* Re: [PATCH v2 2/2] dmaengine: idxd: fix duplicate memory frees on initialization error path [not found] <1782732745-9499-mlmmj-112abde3@vger.kernel.org> @ 2026-06-29 12:11 ` Bogdan Codres 0 siblings, 0 replies; 5+ messages in thread From: Bogdan Codres @ 2026-06-29 12:11 UTC (permalink / raw) To: vinicius.gomes, steve.wahl; +Cc: dmaengine, linux-kernel, Bogdan Codres Hi Vinicius, Steve, Thanks for the heads-up. I'm totally fine with being added as Reported-by: Bogdan Codres <bogdan.codres@windriver.com> on Steve's patch — his fix addresses the same issue I was seeing. You can use my splat ad the reproducer. Regarding the third patch for the dangling ->wq pointer — the idxd->wq = NULL after destroy_workqueue() looks reasonable to me. Best regards, Bogdan ^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH v2 1/2] dmaengine: idxd: Do not call destroy_workqueue with null idxd->wq
@ 2026-05-22 20:34 Steve Wahl
2026-05-22 20:34 ` [PATCH v2 2/2] dmaengine: idxd: fix duplicate memory frees on initialization error path Steve Wahl
0 siblings, 1 reply; 5+ messages in thread
From: Steve Wahl @ 2026-05-22 20:34 UTC (permalink / raw)
To: Steve Wahl, Vinicius Costa Gomes, Dave Jiang, Vinod Koul,
Frank Li, dmaengine, linux-kernel
Cc: Russ Anderson, Dimitri Sivanich
Error paths within idxd_pci_probe_alloc and related functions end up
calling destroy_workqueue with a null pointer, from
idxd_conf_device_release via put_device, because that allocation has
not yet occurred when the error is hit.
This was encountered running in a kexec'd kdump kernel with reduced
resources, causing the "Device is HALTED!" branch in
idxd_device_init_reset to be taken.
In idxd_conf_device_release, check that the workqueue has been
allocated before trying to destroy it.
Fixes: 3d33de353b1f ("dmaengine: idxd: Fix not releasing workqueue on .release()")
Signed-off-by: Steve Wahl <steve.wahl@hpe.com>
---
v2: split into two patches as requested by Vinicius Costa
drivers/dma/idxd/sysfs.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/dma/idxd/sysfs.c b/drivers/dma/idxd/sysfs.c
index 6d251095c350..d5ffc641c856 100644
--- a/drivers/dma/idxd/sysfs.c
+++ b/drivers/dma/idxd/sysfs.c
@@ -1836,7 +1836,8 @@ static void idxd_conf_device_release(struct device *dev)
{
struct idxd_device *idxd = confdev_to_idxd(dev);
- destroy_workqueue(idxd->wq);
+ if (idxd->wq)
+ destroy_workqueue(idxd->wq);
kfree(idxd->groups);
bitmap_free(idxd->wq_enable_map);
kfree(idxd->wqs);
--
2.51.0
^ permalink raw reply related [flat|nested] 5+ messages in thread* [PATCH v2 2/2] dmaengine: idxd: fix duplicate memory frees on initialization error path. 2026-05-22 20:34 [PATCH v2 1/2] dmaengine: idxd: Do not call destroy_workqueue with null idxd->wq Steve Wahl @ 2026-05-22 20:34 ` Steve Wahl 2026-05-22 22:51 ` sashiko-bot 2026-06-27 0:57 ` Vinicius Costa Gomes 0 siblings, 2 replies; 5+ messages in thread From: Steve Wahl @ 2026-05-22 20:34 UTC (permalink / raw) To: Steve Wahl, Vinicius Costa Gomes, Dave Jiang, Vinod Koul, Frank Li, dmaengine, linux-kernel Cc: Russ Anderson, Dimitri Sivanich Error paths within idxd_pci_probe_alloc and related functions end up attempting to free memory already freed from idxd_conf_device_release via put_device. This was encountered running in a kexec'd kdump kernel with reduced resources, causing the "Device is HALTED!" branch in idxd_device_init_reset to be taken. In idxd_free and idxd_alloc, do not attempt to free allocations that will already have been freed. Signed-off-by: Steve Wahl <steve.wahl@hpe.com> --- v2: split into two patches as requested by Vinicius Costa drivers/dma/idxd/init.