[PATCH] iommufd: fix refcount leak in iommufd_object_remove()
From: Wentao Liang
Date: Mon Jun 08 2026 - 23:23:29 EST
When iommufd_object_dec_wait() times out it restores the
wait_cnt reference via refcount_inc(), effectively
re-arming the counter. iommufd_object_remove() treats the
-EBUSY return as fatal and bails out without dropping this
re-acquired wait_cnt. As the users counter is already zero
the object will never be freed and the wait_cnt leak pins
the memory.
Release the wait_cnt reference before returning on the two
affected error paths, ensuring that the object can eventually
be torn down.
Cc: stable@xxxxxxxxxxxxxxx
Fixes: ab6bc44159d8 ("iommufd: Rename some shortterm-related identifiers")
Signed-off-by: Wentao Liang <vulab@xxxxxxxxxxx>
---
drivers/iommu/iommufd/main.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/iommu/iommufd/main.c b/drivers/iommu/iommufd/main.c
index 8c6d43601afb..2fe790c2c69e 100644
--- a/drivers/iommu/iommufd/main.c
+++ b/drivers/iommu/iommufd/main.c
@@ -266,8 +266,10 @@ int iommufd_object_remove(struct iommufd_ctx *ictx,
*/
if (!zerod_wait_cnt) {
ret = iommufd_object_dec_wait(ictx, obj);
- if (WARN_ON(ret))
+ if (WARN_ON(ret)) {
+ refcount_dec(&obj->wait_cnt);
return ret;
+ }
}
iommufd_object_ops[obj->type].destroy(obj);
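Review bot: refcount_dec() on the re-armed wait_cnt in the new error branch can itself hit zero, and refcount_dec() WARNs and deliberately leaks when that happens, so this does not reliably make the object "eventually" freeable. By the time iommufd_object_dec_wait() has returned -EBUSY the users counter is already zero and we return before the destroy() call below, so if the holder that caused the timeout drops its own wait_cnt reference before or at this point, the counter lands on zero with nothing left to tear the object down. Consider `if (refcount_dec_and_test(&obj->wait_cnt))` and falling through to destroy()/kfree in that case instead of returning, and document in a comment what is expected to free the object when the counter stays above zero. Separately, the commit message says the reference is released on "two affected error paths", but this diff touches only this one branch; either name the other path (or state that it is already handled) in the message or include it in the patch.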
--
2.34.1