If tce_iommu_take_ownership is unable to take ownership of
a specific IOMMU table, the unwinder in the error handler
could attempt to release ownership of an invalid table.

Check validity of each table in the unwinder before attempting
to release ownership.  Thanks to Alex Williamson for the initial
observation!

Signed-off-by: Timothy Pearson <[email protected]>
---
 drivers/vfio/vfio_iommu_spapr_tce.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/drivers/vfio/vfio_iommu_spapr_tce.c 
b/drivers/vfio/vfio_iommu_spapr_tce.c
index 60a50ce8701e..c012ecb42ebc 100644
--- a/drivers/vfio/vfio_iommu_spapr_tce.c
+++ b/drivers/vfio/vfio_iommu_spapr_tce.c
@@ -1219,10 +1219,15 @@ static int tce_iommu_take_ownership(struct 
tce_container *container,
 
                rc = iommu_take_ownership(tbl);
                if (rc) {
-                       for (j = 0; j < i; ++j)
-                               iommu_release_ownership(
-                                               table_group->tables[j]);
+                       for (j = 0; j < i; ++j) {
+                               struct iommu_table *tbl =
+                                       table_group->tables[j];
 
+                               if (!tbl || !tbl->it_map)
+                                       continue;
+
+                               iommu_release_ownership(table_group->tables[j]);
+                       }
                        return rc;
                }
        }
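Review bot: the `struct iommu_table *tbl` declared inside the unwind loop shadows the outer `tbl` that was just passed to `iommu_take_ownership(tbl)`, and the release call then ignores the new local and reads `table_group->tables[j]` a second time. Either rename the inner variable or reuse the outer one (`tbl = table_group->tables[j];`, which is safe since the function returns `rc` right after the loop), and call `iommu_release_ownership(tbl);` so the pointer that passed the `!tbl || !tbl->it_map` check is the one that is released. That also brings the call line back under the usual line-length limit.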
-- 
2.30.2
