From nobody Sat Feb 7 08:02:48 2026 Received: from mail-lf1-f45.google.com (mail-lf1-f45.google.com [209.85.167.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 794A92848BA for ; Tue, 27 Jan 2026 07:54:17 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.167.45 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769500459; cv=none; b=TH60OhGsw9COoMxk/oRMLzINraV/+AaUowO/ybJjZ3dI7/d6IVBzbOj+/OaD0HDqCe4ifTqpnYhuPQ+jr8+qz2CP8sdxGSVZPAKP4wC4joGBdA7GdMxU2y2M/BQYyInLUXItwHjbmH35Ebp8IWDHatr9sZo68je+gjnnW6d/m24= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769500459; c=relaxed/simple; bh=IDj2ME1e/uh0EgNsFknFveieSdaJ1+0AC0j413GLNDo=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=Wn6KBCoJQcVvPAhTnwAIbkALSX4DjCIOdjHCLKoq5ERvPk9vdjowTqYywxwDHOGKig9vekRVQslHEKmiqAB+wLbNO1uoJ/19vWoxzjOnZbScIhTNpFJ3yLAy8yWlXMHsQP2VmSAsYHUt5IDCkN52G1XZW1Tm0nI6gN0uva4BK9k= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=quora.org; spf=pass smtp.mailfrom=quora.org; dkim=pass (1024-bit key) header.d=quora.org header.i=@quora.org header.b=XU0uhBkJ; arc=none smtp.client-ip=209.85.167.45 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=quora.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=quora.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=quora.org header.i=@quora.org header.b="XU0uhBkJ" Received: by mail-lf1-f45.google.com with SMTP id 2adb3069b0e04-59dea72099eso4210143e87.0 for ; Mon, 26 Jan 2026 23:54:17 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=quora.org; s=google; t=1769500455; x=1770105255; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=t/TOyUI3EBD5eIFhAEg5gbtYZU0ZFmEHg7GNAgWzwgE=; b=XU0uhBkJzHGqIRZyFlrhhQcdztsht6LD/jPRdOvgvBv4jBDvdDx5ms4Vkk5MA/6m2S C+fzchbpkrn50tagtA2H5XG9F4cEdPrgwSvgtbRy7rwtpGT/xrVZ0MDzXcpgfgu7C0u/ rSJlYZHPY7cZ/SGhI7u2GcgBwaReRQYoVh2L4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769500455; x=1770105255; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=t/TOyUI3EBD5eIFhAEg5gbtYZU0ZFmEHg7GNAgWzwgE=; b=UbZqT9hXbup3NfD2w3c1kBRxkfTjJaCSY7LunzBpG6aHhW+ItYcjkg4Yp84aapFHMz kt6e94FiTMy2y8izjvh9gWcJjrxBqbpesDhuPHV0dXS2kkQCw8V0G+ruP4HWZrFE5d6O PKJMzYsJGyWtu7Muq0PgqDxwXuKSz3WAxDuylHobMZa5jN/XOLWlSn86SNFVpM0vKLil FEhwu9VTMQdOwl70om9SuK5J14Wr5Ce5GHmJwb/nEGHWB27u9K+4koO3Gu9dnf2Sac/+ 6JB1G0jtKrcucJ8hhhU+UcV23e0401h/9YpJLQ+6Lj19EiuCNxd3QeAxVawuQbGTWObh kzfA== X-Forwarded-Encrypted: i=1; AJvYcCUjNhk3b11FS5DxlEIW5xUrPCqP/jor9hovhNKn3TzGs9ug7KNdx7je1LYznUt14NGoqp8g3lPiUXBrmbM=@vger.kernel.org X-Gm-Message-State: AOJu0YwLaLZV2UV5/t3gntf9btaNPMJTnlLND4ZmC7CFxdgiMnUEdXIK l/MDofzmoc133QuQRbPwVVf8D3mO5h7XZGmGEubyz0FboH6Ei4mJLs7TNGMRFHoPqLA= X-Gm-Gg: AZuq6aKjJzmhBAB5CIgMO6ZugE2fDqkSWDWTLdoLwfxd00O9x0naLbyf5zOf9rY9Kfr Cz3m3QBTTAhP9yWRKXMisZnH9GRcR2MkJVmsEktkrEkjKlt4UBbNF/LGJVQ4T4kMOQPNSEjuMx0 Z69SNjrY9XTgg1dG0zMF675u0QygF21lcTZtXavD1Z46poFiKgQGezlM6IVpWHmQZgDfCl5LKcw /6Uhm1v/3sbhtFN4CMAzP51DAVyvPQ9iwX1jEDxTSFsHXht5wXsSXl91y1xERQ8AeVVWLUKHgxA 9eYs/vEP8YZpqD4cWfmBpQuJcS+rgmEoIls5Z2ETkr6YrQFx7NKN8aM7f1oLmNkK0cblbTPBkqk PwRJX3m+0Rx/9pGvUSXmjiMzTRkDrcLZoHVr+WLv8uR4sQBSzukE6EheeJZeL3qhhS7yczty5tx GUoqaH5xp1FiNmqcwbabSnloXqS27mvD+5G/lg4NTQrmh9HQBddTMTW9ufoA3iZ+dP/B0j83pav Kxs5ImcAkjYcZSQ9TkUH/aPn8sNxJb7x2fj7NisoaTTtZrmujmJbVYh1AXAcSTJ2q800d5Xpr2g nIn4C4jozjTd6+bXdXVGHOOp0yz47k4ym67RS0oCAEs1Ig7ngOjd1+Nu/Oxvu1u36xo= X-Received: by 2002:a05:6512:2311:b0:59c:bdd8:9d7e with SMTP id 2adb3069b0e04-59e040334admr396059e87.45.1769500455344; Mon, 26 Jan 2026 23:54:15 -0800 (PST) Received: from m5compiler07.. ([141.112.46.27]) by smtp.gmail.com with ESMTPSA id 2adb3069b0e04-59de48df6d3sm3266771e87.1.2026.01.26.23.54.12 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 