Hi Robin,
thanks for looking into this.
On Wed, Apr 08, 2020 at 01:09:40PM +0100, Robin Murphy wrote:
> For a hot-pluggable bus where logical devices may share Stream IDs (like
> fsl-mc), this could happen:
>
> create device A
> iommu_probe_device(A)
> iommu_device_group(A) -> alloc group X
> create device B
> iommu_probe_device(B)
> iommu_device_group(A) -> lookup returns group X
> ...
> iommu_remove_device(A)
> delete device A
> create device C
> iommu_probe_device(C)
> iommu_device_group(C) -> use-after-free of A
>
> Preserving the logical behaviour here would probably look *something* like
> the mangled diff below, but I haven't thought it through 100%.
Yeah, I think you are right. How about just moving the loop which sets
s2crs[idx].group to arm_smmu_device_group()? In that case I can drop
this patch and leave the group pointer in place.
Regards,
Joerg
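
The lifetime problem in the quoted trace, replayed as a small userspace model. This is an added example, not code from this thread or from the kernel. It assumes a per-Stream-ID entry that remembers either the first device probed or the group itself; all struct and function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed model: "live" flags stand in for kfree() so a stale read is detectable. */
struct group { int refs; bool live; };
struct dev   { struct group *grp; bool live; };
/* One Stream-ID entry, shared by every logical device behind that ID. */
struct sid_entry {
    struct dev   *owner;  /* variant 1: remembers the first device probed */
    struct group *group;  /* variant 2: remembers the group itself */
};

static struct group *group_get(struct group *g) { g->refs++; return g; }
static void group_put(struct group *g) { if (--g->refs == 0) g->live = false; }

/* Returns the group for d, or NULL when the lookup would have read a dead
 * object (the point where the real code would hit the use-after-free). */
static struct group *device_group(struct sid_entry *e, struct dev *d,
                                  struct group *fresh, bool by_owner)
{
    struct group *g;
    if (by_owner && e->owner) {
        if (!e->owner->live) return NULL;   /* stale device pointer */
        g = e->owner->grp;
    } else if (!by_owner && e->group) {
        if (!e->group->live) return NULL;   /* stale group pointer */
        g = e->group;
    } else {                                /* first device on this Stream ID */
        g = fresh; g->live = true; g->refs = 0;
        e->owner = d; e->group = g;
    }
    d->live = true;
    d->grp = group_get(g);                  /* each member holds a reference */
    return g;
}

static void remove_device(struct dev *d) { group_put(d->grp); d->live = false; }

/* Replays the trace: A and B share a Stream ID, A is deleted, C appears. */
static bool replay_ok(bool by_owner)
{
    struct sid_entry e = {0};
    struct group x = {0}, y = {0};
    struct dev a = {0}, b = {0}, c = {0};
    device_group(&e, &a, &x, by_owner);
    device_group(&e, &b, &x, by_owner);
    remove_device(&a);
    return device_group(&e, &c, &y, by_owner) == &x;
}
int main(void) { return (!replay_ok(true) && replay_ok(false)) ? 0 : 1; }
```

In the model the group pointer stays valid only because B still holds a reference to group X; an entry that outlives every member would need clearing as well.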