On 2020-07-01 01:40, Qian Cai wrote:
Looks like this patchset introduced an use-after-free on arm-smmu-v3. Reproduced using mlx5, # echo 1 > /sys/class/net/enp11s0f1np1/device/sriov_numvfs # echo 0 > /sys/class/net/enp11s0f1np1/device/sriov_numvfs The .config, https://github.com/cailca/linux-mm/blob/master/arm64.config Looking at the free stack, iommu_release_device->iommu_group_remove_device was introduced in 07/34 ("iommu: Add probe_device() and release_device() call-backs").
Right, iommu_group_remove_device can tear down the group and call ->domain_free before the driver has any knowledge of the last device going away via the ->release_device call.
I guess the question is do we simply flip the call order in iommu_release_device() so drivers can easily clean up their internal per-device state first, or do we now want them to be robust against freeing domains with devices still nominally attached?
Robin.
