[PATCH 6.6.y] dmaengine: idxd: Fix leaking event log memory

The Linux Kernel Mailing List
 help / color / mirror / Atom feed

* [PATCH 6.6.y] dmaengine: idxd: Fix leaking event log memory
@ 2026-05-07  4:04 Wenshan Lan
  2026-05-09  2:08 ` Sasha Levin
  0 siblings, 1 reply; 3+ messages in thread
From: Wenshan Lan @ 2026-05-07  4:04 UTC (permalink / raw)
  To: gregkh, sashal, stable
  Cc: linux-kernel, Vinicius Costa Gomes, Dave Jiang, Vinod Koul,
	Wenshan Lan

From: Vinicius Costa Gomes <vinicius.gomes@intel.com>

[ Upstream commit ee66bc29578391c9b48523dc9119af67bd5c7c0f ]

During the device remove process, the device is reset, causing the
configuration registers to go back to their default state, which is
zero. As the driver is checking if the event log support was enabled
before deallocating, it will fail if a reset happened before.

Do not check if the support was enabled, the check for 'idxd->evl'
being valid (only allocated if the HW capability is available) is
enough.

Fixes: 244da66cda35 ("dmaengine: idxd: setup event log configuration")
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Link: https://patch.msgid.link/20260121-idxd-fix-flr-on-kernel-queues-v3-v3-10-7ed70658a9d1@intel.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
[ Minor context conflict resolved. ]
Signed-off-by: Wenshan Lan <jetlan9@163.com>
---
 drivers/dma/idxd/device.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/drivers/dma/idxd/device.c b/drivers/dma/idxd/device.c
index 44bbeb3acd14..10e54a050ea9 100644
--- a/drivers/dma/idxd/device.c
+++ b/drivers/dma/idxd/device.c
@@ -810,10 +810,6 @@ static void idxd_device_evl_free(struct idxd_device *idxd)
 	struct device *dev = &idxd->pdev->dev;
 	struct idxd_evl *evl = idxd->evl;
 
-	gencfg.bits = ioread32(idxd->reg_base + IDXD_GENCFG_OFFSET);
-	if (!gencfg.evl_en)
-		return;
-
 	mutex_lock(&evl->lock);
 	gencfg.evl_en = 0;
 	iowrite32(gencfg.bits, idxd->reg_base + IDXD_GENCFG_OFFSET);
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH 6.6.y] dmaengine: idxd: Fix leaking event log memory
  2026-05-07  4:04 [PATCH 6.6.y] dmaengine: idxd: Fix leaking event log memory Wenshan Lan
@ 2026-05-09  2:08 ` Sasha Levin
  2026-05-09  2:16   ` Wenshan Lan
  0 siblings, 1 reply; 3+ messages in thread
From: Sasha Levin @ 2026-05-09  2:08 UTC (permalink / raw)
  To: gregkh, stable
  Cc: Sasha Levin, linux-kernel, Vinicius Costa Gomes, Dave Jiang,
	Vinod Koul, Wenshan Lan

On Thu, May 07, 2026 at 12:04:15PM +0800, Wenshan Lan wrote:
> From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
>
> [ Upstream commit ee66bc29578391c9b48523dc9119af67bd5c7c0f ]
>
> -	gencfg.bits = ioread32(idxd->reg_base + IDXD_GENCFG_OFFSET);
> -	if (!gencfg.evl_en)
> -		return;
> -
>  	mutex_lock(&evl->lock);

This drops the only thing that protects no-evl-capable hardware
(idxd->evl == NULL) from dereferencing evl in idxd_device_evl_free().
On 6.6, idxd_init_evl() returns 0 without allocating evl when
hw.gen_cap.evl_support == 0, and idxd_device_evl_free() is still
reachable in that path, so taking ee66bc29 alone will introduce a
NULL deref on hardware without event-log support.

The required prerequisite is upstream commit 52d2edea0d63c
("dmaengine: idxd: Fix crash when the event log is disabled"), which
adds the "if (!evl) return;" guard at the top of idxd_device_evl_free().
It landed as patch 2 of the same v3 series and is missing from 6.6.y.

Could you resend as a 2-patch series with 52d2edea0d63c as the
prerequisite? Then I'm happy to queue both for 6.6.y.

--
Thanks,
Sasha

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH 6.6.y] dmaengine: idxd: Fix leaking event log memory
  2026-05-09  2:08 ` Sasha Levin
@ 2026-05-09  2:16   ` Wenshan Lan
  0 siblings, 0 replies; 3+ messages in thread
From: Wenshan Lan @ 2026-05-09  2:16 UTC (permalink / raw)
  To: Sasha Levin, gregkh, stable
  Cc: linux-kernel, Vinicius Costa Gomes, Dave Jiang, Vinod Koul


On 5/9/2026 10:08 AM, Sasha Levin wrote:
> On Thu, May 07, 2026 at 12:04:15PM +0800, Wenshan Lan wrote:
>> From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
>>
>> [ Upstream commit ee66bc29578391c9b48523dc9119af67bd5c7c0f ]
>>
>> -	gencfg.bits = ioread32(idxd->reg_base + IDXD_GENCFG_OFFSET);
>> -	if (!gencfg.evl_en)
>> -		return;
>> -
>>   	mutex_lock(&evl->lock);
> This drops the only thing that protects no-evl-capable hardware
> (idxd->evl == NULL) from dereferencing evl in idxd_device_evl_free().
> On 6.6, idxd_init_evl() returns 0 without allocating evl when
> hw.gen_cap.evl_support == 0, and idxd_device_evl_free() is still
> reachable in that path, so taking ee66bc29 alone will introduce a
> NULL deref on hardware without event-log support.
>
> The required prerequisite is upstream commit 52d2edea0d63c
> ("dmaengine: idxd: Fix crash when the event log is disabled"), which
> adds the "if (!evl) return;" guard at the top of idxd_device_evl_free().
> It landed as patch 2 of the same v3 series and is missing from 6.6.y.
>
> Could you resend as a 2-patch series with 52d2edea0d63c as the
> prerequisite? Then I'm happy to queue both for 6.6.y.

Thank you for your review. I will resend v2.

Wenshan Lan

>
> --
> Thanks,
> Sasha


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-05-09  2:17 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-07  4:04 [PATCH 6.6.y] dmaengine: idxd: Fix leaking event log memory Wenshan Lan
2026-05-09  2:08 ` Sasha Levin
2026-05-09  2:16   ` Wenshan Lan

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox