Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability exists in the Linux kernel's AMD GPU driver in how the Kernel Fusion Driver (KFD) handles process address space identifiers (PASIDs) for compute virtual machines (VMs). When the function 'kfd_process_device_init_vm' fails after it has already converted the VM to a compute VM and set its PASID, KFD returns without taking a reference on the associated DRM file. The lifetime of the DRM file is then no longer tied to the lifetime of the KFD process: the file can be closed while its VM is still a compute VM bound to KFD's PASID, so the DRM close handler's release of the compute PASID runs unsynchronized with KFD's own teardown of the process, and the post-close path ends up touching a PASID that has already been released. The result is a NULL pointer dereference and a kernel crash. The root cause is missing synchronization between the release of a PASID and the destruction of the KFD process that owns it.
Triggering this vulnerability causes a kernel NULL pointer dereference and a system crash (denial of service); no privilege escalation or information disclosure is described. The reported backtrace places the fault in the post-close handling of the DRM file, where an already released PASID is accessed.
Reproducing the bug requires initializing a KFD process device VM as a normal client would and making 'kfd_process_device_init_vm' fail after the VM has been converted to a compute VM and the PASID has been set, for example by injecting an error at that point in a test kernel. KFD then returns without taking a reference on the DRM file. When the DRM file is subsequently closed, the post-close path accesses the released PASID again and the kernel crashes with a NULL pointer dereference.
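The ordering problem described above, as a constructed userspace model added here: it is not amdgpu/amdkfd code, and the structs, the PASID table, the close path, the 'fail' injection flag and the 'init_vm_buggy'/'init_vm_fixed' functions are all hypothetical stand-ins. The model makes the lifetime dependency visible: the moment the VM is converted to compute and bound to the process's PASID, the DRM file depends on the KFD process, so the file reference must already be held by then or the conversion must be undone on the failure path. The hardened ordering shown is one sound choice; the page does not say which ordering the upstream commits use.

```c
/* Constructed userspace model of the ordering bug described above. It is
 * hypothetical, not amdgpu/amdkfd code: the structs, the PASID table and the
 * close path are stand-ins that make the lifetime dependency testable. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PASID 16
struct kfd_process;
static struct kfd_process *pasid_table[MAX_PASID]; /* NULL slot = released PASID */

struct gpu_vm { int is_compute; uint32_t pasid; };
struct drm_file { int refcount; int closed; struct gpu_vm vm; };
struct kfd_process { uint32_t pasid; struct drm_file *drm_file; };

enum init_result { INIT_OK = 0, INIT_FAILED = 1 };
enum close_result { CLOSE_OK = 0, CLOSE_NULL_DEREF = 1 };
typedef enum init_result (*init_fn)(struct kfd_process *, struct drm_file *, int);

static void set_compute(struct gpu_vm *vm, int on, uint32_t pasid) { vm->is_compute = on; vm->pasid = pasid; }

/* DRM close path: a compute VM must still find its owner through the PASID.
 * The kernel would dereference NULL here; the model reports it instead. */
static enum close_result drm_file_close(struct drm_file *f)
{
	if (--f->refcount > 0)
		return CLOSE_OK;
	f->closed = 1;
	if (f->vm.is_compute) {
		struct kfd_process *owner = pasid_table[f->vm.pasid];
		if (owner == NULL)
			return CLOSE_NULL_DEREF;
		owner->drm_file = NULL;           /* detach the VM from its owner */
		set_compute(&f->vm, 0, 0);
	}
	return CLOSE_OK;
}

/* KFD teardown: drop the file reference first (the close path can still find
 * the owner), then release the PASID. A file KFD never referenced is untouched. */
static enum close_result kfd_process_release(struct kfd_process *p)
{
	enum close_result r = p->drm_file ? drm_file_close(p->drm_file) : CLOSE_OK;
	p->drm_file = NULL;
	pasid_table[p->pasid] = NULL;
	return r;
}

/* Buggy ordering: convert and set the PASID first, reference the file only on
 * success. A failure in between leaves a compute VM that nobody cleans up. */
static enum init_result init_vm_buggy(struct kfd_process *p, struct drm_file *f, int fail)
{
	set_compute(&f->vm, 1, p->pasid);
	if (fail)
		return INIT_FAILED;                 /* no reference taken, no undo */
	f->refcount++;
	p->drm_file = f;
	return INIT_OK;
}

/* Hardened ordering (hypothetical): hold the reference before the point of no
 * return and undo both the conversion and the reference on the failure path. */
static enum init_result init_vm_fixed(struct kfd_process *p, struct drm_file *f, int fail)
{
	f->refcount++;
	p->drm_file = f;
	set_compute(&f->vm, 1, p->pasid);
	if (fail) {
		set_compute(&f->vm, 0, 0);
		p->drm_file = NULL;
		f->refcount--;
		return INIT_FAILED;
	}
	return INIT_OK;
}

/* Sequence from the reproduction: init fails after the conversion, the KFD
 * process is torn down, then the user closes the DRM file. */
static enum close_result failure_scenario(init_fn init)
{
	struct drm_file f = { 1, 0, { 0, 0 } };
	struct kfd_process p = { 3, NULL };
	memset(pasid_table, 0, sizeof(pasid_table));
	pasid_table[p.pasid] = &p;
	(void)init(&p, &f, 1);                    /* injected failure */
	(void)kfd_process_release(&p);
	return drm_file_close(&f);
}

/* Normal sequence: the reference keeps the file alive until KFD is done. */
static int success_scenario(init_fn init)
{
	struct drm_file f = { 1, 0, { 0, 0 } };
	struct kfd_process p = { 3, NULL };
	memset(pasid_table, 0, sizeof(pasid_table));
	pasid_table[p.pasid] = &p;
	if (init(&p, &f, 0) != INIT_OK || drm_file_close(&f) != CLOSE_OK || f.closed)
		return 0;                             /* user's close must not tear it down yet */
	return kfd_process_release(&p) == CLOSE_OK && f.closed && !f.vm.is_compute;
}

int main(void)
{
	/* 1 in the first two fields means the close path hit the NULL owner */
	printf("buggy failure: %d, fixed failure: %d, fixed success: %d\n",
	       failure_scenario(init_vm_buggy), failure_scenario(init_vm_fixed),
	       success_scenario(init_vm_fixed));
	return 0;
}
```

With the buggy ordering, 'failure_scenario' reports the NULL owner lookup in the close path, because KFD released the PASID without knowing about the file and the file was still a compute VM when it was closed; with the hardened ordering, the same injected failure leaves the file as a plain VM and the close path has nothing to look up. The success path behaves identically for both orderings, which is why this class of bug only shows up under error injection or a rare natural failure of the later init steps.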
The vulnerability is fixed by upstream Linux kernel commits 1a799c4c190ea9f0e81028e3eb3037ed0ab17ff5 and 89f0d766c9e3fdeafbed6f855d433c2768cde862. Users should upgrade to a kernel that includes both commits or their backports to the stable series. Distribution kernels may carry the backports under an unrelated version number, so check the kernel changelog for the commit IDs rather than relying on the version string alone.