Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel's AMDGPU driver, specifically in the job submission function for the AMD KFD (Kernel Fusion Driver) interface. The function mismanages fence references, which are used to synchronize on GPU job completion: it releases the last reference to a fence before ensuring that the corresponding wait operation has completed. As a result, the fence can be freed while it is still needed, which is a use-after-free condition.
Exploitation results in freed memory being accessed, potentially causing memory corruption or allowing arbitrary code execution.
The vulnerability can be reproduced by submitting a GPU job through the AMD KFD interface in the AMDGPU driver. The job submission process will generate a fence that is intended to synchronize job completion. However, the driver will prematurely release the fence reference before the job has finished, creating a window where the fence can be freed while still in use.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. The specific commit that fixes this issue is available in the Linux kernel stable tree.
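The reference-ordering problem described above can be shown with a small user-space model. This is an added example, not code from the AMDGPU driver or the kernel fix; `toy_fence` and every function name in it are hypothetical, and the model sets a `freed` flag instead of releasing memory so the misuse can be observed safely.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model of a refcounted fence (hypothetical names, not kernel code). */
struct toy_fence {
    int  refcount;
    bool signaled;
    bool freed;   /* set instead of calling free(), so misuse is observable */
};

static void toy_fence_init(struct toy_fence *f)
{
    f->refcount = 1;
    f->signaled = false;
    f->freed = false;
}

/* Drop one reference; the last put releases the fence. */
static void toy_fence_put(struct toy_fence *f)
{
    if (--f->refcount == 0)
        f->freed = true;   /* real code would free the memory here */
}

/* Returns 0 on success, -1 if called on an already released fence. */
static int toy_fence_wait(struct toy_fence *f)
{
    if (f->freed)
        return -1;         /* in a real driver: access to freed memory */
    f->signaled = true;    /* model: the job completes during the wait */
    return 0;
}

/* Ordering from the description: last reference dropped before the wait. */
int submit_put_then_wait(void)
{
    struct toy_fence f;
    toy_fence_init(&f);
    toy_fence_put(&f);
    return toy_fence_wait(&f);
}

/* Safe ordering: hold the reference across the wait, then drop it. */
int submit_wait_then_put(void)
{
    struct toy_fence f;
    toy_fence_init(&f);
    int ret = toy_fence_wait(&f);
    toy_fence_put(&f);
    return ret;
}
```

In review, the pattern to look for is any path where the final put on a fence precedes a wait or other dereference of the same fence.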