Re: [PATCH 6/8] iommu/qcom: Add NULL ctx check in TLB invalidation paths
From: Robin Murphy
Date: Tue Jun 23 2026 - 13:08:28 EST
On 23/06/2026 1:20 pm, Mukesh Ojha wrote:
to_ctx() returns qcom_iommu->ctxs[asid], which can be NULL if the
corresponding context bank failed to probe or was already removed.
qcom_iommu_tlb_sync(), qcom_iommu_tlb_inv_context(), and
qcom_iommu_tlb_inv_range_nosync() all dereference the returned pointer
directly, risking a NULL pointer dereference.
But if there's no context bank, then how has a domain been allocated in order to permit io-pgtable operations that would eventually call into qcom_flush_ops at all? Can you please clarify whether you've actually observed a real-world issue here, and if so how?
Thanks,
Robin.
Add WARN_ON(!ctx) guards with continue so TLB operations skip
broken context banks without crashing.
Signed-off-by: Mukesh Ojha <mukesh.ojha@xxxxxxxxxxxxxxxx>
---
drivers/iommu/arm/arm-smmu/qcom_iommu.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/iommu/arm/arm-smmu/qcom_iommu.c b/drivers/iommu/arm/arm-smmu/qcom_iommu.c
index 40fb0408dc07..51b60b296bb8 100644
--- a/drivers/iommu/arm/arm-smmu/qcom_iommu.c
+++ b/drivers/iommu/arm/arm-smmu/qcom_iommu.c
@@ -121,6 +121,9 @@ static void qcom_iommu_tlb_sync(void *cookie)
struct qcom_iommu_ctx *ctx = to_ctx(qcom_domain, fwspec->ids[i]);
unsigned int val, ret;
+ if (WARN_ON(!ctx))
+ continue;
+
iommu_writel(ctx, ARM_SMMU_CB_TLBSYNC, 0);
ret = readl_poll_timeout(ctx->base + ARM_SMMU_CB_TLBSTATUS, val,
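Review bot: the guard in qcom_iommu_tlb_sync() uses WARN_ON() on a per-id loop that runs on every TLB sync, so a ctxs[asid] entry that stays NULL for the lifetime of the attached domain will emit a full stack trace on each call; if the check is kept at all, WARN_ON_ONCE() records the condition without flooding the log. There is also a small style inconsistency: here `if (WARN_ON(!ctx))` directly follows the `unsigned int val, ret;` declaration with no blank line, whereas the other two hunks separate the declarations from the new check. Finally, the `continue` makes the sync return as if every id had been handled, so the commit message should say why skipping an id here is safe (presumably because a NULL ctx means no context bank was ever programmed for that asid), which ties back to the question above about how such a domain gets allocated in the first place.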
@@ -138,6 +141,10 @@ static void qcom_iommu_tlb_inv_context(void *cookie)
for (i = 0; i < fwspec->num_ids; i++) {
struct qcom_iommu_ctx *ctx = to_ctx(qcom_domain, fwspec->ids[i]);
+
+ if (WARN_ON(!ctx))
+ continue;
+
iommu_writel(ctx, ARM_SMMU_CB_S1_TLBIASID, ctx->asid);
}
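Review bot: this is the second copy of the same NULL check, and the three copies differ only in surrounding whitespace (this one is wrapped in blank lines on both sides). Rather than guarding every per-id loop, consider whether the fwspec->ids[] to ctxs[] mapping can be validated once, at the point where the domain is attached, so a missing context bank is rejected up front instead of being discovered and warned about on every invalidation; the commit message does not say whether that was considered or why it is not possible.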
@@ -157,6 +164,9 @@ static void qcom_iommu_tlb_inv_range_nosync(unsigned long iova, size_t size,
struct qcom_iommu_ctx *ctx = to_ctx(qcom_domain, fwspec->ids[i]);
size_t s = size;
+ if (WARN_ON(!ctx))
+ continue;
+
iova = (iova >> 12) << 12;
iova |= ctx->asid;
do {
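Review bot: skipping an id here silently drops the range invalidation for that context bank, and since qcom_iommu_tlb_inv_range_nosync() returns void the only signal is the WARN splat. The commit message currently describes the crash being avoided but not the resulting behaviour; it should state explicitly that a NULL ctx implies no hardware context bank exists for this asid and therefore no stale TLB entries can remain, otherwise a reader will reasonably read the `continue` as a correctness gap rather than a harmless skip. If that argument cannot be made, the right fix is to prevent the domain from reaching these ops with an absent bank rather than to tolerate it here.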