[PATCH 2/2] cdx: Fix double free when sysfs file creation fails

Next message: Peter Zijlstra: "Re: [PATCH v2 2/4] sched/rt: Restructure root_domain to reduce cacheline contention"
Previous message: Prasanna Kumar T S M: "[PATCH 1/2] vfio/cdx: Fix NULL pointer dereference in interrupt trigger path"
In reply to: Prasanna Kumar T S M: "[PATCH 1/2] vfio/cdx: Fix NULL pointer dereference in interrupt trigger path"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Prasanna Kumar T S M

Date: Fri Mar 20 2026 - 06:21:28 EST

In cdx_create_res_attr(), if sysfs_create_bin_file() fails, the code
frees res_attr but doesn't set cdx_dev->res_attr[num] to NULL. This
leaves a dangling pointer in the array. Then cdx_destroy_res_attr()
frees the already-freed memory. Fix the double free by initializing
cdx_dev->res_attr[num] after sysfs_create_bin_file() completes.

Fixes: aeda33ab8160 ("cdx: create sysfs bin files for cdx resources")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Prasanna Kumar T S M <ptsm@xxxxxxxxxxxxxxxxxxx>
---
drivers/cdx/cdx.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/cdx/cdx.c b/drivers/cdx/cdx.c
index 9196dc50a48d..a4e03fb07c4c 100644
--- a/drivers/cdx/cdx.c
+++ b/drivers/cdx/cdx.c
@@ -768,7 +768,6 @@ static int cdx_create_res_attr(struct cdx_device *cdx_dev, int num)

sysfs_bin_attr_init(res_attr);

- cdx_dev->res_attr[num] = res_attr;
sprintf(res_attr_name, "resource%d", num);

res_attr->mmap = cdx_mmap_resource;
@@ -777,8 +776,12 @@ static int cdx_create_res_attr(struct cdx_device *cdx_dev, int num)
res_attr->size = cdx_resource_len(cdx_dev, num);
res_attr->private = (void *)(unsigned long)num;
ret = sysfs_create_bin_file(&cdx_dev->dev.kobj, res_attr);
- if (ret)
+ if (ret) {
kfree(res_attr);
+ return ret;
+ }
+
+ cdx_dev->res_attr[num] = res_attr;

return ret;
}
--
2.49.0