Date: Thu, 2 Apr 2026 15:52:09 +0200
From: Greg Kroah-Hartman
To: Guangshuo Li
Cc: Yaxing Guo, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH v4] uio: uio_pci_generic_sva: fix double free of devm_kzalloc() memory
Message-ID: <2026040232-ungloved-bonnet-a407@gregkh>
References: <20260226153250.18079-1-lgs201920130244@gmail.com>
In-Reply-To: <20260226153250.18079-1-lgs201920130244@gmail.com>
X-Mailing-List: stable@vger.kernel.org

On Thu, Feb 26, 2026 at 11:32:50PM +0800, Guangshuo Li wrote:
> uio_pci_sva allocates struct uio_pci_sva_dev with devm_kzalloc() in
> probe(), but then calls kfree(udev) both on the probe() error path
> (label out_free) and again in remove().
> 
> Because devm_kzalloc() allocations are devres-managed and are freed
> automatically when the device is detached (including after a failing
> probe() and during driver unbind), the explicit kfree() can lead to a
> double free.
> 
> If probe() fails after devm_kzalloc(), the error path frees udev and
> devres cleanup will free it again when the core unwinds the partially
> bound device. On normal driver removal, remove() frees udev and devres
> will free it again when the device is detached.
> 
> This issue was identified by a static analysis tool I developed and
> confirmed by manual review. Fix by removing the manual kfree() calls
> and dropping the now-unused label.
> 
> Fixes: 3397c3cd859a2 ("uio: Add SVA support for PCI devices via uio_pci_generic_sva.c")
> Cc: stable@vger.kernel.org
> Signed-off-by: Guangshuo Li
> ---
> v4:
> - Add description of how the issue was found and tested.
> 
> v3:
> - Add changelog below the --- line describing changes since v2.
> 
> v2:
> - Reflow commit message to keep lines within 75 characters.
> 
>  drivers/uio/uio_pci_generic_sva.c | 5 +----
>  1 file changed, 1 insertion(+), 4 deletions(-)
> > diff --git a/drivers/uio/uio_pci_generic_sva.c b/drivers/uio/uio_pci_generic_sva.c > index 4a46acd994a8..152201047334 100644 > --- a/drivers/uio/uio_pci_generic_sva.c > +++ b/drivers/uio/uio_pci_generic_sva.c > @@ -129,15 +129,13 @@ static int probe(struct pci_dev *pdev, const struct pci_device_id *id) > ret = devm_uio_register_device(&pdev->dev, &udev->info); > if (ret) { > dev_err(&pdev->dev, "Failed to register uio device\n"); > - goto out_free; > + goto out_disable; > } > > pci_set_drvdata(pdev, udev); > > return 0; > > -out_free: > - kfree(udev); > out_disable: > pci_disable_device(pdev); > > @@ -150,7 +148,6 @@ static void remove(struct pci_dev *pdev) > > pci_release_regions(pdev); > pci_disable_device(pdev); > - kfree(udev); > } > > static ssize_t pasid_show(struct device *dev, > -- > 2.43.0 > Breaks the build, how did you test this: CC [M] drivers/uio/uio_pci_generic_sva.o drivers/uio/uio_pci_generic_sva.c:147:26: error: unused variable 'udev' [-Werror,-Wunused-variable] 147 | struct uio_pci_sva_dev *udev = pci_get_drvdata(pdev); | ^~~~ 1 error generated. {sigh}
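Review bot: in the probe() hunk, redirecting the devm_uio_register_device() failure from out_free to out_disable means that error path now only runs pci_disable_device(); since remove() in the second hunk calls pci_release_regions(), probe() evidently requests regions before the register call, and the hunk does not show whether out_disable, or a label before it, releases them. Please confirm that the labels left after this change release everything probe() acquired before devm_uio_register_device(), otherwise fixing the double free leaves a region leak on the same path.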
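Review bot: in the remove() hunk, deleting kfree(udev) leaves the local `struct uio_pci_sva_dev *udev = pci_get_drvdata(pdev);` with no remaining use, which is exactly the `-Werror,-Wunused-variable` failure at drivers/uio/uio_pci_generic_sva.c:147 in the build log in this reply. The hunk also needs to drop that declaration (the pci_get_drvdata() call serves no purpose in remove() once nothing is freed), leaving only the pci_release_regions()/pci_disable_device() pair, and the patch should be compile-tested before resending.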
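The lifetime rule the commit message relies on (devres frees the allocation itself after a failed probe() and on unbind, so a manual kfree() is always one free too many) can be checked outside the kernel. The block below is an added example for this thread, not code from the uio driver or from the kernel: `devm_kzalloc()`, `kfree()` and `devres_release_all()` are local userspace mocks with the same ownership semantics, and a constructed free tracker counts frees of each address instead of executing the second free, so the double free is observed rather than triggered as undefined behaviour. `udev_free_count()` replays both paths the commit message describes, with and without the driver's manual kfree().

```c
/* Added example: userspace model of devres ownership. Not kernel code;
 * devm_kzalloc/kfree/devres_release_all below are mocks of the real API. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_DEVRES 8

/* Stand-in for the driver core's per-device devres list. */
struct device {
    void *devres[MAX_DEVRES];
    int ndevres;
};

/* Constructed free tracker: records how many times each address is freed
 * and only calls free() the first time, so a double free is counted, not
 * executed as undefined behaviour. */
static uintptr_t freed_addr[64];
static int freed_count[64];
static int nfreed;

static void tracker_reset(void) { nfreed = 0; }

static void kfree(void *p)
{
    uintptr_t a = (uintptr_t)p;
    for (int i = 0; i < nfreed; i++) {
        if (freed_addr[i] == a) {
            freed_count[i]++;        /* second free of the same block */
            return;
        }
    }
    freed_addr[nfreed] = a;
    freed_count[nfreed] = 1;
    nfreed++;
    free(p);
}

static int times_freed(uintptr_t a)
{
    for (int i = 0; i < nfreed; i++)
        if (freed_addr[i] == a)
            return freed_count[i];
    return 0;
}

/* Mock devm_kzalloc(): the block is owned by the device, not the caller. */
static void *devm_kzalloc(struct device *dev, size_t size)
{
    void *p;
    if (dev->ndevres == MAX_DEVRES)
        return NULL;
    p = calloc(1, size);
    if (p)
        dev->devres[dev->ndevres++] = p;
    return p;
}

/* Mock of what the core does after a failed probe() and after remove(). */
static void devres_release_all(struct device *dev)
{
    while (dev->ndevres > 0)
        kfree(dev->devres[--dev->ndevres]);
}

struct uio_pci_sva_dev {
    int pasid;  /* stand-in field; the real struct carries the uio_info */
};

/* How many times udev ends up freed once the core has unwound the device.
 * manual_kfree=1 models the pre-patch driver (kfree() in the probe error
 * path and in remove()); fail_probe=1 models devm_uio_register_device()
 * failing. A correct driver yields 1 on every path. */
static int udev_free_count(int manual_kfree, int fail_probe)
{
    struct device dev;
    struct uio_pci_sva_dev *udev;
    uintptr_t addr;

    memset(&dev, 0, sizeof(dev));
    tracker_reset();

    udev = devm_kzalloc(&dev, sizeof(*udev));
    if (!udev)
        return -ENOMEM;
    addr = (uintptr_t)udev;

    if (fail_probe) {
        if (manual_kfree)
            kfree(udev);             /* old out_free error path */
        devres_release_all(&dev);    /* core unwinds the failed probe */
        return times_freed(addr);
    }

    /* probe() succeeded; on unbind remove() runs, then devres is released. */
    if (manual_kfree)
        kfree(udev);                 /* old remove() */
    devres_release_all(&dev);
    return times_freed(addr);
}
```

With the manual kfree() in place both the failed-probe path and the unbind path free udev twice; with it removed each path frees it exactly once. In the real kernel the second kfree() hands an already-freed object back to the slab allocator, which KASAN reports as a double-free and which, without KASAN, corrupts allocator state silently.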