From nobody Fri Dec 19 07:49:27 2025 Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E0E7A22541D; Sat, 7 Jun 2025 13:06:28 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=198.175.65.14 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1749301590; cv=none; b=LVTWjBl34dG/PUGNejW9kRiRDfNC4/FmL1m4M9+Ef/1QBP0+cwbm0CM1aKFok7m3YEDP322xbQJ3fmfBb7qxFUiLhgTNBaLPdvu1A7hZxjr35XXhx3xdTNR7ByBlrEdsMIKaSyyO0heZATa4DW/34bD967VXOq8FkION61ZE9c4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1749301590; c=relaxed/simple; bh=TRCBx/dlu/Usj7MGTdFl2eC87AR0McHpxfl7Hi/VT5c=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=YGWq4ep30/cClAaCEcJ1rVnpc42YP2pyyZylS5ZhLR5pvxY4LoY9bngNg+Lm485298fronO25+RbG5qjgn0MLr1dUnEBCXm3FZe+OTtOfWHkrd9DUk48r4760gJ/QMn9NiDQAJPoDhtv6pssnxkTpsxQQOss7s9NGDTW93aHPIw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=intel.com; spf=pass smtp.mailfrom=intel.com; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b=CpZ7oLAP; arc=none smtp.client-ip=198.175.65.14 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=intel.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=intel.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b="CpZ7oLAP" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1749301589; x=1780837589; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=TRCBx/dlu/Usj7MGTdFl2eC87AR0McHpxfl7Hi/VT5c=; b=CpZ7oLAPsisKNDyWeP637/4FPG1J1bs+02RDinLsTniJmwZC95ZLj8H2 idFGbn1L+zocDACRi4crUMiDvuGb7To2Pf3QTvzsviaNIMJ6Br5CFnf/N yR0H9yqN31yp/zKkXbOZB7dRjb9rnkbzoa7oLK/kA+ufLi6d9nbnxBGdu 4Fuq4a38m45YbdrDhN3GVHFmh42zhAeHkO/plC9sYfwERe19P3gx64IZc m+PI/iDG+Y6lSS9GtOsvd560xibh2j2B+1GNBwapj5HdLRs2BNDOolkui 2L2ODXERTagOFyjhMLRFBPXIJz2BmNG4XA1h3s6wydx+HQ94okukoZljH A==; X-CSE-ConnectionGUID: znDqTlLpS/qQUSiGPn2v1g== X-CSE-MsgGUID: t1jDaxBuSMCLdy/argRefg== X-IronPort-AV: E=McAfee;i="6800,10657,11457"; a="55242777" X-IronPort-AV: E=Sophos;i="6.16,218,1744095600"; d="scan'208";a="55242777" Received: from orviesa004.jf.intel.com ([10.64.159.144]) by orvoesa106.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 07 Jun 2025 06:06:29 -0700 X-CSE-ConnectionGUID: q5jblasBSD67E45YIRGEQw== X-CSE-MsgGUID: 39mMbY5OS26UA1KPo26CpQ== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.16,218,1744095600"; d="scan'208";a="151074663" Received: from ysun46-mobl (HELO YSUN46-MOBL..) ([10.239.96.51]) by orviesa004.jf.intel.com with ESMTP; 07 Jun 2025 06:06:27 -0700 From: Yi Sun To: vinicius.gomes@intel.com, dmaengine@vger.kernel.org, linux-kernel@vger.kernel.org Cc: yi.sun@intel.com, gordon.jin@intel.com Subject: [PATCH v2 1/2] dmaengine: idxd: Remove improper idxd_free Date: Sat, 7 Jun 2025 21:06:15 +0800 Message-ID: <20250607130616.514984-2-yi.sun@intel.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20250607130616.514984-1-yi.sun@intel.com> References: <20250607130616.514984-1-yi.sun@intel.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" The call to idxd_free() introduces a duplicate put_device() leading to a reference count underflow: refcount_t: underflow; use-after-free. WARNING: CPU: 15 PID: 4428 at lib/refcount.c:28 refcount_warn_saturate+0xbe= /0x110 ... Call Trace: idxd_remove+0xe4/0x120 [idxd] pci_device_remove+0x3f/0xb0 device_release_driver_internal+0x197/0x200 driver_detach+0x48/0x90 bus_remove_driver+0x74/0xf0 pci_unregister_driver+0x2e/0xb0 idxd_exit_module+0x34/0x7a0 [idxd] __do_sys_delete_module.constprop.0+0x183/0x280 do_syscall_64+0x54/0xd70 entry_SYSCALL_64_after_hwframe+0x76/0x7e The idxd_unregister_devices() which is invoked at the very beginning of idxd_remove(), already takes care of the necessary put_device() through the following call path: idxd_unregister_devices() -> device_unregister() -> put_device() In addition, when CONFIG_DEBUG_KOBJECT_RELEASE is enabled, put_device() may trigger asynchronous cleanup via schedule_delayed_work(). If idxd_free() is called immediately after, it can result in a use-after-free. Remove the improper idxd_free() to avoid both the refcount underflow and potential memory corruption during module unload. Fixes: d5449ff1b04d ("dmaengine: idxd: Add missing idxd cleanup to fix memo= ry leak in remove call") Signed-off-by: Yi Sun diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c index 760b7d81fcd8..504aca0fd597 100644 --- a/drivers/dma/idxd/init.c +++ b/drivers/dma/idxd/init.c @@ -1324,7 +1324,6 @@ static void idxd_remove(struct pci_dev *pdev) idxd_cleanup(idxd); pci_iounmap(pdev, idxd->reg_base); put_device(idxd_confdev(idxd)); - idxd_free(idxd); pci_disable_device(pdev); } =20 --=20 2.43.0 From nobody Fri Dec 19 07:49:27 2025 Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 55C43228CBE; Sat, 7 Jun 2025 13:06:32 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=198.175.65.14 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1749301594; cv=none; b=fCMt+4GnF1tKxfqbju6DOrMArMN9qUeh+4Iv/+xlR2j5svmKsJg/wq0WkzVE3UO27aqBk6kGGtzPMXoDl7GztG9ZIzrNDfiPs2x7Q9ApkuRi1k1o+0koohIX6ipy62yrA23q9QvEm8uuZWJzJsn76YzlS+2TD+zUJaNuCd7h5jM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1749301594; c=relaxed/simple; bh=MZXxfUSkH1A79O9u48J/QWYARZQdYKawpA/PHmDBm+U=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=XYkYUYWaQ6Uz2KvPYF+6KaJnCl30N0odPAkhIIkKxffT5HB/8M+ERQd/sTDxp3EvhOkuQexN3lJ/nnBy2RFK0Gi5jtY38YMJ2vFjuV41QHbMA2xRRoEDPqJqrdYiwmo6wWxbqUmcaZMKsF3StTDXb8nEvjQV4UrAjDqC/ShqasY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=intel.com; spf=pass smtp.mailfrom=intel.com; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b=D64AA5h1; arc=none smtp.client-ip=198.175.65.14 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=intel.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=intel.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b="D64AA5h1" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1749301593; x=1780837593; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=MZXxfUSkH1A79O9u48J/QWYARZQdYKawpA/PHmDBm+U=; b=D64AA5h120fb2CwRRJ1P67kNeSxBQpy9+wOBudHuz7e8FdY0rkD8ZEsL BrJ0LH6Y78BeZL+SnaIZH4W0gLi6YOtoa2jZdimD+HMxcvBcBY8/LgQxq gR0+vMM5LolbY8A5LcFBSNRM7sppQMg+yAPfllOH3Ay24OSP1gqF1NoUN 37+feeqLVyMvOjj23lhvvKw0BMVj/BskE2D6eml7FjpLlU7ZOBSNwlZVv B7D4WDR443A3+c97Kap/7NpDfK3wlbxfqXaC+CQFTF/u7VpFQrPXy61qJ YSKn7aWzvXBmocDjsEqXi8QYFp/nmKidWIdw6JYh3LXlaMUrreLcD62fO Q==; X-CSE-ConnectionGUID: Mo4yF/cPQVeE9r/tpA2/UA== X-CSE-MsgGUID: 4c6u7zLqSJeRBkHM12L65Q== X-IronPort-AV: E=McAfee;i="6800,10657,11457"; a="55242778" X-IronPort-AV: E=Sophos;i="6.16,218,1744095600"; d="scan'208";a="55242778" Received: from orviesa004.jf.intel.com ([10.64.159.144]) by orvoesa106.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 07 Jun 2025 06:06:32 -0700 X-CSE-ConnectionGUID: zfpFekLQQFWIrVNFszrPpQ== X-CSE-MsgGUID: j6iCpDsST++BuTxrOtabNQ== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.16,218,1744095600"; d="scan'208";a="151074672" Received: from ysun46-mobl (HELO YSUN46-MOBL..) ([10.239.96.51]) by orviesa004.jf.intel.com with ESMTP; 07 Jun 2025 06:06:31 -0700 From: Yi Sun To: vinicius.gomes@intel.com, dmaengine@vger.kernel.org, linux-kernel@vger.kernel.org Cc: yi.sun@intel.com, gordon.jin@intel.com Subject: [PATCH v2 2/2] dmaengine: idxd: Fix refcount underflow on module unload Date: Sat, 7 Jun 2025 21:06:16 +0800 Message-ID: <20250607130616.514984-3-yi.sun@intel.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20250607130616.514984-1-yi.sun@intel.com> References: <20250607130616.514984-1-yi.sun@intel.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" A recent refactor introduced a misplaced put_device() call, leading to a reference count underflow during module unload. There is no need to add additional put_device() calls for idxd groups, engines, or workqueues. Although commit a409e919ca3 claims:"Note, this also fixes the missing put_device() for idxd groups, engines, and wqs." It appears no such omission existed. The required cleanup is already handled by the call chain: idxd_unregister_devices() -> device_unregister() -> put_device() Extend idxd_cleanup() to perform the necessary cleanup, and remove idxd_cleanup_internals() which was not originally part of the driver unload path and introduced unintended reference count underflow. Fixes: a409e919ca32 ("dmaengine: idxd: Refactor remove call with idxd_clean= up() helper") Signed-off-by: Yi Sun diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c index 504aca0fd597..a5eabeb6a8bd 100644 --- a/drivers/dma/idxd/init.c +++ b/drivers/dma/idxd/init.c @@ -1321,7 +1321,12 @@ static void idxd_remove(struct pci_dev *pdev) device_unregister(idxd_confdev(idxd)); idxd_shutdown(pdev); idxd_device_remove_debugfs(idxd); - idxd_cleanup(idxd); + perfmon_pmu_remove(idxd); + idxd_cleanup_interrupts(idxd); + if (device_pasid_enabled(idxd)) + idxd_disable_system_pasid(idxd); + if (device_user_pasid_enabled(idxd)) + idxd_disable_sva(idxd->pdev); pci_iounmap(pdev, idxd->reg_base); put_device(idxd_confdev(idxd)); pci_disable_device(pdev); --=20 2.43.0