git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Sunil Khatri <sunil.khatri@amd.com>
	Mon, 2 Mar 2026 13:20:46 +0000 (18:50 +0530)
committer	Alex Deucher <alexander.deucher@amd.com>
	Wed, 4 Mar 2026 16:50:56 +0000 (11:50 -0500)
commit	4952189b284d4d847f92636bb42dd747747129c0
tree	ad7fb4dfa3864e2ef99f84a0f0210c8e44ebf3d6	tree \| snapshot
parent	c7c573275ec20db05be769288a3e3bb2250ec618	commit \| diff

drm/amdgpu/userq: refcount userqueues to avoid any race conditions

To avoid race condition and avoid UAF cases, implement kref
based queues and protect the below operations using xa lock
a. Getting a queue from xarray
b. Increment/Decrement it's refcount

Every time some one want to access a queue, always get via
amdgpu_userq_get to make sure we have locks in place and get
the object if active.

A userqueue is destroyed on the last refcount is dropped which
typically would be via IOCTL or during fini.

v2: Add the missing drop in one the condition in the signal ioclt [Alex]

v3: remove the queue from the xarray first in the free queue ioctl path
    [Christian]

- Pass queue to the amdgpu_userq_put directly.
- make amdgpu_userq_put xa_lock free since we are doing put for each get
  only and final put is done via destroy and we remove the queue from xa
  with lock.
- use userq_put in fini too so cleanup is done fully.

v4: Use xa_erase directly rather than doing load and erase in free
    ioctl. Also remove some of the error logs which could be exploited
    by the user to flood the logs [Christian]

Signed-off-by: Sunil Khatri <sunil.khatri@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>

drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c		diff \| blob \| blame \| history
drivers/gpu/drm/amd/amdgpu/amdgpu_userq.h		diff \| blob \| blame \| history
drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c		diff \| blob \| blame \| history