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c index f1cfc7790d95..227e323cc5a0 100644 --- a/drivers/dma/idxd/init.c +++ b/drivers/dma/idxd/init.c @@ -607,9 +607,6 @@ static void idxd_free(struct idxd_device *idxd) return; put_device(idxd_confdev(idxd)); - bitmap_free(idxd->opcap_bmap); - ida_free(&idxd_ida, idxd->id); - kfree(idxd); } static struct idxd_device *idxd_alloc(struct pci_dev *pdev, struct idxd_driver_data *data) @@ -649,8 +646,13 @@ static struct idxd_device *idxd_alloc(struct pci_dev *pdev, struct idxd_driver_d return idxd; err_name: + /* + * once device_initialize(conf_dev) is called, + * put_device(conf_dev) will end up calling + * idxd_conf_device_release() which will free the rest. + */ put_device(conf_dev); - bitmap_free(idxd->opcap_bmap); + return NULL; err_opcap: ida_free(&idxd_ida, idxd->id); err_ida: -- 2.51.0 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH v2 2/2] dmaengine: idxd: fix duplicate memory frees on initialization error path. 2026-05-22 20:34 ` [PATCH v2 2/2] dmaengine: idxd: fix duplicate memory frees on initialization error path Steve Wahl @ 2026-05-22 22:51 ` sashiko-bot 2026-06-27 0:57 ` Vinicius Costa Gomes 1 sibling, 0 replies; 5+ messages in thread From: sashiko-bot @ 2026-05-22 22:51 UTC (permalink / raw) To: Steve Wahl; +Cc: dmaengine, Frank.Li, vkoul Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider: Pre-existing issues: - [High] Double frees of child objects (workqueues, engines, groups) remain unaddressed in their respective cleanup functions and setup error paths. - [High] Dangling pointers left by `idxd_cleanup_internals()` result in a second wave of double frees when `idxd_conf_device_release()` is triggered. -- commit 4ee711bb61961f88e9ddb1a67af212cce348ee26 Author: Steve Wahl <steve.wahl@hpe.com> dmaengine: idxd: fix duplicate memory frees on initialization error path. This commit removes duplicate memory frees in idxd_alloc() and idxd_free() by relying on the device release callback triggered by put_device() to handle the cleanup of the idxd structure and its internal allocations. > diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c > index f1cfc7790d950..227e323cc5a0b 100644 > --- a/drivers/dma/idxd/init.c > +++ b/drivers/dma/idxd/init.c > @@ -607,9 +607,6 @@ static void idxd_free(struct idxd_device *idxd) > return; > > put_device(idxd_confdev(idxd)); [Severity: High] This is a pre-existing issue, but does idxd_cleanup_internals() leave dangling pointers that could cause a second wave of double frees here? During device initialization in idxd_probe(), if an error occurs after idxd_setup_internals() succeeds (e.g., idxd_device_load_config() fails), idxd_cleanup_internals() is called. This function explicitly frees sub-allocations (idxd->wqs, idxd->engines, idxd->groups) and calls destroy_workqueue(idxd->wq), but it doesn't set these pointers to NULL. When the error propagates back to idxd_pci_probe_alloc(), it calls idxd_free(), which reaches this put_device() call. This triggers the idxd_conf_device_release() callback, which blindly attempts to free the exact same dangling pointers again and calls destroy_workqueue(idxd->wq) a second time. > - bitmap_free(idxd->opcap_bmap); > - ida_free(&idxd_ida, idxd->id); > - kfree(idxd); > } [ ... ] > @@ -649,8 +646,13 @@ static struct idxd_device *idxd_alloc(struct pci_dev *pdev, struct idxd_driver_d > return idxd; > > err_name: > + /* > + * once device_initialize(conf_dev) is called, > + * put_device(conf_dev) will end up calling > + * idxd_conf_device_release() which will free the rest. > + */ > put_device(conf_dev); [Severity: High] This isn't a bug introduced by this patch, but are there similar duplicate frees remaining for child objects like workqueues, engines, and groups? While