26 Jan 2026 23:54:14 -0800 (PST) From: Daniel J Blueman To: dmaengine@vger.kernel.org, linux-kernel@vger.kernel.org, Vinod Koul , Dave Jiang , Vinicius Costa Gomes Cc: Daniel J Blueman , Scott Hamilton , stable@vger.kernel.org Subject: [PATCH] idxd: Fix Intel Data Streaming Accelerator double-free on error path Date: Tue, 27 Jan 2026 07:52:07 +0000 Message-ID: <20260127075210.3584849-1-daniel@quora.org> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" During IDXD driver probe unwind from an earlier resource allocation failure, multiple use-after-free codepaths are taken leading to attempted double-free of ID allocator entries and memory allocations, eg: ida_free called for id=3D64 which is not allocated. WARNING: lib/idr.c:594 at ida_free+0x1af/0x1f4, CPU#900: kworker/900:1/11863 ... Call Trace: ? ida_destroy+0x258/0x258 idxd_pci_probe_alloc+0x342e/0x348c ? multi_u64_to_bmap+0xc9/0xc9 ? queued_read_unlock+0x1e/0x1e ? __schedule+0x2e43/0x2ee6 ? idxd_reset_done+0x12ca/0x12ca idxd_pci_probe+0x15/0x17 ... Fix this by releasing these allocations only after use and once. Validated on 8 socket and 16 socket (XNC node controller) Intel Saphire Rapids XCC systems with no KASAN, Kmemleak or lockdep reports. Signed-off-by: Daniel J Blueman Cc: stable@vger.kernel.org --- drivers/dma/idxd/init.c | 21 +-------------------- drivers/dma/idxd/sysfs.c | 1 - 2 files changed, 1 insertion(+), 21 deletions(-) diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c index 2acc34b3daff..5d2b869df745 100644 --- a/drivers/dma/idxd/init.c +++ b/drivers/dma/idxd/init.c @@ -167,13 +167,9 @@ static void idxd_clean_wqs(struct idxd_device *idxd) wq =3D idxd->wqs[i]; if (idxd->hw.wq_cap.op_config) bitmap_free(wq->opcap_bmap); - kfree(wq->wqcfg); conf_dev =3D wq_confdev(wq); put_device(conf_dev); - kfree(wq); } - bitmap_free(idxd->wq_enable_map); - kfree(idxd->wqs); } =20 static int idxd_setup_wqs(struct idxd_device *idxd) @@ -277,9 +273,7 @@ static void idxd_clean_engines(struct idxd_device *idxd) engine =3D idxd->engines[i]; conf_dev =3D engine_confdev(engine); put_device(conf_dev); - kfree(engine); } - kfree(idxd->engines); } =20 static int idxd_setup_engines(struct idxd_device *idxd) @@ -341,9 +335,7 @@ static void idxd_clean_groups(struct idxd_device *idxd) for (i =3D 0; i < idxd->max_groups; i++) { group =3D idxd->groups[i]; put_device(group_confdev(group)); - kfree(group); } - kfree(idxd->groups); } =20 static int idxd_setup_groups(struct idxd_device *idxd) @@ -590,17 +582,6 @@ static void idxd_read_caps(struct idxd_device *idxd) idxd->hw.iaa_cap.bits =3D ioread64(idxd->reg_base + IDXD_IAACAP_OFFSET); } =20 -static void idxd_free(struct idxd_device *idxd) -{ - if (!idxd) - return; - - put_device(idxd_confdev(idxd)); - bitmap_free(idxd->opcap_bmap); - ida_free(&idxd_ida, idxd->id); - kfree(idxd); -} - static struct idxd_device *idxd_alloc(struct pci_dev *pdev, struct idxd_dr= iver_data *data) { struct device *dev =3D &pdev->dev; @@ -1239,7 +1220,7 @@ int idxd_pci_probe_alloc(struct idxd_device *idxd, st= ruct pci_dev *pdev, err: pci_iounmap(pdev, idxd->reg_base); err_iomap: - idxd_free(idxd); + put_device(idxd_confdev(idxd)); err_idxd_alloc: pci_disable_device(pdev); return rc; diff --git a/drivers/dma/idxd/sysfs.c b/drivers/dma/idxd/sysfs.c index 9f0701021af0..819f2024ba0b 100644 --- a/drivers/dma/idxd/sysfs.c +++ b/drivers/dma/idxd/sysfs.c @@ -1818,7 +1818,6 @@ static void idxd_conf_device_release(struct device *d= ev) kfree(idxd->engines); kfree(idxd->evl); kmem_cache_destroy(idxd->evl_cache); - ida_free(&idxd_ida, idxd->id); bitmap_free(idxd->opcap_bmap); kfree(idxd); } --=20 2.43.0