Bug 2397570 (CVE-2025-39870) - CVE-2025-39870 kernel: dmaengine: idxd: Fix double free in idxd_setup_wqs()
Summary: CVE-2025-39870 kernel: dmaengine: idxd: Fix double free in idxd_setup_wqs()
Keywords:
Status: NEW
Alias: CVE-2025-39870
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-09-23 07:02 UTC by OSIDB Bzimport
Modified: 2025-11-26 11:19 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-09-23 07:02:27 UTC 
In the Linux kernel, the following vulnerability has been resolved:

dmaengine: idxd: Fix double free in idxd_setup_wqs()

The clean up in idxd_setup_wqs() has had a couple bugs because the error
handling is a bit subtle.  It's simpler to just re-write it in a cleaner
way.  The issues here are:

1) If "idxd->max_wqs" is <= 0 then we call put_device(conf_dev) when
   "conf_dev" hasn't been initialized.
2) If kzalloc_node() fails then again "conf_dev" is invalid.  It's
   either uninitialized or it points to the "conf_dev" from the
   previous iteration so it leads to a double free.

It's better to free partial loop iterations within the loop and then
the unwinding at the end can handle whole loop iterations.  I also
renamed the labels to describe what the goto does and not where the goto
was located.
Comment 1 Jon Moroney 2025-09-23 17:10:08 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025092359-CVE-2025-39870-2af3@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.