this patch correctly removes the duplicate frees for the main idxd object, the exact same pattern appears to exist for child objects in functions like idxd_setup_wqs(), idxd_setup_engines(), and idxd_setup_groups(), as well as their cleanup counterparts. In those functions, put_device(conf_dev) is called to drop the reference count, which synchronously invokes the device's release callback (e.g., idxd_conf_wq_release()). The callback explicitly frees the inner members and the object itself (kfree(wq)). However, immediately after put_device() returns, the manual cleanup code incorrectly calls kfree() and bitmap_free() on those exact same pointers again. Could this lead to double frees during initialization failure or device removal? > - bitmap_free(idxd->opcap_bmap); > + return NULL; > err_opcap: > ida_free(&idxd_ida, idxd->id); -- Sashiko AI review · https://sashiko.dev/#/patchset/20260522203414.336549-1-steve.wahl@hpe.com?part=2 ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2 2/2] dmaengine: idxd: fix duplicate memory frees on initialization error path. 2026-05-22 20:34 ` [PATCH v2 2/2] dmaengine: idxd: fix duplicate memory frees on initialization error path Steve Wahl 2026-05-22 22:51 ` sashiko-bot @ 2026-06-27 0:57 ` Vinicius Costa Gomes [not found] ` <BYAPR11MB36069EC520DCB9DFD6A411EEF8E82@BYAPR11MB3606.namprd11.prod.outlook.com> 1 sibling, 1 reply; 5+ messages in thread From: Vinicius Costa Gomes @ 2026-06-27 0:57 UTC (permalink / raw) To: Steve Wahl, Steve Wahl, Dave Jiang, Vinod Koul, Frank Li, dmaengine, linux-kernel Cc: Russ Anderson, Dimitri Sivanich, bogdan.codres Steve Wahl <steve.wahl@hpe.com> writes: > Error paths within idxd_pci_probe_alloc and related functions end up > attempting to free memory already freed from idxd_conf_device_release > via put_device. > > This was encountered running in a kexec'd kdump kernel with reduced > resources, causing the "Device is HALTED!" branch in > idxd_device_init_reset to be taken. > > In idxd_free and idxd_alloc, do not attempt to free allocations that > will already have been freed. > > Signed-off-by: Steve Wahl <steve.wahl@hpe.com> > --- Bogdan Codres series (but submitted a bit later), tries to fix this issue, has a better splat and a reproducer, I think it makes sense to add the splat and reproducer here, and add Bogdan as Reported-by (if agreed, of course). I am wondering about adding a third patch for the dangling ->wq pointer, as reported by Sashiko would make sense. Something like this might do the job (totally untested): diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c index f1cfc7790d95..0a74018f31a8 100644 --- a/drivers/dma/idxd/init.c +++ b/drivers/dma/idxd/init.c @@ -415,6 +415,7 @@ static void idxd_cleanup_internals(struct idxd_device *idxd) idxd_clean_engines(idxd); idxd_clean_wqs(idxd); destroy_workqueue(idxd->wq); + idxd->wq = NULL; } How does it sound? > v2: split into two patches as requested by Vinicius Costa > > drivers/dma/idxd/init.c | 10 ++++++---- > 1 file changed, 6 insertions(+), 4 deletions(-) > > diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c > index f1cfc7790d95..227e323cc5a0 100644 > --- a/drivers/dma/idxd/init.c > +++ b/drivers/dma/idxd/init.c > @@ -607,9 +607,6 @@ static void idxd_free(struct idxd_device *idxd) > return; > > put_device(idxd_confdev(idxd)); > - bitmap_free(idxd->opcap_bmap); > - ida_free(&idxd_ida, idxd->id); > - kfree(idxd); > } > > static struct idxd_device *idxd_alloc(struct pci_dev *pdev, struct idxd_driver_data *data) > @@ -649,8 +646,13 @@ static struct idxd_device *idxd_alloc(struct pci_dev *pdev, struct idxd_driver_d > return idxd; > > err_name: > + /* > + * once device_initialize(conf_dev) is called, > + * put_device(conf_dev) will end up calling > + * idxd_conf_device_release() which will free the rest. > + */ > put_device(conf_dev); > - bitmap_free(idxd->opcap_bmap); > + return NULL; > err_opcap: > ida_free(&idxd_ida, idxd->id); > err_ida: > -- > 2.51.0 > -- Vinicius ^ permalink raw reply related [flat|nested] 5+ messages in thread
