On 2020-04-08 3:37 pm, Joerg Roedel wrote:
Hi Robin,
thanks for looking into this.
On Wed, Apr 08, 2020 at 01:09:40PM +0100, Robin Murphy wrote:
For a hot-pluggable bus where logical devices may share Stream IDs (like
fsl-mc), this could happen:
create device A
iommu_probe_device(A)
iommu_device_group(A) -> alloc group X
create device B
iommu_probe_device(B)
iommu_device_group(A) -> lookup returns group X
...
iommu_remove_device(A)
delete device A
create device C
iommu_probe_device(C)
iommu_device_group(C) -> use-after-free of A
Preserving the logical behaviour here would probably look *something* like
the mangled diff below, but I haven't thought it through 100%.
Yeah, I think you are right. How about just moving the loop which sets
s2crs[idx].group to arm_smmu_device_group()? In that case I can drop
this patch and leave the group pointer in place.
Isn't that exactly what I suggested? :)
I don't recall for sure, but knowing me, that bit of group bookkeeping
is only where it currently is because it cheekily saves iterating the
IDs a second time. I don't think there's any technical reason.
Robin.
