drm/amdkfd: Fix kfd process ref leaking when userptr unmapping

kfd_lookup_process_by_pid hold the kfd process reference to ensure it
doesn't get destroyed while sending the segfault event to user space.

Calling kfd_lookup_process_by_pid as function parameter leaks the kfd
process refcount and miss the NULL pointer check if app process is
already destroyed.

Fixes: 2d274bf7099b ("amd/amdkfd: Trigger segfault for early userptr unmmapping")
Signed-off-by: Philip Yang <Philip.Yang@amd.com>
Reviewed-by: Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
index 7c54fe6b0f5dba4049853e9171277077a1d06c74..83020963dfde46492fd3c3088db2edf98eccaaa7 100644 (file)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
@@ -2586,12 +2586,17 @@ static int update_invalid_user_pages(struct amdkfd_process_info *process_info,
                         * from the KFD, trigger a segmentation fault in VM debug mode.
                         */
                        if (amdgpu_ttm_adev(bo->tbo.bdev)->debug_vm_userptr) {
+                               struct kfd_process *p;
+
                                pr_err("Pid %d unmapped memory before destroying userptr at GPU addr 0x%llx\n",
                                                                pid_nr(process_info->pid), mem->va);
 
                                // Send GPU VM fault to user space
-                               kfd_signal_vm_fault_event_with_userptr(kfd_lookup_process_by_pid(process_info->pid),
-                                                               mem->va);
+                               p = kfd_lookup_process_by_pid(process_info->pid);
+                               if (p) {
+                                       kfd_signal_vm_fault_event_with_userptr(p, mem->va);
+                                       kfd_unref_process(p);
+                               }
                        }
 
                        ret = 0;