RE: [PATCH 2/3] dmaengine: idxd: Prevent use after free on completion memory

> On driver unload any pending descriptors are flushed at the time the interrupt is
> freed:
> idxd_dmaengine_drv_remove() ->
> 	drv_disable_wq() ->
> 		idxd_wq_free_irq() ->
> 			idxd_flush_pending_descs().
> 
> If there are any descriptors present that need to be flushed this flow triggers a
> "not present" page fault as below:
> 
>  BUG: unable to handle page fault for address: ff391c97c70c9040
>  #PF: supervisor read access in kernel mode
>  #PF: error_code(0x0000) - not-present page
> 
> The address that triggers the fault is the address of the descriptor that was freed
> moments earlier via:
> drv_disable_wq()->idxd_wq_free_resources()
> 
> Fix the use after free by freeing the descriptors after any possible usage. This is
...
> Fixes: 63c14ae6c161 ("dmaengine: idxd: refactor wq driver enable/disable operations")
> Suggested-by: Dave Jiang <dave.jiang@xxxxxxxxx>
> Signed-off-by: Reinette Chatre <reinette.chatre@xxxxxxxxx>

Reviewed-by: Fenghua Yu <fenghua.yu@xxxxxxxxx>
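
Added example, not part of the patch or the idxd driver: a user-space C model of the teardown ordering described in the quoted commit message, showing the free-then-flush order next to the flush-then-free order. Every struct and function name is hypothetical, and the model clears the pointer on free so the stale access is reported as -1 instead of touching freed memory.

```c
#include <stdbool.h>
#include <stdlib.h>

/* User-space model only; every name here is hypothetical, not idxd code. */
struct desc { bool pending; };
struct wq { struct desc *descs; size_t num; };

/* Allocate n descriptors; mark the even-numbered ones as still pending. */
static int wq_alloc(struct wq *wq, size_t n) {
    wq->descs = calloc(n, sizeof(*wq->descs));
    wq->num = wq->descs ? n : 0;
    for (size_t i = 0; i < wq->num; i++)
        wq->descs[i].pending = (i % 2 == 0);
    return wq->descs ? 0 : -1;
}

/* Flush at interrupt free: reads descriptor memory. Returns the count, or -1
 * if that memory is already gone (the kernel's not-present page fault). */
static int wq_flush_pending(struct wq *wq) {
    int flushed = 0;
    if (!wq->descs)
        return -1;
    for (size_t i = 0; i < wq->num; i++) {
        flushed += wq->descs[i].pending;
        wq->descs[i].pending = false;
    }
    return flushed;
}

/* Release descriptor memory; pointer cleared so the model can detect reuse. */
static void wq_free_resources(struct wq *wq) {
    free(wq->descs);
    wq->descs = NULL;
}

/* Order the commit message reports as faulting: free, then flush. */
static int teardown_free_first(struct wq *wq) {
    wq_free_resources(wq);
    return wq_flush_pending(wq);
}

/* Order after the fix: flush every pending descriptor, then free. */
static int teardown_flush_first(struct wq *wq) {
    int flushed = wq_flush_pending(wq);
    wq_free_resources(wq);
    return flushed;
}
```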




