firmware: arm_ffa: Snapshot notifier callbacks under lock - wireguard-linux

diff options

author	Sudeep Holla <sudeep.holla@kernel.org>	2026-04-28 19:33:34 +0100
committer	Sudeep Holla <sudeep.holla@kernel.org>	2026-05-05 16:42:49 +0100
commit	38290b180a4d5746baed796d49f88d56d2f336cd (patch)
tree	65aab1cf0cf6de93141b9128a9ef13a7a41d006f /tools/testing/selftests/dm-verity/git:/ssh:/git@git.zx2c4.com
parent	firmware: arm_ffa: Align RxTx buffer size before mapping (diff)

firmware: arm_ffa: Snapshot notifier callbacks under lock

Both notification handlers currently look up a notifier callback under notify_lock, drop the lock, and then dereference the returned notifier entry. A concurrent unregister can delete and free that entry in the gap, leaving the handler to dereference stale memory. Copy the callback pointer and callback data while notify_lock is still held and invoke the callback only after the lock is dropped. This keeps the existing callback execution model while removing the use-after-free window in both the framework and non-framework notification paths. Fixes: 285a5ea0f542 ("firmware: arm_ffa: Add support for handling framework notifications") Link: https://patch.msgid.link/20260428-ffa_fixes-v2-10-8595ae450034@kernel.org Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>

Diffstat (limited to 'tools/testing/selftests/dm-verity/git:/ssh:/git@git.zx2c4.com')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: