git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Jason Gunthorpe <jgg@nvidia.com>
	Wed, 17 Sep 2025 18:59:59 +0000 (15:59 -0300)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Sun, 12 Oct 2025 11:01:02 +0000 (13:01 +0200)
commit	e3af7df1c5b8dff4a6ecbdff08f72e32fba7d374
tree	5badf5146ebb5d80fddf3736eb0ecf4c25b8b328	tree \| snapshot
parent	97bbf79b53ae71d8373070f543c2cd42d6ccf883	commit \| diff

iommufd: WARN if an object is aborted with an elevated refcount

[ Upstream commit 53d0584eeb2c85a46c83656246d61a89558d74b3 ]

If something holds a refcount then it is at risk of UAFing. For abort
paths we expect the caller to never share the object with a parallel
thread and to clean up any refcounts it obtained on its own.

Add the missing dec inside iommufd_hwpt_paging_alloc() during error unwind
by making iommufd_hw_pagetable_attach/detach() proper pairs.

Link: https://patch.msgid.link/r/2-v1-02cd136829df+31-iommufd_syz_fput_jgg@nvidia.com
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Reviewed-by: Nicolin Chen <nicolinc@nvidia.com>
Tested-by: Nicolin Chen <nicolinc@nvidia.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

drivers/iommu/iommufd/device.c		diff \| blob \| blame \| history
drivers/iommu/iommufd/iommufd_private.h		diff \| blob \| blame \| history
drivers/iommu/iommufd/main.c		diff \| blob \| blame \| history