[PATCH v3] drm/amdgpu: reject mapping info when BO VA is gone

From: Yousef Alhouseen

Date: Mon Jun 29 2026 - 11:52:57 EST


AMDGPU_GEM_OP_GET_MAPPING_INFO looks up the GEM object before taking
the object and VM locks. The object reference keeps the BO alive, but a
concurrent handle close can remove the per-file BO VA before
amdgpu_vm_bo_find() runs.

The mapping-list walks then dereference the NULL BO VA. Return -EINVAL
when the BO is no longer associated with the VM.

Suggested-by: Christian König <christian.koenig@xxxxxxx>
Signed-off-by: Yousef Alhouseen <alhouseenyousef@xxxxxxxxx>
---
Changes in v3:
- Generate a clean patch against drm-misc-next instead of stacking on v1.
- Keep only the intended !bo_va guard for the handle-close race.
- Clarify the v2 withdrawal confusion in thread replies.

Changes in v2:
- Describe the handle-close race instead of an initially unmapped BO.
- Return -EINVAL instead of -ENOENT.

drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
index 27be5083f2af..83ec994ad36b 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
@@ -1087,6 +1087,12 @@ int amdgpu_gem_op_ioctl(struct drm_device *dev, void *data,
struct drm_amdgpu_gem_vm_entry *vm_entries;
struct amdgpu_bo_va_mapping *mapping;
int num_mappings = 0;
+
+ if (!bo_va) {
+ r = -EINVAL;
+ goto out_exec;
+ }
+
/*
* num_entries is set as an input to the size of the user-allocated array of
* drm_amdgpu_gem_vm_entry stored at args->value.
--
2.54.0