On Tue, Oct 29, 2024 at 12:30:00PM -0700, Nicolin Chen wrote: > > iommufd_device_unbind() can't fail, and if the object can't be > > destroyed because it has an elevated long term refcount it WARN's: > > > > > > ret = iommufd_object_remove(ictx, obj, obj->id, REMOVE_WAIT_SHORTTERM); > > > > /* > > * If there is a bug and we couldn't destroy the object then we did put > > * back the caller's users refcount and will eventually try to free it > > * again during close. > > */ > > WARN_ON(ret); > > > > So you cannot take long term references on kernel owned objects. Only > > userspace owned objects. > > OK. I think I had got this part. Gao ran into this WARN_ON at v3, > so I added iommufd_object_remove(vdev_id) in unbind() prior to > this iommufd_object_destroy_user(idev->ictx, &idev->obj). Oh I see, so the fix to that is to not take a longterm reference, not to try to destroy a vdev. The alternative ould be to try to unlink the idev from the vdev and leave a zombie vdev, but that didn't look so nice to implement. If we need it we can do it later Jason
