Re: [PATCH v1] dmaengine: idxd: fix double free of wq, engine, and group structs

From: Vinicius Costa Gomes

Date: Wed May 20 2026 - 17:17:11 EST


Yuho Choi <dbgh9129@xxxxxxxxx> writes:

> The release callbacks for wq, engine, and group devices
> (idxd_conf_wq_release, idxd_conf_engine_release,
> idxd_conf_group_release) each call kfree() on the enclosing struct.
> The setup error paths and cleanup functions also call kfree()
> explicitly after put_device(), producing a double free whenever
> put_device() drops the reference count to zero and fires the release.
>
> In the setup functions, device_initialize() is called before
> device_add(), so the reference count is exactly 1 at the error sites.
> put_device() unconditionally fires the release, which frees the struct;
> the subsequent explicit kfree() then operates on freed memory.
>
> For idxd_setup_wqs(), the wq release callback also owns opcap_bmap
> and wqcfg. The error unwind additionally freed those fields explicitly
> before calling put_device(), causing further double frees on both.
>
> Remove the redundant explicit kfree() calls from all setup error paths
> and cleanup functions for wq, engine, and group structs, delegating
> sole ownership of those allocations to the release callbacks.
>
> Fixes: 7c5dd23e57c1 ("dmaengine: idxd: fix wq conf_dev 'struct device' lifetime")
> Fixes: 75b911309060 ("dmaengine: idxd: fix engine conf_dev lifetime")
> Fixes: defe49f96012 ("dmaengine: idxd: fix group conf_dev lifetime")
> Signed-off-by: Yuho Choi <dbgh9129@xxxxxxxxx>
> ---

Acked-by: Vinicius Costa Gomes <vinicius.gomes@xxxxxxxxx>


Cheers,
--
Vinicius
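The ownership rule the commit message states (the release callback, not the caller, owns the struct and its field allocations, so an error path after device_initialize() must call only put_device()) is easy to model outside the kernel. The following is an added example written for this page, not code from the idxd driver or the kernel: it reimplements a minimal struct device with a refcount and release callback, a wq-like object with two owned fields, and a quarantining kfree() stand-in that counts repeated frees instead of corrupting the heap. All sim_* names, the quarantine allocator and the field sizes are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Added example, not idxd or kernel code. A user-space model of the
 * device_initialize()/put_device()/release ownership contract that the
 * patch description relies on.
 */

/* Hypothetical kfree() stand-in: freed pointers are quarantined, so a
 * second free of the same pointer is detected and counted, not UB. */
#define QUARANTINE_MAX 64
static void *quarantine[QUARANTINE_MAX];
static int quarantine_len;
static int double_free_count;

static void *sim_kzalloc(size_t n) { return calloc(1, n); }

static void sim_kfree(void *p)
{
    if (!p)
        return;
    for (int i = 0; i < quarantine_len; i++)
        if (quarantine[i] == p) {       /* already freed once: double free */
            double_free_count++;
            return;
        }
    if (quarantine_len < QUARANTINE_MAX)
        quarantine[quarantine_len++] = p;
}

/* Really free the quarantined memory and report how many double frees
 * were seen in this scenario; resets the counters for the next one. */
static int sim_drain(void)
{
    int n = double_free_count;
    for (int i = 0; i < quarantine_len; i++)
        free(quarantine[i]);
    quarantine_len = 0;
    double_free_count = 0;
    return n;
}

/* Minimal struct device: a refcount and a release callback. */
struct sim_device {
    int refcount;
    void (*release)(struct sim_device *dev);
};

/* As in the kernel, device_initialize() hands the caller one reference. */
static void device_initialize(struct sim_device *dev,
                              void (*release)(struct sim_device *dev))
{
    dev->refcount = 1;
    dev->release = release;
}

/* Dropping the last reference fires release(); release owns the memory. */
static void put_device(struct sim_device *dev)
{
    if (--dev->refcount == 0 && dev->release)
        dev->release(dev);
}

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* wq-like object: embedded conf_dev plus two allocations the release
 * callback owns, mirroring opcap_bmap and wqcfg in the description. */
struct sim_wq {
    struct sim_device conf_dev;
    unsigned long *opcap_bmap;
    void *wqcfg;
};

static void sim_wq_release(struct sim_device *dev)
{
    struct sim_wq *wq = container_of(dev, struct sim_wq, conf_dev);
    sim_kfree(wq->opcap_bmap);
    sim_kfree(wq->wqcfg);
    sim_kfree(wq);
}

static struct sim_wq *sim_wq_alloc(void)
{
    struct sim_wq *wq = sim_kzalloc(sizeof(*wq));
    if (!wq)
        return NULL;
    device_initialize(&wq->conf_dev, sim_wq_release);
    wq->opcap_bmap = sim_kzalloc(8 * sizeof(unsigned long)); /* assumed size */
    wq->wqcfg = sim_kzalloc(64);                              /* assumed size */
    return wq;
}

/* Error unwind shaped like the bug described: explicit kfree() of the
 * fields before put_device(), and of the struct after it. With refcount
 * exactly 1, put_device() fires release, which frees all three itself. */
static int unwind_double_free(void)
{
    struct sim_wq *wq = sim_wq_alloc();
    sim_kfree(wq->opcap_bmap);
    sim_kfree(wq->wqcfg);
    put_device(&wq->conf_dev);  /* release: 2 double frees on the fields */
    sim_kfree(wq);              /* third double free, on the struct */
    return sim_drain();         /* returns 3 */
}

/* Fixed unwind: put_device() alone; release is the sole owner. */
static int unwind_fixed(void)
{
    struct sim_wq *wq = sim_wq_alloc();
    put_device(&wq->conf_dev);
    return sim_drain();         /* returns 0 */
}

int main(void)
{
    printf("buggy unwind: %d double frees\n", unwind_double_free());
    printf("fixed unwind: %d double frees\n", unwind_fixed());
    return 0;
}
```

The model deliberately quarantines freed pointers rather than calling free() twice, so the count is a real measurement rather than undefined behaviour; in the kernel the same pattern is what KASAN or slab debugging would flag as a double free. The check a reviewer wants on such an error path is simply: once device_initialize() has run, no explicit kfree() of the device-embedding struct or of anything its release callback frees.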