1. Patchew
  2. linux
  3. View series

[PATCH] iommu/iova: Add NULL check in iova_magazine_free()

Lynn Liu posted 1 patch 1 month, 2 weeks ago
There is a newer version of this series
drivers/iommu/iova.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
[PATCH] iommu/iova: Add NULL check in iova_magazine_free()
Posted by Lynn Liu 1 month, 2 weeks ago 
From: lynn <liulynn@google.com>

When iova_domain_init_rcaches() fails to allocate an iova_magazine
during the initialization of per-cpu rcaches, it jumps to out_err and
calls free_iova_rcaches() for cleanup.

In free_iova_rcaches(), the code iterates through all possible CPUs to
free both cpu_rcache->loaded and cpu_rcache->prev. However, if the
original allocation failed mid-way through the CPU loop, the pointers
for the remaining CPUs remain NULL.

Since kmem_cache_free() does not explicitly handle NULL pointers like
kfree() does, passing these NULL pointers leads to a kernel paging
request fault.

Add a NULL check in iova_magazine_free() to safely handle partially
initialized rcaches in error paths.

Signed-off-by: lynn <liulynn@google.com>
---
 drivers/iommu/iova.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/iommu/iova.c b/drivers/iommu/iova.c
index 18f839721813..e026be5e068b 100644
--- a/drivers/iommu/iova.c
+++ b/drivers/iommu/iova.c
@@ -611,7 +611,8 @@ static struct iova_magazine *iova_magazine_alloc(gfp_t flags)
 
 static void iova_magazine_free(struct iova_magazine *mag)
 {
-	kmem_cache_free(iova_magazine_cache, mag);
+	if (mag)
+		kmem_cache_free(iova_magazine_cache, mag);
 }
 
 static void
-- 
2.53.0.273.g2a3d683680-goog
Re: [PATCH] iommu/iova: Add NULL check in iova_magazine_free()
Posted by Jörg Rödel 2 weeks, 2 days ago 
On Sat, Feb 14, 2026 at 08:09:19AM +0000, Lynn Liu wrote:
> From: lynn <liulynn@google.com>
> 
> When iova_domain_init_rcaches() fails to allocate an iova_magazine
> during the initialization of per-cpu rcaches, it jumps to out_err and
> calls free_iova_rcaches() for cleanup.
> 
> In free_iova_rcaches(), the code iterates through all possible CPUs to
> free both cpu_rcache->loaded and cpu_rcache->prev. However, if the
> original allocation failed mid-way through the CPU loop, the pointers
> for the remaining CPUs remain NULL.
> 
> Since kmem_cache_free() does not explicitly handle NULL pointers like
> kfree() does, passing these NULL pointers leads to a kernel paging
> request fault.
> 
> Add a NULL check in iova_magazine_free() to safely handle partially
> initialized rcaches in error paths.
> 
> Signed-off-by: lynn <liulynn@google.com>
> ---
>  drivers/iommu/iova.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)

Applied, thanks.

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.