If tce_iommu_take_ownership is unable to take ownership of a specific IOMMU table, the unwinder in the error handler could attempt to release ownership of an invalid table. Check validity of each table in the unwinder before attempting to release ownership. Thanks to Alex Williamson for the initial observation! Signed-off-by: Timothy Pearson <tpearson@xxxxxxxxxxxxxxxxxxxxx> --- drivers/vfio/vfio_iommu_spapr_tce.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/drivers/vfio/vfio_iommu_spapr_tce.c b/drivers/vfio/vfio_iommu_spapr_tce.c index 60a50ce8701e..c012ecb42ebc 100644 --- a/drivers/vfio/vfio_iommu_spapr_tce.c +++ b/drivers/vfio/vfio_iommu_spapr_tce.c @@ -1219,10 +1219,15 @@ static int tce_iommu_take_ownership(struct tce_container *container, rc = iommu_take_ownership(tbl); if (rc) { - for (j = 0; j < i; ++j) - iommu_release_ownership( - table_group->tables[j]); + for (j = 0; j < i; ++j) { + struct iommu_table *tbl = + table_group->tables[j]; + if (!tbl || !tbl->it_map) + continue; + + iommu_release_ownership(table_group->tables[j]); + } return rc; } } -- 2.30.2
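Review bot: in the new unwinder block the local `struct iommu_table *tbl` shadows the `tbl` that the surrounding context passes to `iommu_take_ownership(tbl)` a few lines earlier, and the release call then ignores the new local anyway and re-indexes `table_group->tables[j]`. Give the inner pointer its own name and use it for the release so the check and the call act on the same object, e.g. `struct iommu_table *tbl_j = table_group->tables[j];` ... `if (!tbl_j || !tbl_j->it_map) continue;` ... `iommu_release_ownership(tbl_j);`. The skip condition `!tbl || !tbl->it_map` should also be the same one the forward loop uses before calling `iommu_take_ownership` (not visible in this hunk); if the two ever diverge, the unwinder will either release a table that was never taken or skip one that was, so a one-line comment tying the two conditions together would be worth adding.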