1. Patchew
  2. linux
  3. [PATCH 00/14] iommu: fix device leaks
  4. View patch

[PATCH 11/14] iommu/omap: fix device leaks on probe_device()

Johan Hovold posted 14 patches 4 months, 2 weeks ago
There is a newer version of this series
[PATCH 11/14] iommu/omap: fix device leaks on probe_device()
Posted by Johan Hovold 4 months, 2 weeks ago 
Make sure to drop the reference taken to the iommu platform devices
during probe_device() on errors and when the device is later released.

Fixes: 9d5018deec86 ("iommu/omap: Add support to program multiple iommus")
Fixes: 7d6827748d54 ("iommu/omap: Fix iommu archdata name for DT-based devices")
Cc: stable@vger.kernel.org	# 3.18
Cc: Suman Anna <s-anna@ti.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
---
 drivers/iommu/omap-iommu.c | 27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)

diff --git a/drivers/iommu/omap-iommu.c b/drivers/iommu/omap-iommu.c
index 6fb93927bdb9..77023d49bd24 100644
--- a/drivers/iommu/omap-iommu.c
+++ b/drivers/iommu/omap-iommu.c
@@ -1636,7 +1636,7 @@ static struct iommu_device *omap_iommu_probe_device(struct device *dev)
 	struct platform_device *pdev;
 	struct omap_iommu *oiommu;
 	struct device_node *np;
-	int num_iommus, i;
+	int num_iommus, i, ret;
 
 	/*
 	 * Allocate the per-device iommu structure for DT-based devices.
@@ -1663,22 +1663,22 @@ static struct iommu_device *omap_iommu_probe_device(struct device *dev)
 	for (i = 0, tmp = arch_data; i < num_iommus; i++, tmp++) {
 		np = of_parse_phandle(dev->of_node, "iommus", i);
 		if (!np) {
-			kfree(arch_data);
-			return ERR_PTR(-EINVAL);
+			ret = -EINVAL;
+			goto err_put_iommus;
 		}
 
 		pdev = of_find_device_by_node(np);
 		if (!pdev) {
 			of_node_put(np);
-			kfree(arch_data);
-			return ERR_PTR(-ENODEV);
+			ret = -ENODEV;
+			goto err_put_iommus;
 		}
 
 		oiommu = platform_get_drvdata(pdev);
 		if (!oiommu) {
 			of_node_put(np);
-			kfree(arch_data);
-			return ERR_PTR(-EINVAL);
+			ret = -EINVAL;
+			goto err_put_iommus;
 		}
 
 		tmp->iommu_dev = oiommu;
@@ -1697,17 +1697,28 @@ static struct iommu_device *omap_iommu_probe_device(struct device *dev)
 	oiommu = arch_data->iommu_dev;
 
 	return &oiommu->iommu;
+
+err_put_iommus:
+	for (tmp = arch_data; tmp->dev; tmp++)
+		put_device(tmp->dev);
+
+	kfree(arch_data);
+
+	return ERR_PTR(ret);
 }
 
 static void omap_iommu_release_device(struct device *dev)
 {
 	struct omap_iommu_arch_data *arch_data = dev_iommu_priv_get(dev);
+	struct omap_iommu_arch_data *tmp;
 
 	if (!dev->of_node || !arch_data)
 		return;
 
-	kfree(arch_data);
+	for (tmp = arch_data; tmp->dev; tmp++)
+		put_device(tmp->dev);
 
