Revert "drm/amdgpu: fix slab-use-after-free in amdgpu_userq_mgr_fini"

vprosyak · alexdeucher · commit a73345b866ff · 2025-07-07T13:48:50.000-04:00
This reverts commit 5fb9042. The original patch moved `amdgpu_userq_mgr_fini()` to the driver's `postclose` callback, which is called after `drm_gem_release()` in the DRM file cleanup sequence.If a user application crashes or aborts without cleaning up its user queues, 'drm_gem_release()` may free GEM objects that are still referenced by active user queues, leading to use-after-free. By reverting, we ensure that user queues are disabled and cleaned up before any GEM objects are released, preventing this class of bug. However, this reintroduces a race during PCI hot-unplug, where device removal can race with per-file cleanup, leading to use-after-free in suspend/unplug paths. This will be fixed in the next patch. Fixes: 5fb9042 ("drm/amdgpu: fix slab-use-after-free in amdgpu_userq_mgr_fini+0x70c") Signed-off-by: Vitaly Prosyak <vitaly.prosyak@amd.com> Acked-by: Alex Deucher <alexander.deucher@amd.com> Reviewed-by: Christian König <christian.koenig@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
@@ -2911,6 +2911,20 @@ static int amdgpu_pmops_runtime_idle(struct device *dev)
 	return ret;
 }
 
+static int amdgpu_drm_release(struct inode *inode, struct file *filp)
+{
+	struct drm_file *file_priv = filp->private_data;
+	struct amdgpu_fpriv *fpriv = file_priv->driver_priv;
+
+	if (fpriv) {
+		fpriv->evf_mgr.fd_closing = true;
+		amdgpu_eviction_fence_destroy(&fpriv->evf_mgr);
+		amdgpu_userq_mgr_fini(&fpriv->userq_mgr);
+	}
+
+	return drm_release(inode, filp);
+}
+
 long amdgpu_drm_ioctl(struct file *filp,
 		      unsigned int cmd, unsigned long arg)
 {
@@ -2962,7 +2976,7 @@ static const struct file_operations amdgpu_driver_kms_fops = {
 	.owner = THIS_MODULE,
 	.open = drm_open,
 	.flush = amdgpu_flush,
-	.release = drm_release,
+	.release = amdgpu_drm_release,
 	.unlocked_ioctl = amdgpu_drm_ioctl,
 	.mmap = drm_gem_mmap,
 	.poll = drm_poll,
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
@@ -1501,9 +1501,6 @@ void amdgpu_driver_postclose_kms(struct drm_device *dev,
 		amdgpu_vm_bo_del(adev, fpriv->prt_va);
 		amdgpu_bo_unreserve(pd);
 	}
-	fpriv->evf_mgr.fd_closing = true;
-	amdgpu_eviction_fence_destroy(&fpriv->evf_mgr);
-	amdgpu_userq_mgr_fini(&fpriv->userq_mgr);
 
 	amdgpu_ctx_mgr_fini(&fpriv->ctx_mgr);
 	amdgpu_vm_fini(adev, &fpriv->vm);

Original file line number	Diff line number	Diff line change
`@@ -1501,9 +1501,6 @@ void amdgpu_driver_postclose_kms(struct drm_device *dev,`
`1501`	`1501`	`amdgpu_vm_bo_del(adev, fpriv->prt_va);`
`1502`	`1502`	`amdgpu_bo_unreserve(pd);`
`1503`	`1503`	`}`
`1504`		`- fpriv->evf_mgr.fd_closing = true;`
`1505`		`- amdgpu_eviction_fence_destroy(&fpriv->evf_mgr);`
`1506`		`- amdgpu_userq_mgr_fini(&fpriv->userq_mgr);`
`1507`	`1504`
`1508`	`1505`	`amdgpu_ctx_mgr_fini(&fpriv->ctx_mgr);`
`1509`	`1506`	`amdgpu_vm_fini(adev, &fpriv->vm);`