Bug 2347957 (CVE-2022-49133) - CVE-2022-49133 kernel: drm/amdkfd: svm range restore work deadlock when process exit
Keywords:
Status: NEW
Alias: CVE-2022-49133
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2025-02-26 03:12 UTC by OSIDB Bzimport
Modified: 2025-02-27 22:59 UTC
CC List: 4 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-02-26 03:12:38 UTC
In the Linux kernel, the following vulnerability has been resolved:

drm/amdkfd: svm range restore work deadlock when process exit

kfd_process_notifier_release flushes svm_range_restore_work,
which calls svm_range_list_lock_and_flush_work to flush the deferred_list
work, but if the deferred_list work's mmput releases the last user, it will
call exit_mmap -> notifier_release, which deadlocks with the backtrace below.

Move the flush of svm_range_restore_work to kfd_process_wq_release to avoid
the deadlock. Then svm_range_restore_work takes a task->mm ref to avoid the mm
being gone while validating and mapping ranges to the GPU.

Workqueue: events svm_range_deferred_list_work [amdgpu]
Call Trace:
 wait_for_completion+0x94/0x100
 __flush_work+0x12a/0x1e0
 __cancel_work_timer+0x10e/0x190
 cancel_delayed_work_sync+0x13/0x20
 kfd_process_notifier_release+0x98/0x2a0 [amdgpu]
 __mmu_notifier_release+0x74/0x1f0
 exit_mmap+0x170/0x200
 mmput+0x5d/0x130
 svm_range_deferred_list_work+0x104/0x230 [amdgpu]
 process_one_work+0x220/0x3c0

Comment 3 Avinash Hanwate 2025-02-27 22:54:32 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025022606-CVE-2022-49133-d5c9@gregkh/T
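
A triage check for the hang described in this bug, as an added example that is not part of the bug report or the kernel patch: it parses a hung-worker backtrace and reports whether the deferred-list work is waiting inside the notifier-release path it reached through mmput. The names `parse_trace` and `matches_reported_deadlock` are hypothetical, and the optional `[timestamp]` prefix handling is an assumption about how the log was captured; the embedded trace is the one from the description.

```python
import re

# Reliable frame: " symbol+0xoff/0xsize [module]"; "? symbol" guesses are skipped.
PREFIX = r"^\s*(?:\[\s*[\d.]+\]\s*)?"  # optional dmesg timestamp (assumption)
FRAME_RE = re.compile(PREFIX + r"([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
WORKQUEUE_RE = re.compile(PREFIX + r"Workqueue:\s+(\S+)\s+(\S+)")

# Call chain from the bug description, outermost frame first.
DEADLOCK_CHAIN = [
    "svm_range_deferred_list_work", "mmput", "exit_mmap",
    "__mmu_notifier_release", "kfd_process_notifier_release",
    "cancel_delayed_work_sync", "wait_for_completion",
]

# Backtrace copied from the bug description.
REPORTED_TRACE = """\
Workqueue: events svm_range_deferred_list_work [amdgpu]
Call Trace:
 wait_for_completion+0x94/0x100
 __flush_work+0x12a/0x1e0
 __cancel_work_timer+0x10e/0x190
 cancel_delayed_work_sync+0x13/0x20
 kfd_process_notifier_release+0x98/0x2a0 [amdgpu]
 __mmu_notifier_release+0x74/0x1f0
 exit_mmap+0x170/0x200
 mmput+0x5d/0x130
 svm_range_deferred_list_work+0x104/0x230 [amdgpu]
 process_one_work+0x220/0x3c0
"""

def parse_trace(text):
    """Return (work function name, frame symbols innermost first)."""
    work_fn, frames = None, []
    for line in text.splitlines():
        wq = WORKQUEUE_RE.match(line)
        if wq:
            work_fn = wq.group(2)
        elif (frame := FRAME_RE.match(line)):
            frames.append(frame.group(1))
    return work_fn, frames

def matches_reported_deadlock(text):
    """True when the deferred-list work waits inside its own mmput path."""
    work_fn, frames = parse_trace(text)
    if work_fn != DEADLOCK_CHAIN[0]:
        return False
    outermost_first = iter(reversed(frames))
    # "sym in iterator" consumes it, so this checks an ordered subsequence.
    return all(sym in outermost_first for sym in DEADLOCK_CHAIN)
```

The match is an ordered-subsequence test, so extra frames between the listed ones (as `__flush_work` and `__cancel_work_timer` are here) do not prevent a hit.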

