Thread (42 messages, 4 authors), 2020-07-09

Re: [PATCH v3 00/34] iommu: Move iommu_group setup to IOMMU core code

From: Robin Murphy <hidden>
Date: 2020-07-01 10:53:15
Also in: linux-arm-msm, linux-iommu, linux-mediatek, linux-rockchip, linux-s390, linux-samsung-soc, linux-tegra, lkml

On 2020-07-01 01:40, Qian Cai wrote:
> Looks like this patchset introduced a use-after-free on arm-smmu-v3.
> 
> Reproduced using mlx5,
> 
> # echo 1 > /sys/class/net/enp11s0f1np1/device/sriov_numvfs
> # echo 0 > /sys/class/net/enp11s0f1np1/device/sriov_numvfs
> 
> The .config,
> https://github.com/cailca/linux-mm/blob/master/arm64.config
> 
> Looking at the free stack,
> 
> iommu_release_device->iommu_group_remove_device
> 
> was introduced in 07/34 ("iommu: Add probe_device() and release_device()
> call-backs").

Right, iommu_group_remove_device can tear down the group and call 
->domain_free before the driver has any knowledge of the last device 
going away via the ->release_device call.

I guess the question is do we simply flip the call order in 
iommu_release_device() so drivers can easily clean up their internal 
per-device state first, or do we now want them to be robust against 
freeing domains with devices still nominally attached?

Robin.
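The ordering problem Robin describes, reduced to a toy model. This is an added illustration, not code from the thread or from the kernel: every name in it (toy_group, toy_domain, toy_dev, toy_group_remove_device, toy_driver_release_device, the two release_* orderings) is constructed here. The group-first order lets the last device's removal free the group's domain before the driver's ->release_device equivalent runs, so the driver then touches a torn-down domain; the driver-first order does not. The domain is marked with a tombstone flag rather than actually freed so the stale access is observable instead of undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy model (constructed for illustration, not kernel code) of the
 * teardown ordering under discussion: a group owns a default domain,
 * and the last device leaving the group tears that domain down. */

struct toy_domain {
    bool freed;          /* tombstone: lets a later access be detected */
    int attached_devs;
};

struct toy_group {
    struct toy_domain *domain;
    int ndevs;
};

struct toy_dev {
    struct toy_group *group;
    struct toy_domain *domain;   /* driver's per-device view of its domain */
    bool driver_state_live;
};

/* Stands in for ->domain_free: mark instead of free() so a stale use
 * is observable rather than undefined behaviour. */
static void toy_domain_free(struct toy_domain *d) { d->freed = true; }

/* Stands in for iommu_group_remove_device(): when the last device
 * leaves, the group tears down its domain. */
static void toy_group_remove_device(struct toy_dev *dev)
{
    struct toy_group *g = dev->group;
    dev->group = NULL;
    if (--g->ndevs == 0) {
        toy_domain_free(g->domain);
        g->domain = NULL;
    }
}

/* Stands in for the driver's ->release_device(): it detaches its
 * per-device state from the domain it still believes is attached.
 * Returns false if that domain was already torn down (the stale case). */
static bool toy_driver_release_device(struct toy_dev *dev)
{
    bool ok = !dev->domain->freed;
    if (ok)
        dev->domain->attached_devs--;
    dev->domain = NULL;
    dev->driver_state_live = false;
    return ok;
}

/* Order described in the thread: group teardown runs before the driver. */
static bool release_group_first(struct toy_dev *dev)
{
    toy_group_remove_device(dev);
    return toy_driver_release_device(dev);
}

/* Flipped order: driver cleans up its per-device state, then the group. */
static bool release_driver_first(struct toy_dev *dev)
{
    bool ok = toy_driver_release_device(dev);
    toy_group_remove_device(dev);
    return ok;
}

/* Build a group holding exactly one device (the "last device" case). */
static void toy_setup(struct toy_group *g, struct toy_domain *d, struct toy_dev *dev)
{
    memset(g, 0, sizeof *g);
    memset(d, 0, sizeof *d);
    memset(dev, 0, sizeof *dev);
    g->domain = d;
    g->ndevs = 1;
    d->attached_devs = 1;
    dev->group = g;
    dev->domain = d;
    dev->driver_state_live = true;
}

/* Run one ordering; true means the driver only ever touched a live domain. */
static bool run_release(bool driver_first)
{
    struct toy_group g;
    struct toy_domain d;
    struct toy_dev dev;
    toy_setup(&g, &d, &dev);
    return driver_first ? release_driver_first(&dev) : release_group_first(&dev);
}

int main(void)
{
    printf("group-first : %s\n", run_release(false) ? "ok" : "stale domain access");
    printf("driver-first: %s\n", run_release(true) ? "ok" : "stale domain access");
    return 0;
}
```

The model only covers the first of Robin's two options (flipping the call order). His second option, drivers tolerating a domain being freed while devices are still nominally attached, would instead require toy_driver_release_device to stop dereferencing dev->domain at all and rely on state it owns itself.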