Re: [PATCH v2 2/2] dmaengine: idxd: fix duplicate memory frees on initialization error path.

From: Steve Wahl

Date: Mon Jun 29 2026 - 15:17:27 EST


On Mon, Jun 29, 2026 at 11:44:36AM +0000, Codres, Bogdan wrote:
> Hi Vinicius, Steve,
>
> Thanks for the heads-up. I'm totally fine with being added as:
>
> Reported-by: Bogdan Codres <bogdan.codres@xxxxxxxxxxxxx>
>
> on Steve's patch — his fix addresses the same issue I was seeing.
> You can use my splat as the reproducer.
>
> Regarding the third patch for the dangling ->wq pointer — the proposed change looks reasonable to me.
>
> Best regards,
> Bogdan
>
> Ph.D. eng. Bogdan Codres
> Member of Technical Staff in Cloud Platform Engineering, Wind River
>

Hello, everyone,

As there's no code changes (and I even find it remarkable how similar
the two were, I think only the comments differed), I am completely
open to Vinicius just modifying the commit message to include the
parts he wants to see. It would take less time than another round of
posting a patch. But if you need more from me, let me know.

Thanks,

--> Steve

> ________________________________
> From: Codres, Bogdan <Bogdan.Codres@xxxxxxxxxxxxx>
> Sent: Monday, June 29, 2026 14:32
> To: Vinicius Costa Gomes <vinicius.gomes@xxxxxxxxx>; Steve Wahl <steve.wahl@xxxxxxx>; Steve Wahl <steve.wahl@xxxxxxx>; Dave Jiang <dave.jiang@xxxxxxxxx>; Vinod Koul <vkoul@xxxxxxxxxx>; Frank Li <Frank.Li@xxxxxxxxxx>; dmaengine@xxxxxxxxxxxxxxx <dmaengine@xxxxxxxxxxxxxxx>; linux-kernel@xxxxxxxxxxxxxxx <linux-kernel@xxxxxxxxxxxxxxx>
> Cc: Russ Anderson <rja@xxxxxxx>; Dimitri Sivanich <sivanich@xxxxxxx>
> Subject: Re: [PATCH v2 2/2] dmaengine: idxd: fix duplicate memory frees on initialization error path.
>
> Hi Vinicius, Steve,
> Thanks for the heads-up. I'm totally fine with being added as
> Reported-by: Bogdan Codres <bogdan.codres@xxxxxxxxxxxxx>
> on Steve's patch — his fix addresses the same issue I was seeing.
> You can use my splat ad the reproducer.
> Regarding the third patch for the dangling ->wq pointer — the idxd->wq = NULL after destroy_workqueue() looks reasonable to me
> Best regards, Bogdan
>
>
> Best Regards,
>
> Ph.D. eng. Bogdan Codres
>
> Member of Technical Staff in Cloud Platform Engineering, Wind River
>
> ________________________________
> From: Vinicius Costa Gomes <vinicius.gomes@xxxxxxxxx>
> Sent: Saturday, June 27, 2026 3:57
> To: Steve Wahl <steve.wahl@xxxxxxx>; Steve Wahl <steve.wahl@xxxxxxx>; Dave Jiang <dave.jiang@xxxxxxxxx>; Vinod Koul <vkoul@xxxxxxxxxx>; Frank Li <Frank.Li@xxxxxxxxxx>; dmaengine@xxxxxxxxxxxxxxx <dmaengine@xxxxxxxxxxxxxxx>; linux-kernel@xxxxxxxxxxxxxxx <linux-kernel@xxxxxxxxxxxxxxx>
> Cc: Russ Anderson <rja@xxxxxxx>; Dimitri Sivanich <sivanich@xxxxxxx>; Codres, Bogdan <Bogdan.Codres@xxxxxxxxxxxxx>
> Subject: Re: [PATCH v2 2/2] dmaengine: idxd: fix duplicate memory frees on initialization error path.
>
> CAUTION: This email comes from a non Wind River email account!
> Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
> Steve Wahl <steve.wahl@xxxxxxx> writes:
>
> > Error paths within idxd_pci_probe_alloc and related functions end up
> > attempting to free memory already freed from idxd_conf_device_release
> > via put_device.
> >
> > This was encountered running in a kexec'd kdump kernel with reduced
> > resources, causing the "Device is HALTED!" branch in
> > idxd_device_init_reset to be taken.
> >
> > In idxd_free and idxd_alloc, do not attempt to free allocations that
> > will already have been freed.
> >
> > Signed-off-by: Steve Wahl <steve.wahl@xxxxxxx>
> > ---
>
> Bogdan Codres series (but submitted a bit later), tries to fix this
> issue, has a better splat and a reproducer, I think it makes sense to
> add the splat and reproducer here, and add Bogdan as Reported-by (if
> agreed, of course).
>
> I am wondering about adding a third patch for the dangling ->wq pointer, as
> reported by Sashiko would make sense.
>
> Something like this might do the job (totally untested):
>
> diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c
> index f1cfc7790d95..0a74018f31a8 100644
> --- a/drivers/dma/idxd/init.c
> +++ b/drivers/dma/idxd/init.c
> @@ -415,6 +415,7 @@ static void idxd_cleanup_internals(struct idxd_device *idxd)
> idxd_clean_engines(idxd);
> idxd_clean_wqs(idxd);
> destroy_workqueue(idxd->wq);
> + idxd->wq = NULL;
> }
>
> How does it sound?
>
> > v2: split into two patches as requested by Vinicius Costa
> >
> > drivers/dma/idxd/init.c | 10 ++++++----
> > 1 file changed, 6 insertions(+), 4 deletions(-)
> >
> > diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c
> > index f1cfc7790d95..227e323cc5a0 100644
> > --- a/drivers/dma/idxd/init.c
> > +++ b/drivers/dma/idxd/init.c
> > @@ -607,9 +607,6 @@ static void idxd_free(struct idxd_device *idxd)
> > return;
> >
> > put_device(idxd_confdev(idxd));
> > - bitmap_free(idxd->opcap_bmap);
> > - ida_free(&idxd_ida, idxd->id);
> > - kfree(idxd);
> > }
> >
> > static struct idxd_device *idxd_alloc(struct pci_dev *pdev, struct idxd_driver_data *data)
> > @@ -649,8 +646,13 @@ static struct idxd_device *idxd_alloc(struct pci_dev *pdev, struct idxd_driver_d
> > return idxd;
> >
> > err_name:
> > + /*
> > + * once device_initialize(conf_dev) is called,
> > + * put_device(conf_dev) will end up calling
> > + * idxd_conf_device_release() which will free the rest.
> > + */
> > put_device(conf_dev);
> > - bitmap_free(idxd->opcap_bmap);
> > + return NULL;
> > err_opcap:
> > ida_free(&idxd_ida, idxd->id);
> > err_ida:
> > --
> > 2.51.0
> >
>
> --
> Vinicius

--
Steve Wahl, Hewlett Packard Enterprise