From: Yuho Choi <dbgh9129@gmail.com>
To: Vinicius Costa Gomes <vinicius.gomes@intel.com>,
	Vinod Koul <vkoul@kernel.org>
Cc: Dave Jiang <dave.jiang@intel.com>, Frank Li <Frank.Li@kernel.org>,
	dmaengine@vger.kernel.org, linux-kernel@vger.kernel.org,
	Yuho Choi <dbgh9129@gmail.com>
Subject: [PATCH v2] dmaengine: idxd: fix deadlock and double free in idxd_cdev_open()
Date: Fri, 15 May 2026 10:26:23 -0400	[thread overview]
Message-ID: <20260515142623.793549-1-dbgh9129@gmail.com> (raw)

The failed_dev_add and failed_dev_name error paths in idxd_cdev_open()
drop the file-device reference while still holding wq->wq_lock. If this
is the last reference, put_device(fdev) runs idxd_file_dev_release(),
which takes wq->wq_lock again and deadlocks.

Those error paths also fall through into the later ctx cleanup labels
after idxd_file_dev_release() has already freed ctx. This can make
idxd_xa_pasid_remove(ctx) operate on freed memory and can later free ctx
again at the failed label.

Use scoped put_device() cleanup for fdev and return from the fdev setup
failure path after unlocking wq->wq_lock. Take the WQ reference before
fdev can be released so idxd_file_dev_release() always balances a
matching idxd_wq_get().

Fixes: e6fd6d7e5f0fe ("dmaengine: idxd: add a device to represent the file opened")
Signed-off-by: Yuho Choi <dbgh9129@gmail.com>
---
Changes in v2:
- Use __free(put_device) for the file-device reference.
- Take the WQ reference before fdev can be released so the release
  callback's idxd_wq_put() has a matching idxd_wq_get().

 drivers/dma/idxd/cdev.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/dma/idxd/cdev.c b/drivers/dma/idxd/cdev.c
index 0366c7cf3502..18ff29118d12 100644
--- a/drivers/dma/idxd/cdev.c
+++ b/drivers/dma/idxd/cdev.c
@@ -216,7 +216,7 @@ static int idxd_cdev_open(struct inode *inode, struct file *filp)
 	struct idxd_user_context *ctx;
 	struct idxd_device *idxd;
 	struct idxd_wq *wq;
-	struct device *dev, *fdev;
+	struct device *dev, *fdev __free(put_device) = NULL;
 	int rc = 0;
 	struct iommu_sva *sva = NULL;
 	unsigned int pasid;
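Review bot: the `__free(put_device)` variable shares a declaration with `dev`, which include/linux/cleanup.h discourages; scoped-cleanup variables should be declared on their own line, initialized at the point of declaration, so the cleanup attribute is visibly attached to exactly one pointer. Suggest splitting into `struct device *dev;` and `struct device *fdev __free(put_device) = NULL;`. The `= NULL` initializer is needed and correct here, since the cleanup can run on any early exit before `fdev` is assigned.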
@@ -289,6 +289,7 @@ static int idxd_cdev_open(struct inode *inode, struct file *filp)
 	fdev->bus = &dsa_bus_type;
 	fdev->type = &idxd_cdev_file_type;
 
+	idxd_wq_get(wq);
 	rc = dev_set_name(fdev, "file%d", ctx->id);
 	if (rc < 0) {
 		dev_warn(dev, "set name failure\n");
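Review bot: moving `idxd_wq_get(wq);` ahead of `dev_set_name()` changes who owns the WQ reference: from this line on it belongs to `fdev`, and is only returned by `idxd_file_dev_release()` through its `idxd_wq_put()`, so every exit after this point must release `fdev` rather than drop the reference directly. That is what the scoped cleanup provides, but the invariant is easy to break in a later edit; suggest a one-line comment above the call, e.g. `/* Reference is owned by fdev and dropped in idxd_file_dev_release() */`, so nobody reintroduces a bare `idxd_wq_put()` on an error path.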
@@ -301,13 +302,14 @@ static int idxd_cdev_open(struct inode *inode, struct file *filp)
 		goto failed_dev_add;
 	}
 
-	idxd_wq_get(wq);
+	fdev = NULL;
 	mutex_unlock(&wq->wq_lock);
 	return 0;
 
 failed_dev_add:
 failed_dev_name:
-	put_device(fdev);
+	mutex_unlock(&wq->wq_lock);
+	return rc;
 failed_ida:
 failed_set_pasid:
 	if (device_user_pasid_enabled(idxd))
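Review bot: the early `return rc;` at `failed_dev_add`/`failed_dev_name` deliberately skips the `failed_ida`/`failed_set_pasid`/`failed` cleanup because the scoped `put_device(fdev)` now runs after `mutex_unlock(&wq->wq_lock)` and `idxd_file_dev_release()` tears down the PASID mapping and frees `ctx`, which is exactly the deadlock and double-free fix the commit message describes; that reasoning lives only in the commit message, so a short comment at the labels (`/* fdev release frees ctx and drops the WQ reference */`) would keep a future reader from "completing" the fallthrough again. Two smaller points: the two labels are now identical and could be collapsed into one, and `fdev = NULL;` on the success path disarms the cleanup to hand the reference to the open file, which also deserves a comment since a bare `fdev = NULL;` before `return 0;` reads like a leak without the `__free()` context.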
-- 
2.43.0

