Commit 6ccbb613 authored May 08, 2026 by James Morse Committed by Catalin Marinas May 14, 2026

arm_mpam: Check whether the config array is allocated before destroying it



__destroy_component_cfg() is called to free the configuration array.
It uses the embedded 'garbage' structure, which means the array has
to be allocated.

If __destroy_component_cfg() is called from mpam_disable() before the
configuration was ever allocated, then a NULL pointer is dereferenced.

Check for this case and return early if the configuration is not
allocated.

__destroy_component_cfg() also frees the mbwu_state as this is allocated
by __allocate_component_cfg(). As the mbwu_state is allocated after
comp->cfg is set, and is also under mpam_list_lock, only the first
pointer needs checking.

Fixes: 3bd04fe7 ("arm_mpam: Extend reset logic to allow devices to be reset any time")
Cc: <stable@vger.kernel.org>
Signed-off-by: James Morse <james.morse@arm.com>
Reviewed-by: Ben Horgan <ben.horgan@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>

parent f1caff33

drivers/resctrl/mpam_devices.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -2581,6 +2581,9 @@ static void __destroy_component_cfg(struct mpam_component *comp)

		lockdep_assert_held(&mpam_list_lock);

		if (!comp->cfg)
		return;

		add_to_garbage(comp->cfg);
		list_for_each_entry(vmsc, &comp->vmsc, comp_list) {
		msc = vmsc->msc;