On 2/12/2026 4:13 PM, Alex Deucher wrote:
On Thu, Feb 12, 2026 at 2:32 PM Chen, Xiaogang<[email protected]> wrote:
[AMD Official Use Only - AMD Internal Distribution Only]
Let parent/child process share same vm will cause multiple issues. There is no
use case or need for that. It should be prevented at uses space, not work
around at this specific place in driver.
I agree that userspace shouldn't to stupid things, but if it does, the
kernel needs to gracefully handle it.
Using same vm for multiple processes will cause multiple issues. Not
only race on vm->process_info. This hacking does not reveal useful
security issue. If parent process wants share its vm to another process
kernel cannot do anything. This sharing just makes driver not work.
People can see multiple errors from this sharing. If driver addresses
every raised issue duo to vm sharing it would be endless.
Xiaogang
Alex
Regards
Xiaogang
From: amd-gfx<[email protected]> On Behalf Of
Kasiviswanathan, Harish
Sent: Thursday, February 12, 2026 12:31 PM
To: Liu, Alysa<[email protected]>;[email protected]
Cc: Deucher, Alexander<[email protected]>
Subject: Re: [PATCH] drm/amdgpu: Fix use-after-free race in VM acquire
[AMD Official Use Only - AMD Internal Distribution Only]
Reviewed-by: Harish Kasiviswanathan<[email protected]>
________________________________
From: Liu, Alysa<[email protected]>
Sent: Thursday, February 5, 2026 11:28 AM
To:[email protected] <[email protected]>
Cc: Deucher, Alexander<[email protected]>; Kasiviswanathan,
Harish<[email protected]>; Liu, Alysa<[email protected]>
Subject: [PATCH] drm/amdgpu: Fix use-after-free race in VM acquire
Replace non-atomic vm->process_info assignment with cmpxchg()
to prevent race when parent/child processes sharing a drm_file
both try to acquire the same VM after fork().
Signed-off-by:[email protected] <[email protected]>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
index 00ea69baa126..f7b2358a0303 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
@@ -1432,7 +1432,10 @@ static int init_kfd_vm(struct amdgpu_vm *vm, void
**process_info,
*process_info = info;
}
- vm->process_info = *process_info;
+ if (cmpxchg(&vm->process_info, NULL, *process_info) != NULL) {
+ ret = -EINVAL;
+ goto already_acquired;
+ }
/* Validate page directory and attach eviction fence */
ret = amdgpu_bo_reserve(vm->root.bo, true);
@@ -1472,6 +1475,7 @@ static int init_kfd_vm(struct amdgpu_vm *vm, void
**process_info,
amdgpu_bo_unreserve(vm->root.bo);
reserve_pd_fail:
vm->process_info = NULL;
+already_acquired:
if (info) {
dma_fence_put(&info->eviction_fence->base);
*process_info = NULL;
--
2.34.1
