iommu/iova: Add NULL check in iova_magazine_free()

lynn · joergroedel · commit fa8fb60d3637 · 2026-03-17T13:28:37.000+01:00
When iova_domain_init_rcaches() fails to allocate an iova_magazine
during the initialization of per-cpu rcaches, it jumps to out_err and
calls free_iova_rcaches() for cleanup.

In free_iova_rcaches(), the code iterates through all possible CPUs to
free both cpu_rcache-&gt;loaded and cpu_rcache-&gt;prev. However, if the
original allocation failed mid-way through the CPU loop, the pointers
for the remaining CPUs remain NULL.

Since kmem_cache_free() does not explicitly handle NULL pointers like
kfree() does, passing these NULL pointers leads to a kernel paging
request fault.

Add a NULL check in iova_magazine_free() to safely handle partially
initialized rcaches in error paths.

Signed-off-by: lynn &lt;liulynn@google.com&gt;
Signed-off-by: Joerg Roedel &lt;joerg.roedel@amd.com&gt;
diff --git a/drivers/iommu/iova.c b/drivers/iommu/iova.c
@@ -611,7 +611,8 @@ static struct iova_magazine *iova_magazine_alloc(gfp_t flags)
 
 static void iova_magazine_free(struct iova_magazine *mag)
 {
-	kmem_cache_free(iova_magazine_cache, mag);
+	if (mag)
+		kmem_cache_free(iova_magazine_cache, mag);
 }
 
 static void

Original file line number	Diff line number	Diff line change
`@@ -611,7 +611,8 @@ static struct iova_magazine *iova_magazine_alloc(gfp_t flags)`
`611`	`611`
`612`	`612`	`static void iova_magazine_free(struct iova_magazine *mag)`
`613`	`613`	`{`
`614`		`- kmem_cache_free(iova_magazine_cache, mag);`
	`614`	`+ if (mag)`
	`615`	`+ kmem_cache_free(iova_magazine_cache, mag);`
`615`	`616`	`}`
`616`	`617`
`617`	`618`	`static void`