[PATCH] dmaengine: idxd: Fix saved engines array leak in config save

DMA Engine development
 help / color / mirror / Atom feed

* [PATCH] dmaengine: idxd: Fix saved engines array leak in config save
@ 2026-04-19 14:08 Guangshuo Li
  2026-04-20  5:59 ` Frank Li
  0 siblings, 1 reply; 2+ messages in thread
From: Guangshuo Li @ 2026-04-19 14:08 UTC (permalink / raw)
  To: Vinicius Costa Gomes, Dave Jiang, Vinod Koul, Frank Li,
	Fenghua Yu, dmaengine, linux-kernel
  Cc: Guangshuo Li, stable

idxd_device_config_save() uses cleanup.h helpers for temporary
allocations while saving device configuration. The saved_groups and
saved_wqs pointer arrays are declared with __free(kfree), and ownership
is transferred to idxd_saved with no_free_ptr() on the success path.

The saved_engines pointer array follows the same ownership pattern on the
success path, but it is not declared with __free(kfree). As a result, if
an error happens after saved_engines is allocated, idxd_free_saved()
frees the saved engine objects but not the saved_engines array itself.

This leaks saved_engines on error paths such as:
  - failure to allocate an individual saved engine
  - failure to allocate saved_wq_enable_map
  - failure to allocate saved_wqs
  - failure to allocate an individual saved WQ

Declare saved_engines with __free(kfree) so the array is released
automatically on failure, matching saved_groups and saved_wqs. The success
path is unchanged because ownership is already transferred with
no_free_ptr().

Fixes: 6078a315aec1 ("dmaengine: idxd: Add idxd_device_config_save() and idxd_device_config_restore() helpers")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
---
 drivers/dma/idxd/init.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c
index f1cfc7790d95..02210f16d391 100644
--- a/drivers/dma/idxd/init.c
+++ b/drivers/dma/idxd/init.c
@@ -880,7 +880,7 @@ static int idxd_device_config_save(struct idxd_device *idxd,
 		saved_groups[i] = no_free_ptr(saved_group);
 	}

-	struct idxd_engine **saved_engines =
+	struct idxd_engine **saved_engines __free(kfree) =
 			kcalloc_node(idxd->max_engines,
 				     sizeof(struct idxd_engine *),
 				     GFP_KERNEL, dev_to_node(dev));
-- 
2.43.0

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] dmaengine: idxd: Fix saved engines array leak in config save
  2026-04-19 14:08 [PATCH] dmaengine: idxd: Fix saved engines array leak in config save Guangshuo Li
@ 2026-04-20  5:59 ` Frank Li
  0 siblings, 0 replies; 2+ messages in thread
From: Frank Li @ 2026-04-20  5:59 UTC (permalink / raw)
  To: Guangshuo Li
  Cc: Vinicius Costa Gomes, Dave Jiang, Vinod Koul, Frank Li,
	Fenghua Yu, dmaengine, linux-kernel, stable

On Sun, Apr 19, 2026 at 10:08:39PM +0800, Guangshuo Li wrote:
> idxd_device_config_save() uses cleanup.h helpers for temporary
> allocations while saving device configuration. The saved_groups and
> saved_wqs pointer arrays are declared with __free(kfree), and ownership
> is transferred to idxd_saved with no_free_ptr() on the success path.
>
> The saved_engines pointer array follows the same ownership pattern on the
> success path, but it is not declared with __free(kfree). As a result, if
> an error happens after saved_engines is allocated, idxd_free_saved()
> frees the saved engine objects but not the saved_engines array itself.
>
> This leaks saved_engines on error paths such as:
>   - failure to allocate an individual saved engine
>   - failure to allocate saved_wq_enable_map
>   - failure to allocate saved_wqs
>   - failure to allocate an individual saved WQ
>
> Declare saved_engines with __free(kfree) so the array is released
> automatically on failure, matching saved_groups and saved_wqs. The success
> path is unchanged because ownership is already transferred with
> no_free_ptr().
>
> Fixes: 6078a315aec1 ("dmaengine: idxd: Add idxd_device_config_save() and idxd_device_config_restore() helpers")
> Cc: stable@vger.kernel.org
> Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
> ---
>  drivers/dma/idxd/init.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c
> index f1cfc7790d95..02210f16d391 100644
> --- a/drivers/dma/idxd/init.c
> +++ b/drivers/dma/idxd/init.c
> @@ -880,7 +880,7 @@ static int idxd_device_config_save(struct idxd_device *idxd,
>  		saved_groups[i] = no_free_ptr(saved_group);
>  	}
>
> -	struct idxd_engine **saved_engines =
> +	struct idxd_engine **saved_engines __free(kfree) =
>  			kcalloc_node(idxd->max_engines,
>  				     sizeof(struct idxd_engine *),
>  				     GFP_KERNEL, dev_to_node(dev));

The follow code have problem.

saved_engines[i] = no_free_ptr(saved_engine);

if (...)
        return -ENOMEM;

there should not have an error branch after no_free_ptr(), you mix to use
manual and auto alloc()/free(), which may cause hidden problem.

Frank

> --
> 2.43.0
>

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-04-20  5:59 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-19 14:08 [PATCH] dmaengine: idxd: Fix saved engines array leak in config save Guangshuo Li
2026-04-20  5:59 ` Frank Li

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox