Race condition / TOCTOU / Potential use-after-free in AMDGPU user queue VA validation

HIGH
torvalds/linux
Commit: 85653fe2e52e
Affected: 7.0-rc5 and earlier (pre-patch).
2026-04-25 13:02 UTC

Description

The patch fixes a TOCTOU race in amdgpu_userq_input_va_validate, where the kernel could validate a user-queue virtual address without the caller holding the reservation on the VM's root buffer object (root.bo). Previously, validation could occur after the reservation had been released, or without proper locking, enabling a race that could lead to a use-after-free or unauthorized access to the root buffer object. The fix requires the caller to hold the root.bo reservation during validation, enforced with dma_resv_assert_held, and adjusts reservation handling in the queue-creation paths so that the reservation is taken and released explicitly around the validation calls. In short: without this fix, a malicious user could race with the VA validation to abuse the user-queue mapping, potentially causing memory corruption or privilege escalation in a GPU context.

Commit Details

Author: Sunil Khatri

Date: 2026-04-08 16:04 UTC

Message:

drm/amdgpu/userq: hold root bo lock in caller of input_va_validate

Caller should hold the reservation lock for root.bo in func
amdgpu_userq_input_va_validate.

Signed-off-by: Sunil Khatri <sunil.khatri@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>

Triage Assessment

Vulnerability Type: Race condition / Potential use-after-free

Confidence: HIGH

Reasoning:

The patch changes the locking discipline around the root.bo reservation during user-queue VA validation. By requiring the caller to hold the root.bo reservation and asserting it with dma_resv_assert_held, it prevents TOCTOU/race conditions in which validation could occur without proper protection, potentially leading to a use-after-free or unauthorized access. This is a synchronization-related security fix (race condition with privilege impact) rather than a pure refactor or performance change.

Verification Assessment

Vulnerability Type: Race condition / TOCTOU / Potential use-after-free in AMDGPU user queue VA validation

Confidence: HIGH

Affected Versions: 7.0-rc5 and earlier (pre-patch).

Code Diff

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c index d460cb48592081..31510d7fc0e90e 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c @@ -239,13 +239,12 @@ int amdgpu_userq_input_va_validate(struct amdgpu_device *adev, u64 size; int r = 0; + /* Caller must hold vm->root.bo reservation */ + dma_resv_assert_held(queue->vm->root.bo->tbo.base.resv); + user_addr = (addr & AMDGPU_GMC_HOLE_MASK) >> AMDGPU_GPU_PAGE_SHIFT; size = expected_size >> AMDGPU_GPU_PAGE_SHIFT; - r = amdgpu_bo_reserve(vm->root.bo, false); - if (r) - return r; - va_map = amdgpu_vm_bo_lookup_mapping(vm, user_addr); if (!va_map) { r = -EINVAL; @@ -255,13 +254,11 @@ int amdgpu_userq_input_va_validate(struct amdgpu_device *adev, if (user_addr >= va_map->start && va_map->last - user_addr + 1 >= size) { amdgpu_userq_buffer_va_list_add(queue, va_map, user_addr); - amdgpu_bo_unreserve(vm->root.bo); return 0; } r = -EINVAL; out_err: - amdgpu_bo_unreserve(vm->root.bo); return r; } @@ -773,13 +770,20 @@ amdgpu_userq_create(struct drm_file *filp, union drm_amdgpu_userq *args) db_info.doorbell_offset = args->in.doorbell_offset; queue->userq_mgr = uq_mgr; + /* Validate the userq virtual address.*/ + r = amdgpu_bo_reserve(fpriv->vm.root.bo, false); + if (r) + goto free_queue; + if (amdgpu_userq_input_va_validate(adev, queue, args->in.queue_va, args->in.queue_size) || amdgpu_userq_input_va_validate(adev, queue, args->in.rptr_va, AMDGPU_GPU_PAGE_SIZE) || amdgpu_userq_input_va_validate(adev, queue, args->in.wptr_va, AMDGPU_GPU_PAGE_SIZE)) { r = -EINVAL; + amdgpu_bo_unreserve(fpriv->vm.root.bo); goto clean_mapping; } + amdgpu_bo_unreserve(fpriv->vm.root.bo); /* Convert relative doorbell offset into absolute doorbell index */ index = amdgpu_userq_get_doorbell_index(uq_mgr, &db_info, filp); 
@@ -863,6 +867,7 @@ amdgpu_userq_create(struct drm_file *filp, union drm_amdgpu_userq *args) amdgpu_bo_reserve(fpriv->vm.root.bo, true); amdgpu_userq_buffer_vas_list_cleanup(adev, queue); amdgpu_bo_unreserve(fpriv->vm.root.bo); +free_queue: kfree(queue); return r; } diff --git a/drivers/gpu/drm/amd/amdgpu/mes_userqueue.c b/drivers/gpu/drm/amd/amdgpu/mes_userqueue.c index faac21ee5739c0..2fc39a6938f6db 100644 --- a/drivers/gpu/drm/amd/amdgpu/mes_userqueue.c +++ b/drivers/gpu/drm/amd/amdgpu/mes_userqueue.c @@ -322,8 +322,14 @@ static int mes_userq_mqd_create(struct amdgpu_usermode_queue *queue, goto free_mqd; } + r = amdgpu_bo_reserve(queue->vm->root.bo, false); + if (r) { + kfree(compute_mqd); + goto free_mqd; + } r = amdgpu_userq_input_va_validate(adev, queue, compute_mqd->eop_va, 2048); + amdgpu_bo_unreserve(queue->vm->root.bo); if (r) { kfree(compute_mqd); goto free_mqd; @@ -365,14 +371,22 @@ static int mes_userq_mqd_create(struct amdgpu_usermode_queue *queue, userq_props->tmz_queue = mqd_user->flags & AMDGPU_USERQ_CREATE_FLAGS_QUEUE_SECURE; + r = amdgpu_bo_reserve(queue->vm->root.bo, false); + if (r) { + kfree(mqd_gfx_v11); + goto free_mqd; + } r = amdgpu_userq_input_va_validate(adev, queue, mqd_gfx_v11->shadow_va, shadow_info.shadow_size); if (r) { + amdgpu_bo_unreserve(queue->vm->root.bo); kfree(mqd_gfx_v11); goto free_mqd; } + r = amdgpu_userq_input_va_validate(adev, queue, mqd_gfx_v11->csa_va, shadow_info.csa_size); + amdgpu_bo_unreserve(queue->vm->root.bo); if (r) { kfree(mqd_gfx_v11); goto free_mqd; @@ -394,8 +408,15 @@ static int mes_userq_mqd_create(struct amdgpu_usermode_queue *queue, r = -ENOMEM; goto free_mqd; } + + r = amdgpu_bo_reserve(queue->vm->root.bo, false); + if (r) { + kfree(mqd_sdma_v11); + goto free_mqd; + } r = amdgpu_userq_input_va_validate(adev, queue, mqd_sdma_v11->csa_va, 32); + amdgpu_bo_unreserve(queue->vm->root.bo); if (r) { kfree(mqd_sdma_v11); goto free_mqd;
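Review bot: in the first amdgpu_userq.c hunk (@@ -239), the new assert reads dma_resv_assert_held(queue->vm->root.bo->tbo.base.resv); while the rest of the function keeps using the local vm (amdgpu_vm_bo_lookup_mapping(vm, user_addr), and the removed amdgpu_bo_reserve(vm->root.bo, false)); write the assert against vm->root.bo so the object asserted as locked and the object being looked up are visibly the same. The locking requirement also belongs in the function's header comment, not only in an inline comment, since every caller now has to know it; dma_resv_assert_held is a lockdep assertion, so a caller that forgets the reservation is only caught on a lockdep-enabled build.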
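Review bot: in the amdgpu_userq_create hunk (@@ -773), amdgpu_bo_unreserve(fpriv->vm.root.bo); is duplicated, once inside the r = -EINVAL; branch and once directly after it. Capture the combined result of the three amdgpu_userq_input_va_validate calls in a local, unreserve once, then test it before goto clean_mapping; that leaves a single unlock and keeps a future extra check from missing it. The new goto free_queue on reserve failure is correct, since nothing has been added to the queue's VA list yet, but the free_queue label in the @@ -863 hunk must stay immediately before kfree(queue) and after the clean_mapping block for that to hold. Minor: the comment /* Validate the userq virtual address.*/ is missing the space before */.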
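Review bot: in the three mes_userqueue.c hunks (@@ -322, @@ -365, @@ -394), the same reserve / validate / unreserve sequence is open-coded three times, and each new reserve-failure path repeats the kfree(...); goto free_mqd; that already follows the validate call. A small helper that takes the root.bo reservation, calls amdgpu_userq_input_va_validate and drops the reservation would remove the duplication and make a missed amdgpu_bo_unreserve on a future error path much less likely. In the @@ -365 hunk the shadow_va and csa_va checks correctly share one reservation, but they exit differently (unreserve inside the if (r) for shadow_va, unreserve before the if (r) for csa_va); running the second validate only when the first succeeded, unreserving once after both, and then testing r would give the block a single exit sequence.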