git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Lizhi Hou <lizhi.hou@amd.com>
	Thu, 5 Mar 2026 06:18:42 +0000 (22:18 -0800)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 25 Mar 2026 10:13:31 +0000 (11:13 +0100)
commit	f5daaa2c959d9f894fb5b1ab76da8612dd220a0d
tree	ab583149b79c15234ad7720f6f217b95b08d1b04	tree \| snapshot
parent	6fd867fabd65061f29a9ee63d7047adee972b331	commit \| diff

iommu/sva: Fix crash in iommu_sva_unbind_device()

[ Upstream commit 06e14c36e20b48171df13d51b89fe67c594ed07a ]

domain->mm->iommu_mm can be freed by iommu_domain_free():
  iommu_domain_free()
    mmdrop()
      __mmdrop()
        mm_pasid_drop()
After iommu_domain_free() returns, accessing domain->mm->iommu_mm may
dereference a freed mm structure, leading to a crash.

Fix this by moving the code that accesses domain->mm->iommu_mm to before
the call to iommu_domain_free().

Fixes: e37d5a2d60a3 ("iommu/sva: invalidate stale IOTLB entries for kernel address space")
Signed-off-by: Lizhi Hou <lizhi.hou@amd.com>
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Reviewed-by: Yi Liu <yi.l.liu@intel.com>
Reviewed-by: Vasant Hegde <vasant.hegde@amd.com>
Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>