linux-mediatek.lists.infradead.org archive mirror
From: Robin Murphy <robin.murphy@arm.com>
To: Qian Cai <cai@lca.pw>, Joerg Roedel <joro@8bytes.org>
Cc: Heiko Stuebner <heiko@sntech.de>,
	virtualization@lists.linux-foundation.org,
	Matthias Brugger <matthias.bgg@gmail.com>,
	Thierry Reding <thierry.reding@gmail.com>,
	Daniel Drake <drake@endlessm.com>, Will Deacon <will@kernel.org>,
	Jean-Philippe Brucker <jean-philippe@linaro.org>,
	linux-samsung-soc@vger.kernel.org,
	Krzysztof Kozlowski <krzk@kernel.org>,
	Jonathan Hunter <jonathanh@nvidia.com>,
	linux-rockchip@lists.infradead.org,
	Andy Gross <agross@kernel.org>,
	jonathan.derrick@intel.com, linux-s390@vger.kernel.org,
	linux-arm-msm@vger.kernel.org,
	linux-mediatek@lists.infradead.org, linux-tegra@vger.kernel.org,
	Bjorn Andersson <bjorn.andersson@linaro.org>,
	Gerald Schaefer <gerald.schaefer@de.ibm.com>,
	linux-kernel@vger.kernel.org, iommu@lists.linux-foundation.org,
	Kukjin Kim <kgene@kernel.org>,
	David Woodhouse <dwmw2@infradead.org>
Subject: Re: [PATCH v3 00/34] iommu: Move iommu_group setup to IOMMU core code
Date: Wed, 1 Jul 2020 11:53:07 +0100
Message-ID: <9b0ef27a-f249-a90b-9899-e53b946f83cc@arm.com>
In-Reply-To: <20200701004020.GA6221@lca.pw>

On 2020-07-01 01:40, Qian Cai wrote:
> Looks like this patchset introduced a use-after-free on arm-smmu-v3.
> 
> Reproduced using mlx5,
> 
> # echo 1 > /sys/class/net/enp11s0f1np1/device/sriov_numvfs
> # echo 0 > /sys/class/net/enp11s0f1np1/device/sriov_numvfs
> 
> The .config,
> https://github.com/cailca/linux-mm/blob/master/arm64.config
> 
> Looking at the free stack,
> 
> iommu_release_device->iommu_group_remove_device
> 
> was introduced in 07/34 ("iommu: Add probe_device() and release_device()
> call-backs").

Right, iommu_group_remove_device can tear down the group and call 
->domain_free before the driver has any knowledge of the last device 
going away via the ->release_device call.

I guess the question is do we simply flip the call order in 
iommu_release_device() so drivers can easily clean up their internal 
per-device state first, or do we now want them to be robust against 
freeing domains with devices still nominally attached?

Robin.
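
The call-order hazard discussed in this message, as a user-space C model added here for illustration (it is not kernel code and not from the thread). The struct layout, the function names, and the assumption that the driver's release path dereferences the domain it remembers are all hypothetical; the three modes correspond to the current order, the flipped order, and a domain free that tolerates a still-attached device.

```c
#include <stdbool.h>
#include <stddef.h>
/* User-space model only: every name here is hypothetical, not a kernel structure. */
struct domain { bool live; struct master *attached; };
struct master { struct domain *domain; };   /* driver's per-device state */
struct group  { struct domain *domain; int ndevs; };
enum mode { GROUP_FIRST, DRIVER_FIRST, GROUP_FIRST_ROBUST_FREE };

/* Models ->domain_free; marks the domain dead rather than calling free(). */
static void domain_free(struct domain *d, bool robust)
{
    if (robust && d->attached)   /* second option: detach a still-attached device */
        d->attached->domain = NULL;
    d->live = false;
}

/* Models the core removing a device: the last one out frees the domain. */
static void group_remove_device(struct group *g, bool robust)
{
    if (--g->ndevs == 0 && g->domain) {
        domain_free(g->domain, robust);
        g->domain = NULL;
    }
}

/* Models ->release_device; returns 1 if it touched an already-freed domain. */
static int driver_release_device(struct master *m)
{
    int stale = m->domain && !m->domain->live;   /* the use-after-free case */
    if (m->domain && !stale)
        m->domain->attached = NULL;
    m->domain = NULL;
    return stale;
}

/* Releases a group's last device; returns 1 on a stale domain access. */
int release_last_device(enum mode mode)
{
    struct master m = { NULL };
    struct domain d = { .live = true, .attached = &m };
    struct group g = { .domain = &d, .ndevs = 1 };
    int stale = 0;
    m.domain = &d;
    if (mode == DRIVER_FIRST)
        stale = driver_release_device(&m);
    group_remove_device(&g, mode == GROUP_FIRST_ROBUST_FREE);
    if (mode != DRIVER_FIRST)
        stale = driver_release_device(&m);
    return stale;
}
```

Only `GROUP_FIRST` reports a stale access; the model marks the domain dead instead of freeing it so the condition can be checked without undefined behaviour.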


Thread overview: 42+ messages
2020-04-29 13:36 [PATCH v3 00/34] iommu: Move iommu_group setup to IOMMU core code Joerg Roedel
2020-04-29 13:36 ` [PATCH v3 01/34] iommu: Move default domain allocation to separate function Joerg Roedel
2020-04-29 13:36 ` [PATCH v3 02/34] iommu: Add def_domain_type() callback in iommu_ops Joerg Roedel
2020-04-29 13:36 ` [PATCH v3 03/34] iommu/amd: Implement iommu_ops->def_domain_type call-back Joerg Roedel
2020-04-29 13:36 ` [PATCH v3 04/34] iommu/vt-d: Wire up iommu_ops->def_domain_type Joerg Roedel
2020-04-29 23:58   ` Lu Baolu
2020-04-29 13:36 ` [PATCH v3 05/34] iommu/amd: Remove dma_mask check from check_device() Joerg Roedel
2020-04-29 13:36 ` [PATCH v3 06/34] iommu/amd: Return -ENODEV in add_device when device is not handled by IOMMU Joerg Roedel
2020-04-29 13:36 ` [PATCH v3 07/34] iommu: Add probe_device() and release_device() call-backs Joerg Roedel
2020-04-29 13:36 ` [PATCH v3 08/34] iommu: Move default domain allocation to iommu_probe_device() Joerg Roedel
2020-04-29 13:36 ` [PATCH v3 09/34] iommu: Keep a list of allocated groups in __iommu_probe_device() Joerg Roedel
2020-04-29 13:36 ` [PATCH v3 10/34] iommu: Move new probe_device path to separate function Joerg Roedel
2020-04-29 13:36 ` [PATCH v3 11/34] iommu: Split off default domain allocation from group assignment Joerg Roedel
2020-04-29 13:36 ` [PATCH v3 12/34] iommu: Move iommu_group_create_direct_mappings() out of iommu_group_add_device() Joerg Roedel
2020-04-29 13:36 ` [PATCH v3 13/34] iommu: Export bus_iommu_probe() and make is safe for re-probing Joerg Roedel
2020-04-29 13:36 ` [PATCH v3 14/34] iommu/amd: Remove dev_data->passthrough Joerg Roedel
2020-04-29 13:36 ` [PATCH v3 15/34] iommu/amd: Convert to probe/release_device() call-backs Joerg Roedel
2020-04-29 13:36 ` [PATCH v3 16/34] iommu/vt-d: " Joerg Roedel
2020-04-30  0:07   ` Lu Baolu
2020-04-29 13:36 ` [PATCH v3 17/34] iommu/arm-smmu: " Joerg Roedel
2020-04-29 13:36 ` [PATCH v3 18/34] iommu/pamu: " Joerg Roedel
2020-04-29 13:36 ` [PATCH v3 19/34] iommu/s390: " Joerg Roedel
2020-04-29 13:36 ` [PATCH v3 20/34] iommu/virtio: " Joerg Roedel
2020-04-29 13:36 ` [PATCH v3 21/34] iommu/msm: " Joerg Roedel
2020-04-29 13:37 ` [PATCH v3 22/34] iommu/mediatek: " Joerg Roedel
2020-04-29 13:37 ` [PATCH v3 23/34] iommu/mediatek-v1 " Joerg Roedel
2020-04-29 13:37 ` [PATCH v3 24/34] iommu/qcom: " Joerg Roedel
2020-04-29 13:37 ` [PATCH v3 25/34] iommu/rockchip: " Joerg Roedel
2020-04-29 13:37 ` [PATCH v3 26/34] iommu/tegra: " Joerg Roedel
2020-04-29 13:37 ` [PATCH v3 27/34] iommu/renesas: " Joerg Roedel
2020-04-29 13:37 ` [PATCH v3 28/34] iommu/omap: Remove orphan_dev tracking Joerg Roedel
2020-04-29 13:37 ` [PATCH v3 29/34] iommu/omap: Convert to probe/release_device() call-backs Joerg Roedel
2020-04-29 13:37 ` [PATCH v3 30/34] iommu/exynos: Use first SYSMMU in controllers list for IOMMU core Joerg Roedel
2020-04-29 13:37 ` [PATCH v3 31/34] iommu/exynos: Convert to probe/release_device() call-backs Joerg Roedel
2020-04-29 13:37 ` [PATCH v3 32/34] iommu: Remove add_device()/remove_device() code-paths Joerg Roedel
2020-04-29 13:37 ` [PATCH v3 33/34] iommu: Move more initialization to __iommu_probe_device() Joerg Roedel
2020-04-29 13:37 ` [PATCH v3 34/34] iommu: Unexport iommu_group_get_for_dev() Joerg Roedel
2020-05-05 12:37 ` [PATCH v3 00/34] iommu: Move iommu_group setup to IOMMU core code Joerg Roedel
2020-07-01  0:40 ` Qian Cai
2020-07-01 10:53   ` Robin Murphy [this message]
2020-07-04  0:17   ` Qian Cai
2020-07-09 15:24     ` Joerg Roedel
