From: Yunfei Wang <yf.wang@xxxxxxxxxxxx> In __arm_v7s_alloc_table function: iommu call kmem_cache_alloc to allocate page table, this function allocate memory may fail, when kmem_cache_alloc fails to allocate table, call virt_to_phys will be abnomal and return unexpected phys and goto out_free, then call kmem_cache_free to release table will trigger KE, __get_free_pages and free_pages have similar problem, so add error handle for page table allocation failure. Fixes: 29859aeb8a6ea ("iommu/io-pgtable-arm-v7s: Abort allocation when table address overflows the PTE") Signed-off-by: Yunfei Wang <yf.wang@xxxxxxxxxxxx> Cc: <stable@xxxxxxxxxxxxxxx> # 5.10.* --- V2: Cc stable@xxxxxxxxxxxxxxx 1. This patch needs to be merged stable branch, add stable@xxxxxxxxxxxxxxx in mail list. 2. There is No new code change in V2. --- drivers/iommu/io-pgtable-arm-v7s.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/iommu/io-pgtable-arm-v7s.c b/drivers/iommu/io-pgtable-arm-v7s.c index bfb6acb651e5..d84240308f4b 100644 --- a/drivers/iommu/io-pgtable-arm-v7s.c +++ b/drivers/iommu/io-pgtable-arm-v7s.c @@ -246,6 +246,12 @@ static void *__arm_v7s_alloc_table(int lvl, gfp_t gfp, __GFP_ZERO | ARM_V7S_TABLE_GFP_DMA, get_order(size)); else if (lvl == 2) table = kmem_cache_zalloc(data->l2_tables, gfp); + + if (!table) { + dev_err(dev, "Page table allocation failure lvl:%d\n", lvl); + return NULL; + } + phys = virt_to_phys(table); if (phys != (arm_v7s_iopte)phys) { /* Doesn't fit in PTE */ -- 2.18.0