Re: [PATCH] iommufd: fix refcount leak in iommufd_object_remove()

From: Jason Gunthorpe

Date: Tue Jun 09 2026 - 13:08:54 EST


On Tue, Jun 09, 2026 at 03:22:43AM +0000, Wentao Liang wrote:

> diff --git a/drivers/iommu/iommufd/main.c b/drivers/iommu/iommufd/main.c
> index 8c6d43601afb..2fe790c2c69e 100644
> --- a/drivers/iommu/iommufd/main.c
> +++ b/drivers/iommu/iommufd/main.c
> @@ -266,8 +266,10 @@ int iommufd_object_remove(struct iommufd_ctx *ictx,
> */
> if (!zerod_wait_cnt) {
> ret = iommufd_object_dec_wait(ictx, obj);
> - if (WARN_ON(ret))
> + if (WARN_ON(ret)) {
> + refcount_dec(&obj->wait_cnt);
> return ret;
> + }
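Review bot: the added refcount_dec(&obj->wait_cnt) inside the WARN_ON(ret) branch looks unsafe rather than a leak fix. A non-zero return from iommufd_object_dec_wait() means the wait count on obj did not reach zero, so the object is still referenced by someone else, and the WARN_ON marks that as a should-not-happen state in which the reference is deliberately left in place so a still-referenced object is not torn down. Dropping wait_cnt on that path lets the count reach zero later underneath a remaining holder, which turns a bounded leak into a possible use-after-free. Suggest keeping the early return as it was, `if (WARN_ON(ret))` / `return ret;`, and, if the leaked reference is worth addressing, handling it inside iommufd_object_dec_wait() or in the caller's treatment of the error, with the commit message explaining why a decrement here cannot race a remaining user.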

The WARN_ON is a big clue here that the leak was intentional. If we
free the memory we know is still in use, something worse will happen.

Jason
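
The trade-off Jason describes, shown with an added single-threaded model that is not iommufd code and not part of the patch or the thread. Everything in it is an assumption made for illustration: the helper names, the rule that whichever drop brings the count to zero frees the object, the shape of obj_dec_wait() (drop the remover's reference, fail with -EBUSY and restore the reference when users remain), and the fact that a failed remove leaves the object registered in a lookup table, as the early return in the hunk suggests. The point it makes is that the reference left behind on the WARN_ON path is what keeps a still-registered object alive; decrementing it lets a later drop free the object while a new user can still look it up.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model, not iommufd code; names and rules are assumptions. */
struct obj {
	int wait_cnt;     /* outstanding references (stands in for refcount_t) */
	bool freed;       /* set by obj_free(); any access after this is a UAF */
	int uaf_touches;  /* accesses observed after the free */
};

/* Lookup table the object is registered in; a failed remove leaves it here. */
static struct obj *table_slot;

static void obj_free(struct obj *o)
{
	o->freed = true;  /* in real code the memory would be gone */
}

/* Drop one reference; the drop that reaches zero frees the object. */
static void obj_put(struct obj *o)
{
	if (--o->wait_cnt == 0)
		obj_free(o);
}

/* Look the object up and take a reference, like a user opening a handle. */
static struct obj *obj_get(void)
{
	struct obj *o = table_slot;

	if (o)
		o->wait_cnt++;
	return o;
}

/* Use the object; record a use-after-free instead of crashing. */
static void obj_use(struct obj *o)
{
	if (o->freed)
		o->uaf_touches++;
}

/*
 * Assumed shape of the wait: drop the remover's reference; if other users
 * remain the wait "times out", the reference is restored so the object
 * stays valid, and -EBUSY is returned.
 */
static int obj_dec_wait(struct obj *o)
{
	if (--o->wait_cnt == 0)
		return 0;
	o->wait_cnt++;
	return -EBUSY;
}

/*
 * Removal: with dec_on_failure=false the failing path leaves the reference
 * in place (the intentional leak); dec_on_failure=true models the patch's
 * extra refcount_dec() on that path.
 */
static int obj_remove(struct obj *o, bool dec_on_failure)
{
	int ret = obj_dec_wait(o);

	if (ret) {
		if (dec_on_failure)
			o->wait_cnt--;
		return ret;           /* object stays registered in the table */
	}
	table_slot = NULL;
	obj_free(o);                  /* count reached zero: safe to destroy */
	return 0;
}

/*
 * Scenario: the table reference plus two users A and B. Remove fails
 * because A and B are still active; they finish, then a third user C
 * looks the still-registered object up and uses it. Returns the number
 * of use-after-free accesses C made (-1 if the model did not behave).
 */
static int scenario(bool dec_on_failure)
{
	struct obj o = { .wait_cnt = 3 };   /* table + A + B */
	struct obj *c;

	table_slot = &o;
	if (obj_remove(&o, dec_on_failure) != -EBUSY)
		return -1;
	obj_put(&o);                        /* A done */
	obj_put(&o);                        /* B done */
	c = obj_get();                      /* C finds the object in the table */
	if (!c)
		return -1;
	obj_use(c);
	obj_put(c);
	return o.uaf_touches;
}

int main(void)
{
	printf("leave reference on failure: %d use-after-free accesses\n", scenario(false));
	printf("refcount_dec on failure:    %d use-after-free accesses\n", scenario(true));
	return 0;
}
```

With the reference left in place the object is never freed while it can still be found, which is the leak the WARN_ON path accepts; with the extra decrement, user B's drop frees it while it is still in the table and user C touches freed memory.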