Re: [PATCH] accel/amdxdna: Fix use-after-free in amdxdna_gem_dmabuf_mmap()

[Lizhi Hou]

On 6/25/26 04:32, Wentao Liang wrote:
> When vm_insert_pages() fails, the error path calls vma->vm_ops->close(vma)
> which internally calls drm_gem_vm_close() → drm_gem_object_put(),
> releasing the GEM object reference acquired at the start of the function.
> However, the close_vma label then falls through to put_obj, which calls
> drm_gem_object_put() a second time on the same object.
>
> If the first put releases the last reference, the object is freed and the
> second put accesses freed memory, causing a use-after-free.
>
> Fix by returning directly from close_vma instead of falling through to
> put_obj, since the close handler already performs all necessary cleanup
> including the object put.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: e486147c912f ("accel/amdxdna: Add BO import and export")
> Signed-off-by: Wentao Liang <vulab@xxxxxxxxxxx>
> ---
>   drivers/accel/amdxdna/amdxdna_gem.c | 1 +
>   1 file changed, 1 insertion(+)
>
> diff --git a/drivers/accel/amdxdna/amdxdna_gem.c b/drivers/accel/amdxdna/amdxdna_gem.c
> index 6e367ddb9e1b..fec9763c518c 100644
> --- a/drivers/accel/amdxdna/amdxdna_gem.c
> +++ b/drivers/accel/amdxdna/amdxdna_gem.c
> @@ -469,6 +469,7 @@ static int amdxdna_gem_dmabuf_mmap(struct dma_buf *dma_buf, struct vm_area_struc
>   
>   close_vma:
>   	vma->vm_ops->close(vma);
> +	return ret;
Reviewed-by: Lizhi Hou <lizhi.hou@xxxxxxx>
>   put_obj:
>   	drm_gem_object_put(gobj);
>   	return ret;