From: Guangshuo Li
To: Vinicius Costa Gomes, Dave Jiang, Vinod Koul, Dan Carpenter, dmaengine@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Guangshuo Li, stable@vger.kernel.org
Subject: [PATCH] dmaengine: idxd: fix double free in idxd_setup_wqs() error path
Date: Wed, 1 Apr 2026 11:30:13 +0800
Message-ID: <20260401033013.1434986-1-lgs201920130244@gmail.com>

When an error happens after device_initialize(), idxd_setup_wqs() calls put_device(conf_dev). The device release callback idxd_conf_wq_release() frees wq, wq->wqcfg, and wq->opcap_bmap, but the current error paths then free them again directly, causing a double free.

Keep the cleanup in idxd_conf_wq_release() after put_device() and avoid freeing those objects again in idxd_setup_wqs().

Fixes: 39aaa337449e7 ("dmaengine: idxd: Fix double free in idxd_setup_wqs()")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li
--- drivers/dma/idxd/init.c | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c index 2acc34b3daff..b782eb3c191d 100644 --- a/drivers/dma/idxd/init.c +++ b/drivers/dma/idxd/init.c @@ -212,7 +212,7 @@ static int idxd_setup_wqs(struct idxd_device *idxd) rc =3D dev_set_name(conf_dev, "wq%d.%d", idxd->id, wq->id); if (rc < 0) { put_device(conf_dev); - kfree(wq); + goto err_unwind; } =20
@@ -226,7 +226,7 @@ static int idxd_setup_wqs(struct idxd_device *idxd) wq->wqcfg =3D kzalloc_node(idxd->wqcfg_size, GFP_KERNEL, dev_to_node(dev= )); if (!wq->wqcfg) { put_device(conf_dev); - kfree(wq); + rc =3D -ENOMEM; goto err_unwind; } @@ -234,9 +234,9 @@ static int idxd_setup_wqs(struct idxd_device *idxd) if (idxd->hw.wq_cap.op_config) { wq->opcap_bmap =3D bitmap_zalloc(IDXD_MAX_OPCAP_BITS, GFP_KERNEL); if (!wq->opcap_bmap) { - kfree(wq->wqcfg); + put_device(conf_dev); - kfree(wq); + rc =3D -ENOMEM; goto err_unwind; } @@ -252,12 +252,10 @@ static int idxd_setup_wqs(struct idxd_device *idxd) err_unwind: while (--i >=3D 0) { wq =3D idxd->wqs[i]; - if (idxd->hw.wq_cap.op_config) - bitmap_free(wq->opcap_bmap); - kfree(wq->wqcfg); + conf_dev =3D wq_confdev(wq); put_device(conf_dev); - kfree(wq); + } bitmap_free(idxd->wq_enable_map); =20 --=20 2.43.0
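
Review bot: the `+` line that follows `- kfree(wq);` in the dev_set_name() failure branch (hunk at -212,7) appears to add an empty line rather than code. The hunk keeps 7 lines on both sides, and the diffstat's 6 insertions match one `+` for each `+` marker visible in the four hunks, none of which carries a statement of its own. Delete the `kfree(wq);` line outright so that `put_device(conf_dev);` is followed directly by `goto err_unwind;`. The same applies to the `+` lines in the later hunks, and checkpatch will flag them if they contain whitespace.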
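
Review bot: with the kfree() calls removed, the opcap_bmap failure branch in the -234,9 hunk becomes the same `put_device(conf_dev); rc = -ENOMEM; goto err_unwind;` sequence as the wqcfg failure branch in the -226,7 hunk. Consider a shared label ahead of err_unwind that does the put_device() for the current wq, so the three per-iteration error paths cannot drift apart and a later change cannot reintroduce a direct free in only one of them.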
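
Review bot: the unwind loop in the -252,12 hunk drops the `if (idxd->hw.wq_cap.op_config)` guard together with `bitmap_free(wq->opcap_bmap)`, so correctness now rests entirely on idxd_conf_wq_release(), which is not part of this diff. Please say in the changelog that the callback frees opcap_bmap unconditionally (bitmap_free() of NULL is a no-op, so a wq without op_config is fine) and that the put_device() in this loop drops the last reference on each conf_dev. If either assumption does not hold, the loop would turn the double free into a leak.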