From 058345d356166a6dfe6e1a6a91ae88dd53316795 Mon Sep 17 00:00:00 2001
From: jsg
Date: Fri, 20 Mar 2026 00:19:58 +0000
Subject: [PATCH] drm/amdgpu: Fix use-after-free race in VM acquire
From Alysa Liu 7885eb335d8f9e9942925d57e300a85e3f82ded4 in linux-6.18.y/6.18.19 2c1030f2e84885cc58bffef6af67d5b9d2e7098f in mainline linux
---
 sys/dev/pci/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/sys/dev/pci/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c b/sys/dev/pci/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
index de8efcc88a6..1dedae5372c 100644
--- a/sys/dev/pci/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
+++ b/sys/dev/pci/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
@@ -1421,7 +1421,10 @@ static int init_kfd_vm(struct amdgpu_vm *vm, void **process_info,
 *process_info = info;
 }
- vm->process_info = *process_info;
+ if (cmpxchg(&vm->process_info, NULL, *process_info) != NULL) {
+ ret = -EINVAL;
+ goto already_acquired;
+ }
 /* Validate page directory and attach eviction fence */
 ret = amdgpu_bo_reserve(vm->root.bo, true);
@@ -1461,6 +1464,7 @@ validate_pd_fail:
 amdgpu_bo_unreserve(vm->root.bo);
 reserve_pd_fail:
 vm->process_info = NULL;
+already_acquired:
 if (info) {
 dma_fence_put(&info->eviction_fence->base);
 *process_info = NULL;
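Review bot: The placement of `already_acquired:` below `vm->process_info = NULL;` in the second hunk is what keeps a caller that lost the `cmpxchg()` from clearing the winner's pointer, yet nothing in the code records that the label order is load-bearing; a later reshuffle of the unwind labels could quietly bring back the use-after-free this patch closes. I would add a comment above the `cmpxchg()` in the first hunk, for example `/* Claim the VM atomically; a loser must not touch vm->process_info, so it unwinds via already_acquired, below the reset. */`. Separately, the winner's failure path still clears the field with a plain store after the pointer has been visible to other threads, and `info` is released right after; whether any reader can pick up `info` in that window depends on code outside these hunks, so it is worth confirming. init_kfd_vm starts before the first hunk and its cleanup continues past the end of the second.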