drm/amdkfd: fix UAF race in destroy_queue_cpsch

wait_on_destroy_queue() drops locks to wait for queue resume, allowing
a concurrent destroy to free the queue. Use is_being_destroyed flag to
serialize destruction.

Reviewed-by: Amir Shetaia <Amir.Shetaia@amd.com>
Signed-off-by: Alysa Liu <Alysa.Liu@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>

diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
index cbd6fe8340f7b60651d8c71a097a03311c00942e..c6a2b952303a07ca94647b9bb2f630016a95700d 100644 (file)
--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
@@ -2669,6 +2669,9 @@ static int wait_on_destroy_queue(struct device_queue_manager *dqm,
        if (pdd->qpd.is_debug)
                return ret;
 
+       if (q->properties.is_being_destroyed)
+               return -EBUSY;
+
        q->properties.is_being_destroyed = true;
 
        if (pdd->process->debug_trap_enabled && q->properties.is_suspended) {
@@ -2681,6 +2684,9 @@ static int wait_on_destroy_queue(struct device_queue_manager *dqm,
                dqm_lock(dqm);
        }
 
+       if (ret)
+               q->properties.is_being_destroyed = false;
+
        return ret;
 }
 
@@ -2774,7 +2780,7 @@ static int destroy_queue_cpsch(struct device_queue_manager *dqm,
        return retval;
 
 failed_try_destroy_debugged_queue:
-
+       q->properties.is_being_destroyed = false;
        dqm_unlock(dqm);
        return retval;
 }