+	kfree(arch_data);
 }
 
 static int omap_iommu_of_xlate(struct device *dev, const struct of_phandle_args *args)
-- 
2.49.1
Re: [PATCH 11/14] iommu/omap: fix device leaks on probe_device()
Posted by Robin Murphy 4 months, 1 week ago 
On 2025-09-25 1:27 pm, Johan Hovold wrote:
> Make sure to drop the reference taken to the iommu platform devices
> during probe_device() on errors and when the device is later released.
> 
> Fixes: 9d5018deec86 ("iommu/omap: Add support to program multiple iommus")
> Fixes: 7d6827748d54 ("iommu/omap: Fix iommu archdata name for DT-based devices")
> Cc: stable@vger.kernel.org	# 3.18
> Cc: Suman Anna <s-anna@ti.com>
> Signed-off-by: Johan Hovold <johan@kernel.org>
> ---
>   drivers/iommu/omap-iommu.c | 27 +++++++++++++++++++--------
>   1 file changed, 19 insertions(+), 8 deletions(-)
> 
> diff --git a/drivers/iommu/omap-iommu.c b/drivers/iommu/omap-iommu.c
> index 6fb93927bdb9..77023d49bd24 100644
> --- a/drivers/iommu/omap-iommu.c
> +++ b/drivers/iommu/omap-iommu.c
> @@ -1636,7 +1636,7 @@ static struct iommu_device *omap_iommu_probe_device(struct device *dev)
>   	struct platform_device *pdev;
>   	struct omap_iommu *oiommu;
>   	struct device_node *np;
> -	int num_iommus, i;
> +	int num_iommus, i, ret;
>   
>   	/*
>   	 * Allocate the per-device iommu structure for DT-based devices.
> @@ -1663,22 +1663,22 @@ static struct iommu_device *omap_iommu_probe_device(struct device *dev)
>   	for (i = 0, tmp = arch_data; i < num_iommus; i++, tmp++) {
>   		np = of_parse_phandle(dev->of_node, "iommus", i);
>   		if (!np) {
> -			kfree(arch_data);
> -			return ERR_PTR(-EINVAL);
> +			ret = -EINVAL;
> +			goto err_put_iommus;
>   		}
>   
>   		pdev = of_find_device_by_node(np);
>   		if (!pdev) {
>   			of_node_put(np);
> -			kfree(arch_data);
> -			return ERR_PTR(-ENODEV);
> +			ret = -ENODEV;
> +			goto err_put_iommus;
>   		}
>   
>   		oiommu = platform_get_drvdata(pdev);
>   		if (!oiommu) {
>   			of_node_put(np);
> -			kfree(arch_data);
> -			return ERR_PTR(-EINVAL);
> +			ret = -EINVAL;
> +			goto err_put_iommus;
>   		}
>   
>   		tmp->iommu_dev = oiommu;
> @@ -1697,17 +1697,28 @@ static struct iommu_device *omap_iommu_probe_device(struct device *dev)
>   	oiommu = arch_data->iommu_dev;
>   
>   	return &oiommu->iommu;
> +
> +err_put_iommus:
> +	for (tmp = arch_data; tmp->dev; tmp++)
> +		put_device(tmp->dev);

This should just pair with the of_node_put() calls (other than the first 
one, of course), i.e. do it in the success path as well and drop the 
release_device change below. It doesn't serve any purpose for client 
devices to hold additional references on the IOMMU device when those are 
strictly within the lifetime of the IOMMU driver being bound to it anyway.

Thanks,
Robin.

> +
> +	kfree(arch_data);
> +
> +	return ERR_PTR(ret);
>   }
>   
>   static void omap_iommu_release_device(struct device *dev)
>   {
>   	struct omap_iommu_arch_data *arch_data = dev_iommu_priv_get(dev);
> +	struct omap_iommu_arch_data *tmp;
>   
>   	if (!dev->of_node || !arch_data)
>   		return;
>   
> -	kfree(arch_data);
> +	for (tmp = arch_data; tmp->dev; tmp++)
> +		put_device(tmp->dev);
>   
> +	kfree(arch_data);
>   }
>   
>   static int omap_iommu_of_xlate(struct device *dev, const struct of_phandle_args *args)
Re: [PATCH 11/14] iommu/omap: fix device leaks on probe_device()
Posted by Johan Hovold 4 months, 1 week ago 
On Thu, Oct 02, 2025 at 01:05:08PM +0100, Robin Murphy wrote:
> On 2025-09-25 1:27 pm, Johan Hovold wrote:

> > @@ -1663,22 +1663,22 @@ static struct iommu_device *omap_iommu_probe_device(struct device *dev)
> >   	for (i = 0, tmp = arch_data; i < num_iommus; i++, tmp++) {
> >   		np = of_parse_phandle(dev->of_node, "iommus", i);
> >   		if (!np) {
> > -			kfree(arch_data);
> > -			return ERR_PTR(-EINVAL);
> > +			ret = -EINVAL;
> > +			goto err_put_iommus;
> >   		}
> >   
> >   		pdev = of_find_device_by_node(np);
> >   		if (!pdev) {
> >   			of_node_put(np);
> > -			kfree(arch_data);
> > -			return ERR_PTR(-ENODEV);
> > +			ret = -ENODEV;
> > +			goto err_put_iommus;
> >   		}
> >   
> >   		oiommu = platform_get_drvdata(pdev);
> >   		if (!oiommu) {
> >   			of_node_put(np);
> > -			kfree(arch_data);
> > -			return ERR_PTR(-EINVAL);
> > +			ret = -EINVAL;
> > +			goto err_put_iommus;
> >   		}
> >   
> >   		tmp->iommu_dev = oiommu;
> > @@ -1697,17 +1697,28 @@ static struct iommu_device *omap_iommu_probe_device(struct device *dev)
> >   	oiommu = arch_data->iommu_dev;
> >   
> >   	return &oiommu->iommu;
> > +
> > +err_put_iommus:
> > +	for (tmp = arch_data; tmp->dev; tmp++)
> > +		put_device(tmp->dev);
> 
> This should just pair with the of_node_put() calls (other than the first 
> one, of course), i.e. do it in the success path as well and drop the 
> release_device change below. It doesn't serve any purpose for client 
> devices to hold additional references on the IOMMU device when those are 
> strictly within the lifetime of the IOMMU driver being bound to it anyway.

I kept the reference until release() (even if not strictly needed) as I
mistakenly thought the driver was using the arch data device pointer
directly.

Turns out that one has never been used so I'll drop it as well as part
of v2.

Johan

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.