git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Mario Limonciello <mario.limonciello@amd.com>
	Sat, 13 Jun 2026 02:22:04 +0000 (21:22 -0500)
committer	Alex Deucher <alexander.deucher@amd.com>
	Wed, 17 Jun 2026 22:19:37 +0000 (18:19 -0400)
commit	8fa5655da368d0306c03e9dc9cda8ae2a7840926
tree	42d7e34100783b353d695e54f6bbaa9c7697b013	tree \| snapshot
parent	f896e86273dbbebb5eac966b4a201b5c62a02e9a	commit \| diff

drm/amdkfd: fix list_del corruption in kfd_criu_resume_svm

The cleanup tail of kfd_criu_resume_svm() walks
svms->criu_svm_metadata_list and kfree()s each struct criu_svm_metadata
without removing it from the list. The list head is left pointing at
freed kmalloc-96 objects.

A second AMDKFD_IOC_CRIU_OP from the same process re-enters: list_empty()
reads the dangling ->next (use-after-free), the loop walks freed entries,
and each is kfree()'d again (double-free). This is reachable by an
unprivileged render-group user via /dev/kfd with no capabilities required.

Add list_del() before the kfree() so the list is properly emptied. The
list_for_each_entry_safe() iterator already caches the next pointer, so
unlinking during the walk is safe.

Fixes: 2a909ae71871 ("drm/amdkfd: CRIU resume shared virtual memory ranges")
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 6322d278a298e2c1430b9d2697743d3a04b788b1)