drm/amdgpu: fix use-after-free bug

From Vitaly Prosyak
e87e08c94c9541b4e18c4c13f2f605935f512605 in linux-6.6.y/6.6.24
22207fd5c80177b860279653d017474b2812af5e in mainline linux

diff --git a/sys/dev/pci/drm/amd/amdgpu/amdgpu_hmm.c b/sys/dev/pci/drm/amd/amdgpu/amdgpu_hmm.c
index b806c76..02d4604 100644 (file)
--- a/sys/dev/pci/drm/amd/amdgpu/amdgpu_hmm.c
+++ b/sys/dev/pci/drm/amd/amdgpu/amdgpu_hmm.c
@@ -129,13 +129,25 @@ static const struct mmu_interval_notifier_ops amdgpu_hmm_hsa_ops = {
  */
 int amdgpu_hmm_register(struct amdgpu_bo *bo, unsigned long addr)
 {
+       int r;
+
        if (bo->kfd_bo)
-               return mmu_interval_notifier_insert(&bo->notifier, current->mm,
+               r = mmu_interval_notifier_insert(&bo->notifier, current->mm,
                                                    addr, amdgpu_bo_size(bo),
                                                    &amdgpu_hmm_hsa_ops);
-       return mmu_interval_notifier_insert(&bo->notifier, current->mm, addr,
-                                           amdgpu_bo_size(bo),
-                                           &amdgpu_hmm_gfx_ops);
+       else
+               r = mmu_interval_notifier_insert(&bo->notifier, current->mm, addr,
+                                                       amdgpu_bo_size(bo),
+                                                       &amdgpu_hmm_gfx_ops);
+       if (r)
+               /*
+                * Make sure amdgpu_hmm_unregister() doesn't call
+                * mmu_interval_notifier_remove() when the notifier isn't properly
+                * initialized.
+                */
+               bo->notifier.mm = NULL;
+
+       return r;
 }
 
 /**