ghsa-ppmr-4j3r-434x
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: Fix double release compute pasid
If kfd_process_device_init_vm returns failure after vm is converted to compute vm and vm->pasid set to compute pasid, KFD will not take pdd->drm_file reference. As a result, drm close file handler may be called to release the compute pasid before KFD process destroy worker to release the same pasid and set vm->pasid to zero, this generates below WARNING backtrace and NULL pointer access.
Add helper amdgpu_amdkfd_gpuvm_set_vm_pasid and call it at the last step of kfd_process_device_init_vm, to ensure vm pasid is the original pasid if acquiring vm failed or is the compute pasid with pdd->drm_file reference taken to avoid double release same pasid.
 amdgpu: Failed to create process VM object
 ida_free called for id=32770 which is not allocated.
 WARNING: CPU: 57 PID: 72542 at ../lib/idr.c:522 ida_free+0x96/0x140
 RIP: 0010:ida_free+0x96/0x140
 Call Trace:
 amdgpu_pasid_free_delayed+0xe1/0x2a0 [amdgpu]
 amdgpu_driver_postclose_kms+0x2d8/0x340 [amdgpu]
 drm_file_free.part.13+0x216/0x270 [drm]
 drm_close_helper.isra.14+0x60/0x70 [drm]
 drm_release+0x6e/0xf0 [drm]
 __fput+0xcc/0x280
 ____fput+0xe/0x20
 task_work_run+0x96/0xc0
 do_exit+0x3d0/0xc10

 BUG: kernel NULL pointer dereference, address: 0000000000000000
 RIP: 0010:ida_free+0x76/0x140
 Call Trace:
 amdgpu_pasid_free_delayed+0xe1/0x2a0 [amdgpu]
 amdgpu_driver_postclose_kms+0x2d8/0x340 [amdgpu]
 drm_file_free.part.13+0x216/0x270 [drm]
 drm_close_helper.isra.14+0x60/0x70 [drm]
 drm_release+0x6e/0xf0 [drm]
 __fput+0xcc/0x280
 ____fput+0xe/0x20
 task_work_run+0x96/0xc0
 do_exit+0x3d0/0xc10
{
  "affected": [],
  "aliases": [
    "CVE-2022-50303"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-15T15:15:41Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix double release compute pasid\n\nIf kfd_process_device_init_vm returns failure after vm is converted to\ncompute vm and vm-\u003epasid set to compute pasid, KFD will not take\npdd-\u003edrm_file reference. As a result, drm close file handler maybe\ncalled to release the compute pasid before KFD process destroy worker to\nrelease the same pasid and set vm-\u003epasid to zero, this generates below\nWARNING backtrace and NULL pointer access.\n\nAdd helper amdgpu_amdkfd_gpuvm_set_vm_pasid and call it at the last step\nof kfd_process_device_init_vm, to ensure vm pasid is the original pasid\nif acquiring vm failed or is the compute pasid with pdd-\u003edrm_file\nreference taken to avoid double release same pasid.\n\n amdgpu: Failed to create process VM object\n ida_free called for id=32770 which is not allocated.\n WARNING: CPU: 57 PID: 72542 at ../lib/idr.c:522 ida_free+0x96/0x140\n RIP: 0010:ida_free+0x96/0x140\n Call Trace:\n amdgpu_pasid_free_delayed+0xe1/0x2a0 [amdgpu]\n amdgpu_driver_postclose_kms+0x2d8/0x340 [amdgpu]\n drm_file_free.part.13+0x216/0x270 [drm]\n drm_close_helper.isra.14+0x60/0x70 [drm]\n drm_release+0x6e/0xf0 [drm]\n __fput+0xcc/0x280\n ____fput+0xe/0x20\n task_work_run+0x96/0xc0\n do_exit+0x3d0/0xc10\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n RIP: 0010:ida_free+0x76/0x140\n Call Trace:\n amdgpu_pasid_free_delayed+0xe1/0x2a0 [amdgpu]\n amdgpu_driver_postclose_kms+0x2d8/0x340 [amdgpu]\n drm_file_free.part.13+0x216/0x270 [drm]\n drm_close_helper.isra.14+0x60/0x70 [drm]\n drm_release+0x6e/0xf0 [drm]\n __fput+0xcc/0x280\n ____fput+0xe/0x20\n task_work_run+0x96/0xc0\n do_exit+0x3d0/0xc10",
  "id": "GHSA-ppmr-4j3r-434x",
  "modified": "2025-09-15T15:31:26Z",
  "published": "2025-09-15T15:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50303"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1a799c4c190ea9f0e81028e3eb3037ed0ab17ff5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/89f0d766c9e3fdeafbed6f855d433c2768cde862"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a02c07b619899179384fde06f951530438a3512d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}