Re: [PATCH V2] iommu/sva: Fix crash in iommu_sva_unbind_device()

[Baolu Lu]

On 3/5/26 14:18, Lizhi Hou wrote:
> domain->mm->iommu_mm can be freed by iommu_domain_free():
>    iommu_domain_free()
>      mmdrop()
>        __mmdrop()
>          mm_pasid_drop()
> After iommu_domain_free() returns, accessing domain->mm->iommu_mm may
> dereference a freed mm structure, leading to a crash.
>
> Fix this by moving the code that accesses domain->mm->iommu_mm to before
> the call to iommu_domain_free().
>
> Fixes: e37d5a2d60a3 ("iommu/sva: invalidate stale IOTLB entries for kernel address space")
> Signed-off-by: Lizhi Hou<lizhi.hou@xxxxxxx>

Reviewed-by: Lu Baolu <baolu.lu@xxxxxxxxxxxxxxx>