[PATCH v3 00/34] iommu: Move iommu_group setup to IOMMU core code
Robin Murphy
robin.murphy at arm.com
Wed Jul 1 06:53:07 EDT 2020
On 2020-07-01 01:40, Qian Cai wrote:
> Looks like this patchset introduced an use-after-free on arm-smmu-v3.
>
> Reproduced using mlx5,
>
> # echo 1 > /sys/class/net/enp11s0f1np1/device/sriov_numvfs
> # echo 0 > /sys/class/net/enp11s0f1np1/device/sriov_numvfs
>
> The .config,
> https://github.com/cailca/linux-mm/blob/master/arm64.config
>
> Looking at the free stack,
>
> iommu_release_device->iommu_group_remove_device
>
> was introduced in 07/34 ("iommu: Add probe_device() and release_device()
> call-backs").
Right, iommu_group_remove_device can tear down the group and call
->domain_free before the driver has any knowledge of the last device
going away via the ->release_device call.
I guess the question is do we simply flip the call order in
iommu_release_device() so drivers can easily clean up their internal
per-device state first, or do we now want them to be robust against
freeing domains with devices still nominally attached?
Robin.
More information about the Linux-mediatek
mailing list