Commit c7c57327 authored by Alysa Liu's avatar Alysa Liu Committed by Alex Deucher
Browse files

drm/amdgpu: Fix use-after-free race in VM acquire 



Replace non-atomic vm->process_info assignment with cmpxchg()
to prevent race when parent/child processes sharing a drm_file
both try to acquire the same VM after fork().

Reviewed-by: default avatarHarish Kasiviswanathan <Harish.Kasiviswanathan@amd.com>
Signed-off-by: default avatarAlysa Liu <Alysa.Liu@amd.com>
Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
parent 8de9edb3

drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c

+5 −1
Original line number Diff line number Diff line
@@ -1439,7 +1439,10 @@ static int init_kfd_vm(struct amdgpu_vm *vm, void **process_info, 
		*process_info = info;

	}



	vm->process_info = *process_info;

	if (cmpxchg(&vm->process_info, NULL, *process_info) != NULL) {

		ret = -EINVAL;

		goto already_acquired;

	}



	/* Validate page directory and attach eviction fence */

	ret = amdgpu_bo_reserve(vm->root.bo, true);
@@ -1479,6 +1482,7 @@ static int init_kfd_vm(struct amdgpu_vm *vm, void **process_info, 
	amdgpu_bo_unreserve(vm->root.bo);

reserve_pd_fail:

	vm->process_info = NULL;

already_acquired:

	if (info) {

		dma_fence_put(&info->eviction_fence->base);

		*process_info = NULL;