[PATCH] drm/xe/guc: Fix invalid kfree() call via __cleanup on pointer

From: Wentao Liang

Date: Wed Jun 17 2026 - 10:27:06 EST


The variable `buf` in `fast_req_dump()` is declared with
`__cleanup(kfree)`, which passes `&buf` (the stack address of the
pointer variable) to kfree() rather than the heap address stored
in `buf`. This would cause an invalid free of a stack address,
leading to memory corruption or a crash.

`__cleanup(func)` is designed for value-typed variables where the
cleanup function should receive a pointer to the variable. For
heap-allocated pointers, `__free(kfree)` must be used instead,
since DEFINE_FREE creates a wrapper that correctly dereferences
the pointer before passing it to kfree().

This is the same class of bug recorded in CVE-2026-45959 and fixed by
commit d5abcc33ee76 ("crypto: ccp - Fix a crash due to incorrect
cleanup usage of kfree").

Fixes: ea944d57eac7 ("drm/xe/guc_ct: Cleanup ifdef'ry")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Wentao Liang <vulab@xxxxxxxxxxx>
---
drivers/gpu/drm/xe/xe_guc_ct.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/xe/xe_guc_ct.c b/drivers/gpu/drm/xe/xe_guc_ct.c
index a11cff7a20be..73867a5cbe3a 100644
--- a/drivers/gpu/drm/xe/xe_guc_ct.c
+++ b/drivers/gpu/drm/xe/xe_guc_ct.c
@@ -116,7 +116,7 @@ static void fast_req_dump(struct xe_guc_ct *ct, u16 fence, unsigned int slot)
{
struct xe_gt *gt = ct_to_gt(ct);
#if IS_ENABLED(CONFIG_DRM_XE_DEBUG_GUC)
- char *buf __cleanup(kfree) = kmalloc(SZ_4K, GFP_NOWAIT);
+ char *buf __free(kfree) = kmalloc(SZ_4K, GFP_NOWAIT);

if (buf && stack_depot_snprint(ct->fast_req[slot].stack, buf, SZ_4K, 0))
xe_gt_err(gt, "Fence 0x%x was used by action %#04x sent at:\n%s\n",
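Review bot: The one-line change from `__cleanup(kfree)` to `__free(kfree)` on the `buf` declaration is the right fix, and nothing else in the hunk needs to change. `__cleanup(kfree)` hands `&buf` (a `char **`, the stack slot holding the pointer) straight to kfree(), and because kfree() takes `const void *` the compiler accepts that silently, so this class of mistake produces no warning and only shows up as a bogus free of a stack address at scope exit. `__free(kfree)` instead routes through the DEFINE_FREE wrapper generated in the kernel's cleanup machinery, which loads the pointer value out of the variable before freeing it. Two things worth confirming in review, both satisfied here: the variable is initialised at its declaration (the kmalloc() assignment), so no early-exit path can free an uninitialised pointer, and the allocation-failure path guarded by `if (buf && ...)` stays safe because the kfree wrapper skips NULL.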
--
2.34.1