On Tue, Oct 29, 2024 at 12:30:00PM -0700, Nicolin Chen wrote:
iommufd_device_unbind() can't fail, and if the object can't be destroyed because it has an elevated long term refcount it WARN's:
	ret = iommufd_object_remove(ictx, obj, obj->id, REMOVE_WAIT_SHORTTERM);
	/*
	 * If there is a bug and we couldn't destroy the object then we did put
	 * back the caller's users refcount and will eventually try to free it
	 * again during close.
	 */
	WARN_ON(ret);
So you cannot take long term references on kernel owned objects. Only userspace owned objects.
OK. I think I had got this part. Gao ran into this WARN_ON at v3, so I added iommufd_object_remove(vdev_id) in unbind() prior to this iommufd_object_destroy_user(idev->ictx, &idev->obj).
Oh I see, so the fix to that is to not take a longterm reference, not to try to destroy a vdev.
The alternative would be to try to unlink the idev from the vdev and leave a zombie vdev, but that didn't look so nice to implement. If we need it we can do it later.
Jason