Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
drm/amdgpu: Fix use-after-free race in VM acquire
Replace non-atomic vm->process_info assignment with cmpxchg()
to prevent race when parent/child processes sharing a drm_file
both try to acquire the same VM after fork().
Reviewed-by: Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com>
Signed-off-by: Alysa Liu <Alysa.Liu@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
authored by
Alysa Liu
and committed by
Alex Deucher
c7c57327
8de9edb3
+5
-1
+5
-1
drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
+5
-1
drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
···
1439
1439
*process_info = info;
1440
1440
}
1441
1441
1442
-
vm->process_info = *process_info;
1442
+
if (cmpxchg(&vm->process_info, NULL, *process_info) != NULL) {
1443
+
ret = -EINVAL;
1444
+
goto already_acquired;
1445
+
}
1443
1446
1444
1447
/* Validate page directory and attach eviction fence */
1445
1448
ret = amdgpu_bo_reserve(vm->root.bo, true);
···
1482
1479
amdgpu_bo_unreserve(vm->root.bo);
1483
1480
reserve_pd_fail:
1484
1481
vm->process_info = NULL;
1482
+
already_acquired:
1485
1483
if (info) {
1486
1484
dma_fence_put(&info->eviction_fence->base);
1487
1485
*process_info = NULL;