Re: [PATCH V2] iommu/sva: Fix crash in iommu_sva_unbind_device()

Next message: Mika Penttil&#xE4;: "Re: [PATCH v5 2/6] mm: Add helper to convert HMM pfn to migrate pfn"
Previous message: Conor Dooley: "Re: [PATCH 1/4] riscv: add UltraRISC SoC family Kconfig support"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jörg Rödel

Date: Tue Mar 17 2026 - 09:06:58 EST

On Wed, Mar 04, 2026 at 10:18:42PM -0800, Lizhi Hou wrote:
> domain->mm->iommu_mm can be freed by iommu_domain_free():
> iommu_domain_free()
> mmdrop()
> __mmdrop()
> mm_pasid_drop()
> After iommu_domain_free() returns, accessing domain->mm->iommu_mm may
> dereference a freed mm structure, leading to a crash.
>
> Fix this by moving the code that accesses domain->mm->iommu_mm to before
> the call to iommu_domain_free().
>
> Fixes: e37d5a2d60a3 ("iommu/sva: invalidate stale IOTLB entries for kernel address space")
> Signed-off-by: Lizhi Hou <lizhi.hou@xxxxxxx>
> ---
> drivers/iommu/iommu-sva.c | 12 ++++++------
> 1 file changed, 6 insertions(+), 6 deletions(-)

Applied, thanks.