Syzkaller found this: fput runs the release from a work queue, so the
refcount remains elevated during abort. This is tricky, so move more
handling of files into the core code.

Add a WARN_ON to catch things like this more reliably without relying on
KASAN.

Update the fail_nth test to succeed on 6.17 kernels.

Jason Gunthorpe (3):
  iommufd: Fix race during abort for file descriptors
  iommufd: WARN if an object is aborted with an elevated refcount
  iommufd/selftest: Update the fail_nth limit

 drivers/iommu/iommufd/device.c                |  3 +-
 drivers/iommu/iommufd/eventq.c                |  9 +----
 drivers/iommu/iommufd/iommufd_private.h       |  3 +-
 drivers/iommu/iommufd/main.c                  | 39 +++++++++++++++++--
 .../selftests/iommu/iommufd_fail_nth.c        |  2 +-
 5 files changed, 42 insertions(+), 14 deletions(-)


base-commit: 1046d40b0e78d2cd63f6183629699b629b21f877
-- 
2.43.0

