Reviewed-by: Amir Shetaia <[email protected]>


AMIR SHETAIA

Senior Software Development Engineer  |  AMD
Software Platform Architecture Team

________________________________
From: Liu, Alysa <[email protected]>
Sent: Wednesday, May 27, 2026 11:33 AM
To: [email protected] <[email protected]>
Cc: Shetaia, Amir <[email protected]>; Liu, Alysa <[email protected]>
Subject: [PATCH] drm/amdkfd: fix UAF race in destroy_queue_cpsch

wait_on_destroy_queue() drops locks to wait for queue resume, allowing
a concurrent destroy to free the queue. Use is_being_destroyed flag to
serialize destruction.

Signed-off-by: Alysa Liu <[email protected]>
---
 drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c 
b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
index 4c2378bbdc95..4c383d549ab3 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
@@ -2669,6 +2669,9 @@ static int wait_on_destroy_queue(struct 
device_queue_manager *dqm,
         if (pdd->qpd.is_debug)
                 return ret;

+       if (q->properties.is_being_destroyed)
+               return -EBUSY;
+
         q->properties.is_being_destroyed = true;

         if (pdd->process->debug_trap_enabled && q->properties.is_suspended) {
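Review bot: The new test of q->properties.is_being_destroyed and the assignment right below it only serialize destroyers if the dqm lock is held on entry to wait_on_destroy_queue(), and nothing in the hunk states or checks that. Since the function later drops and re-takes that lock, a short comment or a lockdep assertion at the top would make the requirement explicit. The check also sits after the pdd->qpd.is_debug early return, so that path neither sets nor tests the flag; please confirm that is intended. Finally, -EBUSY is a new return value for this function and the commit message does not say what the losing caller is expected to do with it, which matters for how the error surfaces to the process that issued the second destroy.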
@@ -2681,6 +2684,9 @@ static int wait_on_destroy_queue(struct 
device_queue_manager *dqm,
                 dqm_lock(dqm);
         }

+       if (ret)
+               q->properties.is_being_destroyed = false;
+
         return ret;
 }

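Review bot: The "if (ret) q->properties.is_being_destroyed = false;" reset before the final return overlaps with the reset added at failed_try_destroy_debugged_queue in destroy_queue_cpsch(), so on a failed wait the flag may be cleared in two places. It would be easier to reason about if exactly one function owned clearing the flag. If wait_on_destroy_queue() is meant to be that owner for its own failures, the caller should not clear it again for the same error; if the caller owns it, this reset can go. Either way a one-line comment naming the owner would help the next reader.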
@@ -2774,7 +2780,7 @@ static int destroy_queue_cpsch(struct 
device_queue_manager *dqm,
         return retval;

 failed_try_destroy_debugged_queue:
-
+       q->properties.is_being_destroyed = false;
         dqm_unlock(dqm);
         return retval;
 }
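Review bot: The reset at failed_try_destroy_debugged_queue is unconditional, so if the -EBUSY bailout added in wait_on_destroy_queue() reaches this label, the losing caller clears a flag that the first destroyer set and still relies on. A third caller could then pass the is_being_destroyed check while the first one is still waiting with the lock dropped, which is the race the commit message describes. Suggest clearing the flag only when this caller was the one that set it, for example by skipping the reset when retval is -EBUSY, or by leaving all clearing to wait_on_destroy_queue(). If other paths jump to this label before the flag is ever set, the unconditional clear is harmless there, but that is worth a comment.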
--
2.34.1
