[PATCH 1/1] drm/amdkfd: Correct mmu_notifier_get failure handling

[PATCH 1/1] drm/amdkfd: Correct mmu_notifier_get failure handling

[Philip Yang]

If process has signal pending, mmu_notifier_get_locked fails and calls
ops->free_notifier, kfd_process_free_notifier will schedule
kfd_process_wq_release as process refcount is 1, but process structure
is already freed. This use after free bug causes system crash with
different backtrace.

The fix is to increase process refcount and then decrease the refcount
after mmu_notifier_get success.

Signed-off-by: Philip Yang <Philip.Yang@amd.com>
---
 drivers/gpu/drm/amd/amdkfd/kfd_process.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process.c b/drivers/gpu/drm/amd/amdkfd/kfd_process.c
index fc38a4d81420..d8591721270b 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_process.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_process.c
@@ -1405,6 +1405,11 @@ static struct kfd_process *create_process(const struct task_struct *thread)
 	hash_add_rcu(kfd_processes_table, &process->kfd_processes,
 			(uintptr_t)process->mm);
 
+	/* Avoid free_notifier to start kfd_process_wq_release if
+	 * mmu_notifier_get failed because of pending signal.
+	 */
+	kref_get(&process->ref);
+
 	/* MMU notifier registration must be the last call that can fail
 	 * because after this point we cannot unwind the process creation.
 	 * After this point, mmu_notifier_put will trigger the cleanup by
@@ -1417,6 +1422,7 @@ static struct kfd_process *create_process(const struct task_struct *thread)
 	}
 	BUG_ON(mn != &process->mmu_notifier);
 
+	kfd_unref_process(process);
 	get_task_struct(process->lead_thread);
 
 	return process;
-- 
2.35.1

Re: [PATCH 1/1] drm/amdkfd: Correct mmu_notifier_get failure handling

[Felix Kuehling]

Am 2022-07-21 um 09:44 schrieb Philip Yang:
> If process has signal pending, mmu_notifier_get_locked fails and calls
> ops->free_notifier, kfd_process_free_notifier will schedule
> kfd_process_wq_release as process refcount is 1, but process structure
> is already freed. This use after free bug causes system crash with
> different backtrace.
>
> The fix is to increase process refcount and then decrease the refcount
> after mmu_notifier_get success.
>
> Signed-off-by: Philip Yang <Philip.Yang@amd.com>

Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>


> ---
>   drivers/gpu/drm/amd/amdkfd/kfd_process.c | 6 ++++++
>   1 file changed, 6 insertions(+)
>
> diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process.c b/drivers/gpu/drm/amd/amdkfd/kfd_process.c
> index fc38a4d81420..d8591721270b 100644
> --- a/drivers/gpu/drm/amd/amdkfd/kfd_process.c
> +++ b/drivers/gpu/drm/amd/amdkfd/kfd_process.c
> @@ -1405,6 +1405,11 @@ static struct kfd_process *create_process(const struct task_struct *thread)
>   	hash_add_rcu(kfd_processes_table, &process->kfd_processes,
>   			(uintptr_t)process->mm);
>   
> +	/* Avoid free_notifier to start kfd_process_wq_release if
> +	 * mmu_notifier_get failed because of pending signal.
> +	 */
> +	kref_get(&process->ref);
> +
>   	/* MMU notifier registration must be the last call that can fail
>   	 * because after this point we cannot unwind the process creation.
>   	 * After this point, mmu_notifier_put will trigger the cleanup by
> @@ -1417,6 +1422,7 @@ static struct kfd_process *create_process(const struct task_struct *thread)
>   	}
>   	BUG_ON(mn != &process->mmu_notifier);
>   
> +	kfd_unref_process(process);
>   	get_task_struct(process->lead_thread);
>   
>   	return process;