https://sashiko.dev/#/patchset/20260625-panthor-misc-fixes-v1-0-b67ed973fea6@xxxxxxxxxxxxx?part=3