From efcc4ebceba0f2884a238f9549916e08c0162abc Mon Sep 17 00:00:00 2001
From: jsg
Date: Thu, 4 Apr 2024 08:14:53 +0000
Subject: [PATCH] drm/amdgpu: fix use-after-free bug

From Vitaly Prosyak
e87e08c94c9541b4e18c4c13f2f605935f512605 in linux-6.6.y/6.6.24
22207fd5c80177b860279653d017474b2812af5e in mainline linux
---
 sys/dev/pci/drm/amd/amdgpu/amdgpu_hmm.c | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/sys/dev/pci/drm/amd/amdgpu/amdgpu_hmm.c b/sys/dev/pci/drm/amd/amdgpu/amdgpu_hmm.c
index b806c760ba3..02d4604435b 100644
--- a/sys/dev/pci/drm/amd/amdgpu/amdgpu_hmm.c
+++ b/sys/dev/pci/drm/amd/amdgpu/amdgpu_hmm.c
@@ -129,13 +129,25 @@ static const struct mmu_interval_notifier_ops amdgpu_hmm_hsa_ops = {
  */
 int amdgpu_hmm_register(struct amdgpu_bo *bo, unsigned long addr)
 {
+ int r;
+
  if (bo->kfd_bo)
- return mmu_interval_notifier_insert(&bo->notifier, current->mm,
+ r = mmu_interval_notifier_insert(&bo->notifier, current->mm,
  addr, amdgpu_bo_size(bo),
  &amdgpu_hmm_hsa_ops);
- return mmu_interval_notifier_insert(&bo->notifier, current->mm, addr,
- amdgpu_bo_size(bo),
- &amdgpu_hmm_gfx_ops);
+ else
+ r = mmu_interval_notifier_insert(&bo->notifier, current->mm, addr,
+ amdgpu_bo_size(bo),
+ &amdgpu_hmm_gfx_ops);
+ if (r)
+ /*
+ * Make sure amdgpu_hmm_unregister() doesn't call
+ * mmu_interval_notifier_remove() when the notifier isn't properly
+ * initialized.
+ */
+ bo->notifier.mm = NULL;
+
+ return r;
 }
 
 /**
-- 
2.20.1
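Review bot: The failure path at `if (r)` depends on amdgpu_hmm_unregister() treating a NULL `bo->notifier.mm` as "never registered", but that contract is only stated in the inline comment, and the kerneldoc for this function (whose closing ` */` is the first context line of the hunk, the rest lying outside it) does not mention the return value or this failure guarantee. I would add a `Return:` line to that kerneldoc, e.g. `Return: 0 on success or a negative error code; on failure bo->notifier.mm is reset to NULL so that amdgpu_hmm_unregister() remains safe to call.` Whether mmu_interval_notifier_insert() can leave `notifier.mm` set on its error paths cannot be seen from the hunk, so the comment should name that as the assumption the reset covers. As a style point, the `if (r)` body is a single statement separated from its condition by a five-line comment; bracing it, `if (r) { /* ... */ bo->notifier.mm = NULL; }`, makes the scope obvious and keeps a future second statement from landing outside the body.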