Commit 06e14c36 authored Mar 04, 2026 by Lizhi Hou Committed by Joerg Roedel Mar 17, 2026

iommu/sva: Fix crash in iommu_sva_unbind_device()



domain->mm->iommu_mm can be freed by iommu_domain_free():
  iommu_domain_free()
    mmdrop()
      __mmdrop()
        mm_pasid_drop()
After iommu_domain_free() returns, accessing domain->mm->iommu_mm may
dereference a freed mm structure, leading to a crash.

Fix this by moving the code that accesses domain->mm->iommu_mm to before
the call to iommu_domain_free().

Fixes: e37d5a2d ("iommu/sva: invalidate stale IOTLB entries for kernel address space")
Signed-off-by: Lizhi Hou <lizhi.hou@amd.com>
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Reviewed-by: Yi Liu <yi.l.liu@intel.com>
Reviewed-by: Vasant Hegde <vasant.hegde@amd.com>
Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>

parent 45c6a2dc

drivers/iommu/iommu-sva.c

+6 −6

Original line number	Diff line number	Diff line
		@@ -182,15 +182,15 @@ void iommu_sva_unbind_device(struct iommu_sva *handle)
		iommu_detach_device_pasid(domain, dev, iommu_mm->pasid);
		if (--domain->users == 0) {
		list_del(&domain->next);
		iommu_domain_free(domain);
		}

		if (list_empty(&iommu_mm->sva_domains)) {
		list_del(&iommu_mm->mm_list_elm);
		if (list_empty(&iommu_sva_mms))
		iommu_sva_present = false;
		}

		iommu_domain_free(domain);
		}

		mutex_unlock(&iommu_sva_lock);
		kfree(handle);
		}