From: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
To: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>,
Rob Clark <robin.clark@oss.qualcomm.com>,
Will Deacon <will@kernel.org>,
"Joerg Roedel (AMD)" <joro@8bytes.org>
Cc: Robin Murphy <robin.murphy@arm.com>,
iommu@lists.linux.dev, linux-arm-msm@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 4/8] iommu/qcom: Fix pgtbl_ops leak in qcom_iommu_init_domain() error path
Date: Tue, 23 Jun 2026 18:09:43 +0200
Message-ID: <aa1471ac-bd1d-4e1f-b61c-3db86d2e31aa@oss.qualcomm.com>
In-Reply-To: <20260623122034.1166295-5-mukesh.ojha@oss.qualcomm.com>
On 6/23/26 2:20 PM, Mukesh Ojha wrote:
> alloc_io_pgtable_ops() can succeed and then qcom_scm_restore_sec_cfg()
> can fail for one of the context banks. The goto out_clear_iommu path
> only cleared qcom_domain->iommu; the locally allocated pgtbl_ops was
> never freed, leaking it permanently since qcom_domain->pgtbl_ops is only
> assigned on the success path.
>
> free_io_pgtable_ops() safely handles a NULL argument (covers the case
> where alloc_io_pgtable_ops() itself failed), so add it unconditionally in
> the out_clear_iommu handler.
>
> Signed-off-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
> ---
> drivers/iommu/arm/arm-smmu/qcom_iommu.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/iommu/arm/arm-smmu/qcom_iommu.c b/drivers/iommu/arm/arm-smmu/qcom_iommu.c
> index 4e714a8e1fac..b6ce85f7f923 100644
> --- a/drivers/iommu/arm/arm-smmu/qcom_iommu.c
> +++ b/drivers/iommu/arm/arm-smmu/qcom_iommu.c
> @@ -314,6 +314,7 @@ static int qcom_iommu_init_domain(struct iommu_domain *domain,
> return 0;
>
> out_clear_iommu:
> + free_io_pgtable_ops(pgtbl_ops);
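
Review bot: the unconditional free_io_pgtable_ops(pgtbl_ops) added under out_clear_iommu is only safe if pgtbl_ops is either NULL or a live allocation on every goto that reaches this label. The hunk does not show the declaration or the jump sites, so please confirm that no goto out_clear_iommu can run before pgtbl_ops has been assigned from alloc_io_pgtable_ops(), or initialize the local to NULL at its declaration. The commit message also carries no Fixes: tag; since this closes a leak on the qcom_scm_restore_sec_cfg() failure path, adding one would make the change easier to backport.
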
This label is also jumped to when alloc_io_pgtable_ops() succeeds,
but there's a NULL check inside, so I guess it's fine
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Konrad