Hi Robin, thanks for looking into this. On Wed, Apr 08, 2020 at 01:09:40PM +0100, Robin Murphy wrote: > For a hot-pluggable bus where logical devices may share Stream IDs (like > fsl-mc), this could happen: > > create device A > iommu_probe_device(A) > iommu_device_group(A) -> alloc group X > create device B > iommu_probe_device(B) > iommu_device_group(A) -> lookup returns group X > ... > iommu_remove_device(A) > delete device A > create device C > iommu_probe_device(C) > iommu_device_group(C) -> use-after-free of A > > Preserving the logical behaviour here would probably look *something* like > the mangled diff below, but I haven't thought it through 100%. Yeah, I think you are right. How about just moving the loop which sets s2crs[idx].group to arm_smmu_device_group()? In that case I can drop this patch and leave the group pointer in place. Regards, Joerg
