From: Michael Bommarito
To: Alex Deucher, Christian Koenig, David Francis, Sumit Semwal, David Airlie, Simona Vetter, amd-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, linaro-mm-sig@lists.linaro.org
Cc: Ziyi Guo
Subject: [PATCH] drm/amdgpu: fix lock leak on ENOMEM in AMDGPU_GEM_OP_GET_MAPPING_INFO
Date: Sun, 17 May 2026 09:17:42 -0400
Message-ID: <20260517131742.3435209-1-michael.bommarito@gmail.com>

The AMDGPU_GEM_OP_GET_MAPPING_INFO branch of amdgpu_gem_op_ioctl() holds three cleanup-tracked resources before calling kvcalloc(): the drm_gem_object reference from drm_gem_object_lookup(), the drm_exec lock on the looked-up GEM via drm_exec_lock_obj(), and the drm_exec lock on the per-process VM root page directory via amdgpu_vm_lock_pd(). All three are released by the out_exec label that every other error path in this function jumps to.

The kvcalloc() failure path returns -ENOMEM directly, skipping out_exec and leaking all three. The leaked per-process VM root PD dma_resv lock is the load-bearing leak: any subsequent operation on the same VM (further GEM ops, command-submission, eviction, TTM shrinker callbacks) blocks on the held lock. DRM_IOCTL_AMDGPU_GEM_OP is DRM_AUTH | DRM_RENDER_ALLOW, so this is an unprivileged-local denial of service against the caller's GPU context, reachable by any process with /dev/dri/renderD* access.

Route the failure through out_exec so drm_exec_fini() and drm_gem_object_put() run.

Reproduced on stock 7.0.0-10, Ryzen 7 5700U / Radeon Vega (Lucienne): the failing ioctl returns -ENOMEM and a second GET_MAPPING_INFO on the same fd then blocks in drm_exec_lock_obj() on the leaked dma_resv.
SIGKILL on the caller does not reap the task; the fd-release path during process exit goes through amdgpu_gem_object_close() -> drm_exec_prepare_obj() on the same lock, leaving the task in D state until the box is rebooted.

The patched kernel was not rebuilt and re-tested on this hardware; the fix is mechanical. Tested on a single Lucienne / Vega box only.

Ziyi Guo posted an independent INT_MAX-bound check for args->num_entries in the same branch [1]; the two patches are complementary and can land in either order.

Fixes: 4d82724f7f2b ("drm/amdgpu: Add mapping info option for GEM_OP ioctl")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/all/20260208000255.4073363-1-n7l8m4@u.northwestern.edu/ # [1]
Signed-off-by: Michael Bommarito
Assisted-by: Claude:claude-opus-4-7
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/= amdgpu/amdgpu_gem.c index 9ef80bca4102..8224fb499fdf 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c @@ -1091,8 +1091,10 @@ int amdgpu_gem_op_ioctl(struct drm_device *dev, void= *data, * be retried. */ vm_entries =3D kvcalloc(args->num_entries, sizeof(*vm_entries), GFP_KERN= EL); - if (!vm_entries) - return -ENOMEM; + if (!vm_entries) { + r =3D -ENOMEM; + goto out_exec; + } =20 amdgpu_vm_bo_va_for_each_valid_mapping(bo_va, mapping) { if (num_mappings < args->num_entries) { --=20 2.53.0
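
Review bot: In the new if (!vm_entries) branch, the goto out_exec is only correct if everything at that label tolerates vm_entries == NULL and returns r, and the label lies outside this hunk's context; please confirm in the commit message that out_exec does nothing with vm_entries beyond a NULL-safe free. Since the message states that the patched kernel was not rebuilt and re-tested, a run showing that a second GET_MAPPING_INFO on the same fd returns after the failing one would be good to have before the stable backport. The allocation size comes straight from args->num_entries, so this path is easy to reach from userspace; the bound check referenced as [1] narrows that but does not replace this fix.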
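
A user-space model of the failure the commit message describes, added here as an illustration (it is not amdgpu or kernel code and not part of the patch). The model_ names are hypothetical, and a lock that is still held is reported as -EBUSY where the real ioctl would block.

```c
/* Added user-space model, not amdgpu code; all model_ names are hypothetical. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* GEM object lock, VM root PD lock, and the reference from the object lookup. */
struct model_vm { bool bo_locked, pd_locked; int bo_refs; };

/* fail_alloc simulates kvcalloc() returning NULL; fixed selects the patched path. */
int model_get_mapping_info(struct model_vm *vm, size_t n, bool fail_alloc, bool fixed)
{
    int r = 0;
    int *entries;

    if (vm->bo_locked || vm->pd_locked)
        return -EBUSY;            /* the real ioctl would sleep here instead */
    vm->bo_refs++;
    vm->bo_locked = true;
    vm->pd_locked = true;

    entries = fail_alloc ? NULL : calloc(n, sizeof(*entries));
    if (!entries) {
        if (!fixed)
            return -ENOMEM;       /* pre-patch: bypasses out_exec, all three leak */
        r = -ENOMEM;
        goto out_exec;            /* patched: same cleanup as other error paths */
    }
    free(entries);
out_exec:
    vm->bo_locked = false;
    vm->pd_locked = false;
    vm->bo_refs--;
    return r;
}

/* Result of a second call on the same VM after the first one hit ENOMEM. */
int model_second_call_after_enomem(bool fixed)
{
    struct model_vm vm = {0};
    if (model_get_mapping_info(&vm, 4, true, fixed) != -ENOMEM)
        return 1;
    return model_get_mapping_info(&vm, 4, false, fixed);
}

int main(void)
{
    printf("second call, pre-patch: %d\n", model_second_call_after_enomem(false));
    printf("second call, patched:   %d\n", model_second_call_after_enomem(true));
    return 0;
}
```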