From mboxrd@z Thu Jan 1 00:00:00 1970
From: Joerg Roedel
Subject: Re: [RFC PATCH 17/34] iommu/arm-smmu: Store device instead of group in arm_smmu_s2cr
Date: Wed, 8 Apr 2020 16:37:07 +0200
Message-ID: <20200408143707.GK3103@8bytes.org>
References: <20200407183742.4344-1-joro@8bytes.org> <20200407183742.4344-18-joro@8bytes.org> <98c10a41-d223-e375-9742-b6471c3dc33c@arm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path:
Content-Disposition: inline
In-Reply-To: <98c10a41-d223-e375-9742-b6471c3dc33c@arm.com>
Sender: linux-arm-msm-owner@vger.kernel.org
To: Robin Murphy
Cc: Will Deacon, Marek Szyprowski, Kukjin Kim, Krzysztof Kozlowski, David Woodhouse, Lu Baolu, Andy Gross, Bjorn Andersson, Matthias Brugger, Rob Clark, Heiko Stuebner, Gerald Schaefer, Thierry Reding, Jonathan Hunter, Jean-Philippe Brucker, iommu@lists.linux-foundation.org, linux-kernel@vger.kernel.org, linux-samsung-soc@vger.kernel.org, linux-arm-msm@vger.kernel.org, linux-mediatek@lists.infradead.org
List-Id: virtualization@lists.linuxfoundation.org

Hi Robin,

thanks for looking into this.

On Wed, Apr 08, 2020 at 01:09:40PM +0100, Robin Murphy wrote:
> For a hot-pluggable bus where logical devices may share Stream IDs (like
> fsl-mc), this could happen:
>
> create device A
> iommu_probe_device(A)
> iommu_device_group(A) -> alloc group X
> create device B
> iommu_probe_device(B)
> iommu_device_group(A) -> lookup returns group X
> ...
> iommu_remove_device(A)
> delete device A
> create device C
> iommu_probe_device(C)
> iommu_device_group(C) -> use-after-free of A
>
> Preserving the logical behaviour here would probably look *something* like
> the mangled diff below, but I haven't thought it through 100%.

Yeah, I think you are right. How about just moving the loop which sets
s2crs[idx].group to arm_smmu_device_group()? In that case I can drop this
patch and leave the group pointer in place.

Regards,

	Joerg
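A toy C model of the sequence Robin describes, added here for illustration; it is not part of the thread and not arm-smmu code. The struct layouts, the static pools and the single shared Stream ID slot are assumptions made so the two behaviours under discussion (slot remembers the device vs. slot keeps the group pointer) can be replayed side by side.

```c
/* Toy model of the lifetime sequence in the thread, not arm-smmu code. Layouts
 * are assumptions; static pools keep "freed" objects observable (touching real
 * freed kernel memory would be UB). One S2CR slot stands for one shared Stream ID. */
#include <stdbool.h>
#include <string.h>

struct iommu_group { int id, refs; bool live; };
struct device { struct iommu_group *group; bool live; };
static struct iommu_group groups[4];
static struct device devices[4];
static int ngroups, ndevices;
static struct { struct device *dev; struct iommu_group *group; } s2cr;

static struct device *create_device(void) {
    struct device *d = &devices[ndevices++];
    d->group = NULL; d->live = true;
    return d;
}
static struct iommu_group *alloc_group(void) {
    struct iommu_group *g = &groups[ngroups++];
    g->id = ngroups; g->refs = 0; g->live = true;
    return g;
}
static void attach(struct device *d, struct iommu_group *g) { d->group = g; g->refs++; }
static void remove_device(struct device *d) {
    if (--d->group->refs == 0) d->group->live = false;  /* last user frees X */
    d->live = false;                                   /* device struct freed */
}

/* Patch 17 behaviour: the slot remembers the first device, group is derived. */
static struct iommu_group *group_via_dev(struct device *d) {
    if (s2cr.dev && !s2cr.dev->live) return NULL;  /* stale pointer: UAF of A */
    struct iommu_group *g = s2cr.dev ? s2cr.dev->group : alloc_group();
    if (!s2cr.dev) s2cr.dev = d;
    attach(d, g);
    return g;
}
/* Joerg's proposal: the slot keeps the group pointer, set in device_group(). */
static struct iommu_group *group_via_slot(struct device *d) {
    struct iommu_group *g = (s2cr.group && s2cr.group->live) ? s2cr.group : alloc_group();
    s2cr.group = g;
    attach(d, g);
    return g;
}
/* Replays create A, B; remove A; create C. Returns C's group, NULL on a UAF. */
static struct iommu_group *replay(struct iommu_group *(*device_group)(struct device *)) {
    memset(&s2cr, 0, sizeof s2cr); ngroups = ndevices = 0;
    struct device *a = create_device(); device_group(a);
    device_group(create_device());                 /* B shares the Stream ID */
    remove_device(a);
    return device_group(create_device());          /* C */
}
```

With the device pointer in the slot, C's lookup lands on the freed A; with the group pointer kept in the slot, B's reference keeps X alive and C joins it.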