drm/amdkfd: fix UAF race in destroy_queue_cpsch

author Alysa Liu <Alysa.Liu@amd.com>

Wed, 27 May 2026 15:31:35 +0000 (11:31 -0400)

committer Alex Deucher <alexander.deucher@amd.com>

Wed, 3 Jun 2026 18:46:55 +0000 (14:46 -0400)
author Alysa Liu <Alysa.Liu@amd.com>
Wed, 27 May 2026 15:31:35 +0000 (11:31 -0400)
committer Alex Deucher <alexander.deucher@amd.com>
Wed, 3 Jun 2026 18:46:55 +0000 (14:46 -0400)
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c

index 0d7296c739ed7bb942c13e9b4dd044657578f040..0a408f95baac85d5d4a04d5373c6be25d291b391 100644 (file)
--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
@@ -2502,6 +2502,9 @@ static int wait_on_destroy_queue(struct device_queue_manager *dqm,
         if (pdd->qpd.is_debug)
                 return ret;
  
+       if (q->properties.is_being_destroyed)
+               return -EBUSY;
+
         q->properties.is_being_destroyed = true;
  
         if (pdd->process->debug_trap_enabled && q->properties.is_suspended) {
@@ -2514,6 +2517,9 @@ static int wait_on_destroy_queue(struct device_queue_manager *dqm,
                 dqm_lock(dqm);
         }
  
+       if (ret)
+               q->properties.is_being_destroyed = false;
+
         return ret;
  }
  
@@ -2607,7 +2613,7 @@ static int destroy_queue_cpsch(struct device_queue_manager *dqm,
         return retval;
  
  failed_try_destroy_debugged_queue:
-
+       q->properties.is_being_destroyed = false;
         dqm_unlock(dqm);
         return retval;
  }
author	Alysa Liu <Alysa.Liu@amd.com>
	Wed, 27 May 2026 15:31:35 +0000 (11:31 -0400)
committer	Alex Deucher <alexander.deucher@amd.com>
	Wed, 3 Jun 2026 18:46:55 +0000 (14:46 -0400)