amdgpu_dma_buf_create_obj() creates the importer BO with obj->resv
pointing at the exporter's dma_buf->resv. If dma_buf_dynamic_attach()
fails, no dma_buf reference is held and the exporter can be freed
before ttm_bo_delayed_delete() runs, causing a UAF on dma_resv_lock().
Switch obj->resv to the BO's private _resv under lru_lock before
dropping the last reference, mirroring ttm_bo_individualize_resv().
The BO carries no fences and is not yet visible to other users, so
the switch is safe.

This is the amdgpu counterpart to the xe fix:
("drm/xe: Fix UAF in xe_gem_prime_import() on attach failure")

Fixes: d99fbd9aab62 ("drm/ttm: Always take the bo delayed cleanup path for imported bos")
Cc: [email protected] # v6.8+
Cc: Christian Konig <[email protected]>
Cc: Alex Deucher <[email protected]>
Suggested-by: Matthew Auld <[email protected]>
Signed-off-by: Nitin Gote <[email protected]>
---
Hi,

This is the amdgpu counterpart to the xe fix:
("drm/xe: Fix UAF in xe_gem_prime_import() on attach failure")
https://patchwork.freedesktop.org/series/167647/

- Nitin

 drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
b/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
index b33c300e26e2..6a24cf2e3666 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
@@ -568,6 +568,16 @@ struct drm_gem_object *amdgpu_gem_prime_import(struct
drm_device *dev,
attach = dma_buf_dynamic_attach(dma_buf, dev->dev,
&amdgpu_dma_buf_attach_ops, obj);
if (IS_ERR(attach)) {
+ /*
+ * Attach failed with no dma_buf ref held; switch resv to the
BO's
+ * private _resv under lru_lock before the last put, so
+ * ttm_bo_delayed_delete() doesn't dereference the stale
exporter
+ * resv.
+ */
+ spin_lock(&gem_to_amdgpu_bo(obj)->tbo.bdev->lru_lock);
+ obj->resv = &obj->_resv;
+ spin_unlock(&gem_to_amdgpu_bo(obj)->tbo.bdev->lru_lock);
+
drm_gem_object_put(obj);
return ERR_CAST(attach);
}
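Review bot: the new comment in this hunk says what is switched but not why the switch is safe without any fence handling; the commit message justifies it by the BO carrying no fences and not yet being visible to other users (which is what lets this path skip the fence copying that ttm_bo_individualize_resv() does), and that precondition belongs in the code comment so a later change that attaches a fence or publishes the object before dma_buf_dynamic_attach() does not silently reintroduce the use-after-free. As a style point, `gem_to_amdgpu_bo(obj)->tbo.bdev->lru_lock` is spelled out twice in the lock/unlock pair; a local `struct amdgpu_bo *bo = gem_to_amdgpu_bo(obj);` above the spin_lock() would shorten both lines and match how the rest of this file refers to the TTM object.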
--
2.50.1