mirror of
https://gitlab.freedesktop.org/mesa/mesa.git
synced 2026-05-18 13:48:06 +02:00
da7ed1c576
In amdvgpu_bo_free(), when the reference count drops to 0, vdrm_flush() is called before removing the bo from the handle_to_vbo hash table. Since vdrm_flush() is a time-consuming operation and is executed outside of the handle_to_vbo_mutex lock, another thread calling amdvgpu_bo_import() can concurrently find this bo in the hash table, increment its refcount, and attempt to use it. Once vdrm_flush() finishes, amdvgpu_bo_free() proceeds to remove the bo and call free(), leaving the importing thread with a dangling pointer, which leads to a use-after-free or double free crash. To fix this race condition, we must remove the bo from the hash table under the lock first. After the bo is safely unlinked and the lock is released, we can then perform the time-consuming vdrm_flush() and the actual memory release. Signed-off-by: zhaqian <zhaqian@amd.com> Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/41146> |
||
|---|---|---|
| .. | ||
| amdgpu_virtio.c | ||
| amdgpu_virtio.h | ||
| amdgpu_virtio_bo.c | ||
| amdgpu_virtio_device.c | ||
| amdgpu_virtio_private.h | ||
| amdgpu_virtio_proto.h | ||