The variable `buf` in `fast_req_dump()` is declared with
`__cleanup(kfree)`, which passes `&buf` (the stack address of the
pointer variable) to kfree() rather than the heap address stored
in `buf`.  This would cause an invalid free of a stack address,
leading to memory corruption or a crash.

`__cleanup(func)` is designed for value-typed variables where the
cleanup function should receive a pointer to the variable.  For
heap-allocated pointers, `__free(kfree)` must be used instead,
since DEFINE_FREE creates a wrapper that correctly dereferences
the pointer before passing it to kfree().

This is the same class of bug recorded in CVE-2026-45959 and fixed by
commit d5abcc33ee76 ("crypto: ccp - Fix a crash due to incorrect
cleanup usage of kfree").

Fixes: ea944d57eac7 ("drm/xe/guc_ct: Cleanup ifdef'ry")
Cc: [email protected]
Signed-off-by: Wentao Liang <[email protected]>
---
 drivers/gpu/drm/xe/xe_guc_ct.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/xe/xe_guc_ct.c b/drivers/gpu/drm/xe/xe_guc_ct.c
index a11cff7a20be..73867a5cbe3a 100644
--- a/drivers/gpu/drm/xe/xe_guc_ct.c
+++ b/drivers/gpu/drm/xe/xe_guc_ct.c
@@ -116,7 +116,7 @@ static void fast_req_dump(struct xe_guc_ct *ct, u16 fence, 
unsigned int slot)
 {
        struct xe_gt *gt = ct_to_gt(ct);
 #if IS_ENABLED(CONFIG_DRM_XE_DEBUG_GUC)
-       char *buf __cleanup(kfree) = kmalloc(SZ_4K, GFP_NOWAIT);
+       char *buf __free(kfree) = kmalloc(SZ_4K, GFP_NOWAIT);
 
        if (buf && stack_depot_snprint(ct->fast_req[slot].stack, buf, SZ_4K, 0))
                xe_gt_err(gt, "Fence 0x%x was used by action %#04x sent 
at:\n%s\n",
-- 
2.34.1

Reply via email to