[PATCH v2] drm/amdgpu: reject mapping info when BO VA is gone

Next message: Eugenio Perez Martin: "Re: [PATCH] tools/virtio: Remove unsupported --batch option from vhost_net_test"
Previous message: Krzysztof Kozlowski: "Re: [PATCH v2 1/3] dt-bindings: media: qcom: Add JPEG encoder binding"
In reply to: Christian K&#xF6;nig: "Re: [PATCH] drm/amdgpu: reject mapping info for unmapped BOs"
Next in thread: Yousef Alhouseen: "Re: [PATCH v2] drm/amdgpu: reject mapping info when BO VA is gone"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Yousef Alhouseen

Date: Thu Jun 25 2026 - 09:56:05 EST

AMDGPU_GEM_OP_GET_MAPPING_INFO looks up the GEM object from the file
handle and then locks the object and VM before resolving the BO-VA. The
GEM object reference keeps the BO alive, but it does not keep the
per-file handle open.

If a racing close drops the last handle reference in that window,
amdgpu_gem_object_close() can remove the BO-VA before
amdgpu_vm_bo_find() runs. The ioctl then walks the BO-VA mapping lists
unconditionally.

Return -EINVAL if the BO is no longer associated with this VM.

Suggested-by: Christian König <christian.koenig@xxxxxxx>
Signed-off-by: Yousef Alhouseen <alhouseenyousef@xxxxxxxxx>
---
Changes in v2:
- Describe the handle-close race instead of an initially unmapped BO.
- Return -EINVAL instead of -ENOENT.

drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
index 212c14d99..6f5b6f4c2 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
@@ -1087,6 +1087,12 @@ int amdgpu_gem_op_ioctl(struct drm_device *dev, void *data,
struct drm_amdgpu_gem_vm_entry *vm_entries;
struct amdgpu_bo_va_mapping *mapping;
int num_mappings = 0;
+
+ if (!bo_va) {
+ r = -EINVAL;
+ goto out_exec;
+ }
+
/*
* num_entries is set as an input to the size of the user-allocated array of
* drm_amdgpu_gem_vm_entry stored at args->value.
--
2.54.0