On Thu, Mar 16, 2023 at 03:39:27PM +0200, Leon Romanovsky wrote: > From: Patrisious Haddad <phaddad@xxxxxxxxxx> > > Previously when destroying a DCT, if the firmware function for the > destruction failed, the common resource would have been destroyed > either way, since it was destroyed before the firmware object. > Which leads to kernel warning "refcount_t: underflow" which indicates > possible use-after-free. > Which is triggered when we try to destroy the common resource for the > second time and execute refcount_dec_and_test(&common->refcount). > > So, currently before destroying the common resource we check its > refcount and continue with the destruction only if it isn't zero. This seems super sketchy If the destruction fails why not set the refcount back to 1? Jason
