From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Date: Wed, 21 Jan 2026 18:34:29 +0000 (-0800)
Subject: dmaengine: idxd: Fix possible invalid memory access after FLR
X-Git-Tag: v6.19.11~30
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=867d0c801f21370d561420fa32f2ea1a7dc3a22d;p=thirdparty%2Fkernel%2Fstable.git

dmaengine: idxd: Fix possible invalid memory access after FLR

[ Upstream commit d6077df7b75d26e4edf98983836c05d00ebabd8d ]

In the case that the first Function Level Reset (FLR) concludes
correctly, but in the second FLR the scratch area for the saved
configuration cannot be allocated, it's possible for a invalid memory
access to happen.

Always set the deallocated scratch area to NULL after FLR completes.

Fixes: 98d187a98903 ("dmaengine: idxd: Enable Function Level Reset (FLR) for halt")
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Link: https://patch.msgid.link/20260121-idxd-fix-flr-on-kernel-queues-v3-v3-3-7ed70658a9d1@intel.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c
index 449424242631d..f2b37c63a964c 100644
--- a/drivers/dma/idxd/init.c
+++ b/drivers/dma/idxd/init.c
@@ -1137,6 +1137,7 @@ static void idxd_reset_done(struct pci_dev *pdev)
 	}
 out:
 	kfree(idxd->idxd_saved);
+	idxd->idxd_saved = NULL;
 }
 
 static const struct pci_error_handlers idxd_error_handler = {