Re: [PATCH V1] iommu/sva: Fix crash in iommu_sva_unbind_device()

Next message: Jonathan Cameron: "Re: [PATCH] iio: adc: ade9000: fix wrong macro names in ADE9000_ST_ERROR"
Previous message: Ionut Nechita (Wind River): "[PATCH v4 1/1] PCI/IOV: Add reentrant locking in sriov_add_vfs/sriov_del_vfs for complete serialization"
In reply to: Lizhi Hou: "Re: [PATCH V1] iommu/sva: Fix crash in iommu_sva_unbind_device()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Yi Liu

Date: Sat Feb 28 2026 - 07:07:01 EST

On 2/26/26 06:09, Lizhi Hou wrote:

diff --git a/drivers/iommu/iommu-sva.c b/drivers/iommu/iommu-sva.c
index 07d64908a05f..523b8c65c86f 100644
--- a/drivers/iommu/iommu-sva.c
+++ b/drivers/iommu/iommu-sva.c
@@ -179,6 +179,7 @@ void iommu_sva_unbind_device(struct iommu_sva *handle)
              return;
      }

+     mmgrab(domain->mm);
      iommu_detach_device_pasid(domain, dev, iommu_mm->pasid);
      if (--domain->users == 0) {
              list_del(&domain->next);
@@ -190,6 +191,7 @@ void iommu_sva_unbind_device(struct iommu_sva *handle)
              if (list_empty(&iommu_sva_mms))
                      iommu_sva_present = false;
      }
+     mmdrop(domain->mm);

      mutex_unlock(&iommu_sva_lock);
      kfree(handle);

will moving the below hunk in front of iommu_domain_free() simpler?
Only when (--domain->users == 0), shall the code check if sva_domains
is empty. right?

I am not sure if this can be moved in front of iommu_domain_free(). Will iommu_domain_free() be possible to impact sva_domains?

sva_domains is used to track domains associated with the same mm in the
generic layer. iommu_domain_free() calls vendor iommu driver's free() op
with domain type specific operations. I don't think it should impact the
sva_domains.

iommu_domain_free() calls domain->ops->free(). Could this call back free sva_domain?

I think so. Check intel_mm_free_notifier() as an example.

Regards,
Yi Liu