On Thu, 2023-10-19 at 16:23 +0800, Bingbu Cao wrote: > > > > Andreas, > > > > On 10/16/23 5:39 PM, Andreas Helbech Kleist wrote: > > > > On Tue, 2023-10-03 at 12:12 +0200, Andreas Helbech Kleist > > > > wrote: > > > > > > On Thu, 2023-07-27 at 15:15 +0800, > > > > > > bingbu.cao@xxxxxxxxx wrote: > > > > > > > > From: Bingbu Cao <bingbu.cao@xxxxxxxxx> > > > > ... > > > > > > > > +static void ipu6_pci_remove(struct pci_dev *pdev) > > > > > > > > +{ > > > > > > ... > > > > > > > > + ipu6_bus_del_devices(pdev); > > > > > > ... > > > > > > > > + ipu6_mmu_cleanup(isp->psys->mmu); > > > > > > > > + ipu6_mmu_cleanup(isp->isys->mmu); > > > > > > > > > > > > I think ipu6_mmu_cleanup() should be done before > > > > > > ipu6_bus_del_devices() > > > > > > like in the ipu6_pci_probe() error path. > > > > > > > > Thank you for pointing out this issue. > > > > > > Scratch that, it also causes issues (because isys_remove frees > > > > > > stuff in > > > > the MMU). > > > > What stuff in the mmu was freed in isys_remove()? I don't recall exactly, but I think it might happen through the dma_free_attrs() call. You can reproduce the issue by using the kernel/configs/x86_debug.config config fragment, loading the driver and then unbinding the device with something like: echo -n 0000:00:03.0 > /sys/bus/pci/drivers/intel-ipu6/unbind That should give you a use-after-free of isp->psys->mmu and isp->isys- >mmu. > > > > @@ -830,7 +832,7 @@ static void ipu6_pci_remove(struct pci_dev > > > > > > *pdev) > > > > release_firmware(isp->cpd_fw); > > > > > > > > ipu6_mmu_cleanup(isp->psys->mmu); > > > > - ipu6_mmu_cleanup(isp->isys->mmu); > > > > + ipu6_mmu_cleanup(isys_mmu); Looking at this again, the first line line above (isp->psys->mmu) is also problematic because isp->psys has been freed by ipu6_bus_del_devices as well. /Andreas