iommu/sva: Fix crash in iommu_sva_unbind_device()
authorLizhi Hou <lizhi.hou@amd.com>
Thu, 5 Mar 2026 06:18:42 +0000 (22:18 -0800)
committerJoerg Roedel <joerg.roedel@amd.com>
Tue, 17 Mar 2026 13:00:36 +0000 (14:00 +0100)
domain->mm->iommu_mm can be freed by iommu_domain_free():
  iommu_domain_free()
    mmdrop()
      __mmdrop()
        mm_pasid_drop()
After iommu_domain_free() returns, accessing domain->mm->iommu_mm may
dereference a freed mm structure, leading to a crash.

Fix this by moving the code that accesses domain->mm->iommu_mm to before
the call to iommu_domain_free().

Fixes: e37d5a2d60a3 ("iommu/sva: invalidate stale IOTLB entries for kernel address space")
Signed-off-by: Lizhi Hou <lizhi.hou@amd.com>
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Reviewed-by: Yi Liu <yi.l.liu@intel.com>
Reviewed-by: Vasant Hegde <vasant.hegde@amd.com>
Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
drivers/iommu/iommu-sva.c

index 07d64908a05fd792f966d8ee202e1983962a3a16..bc7c7232a43e2d5edde679b953e85380413a7f2b 100644 (file)
@@ -182,13 +182,13 @@ void iommu_sva_unbind_device(struct iommu_sva *handle)
        iommu_detach_device_pasid(domain, dev, iommu_mm->pasid);
        if (--domain->users == 0) {
                list_del(&domain->next);
-               iommu_domain_free(domain);
-       }
+               if (list_empty(&iommu_mm->sva_domains)) {
+                       list_del(&iommu_mm->mm_list_elm);
+                       if (list_empty(&iommu_sva_mms))
+                               iommu_sva_present = false;
+               }
 
-       if (list_empty(&iommu_mm->sva_domains)) {
-               list_del(&iommu_mm->mm_list_elm);
-               if (list_empty(&iommu_sva_mms))
-                       iommu_sva_present = false;
+               iommu_domain_free(domain);
        }
 
        mutex_unlock(&iommu_sva_lock);
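Review bot: The ordering this fix depends on is not recorded in the code: nothing at the `iommu_domain_free(domain);` call inside the `--domain->users == 0` branch says that it can drop the last mm reference and free `iommu_mm`, so a later cleanup could move the list bookkeeping back below it and reintroduce the use-after-free. I would add a comment directly above the call, e.g. `/* May drop the last mm reference and free iommu_mm (mmdrop -> mm_pasid_drop); iommu_mm must not be touched after this. */`. Folding the `list_empty(&iommu_mm->sva_domains)` check into the branch looks equivalent only if `sva_domains` can become empty solely through the `list_del(&domain->next)` just above, which is presumably the case but is not visible here. The function body starts and ends outside the hunk, so any remaining use of `iommu_mm` after `mutex_unlock()` should be checked as well.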