dmaengine: idxd: Remove improper idxd_free

snits · snits · commit af922b433ca6 · 2025-09-29T07:51:09.000-07:00
JIRA: https://issues.redhat.com/browse/RHEL-114133 Upstream-Status: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git commit f41c538 Author: Yi Sun <yi.sun@intel.com> Date: Tue Jul 29 23:03:12 2025 +0800 dmaengine: idxd: Remove improper idxd_free The call to idxd_free() introduces a duplicate put_device() leading to a reference count underflow: refcount_t: underflow; use-after-free. WARNING: CPU: 15 PID: 4428 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110 ... Call Trace: <TASK> idxd_remove+0xe4/0x120 [idxd] pci_device_remove+0x3f/0xb0 device_release_driver_internal+0x197/0x200 driver_detach+0x48/0x90 bus_remove_driver+0x74/0xf0 pci_unregister_driver+0x2e/0xb0 idxd_exit_module+0x34/0x7a0 [idxd] __do_sys_delete_module.constprop.0+0x183/0x280 do_syscall_64+0x54/0xd70 entry_SYSCALL_64_after_hwframe+0x76/0x7e The idxd_unregister_devices() which is invoked at the very beginning of idxd_remove(), already takes care of the necessary put_device() through the following call path: idxd_unregister_devices() -> device_unregister() -> put_device() In addition, when CONFIG_DEBUG_KOBJECT_RELEASE is enabled, put_device() may trigger asynchronous cleanup via schedule_delayed_work(). If idxd_free() is called immediately after, it can result in a use-after-free. Remove the improper idxd_free() to avoid both the refcount underflow and potential memory corruption during module unload. Fixes: d5449ff ("dmaengine: idxd: Add missing idxd cleanup to fix memory leak in remove call") Signed-off-by: Yi Sun <yi.sun@intel.com> Tested-by: Shuai Xue <xueshuai@linux.alibaba.com> Reviewed-by: Dave Jiang <dave.jiang@intel.com> Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com> Link: https://lore.kernel.org/r/20250729150313.1934101-2-yi.sun@intel.com Signed-off-by: Vinod Koul <vkoul@kernel.org> (cherry picked from commit f41c538) Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c
@@ -1323,7 +1323,6 @@ static void idxd_remove(struct pci_dev *pdev)
 	idxd_cleanup(idxd);
 	pci_iounmap(pdev, idxd->reg_base);
 	put_device(idxd_confdev(idxd));
-	idxd_free(idxd);
 	pci_disable_device(pdev);
 }
 

Original file line number	Diff line number	Diff line change
`@@ -1323,7 +1323,6 @@ static void idxd_remove(struct pci_dev *pdev)`
`1323`	`1323`	`idxd_cleanup(idxd);`
`1324`	`1324`	`pci_iounmap(pdev, idxd->reg_base);`
`1325`	`1325`	`put_device(idxd_confdev(idxd));`
`1326`		`- idxd_free(idxd);`
`1327`	`1326`	`pci_disable_device(pdev);`
`1328`	`1327`	`}`
`1329`	`1328`