From nobody Fri Oct 10 09:49:27 2025 Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E2FD9288CA5; Tue, 17 Jun 2025 10:27:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=198.175.65.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1750156068; cv=none; b=UQxKf4m+VMXQp8X4Gn4p7U1NbvjaSc35DY7seH535d5SPtZij0aMMddZUKSqG1AW7mC1qXqNFYlFnSn7HUq1XnyJ9C75XzORKg0pbV7ZQA3fQENX7/s09ZxiexKSK26x4yBGHrO7tgZZUZfYTU9MHuOFbGsEcdrzdVz6q6xU7sQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1750156068; c=relaxed/simple; bh=ZAhzd6vRIdEJDBu/+Y3tha+s7kzTjg40RZ1V/SDTreY=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=DeIO/etHIeIhNZWYrXMMA65/yaZmNrPPJD6qnihVdHSSDXn5y3qEJX1OktJYMyxzAjjggP7APAKek3hV/6uI6Qo9V8m64+AEiwTilGRMEQ9Ovw8VYJ/m247ttJtsXkm9ql+dDL4Hee6ikol81cwMQNF4YxChlHPv07gv4k5hTpM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=intel.com; spf=pass smtp.mailfrom=intel.com; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b=Aei5DmAf; arc=none smtp.client-ip=198.175.65.18 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=intel.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=intel.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b="Aei5DmAf" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1750156067; x=1781692067; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=ZAhzd6vRIdEJDBu/+Y3tha+s7kzTjg40RZ1V/SDTreY=; b=Aei5DmAfGRHr9H5c3qE+ekyFotEToJFbYORmq6S1dCl4NAFACruMb4Ms D54Euab3AP8DUmvn5LOVwfd0SFVNgLSPblQ8F7AZGbQ0EsjhMyYOdAAbA 2c3Dg2X3Zsk8uDwZcULBLwlSIEzFF9hg+0pY+dF5O557IoHmMSOIce3pH qgBWOwyoH6TCNeQV16brNhygJ+Zsb9ME7Cmk8QomGmHnM4KuT/nehAT/c Yqm3uUiJkp5oGYL+rqcKE88cjSNcu2jO9DZ23V051N6y4A4WiYNqTJzTv tg4yrXK3LCo+FHGiBRPTAp3tkoswD/0mZ2TgKb+sBWQrSZxmg5j9s96bO w==; X-CSE-ConnectionGUID: 1/cJKVGATQ2x++flLS68xQ== X-CSE-MsgGUID: h9lJhRFZSKmRWOmepcVfag== X-IronPort-AV: E=McAfee;i="6800,10657,11465"; a="52462091" X-IronPort-AV: E=Sophos;i="6.16,243,1744095600"; d="scan'208";a="52462091" Received: from orviesa005.jf.intel.com ([10.64.159.145]) by orvoesa110.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 17 Jun 2025 03:27:47 -0700 X-CSE-ConnectionGUID: eZw9hAmURYi0bYo0NQe1CQ== X-CSE-MsgGUID: rlLrsn3aQYCGq+FKW+JZUw== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.16,243,1744095600"; d="scan'208";a="154033950" Received: from ysun46-mobl (HELO YSUN46-MOBL..) ([10.239.96.51]) by orviesa005.jf.intel.com with ESMTP; 17 Jun 2025 03:27:43 -0700 From: Yi Sun To: vinicius.gomes@intel.com, dmaengine@vger.kernel.org, linux-kernel@vger.kernel.org Cc: dave.jiang@intel.com, yi.sun@intel.com, gordon.jin@intel.com, fenghuay@nvidia.com Subject: [PATCH v3 1/2] dmaengine: idxd: Remove improper idxd_free Date: Tue, 17 Jun 2025 18:27:11 +0800 Message-ID: <20250617102712.727333-2-yi.sun@intel.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20250617102712.727333-1-yi.sun@intel.com> References: <20250617102712.727333-1-yi.sun@intel.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" The call to idxd_free() introduces a duplicate put_device() leading to a reference count underflow: refcount_t: underflow; use-after-free. WARNING: CPU: 15 PID: 4428 at lib/refcount.c:28 refcount_warn_saturate+0xbe= /0x110 ... Call Trace: idxd_remove+0xe4/0x120 [idxd] pci_device_remove+0x3f/0xb0 device_release_driver_internal+0x197/0x200 driver_detach+0x48/0x90 bus_remove_driver+0x74/0xf0 pci_unregister_driver+0x2e/0xb0 idxd_exit_module+0x34/0x7a0 [idxd] __do_sys_delete_module.constprop.0+0x183/0x280 do_syscall_64+0x54/0xd70 entry_SYSCALL_64_after_hwframe+0x76/0x7e The idxd_unregister_devices() which is invoked at the very beginning of idxd_remove(), already takes care of the necessary put_device() through the following call path: idxd_unregister_devices() -> device_unregister() -> put_device() In addition, when CONFIG_DEBUG_KOBJECT_RELEASE is enabled, put_device() may trigger asynchronous cleanup via schedule_delayed_work(). If idxd_free() is called immediately after, it can result in a use-after-free. Remove the improper idxd_free() to avoid both the refcount underflow and potential memory corruption during module unload. Fixes: d5449ff1b04d ("dmaengine: idxd: Add missing idxd cleanup to fix memo= ry leak in remove call") Signed-off-by: Yi Sun diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c index 80355d03004d..40cc9c070081 100644 Tested-by: Shuai Xue --- a/drivers/dma/idxd/init.c +++ b/drivers/dma/idxd/init.c @@ -1295,7 +1295,6 @@ static void idxd_remove(struct pci_dev *pdev) idxd_cleanup(idxd); pci_iounmap(pdev, idxd->reg_base); put_device(idxd_confdev(idxd)); - idxd_free(idxd); pci_disable_device(pdev); } =20 --=20 2.43.0 From nobody Fri Oct 10 09:49:27 2025 Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 76600288CA5; Tue, 17 Jun 2025 10:27:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=198.175.65.