iommufd: Destroy the pages content after detaching from dmabuf

Sashiko points out this has gotten out of order, the mutex could still be
in use through the dmabuf invalidation callbacks. Don't destroy any of the
pages content until the dmabuf is fully detached.

Fixes: 71db84a092c3 ("iommufd: Add DMABUF to iopt_pages")
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>

diff --git a/drivers/iommu/iommufd/pages.c b/drivers/iommu/iommufd/pages.c
index 7b64002e54b9a2bef150560633decaa5a0138699..03c8379bbc347e4790d280b06cf4b7c565cdcf6c 100644 (file)
--- a/drivers/iommu/iommufd/pages.c
+++ b/drivers/iommu/iommufd/pages.c
@@ -1656,10 +1656,6 @@ void iopt_release_pages(struct kref *kref)
        WARN_ON(!RB_EMPTY_ROOT(&pages->domains_itree.rb_root));
        WARN_ON(pages->npinned);
        WARN_ON(!xa_empty(&pages->pinned_pfns));
-       mmdrop(pages->source_mm);
-       mutex_destroy(&pages->mutex);
-       put_task_struct(pages->source_task);
-       free_uid(pages->source_user);
        if (iopt_is_dmabuf(pages) && pages->dmabuf.attach) {
                struct dma_buf *dmabuf = pages->dmabuf.attach->dmabuf;
 
@@ -1672,6 +1668,10 @@ void iopt_release_pages(struct kref *kref)
        } else if (pages->type == IOPT_ADDRESS_FILE) {
                fput(pages->file);
        }
+       mmdrop(pages->source_mm);
+       mutex_destroy(&pages->mutex);
+       put_task_struct(pages->source_task);
+       free_uid(pages->source_user);
        kfree(pages);
 }