[PATCH] accel/amdxdna: Fix use-after-free in amdxdna_gem_dmabuf_mmap()

Next message: Anisa Su: "[PATCH v11 10/31] cxl/mem: Configure dynamic capacity interrupts"
Previous message: Anisa Su: "[PATCH v11 23/31] dax/bus: Factor out dev dax resize logic"
Next in thread: Lizhi Hou: "Re: [PATCH] accel/amdxdna: Fix use-after-free in amdxdna_gem_dmabuf_mmap()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Wentao Liang

Date: Thu Jun 25 2026 - 07:33:08 EST

When vm_insert_pages() fails, the error path calls vma->vm_ops->close(vma)
which internally calls drm_gem_vm_close() → drm_gem_object_put(),
releasing the GEM object reference acquired at the start of the function.
However, the close_vma label then falls through to put_obj, which calls
drm_gem_object_put() a second time on the same object.

If the first put releases the last reference, the object is freed and the
second put accesses freed memory, causing a use-after-free.

Fix by returning directly from close_vma instead of falling through to
put_obj, since the close handler already performs all necessary cleanup
including the object put.

Cc: stable@xxxxxxxxxxxxxxx
Fixes: e486147c912f ("accel/amdxdna: Add BO import and export")
Signed-off-by: Wentao Liang <vulab@xxxxxxxxxxx>
---
drivers/accel/amdxdna/amdxdna_gem.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/accel/amdxdna/amdxdna_gem.c b/drivers/accel/amdxdna/amdxdna_gem.c
index 6e367ddb9e1b..fec9763c518c 100644
--- a/drivers/accel/amdxdna/amdxdna_gem.c
+++ b/drivers/accel/amdxdna/amdxdna_gem.c
@@ -469,6 +469,7 @@ static int amdxdna_gem_dmabuf_mmap(struct dma_buf *dma_buf, struct vm_area_struc

close_vma:
vma->vm_ops->close(vma);
+ return ret;
put_obj:
drm_gem_object_put(gobj);
return ret;
--
2.39.5 (Apple Git-154)