git.apps.os.sepia.ceph.com Git - ceph-client.git/commit

author	Jason Gunthorpe <jgg@nvidia.com>
	Wed, 17 Sep 2025 18:59:59 +0000 (15:59 -0300)
committer	Jason Gunthorpe <jgg@nvidia.com>
	Fri, 19 Sep 2025 13:34:49 +0000 (10:34 -0300)
commit	53d0584eeb2c85a46c83656246d61a89558d74b3
tree	237c300b208858c1226a817fc4c1626db7dd614c	tree \| snapshot
parent	4e034bf045b12852a24d5d33f2451850818ba0c1	commit \| diff

iommufd: WARN if an object is aborted with an elevated refcount

If something holds a refcount then it is at risk of UAFing. For abort
paths we expect the caller to never share the object with a parallel
thread and to clean up any refcounts it obtained on its own.

Add the missing dec inside iommufd_hwpt_paging_alloc() during error unwind
by making iommufd_hw_pagetable_attach/detach() proper pairs.

Link: https://patch.msgid.link/r/2-v1-02cd136829df+31-iommufd_syz_fput_jgg@nvidia.com
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Reviewed-by: Nicolin Chen <nicolinc@nvidia.com>
Tested-by: Nicolin Chen <nicolinc@nvidia.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>

drivers/iommu/iommufd/device.c		diff \| blob \| history
drivers/iommu/iommufd/iommufd_private.h		diff \| blob \| history
drivers/iommu/iommufd/main.c		diff \| blob \| history