[PATCH V1] accel/amdxdna: Fix VMA access race

Lizhi Hou posted 1 patch 2 weeks, 2 days ago
drivers/accel/amdxdna/aie2_ctx.c    | 2 --
drivers/accel/amdxdna/amdxdna_gem.c | 7 ++++---
2 files changed, 4 insertions(+), 5 deletions(-)
Posted by Lizhi Hou 2 weeks, 2 days ago
aie2_populate_range() and amdxdna_umap_release() access a saved VMA
pointer that may have already been freed, leading to a potential
use-after-free.

Remove the VMA accesses from these functions to avoid the race.

Fixes: e486147c912f ("accel/amdxdna: Add BO import and export")
Signed-off-by: Lizhi Hou <lizhi.hou@amd.com>
---
 drivers/accel/amdxdna/aie2_ctx.c    | 2 --
 drivers/accel/amdxdna/amdxdna_gem.c | 7 ++++---
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/drivers/accel/amdxdna/aie2_ctx.c b/drivers/accel/amdxdna/aie2_ctx.c
index da89b3701f5b..3e21e2dabe82 100644
--- a/drivers/accel/amdxdna/aie2_ctx.c
+++ b/drivers/accel/amdxdna/aie2_ctx.c
@@ -1023,8 +1023,6 @@ static int aie2_populate_range(struct amdxdna_gem_obj *abo)
 	kref_get(&mapp->refcnt);
 	up_write(&xdna->notifier_lock);
 
-	XDNA_DBG(xdna, "populate memory range %lx %lx",
-		 mapp->vma->vm_start, mapp->vma->vm_end);
 	mm = mapp->notifier.mm;
 	if (!mmget_not_zero(mm)) {
 		amdxdna_umap_put(mapp);
diff --git a/drivers/accel/amdxdna/amdxdna_gem.c b/drivers/accel/amdxdna/amdxdna_gem.c
index 63976c3bcbe0..80dd183ecba9 100644
--- a/drivers/accel/amdxdna/amdxdna_gem.c
+++ b/drivers/accel/amdxdna/amdxdna_gem.c
@@ -271,6 +271,10 @@ static bool amdxdna_hmm_invalidate(struct mmu_interval_notifier *mni,
 	if (range->event == MMU_NOTIFY_UNMAP) {
 		down_write(&xdna->notifier_lock);
 		if (!mapp->unmapped) {
+			if (is_import_bo(abo) && mapp->vma->vm_file &&
+			    mapp->vma->vm_file->f_mapping)
+				mapping_clear_unevictable(mapp->vma->vm_file->f_mapping);
+
 			queue_work(xdna->notifier_wq, &mapp->hmm_unreg_work);
 			mapp->unmapped = true;
 		}
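Review bot: The added block at the top of this hunk still dereferences the saved `mapp->vma` (through `vm_file` and `f_mapping`), the very pointer the description says may already be freed; it is presumably safe here only because the invalidate callback runs while the mm is locked for the unmap of that range, and that assumption should be written down, e.g. `/* mapp->vma is still live here: invalidate runs under the mm lock for the UNMAP of this range */`, and it would not hold if the VMA had been split or merged since registration (hedged, not visible in the hunk). The clear is also now reached only on an `MMU_NOTIFY_UNMAP` event with `!mapp->unmapped`, whereas the call removed from amdxdna_umap_release in the next hunk ran on every release, so a release that is not preceded by an UNMAP notification would leave the imported file mapping flagged unevictable; if such a path exists it needs the clear as well. A local `struct file *vm_file = mapp->vma->vm_file;` would also shorten the condition and the call. amdxdna_hmm_invalidate starts before and continues past this hunk.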
@@ -308,12 +312,9 @@ static void amdxdna_umap_release(struct kref *ref)
 {
 	struct amdxdna_umap *mapp = container_of(ref, struct amdxdna_umap, refcnt);
 	struct amdxdna_gem_obj *abo = mapp->abo;
-	struct vm_area_struct *vma = mapp->vma;
 	struct amdxdna_dev *xdna;
 
 	mmu_interval_notifier_remove(&mapp->notifier);
-	if (is_import_bo(abo) && vma->vm_file && vma->vm_file->f_mapping)
-		mapping_clear_unevictable(vma->vm_file->f_mapping);
 
 	xdna = to_xdna_dev(to_gobj(mapp->abo)->dev);
 	down_write(&xdna->notifier_lock);
-- 
2.34.1