On Wed, Sep 17, 2025 at 05:01:46PM -0300, Jason Gunthorpe wrote: > Syzkaller found this, fput runs the release from a work queue so the > refcount remains elevated during abort. This is tricky so move more > handling of files into the core code. > > Add a WARN_ON to catch things like this more reliably without relying on > kasn. > > Update the fail_nth test to succeed on 6.17 kernels. > > Jason Gunthorpe (3): > iommufd: Fix race during abort for file descriptors > iommufd: WARN if an object is aborted with an elevated refcount > iommufd/selftest: Update the fail_nth limit > > drivers/iommu/iommufd/device.c | 3 +- > drivers/iommu/iommufd/eventq.c | 9 +---- > drivers/iommu/iommufd/iommufd_private.h | 3 +- > drivers/iommu/iommufd/main.c | 39 +++++++++++++++++-- > .../selftests/iommu/iommufd_fail_nth.c | 2 +- > 5 files changed, 42 insertions(+), 14 deletions(-)
Applied to for-rc Jason
