On 1/29/24 18:39, Fenghua Yu wrote:
> file_ida is allocated during cdev open and is freed accordingly
> during cdev release. This sequence is guaranteed by driver file
> operations. Therefore, there is no need to destroy an already empty
> file_ida when the WQ cdev is removed.
>
> Worse, ida_free() in cdev release may happen after destruction of
> file_ida per WQ cdev. This can lead to accessing an id in file_ida
> after it has been destroyed, resulting in a kernel panic.
>
> Remove ida_destroy(&file_ida) to address these issues.
>
> Fixes: e6fd6d7e5f0f ("dmaengine: idxd: add a device to represent the file opened")
> Signed-off-by: Lijun Pan <lijun.pan@xxxxxxxxx>
> Signed-off-by: Fenghua Yu <fenghua.yu@xxxxxxxxx>
Reviewed-by: Dave Jiang <dave.jiang@xxxxxxxxx>
> ---
> drivers/dma/idxd/cdev.c | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/drivers/dma/idxd/cdev.c b/drivers/dma/idxd/cdev.c
> index baa51927675c..3311c920f47a 100644
> --- a/drivers/dma/idxd/cdev.c
> +++ b/drivers/dma/idxd/cdev.c
> @@ -1272,7 +1272,6 @@ void idxd_wq_del_cdev(struct idxd_wq *wq)
> struct idxd_cdev *idxd_cdev;
>
> idxd_cdev = wq->idxd_cdev;
> - ida_destroy(&file_ida);
> wq->idxd_cdev = NULL;
> cdev_device_del(&idxd_cdev->cdev, cdev_dev(idxd_cdev));
> put_device(cdev_dev(idxd_cdev));
