From: sashiko-bot@kernel.org
To: "Lizhi Hou" <lizhi.hou@amd.com>
Cc: dri-devel@lists.freedesktop.org
Subject: Re: [PATCH V3 2/3] accel/amdxdna: Fix notifier_wq lifetime race during device removal
Date: Thu, 11 Jun 2026 06:03:51 +0000
Message-ID: <20260611060352.1A5F61F00893@smtp.kernel.org>
In-Reply-To: <20260611055150.3070216-2-lizhi.hou@amd.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Asynchronous work item `amdxdna_hmm_unreg_work` dereferences a potentially freed `vm_area_struct` during MMU notifier release.
--

commit 9bd885c56a90bdf89e66e4a081996397ef692196
Author: Lizhi Hou <lizhi.hou@amd.com>

accel/amdxdna: Fix notifier_wq lifetime race during device removal

This commit fixes a use-after-free race during device removal by converting
notifier_wq to use drmm_alloc_ordered_workqueue. This ensures the workqueue
lifetime is managed by DRM and remains valid until resources are released.

> diff --git a/drivers/accel/amdxdna/amdxdna_pci_drv.c b/drivers/accel/amdxdna/amdxdna_pci_drv.c
> index 470bf4fc744bf..b943c06a451ef 100644
> --- a/drivers/accel/amdxdna/amdxdna_pci_drv.c
> +++ b/drivers/accel/amdxdna/amdxdna_pci_drv.c
[ ... ]
> @@ -389,9 +389,9 @@ static int amdxdna_probe(struct pci_dev *pdev, const struct pci_device_id *id)
> if (ret)
> return ret;
>
> - xdna->notifier_wq = alloc_ordered_workqueue("notifier_wq", WQ_MEM_RECLAIM);
> - if (!xdna->notifier_wq) {
> - ret = -ENOMEM;
> + xdna->notifier_wq = drmm_alloc_ordered_workqueue(ddev, "notifier_wq", WQ_MEM_RECLAIM);
> + if (IS_ERR(xdna->notifier_wq)) {
> + ret = PTR_ERR(xdna->notifier_wq);
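
Review bot: in the new error branch at `if (IS_ERR(xdna->notifier_wq))`, the field still holds the ERR_PTR value after `ret = PTR_ERR(xdna->notifier_wq);`, so any later NULL-style check on `xdna->notifier_wq` would treat it as a live workqueue; if the field can be reached after a failed probe, set it to NULL in that branch. Since the queue is now released by DRM through `ddev`, also confirm that no explicit destroy_workqueue() call on `xdna->notifier_wq` remains in the probe unwind or remove path (those lines are elided here), because that would tear the queue down twice.
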
[Severity: High]
This is a pre-existing issue, but can the work items queued to this
workqueue trigger a use-after-free on a vm_area_struct?

Looking at drivers/accel/amdxdna/amdxdna_gem.c, when handling an
MMU_NOTIFY_UNMAP event, the hmm_unreg_work is queued to this notifier_wq
to execute asynchronously. The worker eventually calls amdxdna_umap_release()
which dereferences the vma:

	if (is_import_bo(abo) && vma->vm_file && vma->vm_file->f_mapping)
		mapping_clear_unevictable(vma->vm_file->f_mapping);

Since the work item is asynchronous, couldn't the core memory management
subsystem tear down the mapping and free the vm_area_struct before
amdxdna_umap_release() executes, leading to a use-after-free when accessing
vma->vm_file?

--
Sashiko AI review · https://sashiko.dev/#/patchset/20260611055150.3070216-1-lizhi.hou@amd.com?part=2
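
The lifetime question raised in the review above, modelled in userspace C as an added example (not code from the patch, the driver, or the reviewer; every name in it is hypothetical). It compares a deferred worker that keeps a borrowed vma pointer with one that takes its own file reference while the notifier still holds a valid vma, under the ordering "work queued, mapping torn down, worker runs".

```c
#include <stdbool.h>
/* Constructed userspace model; all names are hypothetical, not amdxdna code. */
struct file_model { int refs; bool unevictable; };
struct vma_model { struct file_model *file; bool torn_down; };
struct work_borrowed { struct vma_model *vma; };  /* keeps the borrowed vma */
struct work_pinned { struct file_model *file; };  /* keeps its own file ref */

static void queue_pinned(struct work_pinned *w, struct vma_model *vma)
{
    w->file = vma->file;        /* vma is still valid inside the notifier */
    if (w->file)
        w->file->refs++;
}

static void mm_teardown(struct vma_model *vma)
{
    if (vma->file)
        vma->file->refs--;      /* the mapping gives up its file reference */
    vma->torn_down = true;      /* stands in for the vma being freed */
}

static bool run_borrowed(struct work_borrowed *w)
{
    if (w->vma->torn_down)      /* real code has no such flag to test */
        return false;           /* worker would have read a retired vma */
    if (w->vma->file)
        w->vma->file->unevictable = false;
    return true;
}

static bool run_pinned(struct work_pinned *w)
{
    if (w->file) {              /* never touches the vma */
        w->file->unevictable = false;
        w->file->refs--;        /* drop the reference taken at queue time */
    }
    return true;
}

/* Ordering from the review: work queued, mm tears down, worker runs last. */
static bool race(struct vma_model *vma, bool pin)
{
    struct work_borrowed b = { .vma = vma };
    struct work_pinned p = { .file = 0 };
    if (pin)
        queue_pinned(&p, vma);
    mm_teardown(vma);
    return pin ? run_pinned(&p) : run_borrowed(&b);
}
```

In the borrowed case the cleanup is skipped and the file is left marked unevictable; in the pinned case the worker finishes its cleanup on memory it owns a reference to.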
Thread overview: 6+ messages
2026-06-11 5:51 [PATCH V3 1/3] accel/amdxdna: Fix amdxdna_client lifetime race during device removal Lizhi Hou
2026-06-11 5:51 ` [PATCH V3 2/3] accel/amdxdna: Fix notifier_wq " Lizhi Hou
2026-06-11 6:03 ` sashiko-bot [this message]
2026-06-11 5:51 ` [PATCH V3 3/3] accel/amdxdna: Fix iommu domain " Lizhi Hou
2026-06-11 6:03 ` sashiko-bot
2026-06-11 6:06 ` [PATCH V3 1/3] accel/amdxdna: Fix amdxdna_client " sashiko-bot