Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:
Pre-existing issues: - [Critical] Caching the `vm_area_struct` pointer in the MMU interval notifier leads to Use-After-Free on `munmap()`. - [High] The patch incompletely fixes a Use-After-Free of `amdxdna_client` during device removal. The UAF remains in the standard GEM mmap path, IOCTLs, and GEM destruction callbacks. - [High] Double put of DRM GEM object reference on the error path in `amdxdna_insert_pages`. - [High] Premature destruction of `notifier_wq` leads to Use-After-Free when unmapping VMAs after device removal. -- commit 4a66abc4067bb1f72f27f8b25d0d1de298787835 Author: Lizhi Hou <[email protected]> accel/amdxdna: Fix amdxdna_client accessing race in amdxdna_drm_gem_mmap() amdxdna_drm_gem_mmap() can be called after drm_dev_unplug() during device removal. In that case, the mmap path may access amdxdna_client after it has been freed, leading to a use-after-free. Guard the mmap path with drm_dev_enter()/drm_dev_exit() and return an error if the device is already unplugged. > diff --git a/drivers/accel/amdxdna/amdxdna_pci_drv.c > b/drivers/accel/amdxdna/amdxdna_pci_drv.c > index a22c986f1b331..c18ddad9f6459 100644 > --- a/drivers/accel/amdxdna/amdxdna_pci_drv.c > +++ b/drivers/accel/amdxdna/amdxdna_pci_drv.c > @@ -253,15 +253,24 @@ static int amdxdna_drm_gem_mmap(struct file *filp, > struct vm_area_struct *vma) > { > struct drm_file *drm_filp = filp->private_data; > struct amdxdna_client *client = drm_filp->driver_priv; > - struct amdxdna_dev *xdna = client->xdna; > + struct amdxdna_dev *xdna; > + int ret, idx; > > if (likely(vma->vm_pgoff >= DRM_FILE_PAGE_OFFSET_START)) > return drm_gem_mmap(filp, vma); > [Severity: High] This is a pre-existing issue, but does this bypass of drm_dev_enter() leave the use-after-free unresolved for standard GEM mmaps? The patch adds drm_dev_enter() below this check, but if the condition (vma->vm_pgoff >= DRM_FILE_PAGE_OFFSET_START) is met, it calls drm_gem_mmap() which eventually calls amdxdna_gem_obj_mmap() without the device removal protection. Since amdxdna_remove() frees all client structures regardless of open file descriptors, abo->client becomes a dangling pointer here. Additionally, do the IOCTL handlers (like amdxdna_drm_config_hwctx_ioctl in drivers/accel/amdxdna/amdxdna_ctx.c) and GEM destruction callbacks (like amdxdna_gem_del_bo_usage in drivers/accel/amdxdna/amdxdna_gem.c) also need drm_dev_enter() protection? They appear to extract and dereference filp->driver_priv without synchronization. > - if (!xdna->dev_info->ops->mmap) > - return -EOPNOTSUPP; > + if (!drm_dev_enter(drm_filp->minor->dev, &idx)) > + return -ENODEV; [ ... ] [Severity: High] This isn't a bug introduced by this patch, but could the error path in amdxdna_insert_pages() lead to a double put of the GEM object reference? In drivers/accel/amdxdna/amdxdna_gem.c:amdxdna_insert_pages(), if page insertion fails: if (ret) { XDNA_ERR(xdna, "Failed insert pages %d", ret); vma->vm_ops->close(vma); return ret; } For shmem GEM objects, calling close() drops the object reference. When this error returns to drm_gem_mmap_obj(), it executes its error cleanup path which calls drm_gem_object_put() again, causing the same reference to be dropped twice. [Severity: High] This isn't a bug introduced by this patch, but is it safe to destroy the notifier_wq during device removal? In drivers/accel/amdxdna/amdxdna_pci_drv.c:amdxdna_remove(): destroy_workqueue(xdna->notifier_wq); If userspace retains mapped VMAs after the device is removed, a subsequent munmap() will trigger amdxdna_hmm_invalidate() in drivers/accel/amdxdna/amdxdna_gem.c, which queues work to the destroyed workqueue: queue_work(xdna->notifier_wq, &mapp->hmm_unreg_work); Can this lead to a use-after-free if the workqueue was already freed? [Severity: Critical] This isn't a bug introduced by this patch, but does caching the vm_area_struct pointer lead to a use-after-free during munmap()? In drivers/accel/amdxdna/amdxdna_gem.c:amdxdna_hmm_register(), the vma pointer is cached: mapp->vma = vma; The core MM subsystem can split or free VMA objects independently. When munmap() is called, the notifier queues amdxdna_hmm_unreg_work() to run asynchronously. By the time amdxdna_umap_release() runs, the core MM has already freed the VMA, but the driver dereferences it: if (is_import_bo(abo) && vma->vm_file && vma->vm_file->f_mapping) Does this need to be tracked differently to avoid accessing a freed VMA? -- Sashiko AI review ยท https://sashiko.dev/#/patchset/[email protected]?part=2