[parent not found: <BYAPR11MB36069EC520DCB9DFD6A411EEF8E82@BYAPR11MB3606.namprd11.prod.outlook.com>]
[parent not found: <BYAPR11MB36068CF244AA0940E39D3B50F8E82@BYAPR11MB3606.namprd11.prod.outlook.com>]
* Re: [PATCH v2 2/2] dmaengine: idxd: fix duplicate memory frees on initialization error path. [not found] ` <BYAPR11MB36068CF244AA0940E39D3B50F8E82@BYAPR11MB3606.namprd11.prod.outlook.com> @ 2026-06-29 19:02 ` Steve Wahl 0 siblings, 0 replies; 5+ messages in thread From: Steve Wahl @ 2026-06-29 19:02 UTC (permalink / raw) To: Vinicius Costa Gomes Cc: Codres, Bogdan, Steve Wahl, Dave Jiang, Vinod Koul, Frank Li, dmaengine@vger.kernel.org, linux-kernel@vger.kernel.org, Russ Anderson, Dimitri Sivanich On Mon, Jun 29, 2026 at 11:44:36AM +0000, Codres, Bogdan wrote: > Hi Vinicius, Steve, > > Thanks for the heads-up. I'm totally fine with being added as: > > Reported-by: Bogdan Codres <bogdan.codres@windriver.com> > > on Steve's patch — his fix addresses the same issue I was seeing. > You can use my splat as the reproducer. > > Regarding the third patch for the dangling ->wq pointer — the proposed change looks reasonable to me. > > Best regards, > Bogdan > > Ph.D. eng. Bogdan Codres > Member of Technical Staff in Cloud Platform Engineering, Wind River > Hello, everyone, As there's no code changes (and I even find it remarkable how similar the two were, I think only the comments differed), I am completely open to Vinicius just modifying the commit message to include the parts he wants to see. It would take less time than another round of posting a patch. But if you need more from me, let me know. Thanks, --> Steve > ________________________________ > From: Codres, Bogdan <Bogdan.Codres@windriver.com> > Sent: Monday, June 29, 2026 14:32 > To: Vinicius Costa Gomes <vinicius.gomes@intel.com>; Steve Wahl <steve.wahl@hpe.com>; Steve Wahl <steve.wahl@hpe.com>; Dave Jiang <dave.jiang@intel.com>; Vinod Koul <vkoul@kernel.org>; Frank Li <Frank.Li@kernel.org>; dmaengine@vger.kernel.org <dmaengine@vger.kernel.org>; linux-kernel@vger.kernel.org <linux-kernel@vger.kernel.org> > Cc: Russ Anderson <rja@hpe.com>; Dimitri Sivanich <sivanich@hpe.com> > Subject: Re: [PATCH v2 2/2] dmaengine: idxd: fix duplicate memory frees on initialization error path. > > Hi Vinicius, Steve, > Thanks for the heads-up. I'm totally fine with being added as > Reported-by: Bogdan Codres <bogdan.codres@windriver.com> > on Steve's patch — his fix addresses the same issue I was seeing. > You can use my splat ad the reproducer. > Regarding the third patch for the dangling ->wq pointer — the idxd->wq = NULL after destroy_workqueue() looks reasonable to me > Best regards, Bogdan > > > Best Regards, > > Ph.D. eng. Bogdan Codres > > Member of Technical Staff in Cloud Platform Engineering, Wind River > > ________________________________ > From: Vinicius Costa Gomes <vinicius.gomes@intel.com> > Sent: Saturday, June 27, 2026 3:57 > To: Steve Wahl <steve.wahl@hpe.com>; Steve Wahl <steve.wahl@hpe.com>; Dave Jiang <dave.jiang@intel.com>; Vinod Koul <vkoul@kernel.org>; Frank Li <Frank.Li@kernel.org>; dmaengine@vger.kernel.org <dmaengine@vger.kernel.org>; linux-kernel@vger.kernel.org <linux-kernel@vger.kernel.org> > Cc: Russ Anderson <rja@hpe.com>; Dimitri Sivanich <sivanich@hpe.com>; Codres, Bogdan <Bogdan.Codres@windriver.com> > Subject: Re: [PATCH v2 2/2] dmaengine: idxd: fix duplicate memory frees on initialization error path. > > CAUTION: This email comes from a non Wind River email account! > Do not click links or open attachments unless you recognize the sender and know the content is safe. > > Steve Wahl <steve.wahl@hpe.com> writes: > > > Error paths within idxd_pci_probe_alloc and related functions end up > > attempting to free memory already freed from idxd_conf_device_release > > via put_device. > > > > This was encountered running in a kexec'd kdump kernel with reduced > > resources, causing the "Device is HALTED!" branch in > > idxd_device_init_reset to be taken. > > > > In idxd_free and idxd_alloc, do not attempt to free allocations that > > will already have been freed. > > > > Signed-off-by: Steve Wahl <steve.wahl@hpe.com> > > --- > > Bogdan Codres series (but submitted a bit later), tries to fix this > issue, has a better splat and a reproducer, I think it makes sense to > add the splat and reproducer here, and add Bogdan as Reported-by (if > agreed, of course). > > I am wondering about adding a third patch for the dangling ->wq pointer, as > reported by Sashiko would make sense. > > Something like this might do the job (totally untested): > > diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c > index f1cfc7790d95..0a74018f31a8 100644 > --- a/drivers/dma/idxd/init.c > +++ b/drivers/dma/idxd/init.c > @@ -415,6 +415,7 @@ static void idxd_cleanup_internals(struct idxd_device *idxd) > idxd_clean_engines(idxd); > idxd_clean_wqs(idxd); > destroy_workqueue(idxd->wq); > + idxd->wq = NULL; > } > > How does it sound? > > > v2: split into two patches as requested by Vinicius Costa > > > > drivers/dma/idxd/init.c | 10 ++++++---- > > 1 file changed, 6 insertions(+), 4 deletions(-) > > > > diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c > > index f1cfc7790d95..227e323cc5a0 100644 > > --- a/drivers/dma/idxd/init.c > > +++ b/drivers/dma/idxd/init.c > > @@ -607,9 +607,6 @@ static void idxd_free(struct idxd_device *idxd) > > return; > > > > put_device(idxd_confdev(idxd)); > > - bitmap_free(idxd->opcap_bmap); > > - ida_free(&idxd_ida, idxd->id); > > - kfree(idxd); > > } > > > > static struct idxd_device *idxd_alloc(struct pci_dev *pdev, struct idxd_driver_data *data) > > @@ -649,8 +646,13 @@ static struct idxd_device *idxd_alloc(struct pci_dev *pdev, struct idxd_driver_d > > return idxd; > > > > err_name: > > + /* > > + * once device_initialize(conf_dev) is called, > > + * put_device(conf_dev) will end up calling > > + * idxd_conf_device_release() which will free the rest. > > + */ > > put_device(conf_dev); > > - bitmap_free(idxd->opcap_bmap); > > + return NULL; > > err_opcap: > > ida_free(&idxd_ida, idxd->id); > > err_ida: > > -- > > 2.51.0 > > > > -- > Vinicius -- Steve Wahl, Hewlett Packard Enterprise ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2026-06-29 19:17 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <1782732745-9499-mlmmj-112abde3@vger.kernel.org>
2026-06-29 12:11 ` [PATCH v2 2/2] dmaengine: idxd: fix duplicate memory frees on initialization error path Bogdan Codres
2026-05-22 20:34 [PATCH v2 1/2] dmaengine: idxd: Do not call destroy_workqueue with null idxd->wq Steve Wahl
2026-05-22 20:34 ` [PATCH v2 2/2] dmaengine: idxd: fix duplicate memory frees on initialization error path Steve Wahl
2026-05-22 22:51 ` sashiko-bot
2026-06-27 0:57 ` Vinicius Costa Gomes
[not found] ` <BYAPR11MB36069EC520DCB9DFD6A411EEF8E82@BYAPR11MB3606.namprd11.prod.outlook.com>
[not found] ` <BYAPR11MB36068CF244AA0940E39D3B50F8E82@BYAPR11MB3606.namprd11.prod.outlook.com>
2026-06-29 19:02 ` Steve Wahl
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox