On Tue, Oct 25, 2022 at 03:12:16PM -0300, Jason Gunthorpe wrote: > diff --git a/drivers/iommu/iommufd/pages.c b/drivers/iommu/iommufd/pages.c > +static int pfn_reader_user_pin(struct pfn_reader_user *user, > + struct iopt_pages *pages, > + unsigned long start_index, > + unsigned long last_index) > +{ > + bool remote_mm = pages->source_mm != current->mm; > + unsigned long npages; > + uintptr_t uptr; > + long rc; > + > + if (!user->upages) { > + /* All undone in pfn_reader_destroy() */ > + user->upages_len = > + (last_index - start_index + 1) * sizeof(*user->upages); > + user->upages = temp_kmalloc(&user->upages_len, NULL, 0); > + if (!user->upages) > + return -ENOMEM; > + } > + > + if (user->locked == -1) { > + /* > + * The majority of usages will run the map task within the mm > + * providing the pages, so we can optimize into > + * get_user_pages_fast() > + */ > + user->locked = 0; > + if (remote_mm) { > + if (!mmget_not_zero(pages->source_mm)) { > + kfree(user->upages); > + user->upages = NULL; Coverity reports BAD_FREE at user->upages here. In iopt_pages_fill_xarray and iopt_pages_fill_from_mm, user->upages is assigned by shifting the out_pages input of iopt_pages_add_access that could be originated from vfio_pin_pages, I am not sure if the remote_mm and mmget_not_zero value checks can prevent this though.