Patch "iommu: iommufd: fix WARNING in iommufd_device_unbind" has been added to the 6.12-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 2 Feb 2025 08:45:30 -0500

This is a note to let you know that I've just added the patch titled

    iommu: iommufd: fix WARNING in iommufd_device_unbind

to the 6.12-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     iommu-iommufd-fix-warning-in-iommufd_device_unbind.patch
and it can be found in the queue-6.12 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit cd8b56d4a331135e05cd94792bcb0b1222e779da
Author: Suraj Sonawane <surajsonawane0215@xxxxxxxxx>
Date:   Sun Nov 24 01:29:00 2024 +0530

    iommu: iommufd: fix WARNING in iommufd_device_unbind
    
    [ Upstream commit d9df72c6acd683adf6dd23c061f3a414ec00b1f8 ]
    
    Fix an issue detected by syzbot:
    
    WARNING in iommufd_device_unbind iommufd: Time out waiting for iommufd object to become free
    
    Resolve a warning in iommufd_device_unbind caused by a timeout while
    waiting for the shortterm_users reference count to reach zero. The
    existing 10-second timeout is insufficient in some scenarios, resulting in
    failures the above warning.
    
    Increase the timeout in iommufd_object_dec_wait_shortterm from 10 seconds
    to 60 seconds to allow sufficient time for the reference count to drop to
    zero. This change prevents premature timeouts and reduces the likelihood
    of warnings during iommufd_device_unbind.
    
    Fixes: 6f9c4d8c468c ("iommufd: Do not UAF during iommufd_put_object()")
    Link: https://patch.msgid.link/r/20241123195900.3176-1-surajsonawane0215@xxxxxxxxx
    Reported-by: syzbot+c92878e123785b1fa2db@xxxxxxxxxxxxxxxxxxxxxxxxx
    Closes: https://syzkaller.appspot.com/bug?extid=c92878e123785b1fa2db
    Tested-by: syzbot+c92878e123785b1fa2db@xxxxxxxxxxxxxxxxxxxxxxxxx
    Signed-off-by: Suraj Sonawane <surajsonawane0215@xxxxxxxxx>
    Signed-off-by: Jason Gunthorpe <jgg@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/iommu/iommufd/main.c b/drivers/iommu/iommufd/main.c
index b5f5d27ee9634..649fe79d0f0cc 100644
--- a/drivers/iommu/iommufd/main.c
+++ b/drivers/iommu/iommufd/main.c
@@ -130,7 +130,7 @@ static int iommufd_object_dec_wait_shortterm(struct iommufd_ctx *ictx,
 	if (wait_event_timeout(ictx->destroy_wait,
 				refcount_read(&to_destroy->shortterm_users) ==
 					0,
-				msecs_to_jiffies(10000)))
+				msecs_to_jiffies(60000)))
 		return 0;
 
 	pr_crit("Time out waiting for iommufd object to become free\n");