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1750156074; cv=none; b=Up/llgG5os7rfxnlKPuh57w05CIPsiEmdgd1mJ0BpdWha9mVBScELHpLbLppRFbLSiQ0fkICI43/2e9T2BeLBxSOzYdeX0TLGrhjb6Hn8l498GGsJffGjNlL1Al8K59pny4EO90MD6ZFQlJHVF6vxL3AaXwayRUvZFNJs/RypkA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1750156074; c=relaxed/simple; bh=gqV21TcK9Cc3ulZOth7BRdJuQAZrSi3YuwCV5P2/3fY=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=lqmgVOWgKUr3zceXM5FwYyRLDatsv1K5qg8hRDbyz0BW1AxyAul7UoBzQA1Upsd+kDjmmDijGcudH4fOm2OV3ZZzGczOOj2fyqYkvR/sksdfN5hgv4HmKPn4r3VoQ0EBj6H36oPzQ/xQtGTQm+AbHWrTBD6g5yDaOqK9ctWPH5M= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=intel.com; spf=pass smtp.mailfrom=intel.com; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b=MVnLnf/j; arc=none smtp.client-ip=198.175.65.18 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=intel.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=intel.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b="MVnLnf/j" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1750156073; x=1781692073; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=gqV21TcK9Cc3ulZOth7BRdJuQAZrSi3YuwCV5P2/3fY=; b=MVnLnf/j4EmQI2rTMgah4O4yMqXX5u/9oaKlU9B3FMsNKNxfiwb+KM9Y MIDc1o/iMPPUH449AY7w+sRG1BEJ61parNnZwaGa5wYVqzSU9YcMtKivG Z796oXkdgg371B6oDRy5U3wp9Eze6fktBE7wB+9N3pWpPbwpbolZUlw/z 3Mfm9Zt0tOE0THLbT3XkPiaRldumA1Ye1wWXgXViwdCUHXx8sBMs6C0Xz T3kfQjQTYZwlcPC+NtKuffcWmnqrDynC5mduqBdIqVZ61q1D8aNjdsk/n Q50pUSPkyIKQK2JGgEwZshYbNPTz8wyH95Cu38KS8J1Dgb4MnP+GGD7JF Q==; X-CSE-ConnectionGUID: IBUGp3h8StSt+jwt0GWJWw== X-CSE-MsgGUID: ochE/QEaTFe2R6xyVIOhIg== X-IronPort-AV: E=McAfee;i="6800,10657,11465"; a="52462100" X-IronPort-AV: E=Sophos;i="6.16,243,1744095600"; d="scan'208";a="52462100" Received: from orviesa005.jf.intel.com ([10.64.159.145]) by orvoesa110.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 17 Jun 2025 03:27:53 -0700 X-CSE-ConnectionGUID: lwt4GzZNQpG3EDFu5X4pPQ== X-CSE-MsgGUID: UzK3sOE6T+WPbk/BM/Nabg== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.16,243,1744095600"; d="scan'208";a="154033970" Received: from ysun46-mobl (HELO YSUN46-MOBL..) ([10.239.96.51]) by orviesa005.jf.intel.com with ESMTP; 17 Jun 2025 03:27:50 -0700 From: Yi Sun To: vinicius.gomes@intel.com, dmaengine@vger.kernel.org, linux-kernel@vger.kernel.org Cc: dave.jiang@intel.com, yi.sun@intel.com, gordon.jin@intel.com, fenghuay@nvidia.com Subject: [PATCH v3 2/2] dmaengine: idxd: Fix refcount underflow on module unload Date: Tue, 17 Jun 2025 18:27:12 +0800 Message-ID: <20250617102712.727333-3-yi.sun@intel.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20250617102712.727333-1-yi.sun@intel.com> References: <20250617102712.727333-1-yi.sun@intel.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" A recent refactor introduced a misplaced put_device() call, leading to a reference count underflow during module unload. There is no need to add additional put_device() calls for idxd groups, engines, or workqueues. Although commit a409e919ca3 claims:"Note, this also fixes the missing put_device() for idxd groups, engines, and wqs." It appears no such omission existed. The required cleanup is already handled by the call chain: idxd_unregister_devices() -> device_unregister() -> put_device() Extend idxd_cleanup() to perform the necessary cleanup, and remove idxd_cleanup_internals() which was not originally part of the driver unload path and introduced unintended reference count underflow. Fixes: a409e919ca32 ("dmaengine: idxd: Refactor remove call with idxd_clean= up() helper") Signed-off-by: Yi Sun diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c index 40cc9c070081..40f4bf446763 100644 Tested-by: Shuai Xue --- a/drivers/dma/idxd/init.c +++ b/drivers/dma/idxd/init.c @@ -1292,7 +1292,10 @@ static void idxd_remove(struct pci_dev *pdev) device_unregister(idxd_confdev(idxd)); idxd_shutdown(pdev); idxd_device_remove_debugfs(idxd); - idxd_cleanup(idxd); + perfmon_pmu_remove(idxd); + idxd_cleanup_interrupts(idxd); + if (device_pasid_enabled(idxd)) + idxd_disable_system_pasid(idxd); pci_iounmap(pdev, idxd->reg_base); put_device(idxd_confdev(idxd)); pci_disable_device(pdev); --=20 2.43.0