[PATCH 4/8] iommu/qcom: Fix pgtbl_ops leak in qcom_iommu_init_domain() error path

From: Mukesh Ojha

Date: Tue Jun 23 2026 - 08:21:50 EST


alloc_io_pgtable_ops() can succeed and then qcom_scm_restore_sec_cfg()
can fail for one of the context banks. The goto out_clear_iommu path
only cleared qcom_domain->iommu; the locally allocated pgtbl_ops was
never freed, leaking it permanently since qcom_domain->pgtbl_ops is only
assigned on the success path.

free_io_pgtable_ops() safely handles a NULL argument (covers the case
where alloc_io_pgtable_ops() itself failed), so add it unconditionally in
the out_clear_iommu handler.

Signed-off-by: Mukesh Ojha <mukesh.ojha@xxxxxxxxxxxxxxxx>
---
drivers/iommu/arm/arm-smmu/qcom_iommu.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/iommu/arm/arm-smmu/qcom_iommu.c b/drivers/iommu/arm/arm-smmu/qcom_iommu.c
index 4e714a8e1fac..b6ce85f7f923 100644
--- a/drivers/iommu/arm/arm-smmu/qcom_iommu.c
+++ b/drivers/iommu/arm/arm-smmu/qcom_iommu.c
@@ -314,6 +314,7 @@ static int qcom_iommu_init_domain(struct iommu_domain *domain,
return 0;

out_clear_iommu:
+ free_io_pgtable_ops(pgtbl_ops);
qcom_domain->iommu = NULL;
out_unlock:
mutex_unlock(&qcom_domain->init_mutex);
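Review bot: the free_io_pgtable_ops(pgtbl_ops) added under out_clear_iommu is only safe if nothing still references the table when this label is reached. The commit message says qcom_scm_restore_sec_cfg() can fail "for one of the context banks", which implies earlier banks may already have been handled. If any of those were already programmed with this page table before the failure, freeing it here leaves the hardware walking freed memory. Please confirm that no bank is live at this point, or tear down the already-configured banks before the free. The call also depends on pgtbl_ops being either NULL or a valid pointer on every goto to this label, so it is worth stating in the message that the local is assigned before the first such goto. Since this fixes a leak in an existing error path, a Fixes: tag naming the commit that introduced it would help stable backports.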
--
2.53.0