From: Yuho Choi
To: Vinicius Costa Gomes, Vinod Koul
Cc: Dave Jiang, Frank Li, dmaengine@vger.kernel.org, linux-kernel@vger.kernel.org, Yuho Choi
Subject: [PATCH v1] dmaengine: idxd: fix deadlock and double free in idxd_cdev_open()
Date: Thu, 16 Apr 2026 18:19:57 -0400
Message-ID: <20260416221957.51250-1-dbgh9129@gmail.com>

The failed_dev_add and failed_dev_name error paths in idxd_cdev_open()
call put_device(fdev) while still holding wq->wq_lock. This triggers
idxd_file_dev_release() synchronously, which calls
mutex_lock(&wq->wq_lock) — deadlocking on the same mutex.

Additionally, the original code fell through from failed_dev_add and
failed_dev_name to the failed: label, which called kfree(ctx) a second
time after idxd_file_dev_release() had already freed it. The subsequent
idxd_xa_pasid_remove(ctx) then uses the freed pointer.

Fix both issues by releasing wq_lock before put_device(fdev) and
returning immediately, so the release callback acquires the lock without
contention and no further cleanup is attempted on the freed context.

Fixes: e6fd6d7e5f0fe ("dmaengine: idxd: add a device to represent the file opened")
Signed-off-by: Yuho Choi
---
 drivers/dma/idxd/cdev.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/dma/idxd/cdev.c b/drivers/dma/idxd/cdev.c index 0366c7cf35020..19a449333782b 100644 --- a/drivers/dma/idxd/cdev.c +++ b/drivers/dma/idxd/cdev.c
@@ -307,7 +307,9 @@ static int idxd_cdev_open(struct inode *inode, struct file *filp) failed_dev_add: failed_dev_name: + mutex_unlock(&wq->wq_lock); put_device(fdev); + return rc; failed_ida: failed_set_pasid: if (device_user_pasid_enabled(idxd)) -- 2.50.1 (Apple Git-155)
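
Review bot: the `return rc;` added after `put_device(fdev)` under `failed_dev_add:`/`failed_dev_name:` skips everything from `failed_ida:` down, including the `device_user_pasid_enabled(idxd)` cleanup, and nothing in the hunk or the description says that idxd_file_dev_release() performs that cleanup itself. The commit message only states that the release callback takes wq->wq_lock and frees ctx; please confirm, and say in the message, that it also covers the PASID teardown this path no longer reaches, and that whatever it does under wq_lock is balanced against state the open path has actually set up by the time it jumps to these labels. A short comment above `mutex_unlock(&wq->wq_lock);` noting that ctx is owned by fdev's release callback from here on would explain why these two labels no longer fall through to the ones below.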