Re: [PATCH] drm/ttm: Fix UAF on dma-buf attach failure for sg BOs

["Thomas Hellström" <thomas.hellstrom@linux.intel.com>]

On Thu, 2026-06-25 at 11:27 +0530, Nitin Gote wrote:
> When a dma-buf importer creates a ttm_bo_type_sg BO with bo-
> >base.resv
> pointing at the exporter's dma_buf->resv and dma_buf_dynamic_attach()
> fails, no dma_buf reference is held. The exporter can be freed before
> the delayed_delete worker calls dma_resv_lock(bo->base.resv), causing
> a
> use-after-free:
> 
>   Oops: general protection fault, probably for non-canonical address
>         0x6b6b6b6b6b6b6b9c
>   Workqueue: ttm ttm_bo_delayed_delete [ttm]
>   RIP: 0010:mutex_can_spin_on_owner+0x3f/0xc0
> 
> ttm_bo_individualize_resv() skips the resv swap for all sg BOs to
> keep
> the shared resv available for delayed_delete to release the dma-buf
> mapping. A BO whose attach never succeeded has no mapping to release,
> yet it keeps bo->base.resv pointing at the exporter resv that
> delayed_delete later locks once the exporter is gone.
> 
> Fix this by checking bo->base.import_attach, which is only set after
> successful dma_buf_dynamic_attach(). Failed imports now individualize
> normally, so delayed_delete operates on the BO's private _resv. The
> exporter remains alive during individualize as it runs synchronously
> in ttm_bo_release(), while the gem_prime_import caller still holds
> its dma_buf reference.

I think since the bo is published on the LRU, a LRU walk can still grab
a bo reference before the prime_import caller calls put(). So this
doesn't necessarily hold?

> 
> Closes:
> https://gitlab.freedesktop.org/drm/xe/kernel/-/work_items/8023
> Fixes: d99fbd9aab62 ("drm/ttm: Always take the bo delayed cleanup
> path for imported bos")
> Cc: stable@vger.kernel.org # v6.8+
> Cc: Thomas Hellstrom <thomas.hellstrom@linux.intel.com>
> Cc: Christian Konig <christian.koenig@amd.com>
> Cc: Matthew Auld <matthew.auld@intel.com>
> Assisted-by: GitHub_Copilot:claude-sonnet-4.6
> Signed-off-by: Nitin Gote <nitin.r.gote@intel.com>
> ---
> v3:
> - Dropped the xe-side reordering approach since importer_priv must be
>   valid when dma_buf_dynamic_attach() publishes the attachment.
> - Per Christian's suggestion on the v1 thread, keyed the check on
>   import_attach rather than removing the sg guard entirely.
> - Exporter lifetime: individualize runs synchronously inside
>   ttm_bo_release(), called from drm_gem_object_put() in the
>   gem_prime_import error path while drm_gem_prime_fd_to_handle()
>   still holds its dma_buf reference.
> - Fixes both xe and amdgpu in a single TTM patch.
> 
>  drivers/gpu/drm/ttm/ttm_bo.c | 24 +++++++++++++++---------
>  1 file changed, 15 insertions(+), 9 deletions(-)
> 
> diff --git a/drivers/gpu/drm/ttm/ttm_bo.c
> b/drivers/gpu/drm/ttm/ttm_bo.c
> index bcd76f6bb7f0..bf8eaec0e9ca 100644
> --- a/drivers/gpu/drm/ttm/ttm_bo.c
> +++ b/drivers/gpu/drm/ttm/ttm_bo.c
> @@ -196,6 +196,14 @@ static int ttm_bo_individualize_resv(struct
> ttm_buffer_object *bo)
>  	if (bo->base.resv == &bo->base._resv)
>  		return 0;
>  
> +	/*
> +	 * Successfully imported sg BOs need the shared resv for
> dma-buf
> +	 * cleanup. Failed imports have no attachment or mapping and
> can
> +	 * use the private _resv.
> +	 */
> +	if (bo->type == ttm_bo_type_sg && bo->base.import_attach)
> +		return 0;
> +

You would still need to copy the current fences to _resv here, because
otherwise, the object can be premaurely released. It's considered idle
when the fences attached to _resv have all signaled. So this needs to
be moved below the fence duplication below.

Thanks,
Thomas



>  	BUG_ON(!dma_resv_trylock(&bo->base._resv));
>  
>  	r = dma_resv_copy_fences(&bo->base._resv, bo->base.resv);
> @@ -203,15 +211,13 @@ static int ttm_bo_individualize_resv(struct
> ttm_buffer_object *bo)
>  	if (r)
>  		return r;
>  
> -	if (bo->type != ttm_bo_type_sg) {
> -		/* This works because the BO is about to be
> destroyed and nobody
> -		 * reference it any more. The only tricky case is
> the trylock on
> -		 * the resv object while holding the lru_lock.
> -		 */
> -		spin_lock(&bo->bdev->lru_lock);
> -		bo->base.resv = &bo->base._resv;
> -		spin_unlock(&bo->bdev->lru_lock);
> -	}
> +	/* This works because the BO is about to be destroyed and
> nobody
> +	 * references it any more. The only tricky case is the
> trylock on
> +	 * the resv object while holding the lru_lock.
> +	 */
> +	spin_lock(&bo->bdev->lru_lock);
> +	bo->base.resv = &bo->base._resv;
> +	spin_unlock(&bo->bdev->lru_lock);
>  
>  	return r;
>  }