[PATCH 1/1] drm/amdkfd: Correct mmu_notifier_get failure handling

Felix Kuehling felix.kuehling at amd.com
Thu Jul 21 15:04:31 UTC 2022


On 2022-07-21 at 09:44, Philip Yang wrote:
> If the process has a signal pending, mmu_notifier_get_locked fails and calls
> ops->free_notifier; kfd_process_free_notifier will then schedule
> kfd_process_wq_release because the process refcount is 1, but the process
> structure is already freed. This use-after-free bug causes system crashes
> with different backtraces.
>
> The fix is to increase process refcount and then decrease the refcount
> after mmu_notifier_get success.
>
> Signed-off-by: Philip Yang <Philip.Yang at amd.com>

Reviewed-by: Felix Kuehling <Felix.Kuehling at amd.com>


> ---
>   drivers/gpu/drm/amd/amdkfd/kfd_process.c | 6 ++++++
>   1 file changed, 6 insertions(+)
>
> diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process.c b/drivers/gpu/drm/amd/amdkfd/kfd_process.c
> index fc38a4d81420..d8591721270b 100644
> --- a/drivers/gpu/drm/amd/amdkfd/kfd_process.c
> +++ b/drivers/gpu/drm/amd/amdkfd/kfd_process.c
> @@ -1405,6 +1405,11 @@ static struct kfd_process *create_process(const struct task_struct *thread)
>   	hash_add_rcu(kfd_processes_table, &process->kfd_processes,
>   			(uintptr_t)process->mm);
>   
> +	/* Avoid free_notifier to start kfd_process_wq_release if
> +	 * mmu_notifier_get failed because of pending signal.
> +	 */
> +	kref_get(&process->ref);
> +
>   	/* MMU notifier registration must be the last call that can fail
>   	 * because after this point we cannot unwind the process creation.
>   	 * After this point, mmu_notifier_put will trigger the cleanup by
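Review bot: the extra kref_get() at the new lines is taken unconditionally, so the balancing put on the failure path is not visible in this hunk; please confirm that when mmu_notifier_get fails, the refcount goes 2 -> 1 via free_notifier (as the commit message describes) and the existing unwind in create_process drops the remaining reference, otherwise the process would leak instead of being freed. The comment wording "Avoid free_notifier to start kfd_process_wq_release" also reads awkwardly; something like "Take a temporary reference so free_notifier cannot trigger kfd_process_wq_release if mmu_notifier_get fails because of a pending signal; it is dropped after registration succeeds" would document both halves of the fix in one place.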
> @@ -1417,6 +1422,7 @@ static struct kfd_process *create_process(const struct task_struct *thread)
>   	}
>   	BUG_ON(mn != &process->mmu_notifier);
>   
> +	kfd_unref_process(process);
>   	get_task_struct(process->lead_thread);
>   
>   	return process;
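Review bot: the bare kfd_unref_process(process) after BUG_ON(mn != &process->mmu_notifier) has no comment tying it to the kref_get taken before mmu_notifier_get in the earlier hunk, so a later reader may mistake it for a drop of the process's primary reference. A one-line comment such as "/* Drop the temporary reference taken before mmu_notifier_get */" would make the pairing explicit. Placing the put before get_task_struct(process->lead_thread) is fine here, since the refcount is 2 at this point and cannot reach zero.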

