VYPR
Unrated severity · NVD Advisory · Published May 27, 2026 · Updated May 27, 2026

CVE-2026-45981

Description

In the Linux kernel, the following vulnerability has been resolved:

s390/cio: Fix device lifecycle handling in css_alloc_subchannel()

css_alloc_subchannel() calls device_initialize() before setting up the DMA masks. If dma_set_coherent_mask() or dma_set_mask() fails, the error path frees the subchannel structure directly, bypassing the device model reference counting.

Once device_initialize() has been called, the embedded struct device must be released via put_device(), allowing the release callback to free the container structure.

Fix the error path by dropping the initial device reference with put_device() instead of calling kfree() directly.

This ensures correct device lifetime handling and avoids potential use-after-free or double-free issues.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free bug in the Linux kernel's s390 CIO subchannel initialization was fixed by replacing a direct kfree() with proper put_device().

Vulnerability

In the Linux kernel's s390 CIO subsystem, css_alloc_subchannel() calls device_initialize() before setting DMA masks. If dma_set_coherent_mask() or dma_set_mask() fails, the error path frees the subchannel structure directly via kfree(), bypassing the device model's reference counting. This violates the kernel's device lifecycle rules because after device_initialize(), the embedded struct device must be released through put_device(). The issue was introduced in an earlier commit and affects kernel versions before the fix at commit f65c75b0b9b5 [1].

Exploitation

To trigger the bug, an attacker needs the ability to trigger the failing DMA mask setup path in css_alloc_subchannel() on an s390 system. This requires local access to provoke subchannel allocation failure, though no specific user interaction or authentication is detailed in the references. The error path is reachable during device initialization when the DMA masks cannot be set (e.g., due to hardware limitations or configuration errors).

Impact

A successful trigger leads to a use-after-free or double-free condition in the kernel, as the freed subchannel structure may be accessed later through dangling references. This could cause a kernel crash (denial of service) or potentially allow privilege escalation if an attacker can control the freed memory. The vulnerability affects the integrity and availability of the system.

Mitigation

The fix was applied in the Linux kernel stable tree with commit f65c75b0b9b5a390bc3beadcde0a6fbc3ad118f7 [1]. Users should update to a kernel version containing this commit. No workarounds are available in the provided reference; the only mitigation is to apply the patch.

References

[1] https://git.kernel.org/stable/c/f65c75b0b9b5a390bc3beadcde0a6fbc3ad118f7

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 16
f65c75b0b9b5

s390/cio: Fix device lifecycle handling in css_alloc_subchannel()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Salah Triki · Jan 30, 2026 · Fixed in 7.0 · via kernel-cna
1 file changed · +1 2
  • drivers/s390/cio/css.c · +1 2 · modified
    diff --git a/drivers/s390/cio/css.c b/drivers/s390/cio/css.c
    index 4c85df7a548ef1..ac24e019020e89 100644
    --- a/drivers/s390/cio/css.c
    +++ b/drivers/s390/cio/css.c
    @@ -235,7 +235,7 @@ struct subchannel *css_alloc_subchannel(struct subchannel_id schid,
     	return sch;
     
     err:
    -	kfree(sch);
    +	put_device(&sch->dev);
     	return ERR_PTR(ret);
     }
     
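Review bot: the hunk swaps kfree(sch) for put_device(&sch->dev) at the err label, but it shows none of the jumps that lead there. If any goto err is taken before device_initialize() has run (the label serves every failure in the function), put_device() on a not-yet-initialized embedded device hits the kobject "not initialized" warning and never reaches the release callback, so the subchannel is leaked instead of freed. Please confirm that every jump to err happens after device_initialize(), or split the label: one that still does kfree(sch) for failures before initialization and one that does put_device(&sch->dev) for failures after it.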
2b2ad7ad4a28

s390/cio: Fix device lifecycle handling in css_alloc_subchannel()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Salah Triki · Jan 30, 2026 · Fixed in 5.10.252 · via kernel-cna
1 file changed · +1 2
  • drivers/s390/cio/css.c · +1 2 · modified
    diff --git a/drivers/s390/cio/css.c b/drivers/s390/cio/css.c
    index cf2c3c4c590f9b..e5e20ea850aad6 100644
    --- a/drivers/s390/cio/css.c
    +++ b/drivers/s390/cio/css.c
    @@ -241,7 +241,7 @@ struct subchannel *css_alloc_subchannel(struct subchannel_id schid,
     	return sch;
     
     err:
    -	kfree(sch);
    +	put_device(&sch->dev);
     	return ERR_PTR(ret);
     }
     
b1d4e6fb2416

s390/cio: Fix device lifecycle handling in css_alloc_subchannel()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Salah Triki · Jan 30, 2026 · Fixed in 5.15.202 · via kernel-cna
1 file changed · +1 2
  • drivers/s390/cio/css.c · +1 2 · modified
    diff --git a/drivers/s390/cio/css.c b/drivers/s390/cio/css.c
    index 3c499136af6570..4c3fde0bd55125 100644
    --- a/drivers/s390/cio/css.c
    +++ b/drivers/s390/cio/css.c
    @@ -247,7 +247,7 @@ struct subchannel *css_alloc_subchannel(struct subchannel_id schid,
     err_lock:
     	kfree(sch->lock);
     err:
    -	kfree(sch);
    +	put_device(&sch->dev);
     	return ERR_PTR(ret);
     }
     
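Review bot: the context lines show err_lock: kfree(sch->lock); falling straight through into the new put_device(&sch->dev);. If the release callback in this tree also frees sch->lock, the DMA-mask failure path now frees the lock twice (once at err_lock, again inside release), which trades the original lifetime bug for a double free. Either set sch->lock = NULL after the kfree() at err_lock, or let the release callback own the lock and have the failures that occur after device_initialize() jump to err directly. The opposite direction also needs a check: a failure taken before device_initialize() that lands on err will now call put_device() on an uninitialized device, which warns and leaks sch rather than freeing it.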
fd295a75d828

s390/cio: Fix device lifecycle handling in css_alloc_subchannel()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Salah Triki · Jan 30, 2026 · Fixed in 6.1.165 · via kernel-cna
1 file changed · +1 2
  • drivers/s390/cio/css.c · +1 2 · modified
    diff --git a/drivers/s390/cio/css.c b/drivers/s390/cio/css.c
    index 98a14c1f3d6725..85c1734ebfe88c 100644
    --- a/drivers/s390/cio/css.c
    +++ b/drivers/s390/cio/css.c
    @@ -247,7 +247,7 @@ struct subchannel *css_alloc_subchannel(struct subchannel_id schid,
     err_lock:
     	kfree(sch->lock);
     err:
    -	kfree(sch);
    +	put_device(&sch->dev);
     	return ERR_PTR(ret);
     }
     
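Review bot: in this 6.1 backport the err_lock: kfree(sch->lock); line still falls through into put_device(&sch->dev);. Unless the release callback in this tree leaves sch->lock alone, the path taken on a DMA-mask failure frees the lock at err_lock and then again from release; clear sch->lock after the kfree() or route post-device_initialize() failures to err instead of err_lock. Jumps to err that precede device_initialize() would also need their own kfree(sch) label, since put_device() on an uninitialized device warns and does not free.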
abb6e07f46a7

s390/cio: Fix device lifecycle handling in css_alloc_subchannel()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Salah Triki · Jan 30, 2026 · Fixed in 6.6.128 · via kernel-cna
1 file changed · +1 2
  • drivers/s390/cio/css.c · +1 2 · modified
    diff --git a/drivers/s390/cio/css.c b/drivers/s390/cio/css.c
    index 3ff46fc694f85e..e50592c3d30ca0 100644
    --- a/drivers/s390/cio/css.c
    +++ b/drivers/s390/cio/css.c
    @@ -247,7 +247,7 @@ struct subchannel *css_alloc_subchannel(struct subchannel_id schid,
     err_lock:
     	kfree(sch->lock);
     err:
    -	kfree(sch);
    +	put_device(&sch->dev);
     	return ERR_PTR(ret);
     }
     
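Review bot: the 6.6 backport carries the same err_lock: kfree(sch->lock); fall-through into put_device(&sch->dev); as the other trees that still allocate the lock separately. Please verify against this tree's release callback that sch->lock is not freed a second time from release after the kfree() at err_lock, and that no goto err is reachable before device_initialize(), where put_device() would warn and leak the subchannel instead of freeing it.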
f96c5ccf95ae

s390/cio: Fix device lifecycle handling in css_alloc_subchannel()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Salah Triki · Jan 30, 2026 · Fixed in 6.12.75 · via kernel-cna
1 file changed · +1 2
  • drivers/s390/cio/css.c · +1 2 · modified
    diff --git a/drivers/s390/cio/css.c b/drivers/s390/cio/css.c
    index 7b59d20bf7850e..61be7c0550bc41 100644
    --- a/drivers/s390/cio/css.c
    +++ b/drivers/s390/cio/css.c
    @@ -236,7 +236,7 @@ struct subchannel *css_alloc_subchannel(struct subchannel_id schid,
     	return sch;
     
     err:
    -	kfree(sch);
    +	put_device(&sch->dev);
     	return ERR_PTR(ret);
     }
     
6715560527e3

s390/cio: Fix device lifecycle handling in css_alloc_subchannel()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Salah Triki · Jan 30, 2026 · Fixed in 6.18.14 · via kernel-cna
1 file changed · +1 2
  • drivers/s390/cio/css.c · +1 2 · modified
    diff --git a/drivers/s390/cio/css.c b/drivers/s390/cio/css.c
    index be78a57f9bfdef..8a70596a55447c 100644
    --- a/drivers/s390/cio/css.c
    +++ b/drivers/s390/cio/css.c
    @@ -236,7 +236,7 @@ struct subchannel *css_alloc_subchannel(struct subchannel_id schid,
     	return sch;
     
     err:
    -	kfree(sch);
    +	put_device(&sch->dev);
     	return ERR_PTR(ret);
     }
     
c35cfbb5341b

s390/cio: Fix device lifecycle handling in css_alloc_subchannel()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Salah Triki · Jan 30, 2026 · Fixed in 6.19.4 · via kernel-cna
1 file changed · +1 2
  • drivers/s390/cio/css.c · +1 2 · modified
    diff --git a/drivers/s390/cio/css.c b/drivers/s390/cio/css.c
    index 4c85df7a548ef1..ac24e019020e89 100644
    --- a/drivers/s390/cio/css.c
    +++ b/drivers/s390/cio/css.c
    @@ -235,7 +235,7 @@ struct subchannel *css_alloc_subchannel(struct subchannel_id schid,
     	return sch;
     
     err:
    -	kfree(sch);
    +	put_device(&sch->dev);
     	return ERR_PTR(ret);
     }
     

Vulnerability mechanics

Root cause

"Improper device lifecycle management: after device_initialize(), the error path calls kfree() instead of put_device(), bypassing reference counting."

Attack vector

An attacker cannot directly trigger this bug from userspace; it is a local error path issue that occurs when `dma_set_coherent_mask()` or `dma_set_mask()` fails during subchannel allocation on s390 hardware. If either DMA mask setup call fails, the error path frees the subchannel structure directly with `kfree()` after `device_initialize()` has already been called, violating the device model's lifecycle contract. This can lead to use-after-free or double-free conditions if another reference to the device is still held elsewhere [patch_id=2660759].

Affected code

The bug is in `css_alloc_subchannel()` in `drivers/s390/cio/css.c`. The function calls `device_initialize()` on the embedded `struct device` before setting up DMA masks, but the error path (label `err:`) used `kfree(sch)` instead of `put_device(&sch->dev)`, bypassing the device model's reference counting [patch_id=2660759].

What the fix does

The patch replaces `kfree(sch)` with `put_device(&sch->dev)` in the `err:` label of `css_alloc_subchannel()` [patch_id=2660759]. After `device_initialize()` has been called, the kernel's device model requires that the initial reference be dropped via `put_device()`, which invokes the release callback to free the container structure. Using `kfree()` directly bypasses this mechanism and can lead to use-after-free or double-free. The one-line change ensures proper device lifecycle handling.
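To make the lifecycle rule concrete, the following is an added userspace model written for this page; it is not kernel code and not the author's patch. The `struct device`, `device_initialize()`, `put_device()` and `dma_set_mask()` here are stand-ins for the kernel primitives (an assumption of the model), and `alloc_subchannel()` is a hypothetical sketch of `css_alloc_subchannel()` with two switches: the DMA-mask failure the CVE describes, and an earlier failure injected before `device_initialize()`, which the hunk on the page does not show but which matters for the fix. The model reports, for each error style, whether the release callback ran, what refcount was still held when memory was freed, and whether the container leaked, going one step beyond the page by also showing what `put_device()` does on a device that was never initialized.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace stand-ins for the kernel primitives (assumption of this model, not
 * linux/device.h): device_initialize() takes the initial reference and
 * put_device() drops one, running the release callback at zero. */
struct device {
	int refcount;
	int initialized;
	void (*release)(struct device *dev);
};

struct subchannel {
	unsigned long dma_mask;
	struct device dev;          /* embedded; the container is freed by release */
};

/* What one run of the model reports. */
struct outcome {
	int release_calls;          /* times the release callback ran */
	int refcount_at_free;       /* refcount still held when memory was freed */
	int leaked;                 /* container was never freed */
	int warned;                 /* put_device() hit an uninitialized device */
};

static struct outcome *cur;     /* outcome being filled by the current run */

static void device_initialize(struct device *dev)
{
	dev->refcount = 1;
	dev->initialized = 1;
}

/* Mirrors kobject_put(): on an uninitialized kobject the kernel only warns;
 * the release callback never runs, so the container is leaked. */
static int put_device(struct device *dev)
{
	if (!dev->initialized)
		return -EINVAL;
	if (--dev->refcount == 0)
		dev->release(dev);
	return 0;
}

static void css_subchannel_release(struct device *dev)
{
	struct subchannel *sch =
		(struct subchannel *)((char *)dev - offsetof(struct subchannel, dev));

	cur->release_calls++;
	cur->refcount_at_free = dev->refcount;
	cur->leaked = 0;
	free(sch);
}

/* Failure injection standing in for dma_set_coherent_mask()/dma_set_mask(). */
static int dma_set_mask(struct subchannel *sch, unsigned long mask, int fail)
{
	if (fail)
		return -EIO;
	sch->dma_mask = mask;
	return 0;
}

enum err_style { ERR_KFREE, ERR_PUT_DEVICE };

/* Hypothetical model of css_alloc_subchannel(). fail_early injects an error
 * before device_initialize(); fail_dma injects the DMA-mask failure from the
 * CVE. style selects the pre-fix kfree() or the fixed put_device(). */
static struct outcome alloc_subchannel(enum err_style style, int fail_early, int fail_dma)
{
	struct outcome o = { 0, 0, 1, 0 };
	struct subchannel *sch;
	int ret;

	cur = &o;
	sch = calloc(1, sizeof(*sch));
	if (!sch)
		return o;

	if (fail_early) {                  /* e.g. a validation step failing */
		ret = -ENODEV;
		goto err;
	}

	sch->dev.release = css_subchannel_release;
	device_initialize(&sch->dev);

	ret = dma_set_mask(sch, 0x7fffffffUL, fail_dma);
	if (ret)
		goto err;

	put_device(&sch->dev);             /* success: caller drops its reference */
	return o;

err:
	if (style == ERR_KFREE) {
		/* The bug: the reference taken by device_initialize() is still
		 * held and release is bypassed, so a later put_device() on this
		 * device would touch freed memory. */
		o.refcount_at_free = sch->dev.refcount;
		o.leaked = 0;
		free(sch);
	} else if (put_device(&sch->dev) < 0) {
		o.warned = 1;                  /* err reached before initialization */
		free(sch);                     /* the kernel would leak it; freed here only to keep the model clean */
	}
	return o;
}

int main(void)
{
	struct outcome bug = alloc_subchannel(ERR_KFREE, 0, 1);
	struct outcome fix = alloc_subchannel(ERR_PUT_DEVICE, 0, 1);
	struct outcome early = alloc_subchannel(ERR_PUT_DEVICE, 1, 0);

	printf("kfree() on DMA failure:      release ran %d time(s), refcount at free %d\n",
	       bug.release_calls, bug.refcount_at_free);
	printf("put_device() on DMA failure: release ran %d time(s)\n", fix.release_calls);
	printf("put_device() before init:    warned %d, leaked %d\n", early.warned, early.leaked);
	return 0;
}
```

The two DMA-failure runs show the difference the one-line fix makes: with `kfree()` the container is freed while the device still holds its initial reference and the release callback never runs; with `put_device()` the reference drops to zero and release frees the container. The third run is the caveat a reviewer of the backports would raise: `put_device()` only works once `device_initialize()` has run, so any jump to the same error label from before that point needs its own `kfree()` path.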

Preconditions

  • input: The s390 hardware or emulation must cause dma_set_coherent_mask() or dma_set_mask() to fail during subchannel allocation
  • auth: No special privileges required; the bug is in a kernel allocation path reachable during normal device discovery

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 8

News mentions: 0

No linked articles in our index yet.