In the Linux kernel, the following vulnerability has been resolved:
mailbox: mtk-cmdq: Move devm_mbox_controller_register() after devm_pm_runtime_enable()
When mtk-cmdq unbinds, a WARN_ON message with condition pm_runtime_get_sync() < 0 occurs.
According to the call trace below:
  cmdq_mbox_shutdown
  mbox_free_channel
  mbox_controller_unregister
  __devm_mbox_controller_unregister
  ...
The root cause can be deduced to be calling pm_runtime_get_sync() after calling pm_runtime_disable() as observed below:
1. CMDQ driver uses devm_mbox_controller_register() in cmdq_probe() to bind the cmdq device to the mbox_controller, so devm_mbox_controller_unregister() will automatically unregister the device bound to the mailbox controller when the device-managed resource is removed. That means devm_mbox_controller_unregister() and cmdq_mbox_shutdown() will be called after cmdq_remove().
2. CMDQ driver also uses devm_pm_runtime_enable() in cmdq_probe() after devm_mbox_controller_register(), so that devm_pm_runtime_disable() will be called after cmdq_remove(), but before devm_mbox_controller_unregister().
To fix this problem, cmdq_probe() needs to move devm_mbox_controller_register() after devm_pm_runtime_enable() to make devm_pm_runtime_disable() be called after devm_mbox_controller_unregister().
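
The teardown ordering described above, as an added example that is neither kernel code nor part of the original commit: a userspace C model of the last-in, first-out release order of device-managed resources, run once with the original probe order and once with the fixed one. The model_* helpers, unbind_warnings() and the MODEL_EACCES value are assumptions made for illustration.

```c
/* Userspace model of devres teardown order; not kernel code. */
#include <stdio.h>

#define MAX_ACTIONS 8
#define MODEL_EACCES 13   /* assumed stand-in errno for "runtime PM disabled" */

typedef void (*release_fn)(void);

static release_fn devres[MAX_ACTIONS]; /* release actions, in registration order */
static int ndevres;
static int pm_enabled;
static int warnings;

static void devm_add(release_fn fn) { devres[ndevres++] = fn; }

/* Model of pm_runtime_get_sync(): fails once runtime PM is disabled. */
static int model_pm_runtime_get_sync(void) { return pm_enabled ? 0 : -MODEL_EACCES; }

/* Release action paired with devm_pm_runtime_enable(). */
static void model_pm_runtime_disable(void) { pm_enabled = 0; }

/* Release action paired with devm_mbox_controller_register():
 * unregister -> mbox_free_channel -> cmdq_mbox_shutdown -> get_sync. */
static void model_mbox_unregister(void)
{
    if (model_pm_runtime_get_sync() < 0)
        warnings++;       /* the point where the WARN_ON condition is met */
}

static void model_pm_enable(void)     { pm_enabled = 1; devm_add(model_pm_runtime_disable); }
static void model_mbox_register(void) { devm_add(model_mbox_unregister); }

/* Probe in the chosen order, then unbind: releases run last-in, first-out. */
int unbind_warnings(int fixed_order)
{
    ndevres = 0; pm_enabled = 0; warnings = 0;
    if (fixed_order) { model_pm_enable(); model_mbox_register(); }
    else             { model_mbox_register(); model_pm_enable(); }
    while (ndevres > 0)
        devres[--ndevres]();
    return warnings;
}

int main(void)
{
    printf("original order: %d warning(s)\n", unbind_warnings(0));
    printf("fixed order:    %d warning(s)\n", unbind_warnings(1));
    return 0;
}
```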