From 4e8e910db7855d5af906786edd00ab422b7f9d26 Mon Sep 17 00:00:00 2001
From: Abhishek Ojha
Date: Mon, 14 Jul 2025 04:10:19 -0400
Subject: [PATCH] gpu-viv: Fix crash in gckGALDEVICE_Destroy()
The memory pointed to by gal_device->devices[devIndex] was freed via gcmkVERIFY_OK(gckDEVICE_Destroy(device->os, device)), but the pointer was still pointing to same location. This left a dangling pointer. Later, dereferencing gal_device->devices[devIndex] in _DebugfsCleanup() caused a kernel crash due to invalid memory access. Fix this by setting gal_device->devices[devIndex] = gcvNULL immediately after the memory is freed. Crash log summary: - Unable to handle kernel paging request at virtual address ffff800081b06298 - Kernel paging request at ffff800081b06298 with no valid PTE. [ffff800081b06298] pgd=100000013ffff003,p4d=100000013ffff003, pud=100000013fffe003, pmd=100000010002a003,pte=0000000000000000 - Faulting instruction: `ldr x20, [x0, #0x12a8]`. Code: aa1803e0 528166e2 97d3ba16 f940ee60 (f9494c14) [CRASH LOGS] 1978: f9494c14 ldr x20, [x0, #4760] [DISASSEMBLY] - Base address (x0) = ffff800081b05000 x20 = *(x0 + 0x12a8) = *(x0 + 4776) <- fault address ffff800081b06298 x0 is the address of input argument. This change prevents dereferencing freed memory and avoids a crash in _DebugfsCleanup().
Signed-off-by: Abhishek Ojha
---
 .../gpu-viv/hal/os/linux/kernel/gc_hal_kernel_device.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/mxc/gpu-viv/hal/os/linux/kernel/gc_hal_kernel_device.c b/drivers/mxc/gpu-viv/hal/os/linux/kernel/gc_hal_kernel_device.c
index 6b3c68dc769d..5f4acd4510f8 100644
--- a/drivers/mxc/gpu-viv/hal/os/linux/kernel/gc_hal_kernel_device.c
+++ b/drivers/mxc/gpu-viv/hal/os/linux/kernel/gc_hal_kernel_device.c
@@ -1589,9 +1589,10 @@ _DebugfsCleanup(IN gckGALDEVICE Device)
 }
 #else
 /* TODO. */
- struct device *dev = (struct device *)Device->devices[0]->dev;
-
- sysfs_remove_groups(&dev->kobj, Info_groups);
+ if (Device && Device->devices[0] != gcvNULL) {
+ struct device *dev = (struct device *)Device->devices[0]->dev;
+ sysfs_remove_groups(&dev->kobj, Info_groups);
+ }
 #endif
 }
@@ -2824,6 +2825,7 @@ gckGALDEVICE_Destroy(gckGALDEVICE gal_device)
 gcmkVERIFY_OK(gckDEVICE_Destroy(device->os, device));
+ gal_device->devices[devIndex] = gcvNULL;
 device = gcvNULL;
 }
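Review bot: The NULL guard added in _DebugfsCleanup (first hunk) only skips the dereference; if gckGALDEVICE_Destroy calls _DebugfsCleanup after the loop that now clears gal_device->devices[devIndex] (second hunk), devices[0] is always gcvNULL at that point, sysfs_remove_groups() is never reached, and the Info_groups attributes stay registered on the device while the gckDEVICE state they may read has already been freed. A safer ordering is to remove the sysfs groups before gckDEVICE_Destroy() frees the device, either by calling _DebugfsCleanup ahead of the destroy loop or by saving `struct device *dev` from devices[0] before the loop and passing it to sysfs_remove_groups. The guard also does not check the inner pointer before taking &dev->kobj; `if (Device && Device->devices[0] != gcvNULL && Device->devices[0]->dev != gcvNULL)` would cover that. Both enclosing functions begin outside the hunks, so the call order is inferred from the crash description rather than visible here.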