Re: [PATCH 6.6.y] dmaengine: idxd: Fix leaking event log memory

Next message: Sergey Senozhatsky: "Re: [PATCH v2] zram: fix use-after-free in zram_writeback_endio"
Previous message: Sanjay Chitroda: "Re: [PATCH v3 0/1] dt-bindings: iio: dds: Add AD9832/AD9835 binding"
In reply to: Sasha Levin: "Re: [PATCH 6.6.y] dmaengine: idxd: Fix leaking event log memory"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Wenshan Lan

Date: Fri May 08 2026 - 22:17:48 EST

On 5/9/2026 10:08 AM, Sasha Levin wrote:

On Thu, May 07, 2026 at 12:04:15PM +0800, Wenshan Lan wrote:

From: Vinicius Costa Gomes <vinicius.gomes@xxxxxxxxx>

[ Upstream commit ee66bc29578391c9b48523dc9119af67bd5c7c0f ]

- gencfg.bits = ioread32(idxd->reg_base + IDXD_GENCFG_OFFSET);
- if (!gencfg.evl_en)
- return;
-
mutex_lock(&evl->lock);

This drops the only thing that protects no-evl-capable hardware
(idxd->evl == NULL) from dereferencing evl in idxd_device_evl_free().
On 6.6, idxd_init_evl() returns 0 without allocating evl when
hw.gen_cap.evl_support == 0, and idxd_device_evl_free() is still
reachable in that path, so taking ee66bc29 alone will introduce a
NULL deref on hardware without event-log support.

The required prerequisite is upstream commit 52d2edea0d63c
("dmaengine: idxd: Fix crash when the event log is disabled"), which
adds the "if (!evl) return;" guard at the top of idxd_device_evl_free().
It landed as patch 2 of the same v3 series and is missing from 6.6.y.

Could you resend as a 2-patch series with 52d2edea0d63c as the
prerequisite? Then I'm happy to queue both for 6.6.y.

Thank you for your review. I will resend v2.

Wenshan Lan

--
Thanks,
Sasha