Re: [RFC PATCH 17/34] iommu/arm-smmu: Store device instead of group in arm_smmu_s2cr

[Robin Murphy]

On 2020-04-08 3:37 pm, Joerg Roedel wrote:
> Hi Robin,
>
> thanks for looking into this.
>
> On Wed, Apr 08, 2020 at 01:09:40PM +0100, Robin Murphy wrote:
> > For a hot-pluggable bus where logical devices may share Stream IDs (like
> > fsl-mc), this could happen:
> >
> >    create device A
> >    iommu_probe_device(A)
> >      iommu_device_group(A) -> alloc group X
> >    create device B
> >    iommu_probe_device(B)
> >      iommu_device_group(A) -> lookup returns group X
> >    ...
> >    iommu_remove_device(A)
> >    delete device A
> >    create device C
> >    iommu_probe_device(C)
> >      iommu_device_group(C) -> use-after-free of A
> >
> > Preserving the logical behaviour here would probably look *something* like
> > the mangled diff below, but I haven't thought it through 100%.
>
> Yeah, I think you are right. How about just moving the loop which sets
> s2crs[idx].group to arm_smmu_device_group()? In that case I can drop
> this patch and leave the group pointer in place.

Isn't that exactly what I suggested? :)

I don't recall for sure, but knowing me, that bit of group bookkeeping 
is only where it currently is because it cheekily saves iterating the 
IDs a second time. I don't think there's any technical reason.

Robin.