Re: [PATCH 4/8] iommu/qcom: Fix pgtbl_ops leak in qcom_iommu_init_domain() error path
From: Konrad Dybcio
Date: Tue Jun 23 2026 - 12:10:39 EST
On 6/23/26 2:20 PM, Mukesh Ojha wrote:
> alloc_io_pgtable_ops() can succeed and then qcom_scm_restore_sec_cfg()
> can fail for one of the context banks. The goto out_clear_iommu path
> only cleared qcom_domain->iommu; the locally allocated pgtbl_ops was
> never freed, leaking it permanently since qcom_domain->pgtbl_ops is only
> assigned on the success path.
>
> free_io_pgtable_ops() safely handles a NULL argument (covers the case
> where alloc_io_pgtable_ops() itself failed), so add it unconditionally in
> the out_clear_iommu handler.
>
> Signed-off-by: Mukesh Ojha <mukesh.ojha@xxxxxxxxxxxxxxxx>
> ---
> drivers/iommu/arm/arm-smmu/qcom_iommu.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/iommu/arm/arm-smmu/qcom_iommu.c b/drivers/iommu/arm/arm-smmu/qcom_iommu.c
> index 4e714a8e1fac..b6ce85f7f923 100644
> --- a/drivers/iommu/arm/arm-smmu/qcom_iommu.c
> +++ b/drivers/iommu/arm/arm-smmu/qcom_iommu.c
> @@ -314,6 +314,7 @@ static int qcom_iommu_init_domain(struct iommu_domain *domain,
> return 0;
>
> out_clear_iommu:
> + free_io_pgtable_ops(pgtbl_ops);
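Review bot: The added free_io_pgtable_ops(pgtbl_ops) at out_clear_iommu is only safe if pgtbl_ops is either NULL or a live allocation on every path that reaches the label; the hunk's single context line does not show the earlier goto from the alloc_io_pgtable_ops() failure check, so please confirm that pgtbl_ops is not an uninitialized local on that path (the commit message says it is NULL there, which free_io_pgtable_ops() accepts) and that no other goto to this label precedes the allocation. Placing the free ahead of the existing clearing of qcom_domain->iommu that the commit message describes is correct, since the ops are only published to qcom_domain->pgtbl_ops on the success path and nothing at the label reaches them through the domain. The message explains the leak well but carries no Fixes: tag; naming the commit that introduced the qcom_scm_restore_sec_cfg() failure jump would let stable pick this up.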
This label is also jumped to when alloc_io_pgtable_ops() succeeds,
but there's a NULL check inside, so I guess it's fine.
Reviewed-by: Konrad Dybcio <konrad.dybcio@xxxxxxxxxxxxxxxx>
Konrad
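The leak pattern the patch fixes, as an added stand-alone model (not the kernel's code and not the patch author's): a locally allocated object is published to the owning structure only on the success path, so an error jump taken after the allocation loses the only reference unless the label frees it. The `*_model` functions, the `fixed` flag, the failure knobs and the allocation counter are all constructed here for illustration; the real driver helpers are not reproduced.

```c
/* Constructed model of the qcom_iommu_init_domain() error path: names
 * ending in _model and the failure knobs below are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for struct io_pgtable_ops; only needs to be allocatable. */
struct pgtbl_ops { int dummy; };

/* Stand-in for struct qcom_iommu_domain: ops are stored on success only. */
struct domain {
	void *iommu;                 /* non-NULL once the domain is claimed */
	struct pgtbl_ops *pgtbl_ops; /* assigned on the success path only */
};

static int live_pgtbl_allocs;   /* allocations not yet freed (leak meter) */
static int fail_alloc;          /* make the allocator fail */
static int fail_scm_at_bank;    /* bank index whose secure init fails; -1 = never */
static int iommu_token;         /* something for d->iommu to point at */

/* Model of alloc_io_pgtable_ops(): NULL on failure. */
static struct pgtbl_ops *alloc_io_pgtable_ops_model(void)
{
	if (fail_alloc)
		return NULL;
	live_pgtbl_allocs++;
	return calloc(1, sizeof(struct pgtbl_ops));
}

/* Model of free_io_pgtable_ops(): tolerates NULL, as the commit message states. */
static void free_io_pgtable_ops_model(struct pgtbl_ops *ops)
{
	if (!ops)
		return;
	live_pgtbl_allocs--;
	free(ops);
}

/* Model of qcom_scm_restore_sec_cfg() for one context bank. */
static int qcom_scm_restore_sec_cfg_model(int bank)
{
	return bank == fail_scm_at_bank ? -EIO : 0;
}

/* Init routine in the shape of the patched function.
 * fixed == 0 reproduces the leak, fixed == 1 applies the one-line fix. */
static int init_domain_model(struct domain *d, int num_banks, int fixed)
{
	struct pgtbl_ops *pgtbl_ops;
	int i, ret = 0;

	d->iommu = &iommu_token;

	pgtbl_ops = alloc_io_pgtable_ops_model();
	if (!pgtbl_ops) {
		ret = -ENOMEM;
		goto out_clear_iommu;	/* pgtbl_ops is NULL here */
	}

	for (i = 0; i < num_banks; i++) {
		ret = qcom_scm_restore_sec_cfg_model(i);
		if (ret)
			goto out_clear_iommu;	/* pgtbl_ops is live here */
	}

	d->pgtbl_ops = pgtbl_ops;	/* only now does the domain own it */
	return 0;

out_clear_iommu:
	if (fixed)
		free_io_pgtable_ops_model(pgtbl_ops);	/* NULL-safe, so unconditional */
	d->iommu = NULL;
	return ret;
}

/* Runs one scenario and returns how many pgtbl_ops are still live afterwards;
 * a successfully initialised domain releases its ops so only leaks remain. */
int leaked_after(int do_fail_alloc, int scm_bank, int fixed)
{
	struct domain d = { 0 };

	live_pgtbl_allocs = 0;
	fail_alloc = do_fail_alloc;
	fail_scm_at_bank = scm_bank;
	(void)init_domain_model(&d, 2, fixed);
	free_io_pgtable_ops_model(d.pgtbl_ops);
	return live_pgtbl_allocs;
}

int main(void)
{
	printf("success path, unfixed:      %d leaked\n", leaked_after(0, -1, 0));
	printf("scm fails at bank 1, unfixed: %d leaked\n", leaked_after(0, 1, 0));
	printf("scm fails at bank 1, fixed:   %d leaked\n", leaked_after(0, 1, 1));
	printf("alloc fails, fixed:           %d leaked\n", leaked_after(1, -1, 1));
	return 0;
}
```

The second scenario is the bug: the secure-init failure on a later bank leaves one allocation outstanding per failed init, and since the domain never stored the pointer there is no later chance to free it. The last scenario exercises the NULL path Konrad's reply asks about, where the unconditional free at the label is a no-op.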