Re: [PATCH v3] uio: uio_pci_generic_sva: fix double free of devm_kzalloc() memory
From: Guangshuo Li
Date: Thu Feb 26 2026 - 05:17:06 EST
Hi Greg,
Thanks for the reminder.
This was found by a static analysis tool I designed. After a manual
review, I confirmed the issue and sent the fix.
Would you prefer that I include the “how it was found and tested”
information in the commit message?
Thanks,
Guangshuo
Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> wrote on Thu, Feb 26, 2026 at 09:38:
>
> On Thu, Feb 26, 2026 at 09:16:32AM +0800, Guangshuo Li wrote:
> > uio_pci_sva allocates struct uio_pci_sva_dev with devm_kzalloc() in
> > probe(), but then calls kfree(udev) both on the probe() error path
> > (label out_free) and again in remove().
> >
> > Because devm_kzalloc() allocations are devres-managed and are freed
> > automatically when the device is detached (including after a failing
> > probe() and during driver unbind), the explicit kfree() can lead to a
> > double free.
> >
> > If probe() fails after devm_kzalloc(), the error path frees udev and
> > devres cleanup will free it again when the core unwinds the partially
> > bound device. On normal driver removal, remove() frees udev and devres
> > will free it again when the device is detached.
> >
> > Fix by removing the manual kfree() calls and dropping the now-unused
> > label.
> >
> > Fixes: 3397c3cd859a2 ("uio: Add SVA support for PCI devices via uio_pci_generic_sva.c")
> > Cc: stable@xxxxxxxxxxxxxxx
> > Signed-off-by: Guangshuo Li <lgs201920130244@xxxxxxxxx>
> > ---
> > v3:
> > - Add changelog below the --- line describing changes since v2.
> >
> > v2:
> > - Reflow commit message to keep lines within 75 characters.
>
> You forgot my question of "how was this found and tested"?
>
> thanks,
>
> greg k-h
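The commit message above describes a kfree() applied to devres-managed memory; the following is a minimal, heuristic version of a static check for that pattern, added here as an illustration and not Guangshuo's tool or any kernel code. The C snippet it scans is constructed to mirror the probe()/remove() shape the message describes and is not the real uio_pci_generic_sva.c source.

```python
import re

# Constructed sample modelled on the bug pattern in the commit message
# (devm_kzalloc() in probe, kfree() on the error path and in remove()).
SAMPLE = """
static int sva_probe(struct pci_dev *pdev, const struct pci_device_id *id)
{
    struct sva_dev *udev;

    udev = devm_kzalloc(&pdev->dev, sizeof(*udev), GFP_KERNEL);
    if (!udev)
        return -ENOMEM;
    if (pci_enable_device(pdev))
        goto out_free;
    return 0;
out_free:
    kfree(udev);
    return -ENODEV;
}

static void sva_remove(struct pci_dev *pdev)
{
    struct sva_dev *udev = pci_get_drvdata(pdev);

    kfree(udev);
}
"""

# "name = devm_kzalloc(" / "name = devm_kmalloc(" assignments.
DEVM_ALLOC = re.compile(r'\b(\w+)\s*=\s*devm_k[zm]alloc\s*\(')
# "kfree(name)" calls.
KFREE = re.compile(r'\bkfree\s*\(\s*(\w+)\s*\)')


def find_devm_kfree(src):
    """Return [(line_no, name)] for every kfree() of a name that is
    assigned from devm_k*alloc() anywhere in src.

    Matching is file-wide on purpose: devres frees the allocation when
    the device is detached, so a manual kfree() in *any* function
    (probe error path or remove()) is a double-free candidate.  It is
    name-based, so shadowed or reused identifiers can give false hits;
    every report still needs the manual review the thread describes."""
    devm_names = {m.group(1) for m in DEVM_ALLOC.finditer(src)}
    hits = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for m in KFREE.finditer(line):
            if m.group(1) in devm_names:
                hits.append((lineno, m.group(1)))
    return hits


if __name__ == "__main__":
    for lineno, name in find_devm_kfree(SAMPLE):
        print(f"line {lineno}: kfree({name}) on devres-managed memory")
```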