[PATCH] drm/amdgpu: Fix potential dma_fence leak in amdgpu_ttm_clear_buffer

[Christian König]

On 5/29/25 15:07, Li Ma wrote:
> The original code did not properly release the dma_fence `next` in case
> amdgpu_ttm_fill_mem failed during buffer clearing.

NAK, that is completely intentional.

We must return the fence even on a partial failed clear or otherwise the already submitted clears could work with freed up memory.

That's also why the *fence pointer is initialized with the stub fence before the loop.

Regards,
Christian.

> 
> Signed-off-by: Li Ma <li.ma at amd.com>
> ---
>  drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
> index 9c5df35f05b7..b7284f0a5ac0 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
> @@ -2296,6 +2296,7 @@ int amdgpu_ttm_clear_buffer(struct amdgpu_bo *bo,
>  	struct amdgpu_device *adev = amdgpu_ttm_adev(bo->tbo.bdev);
>  	struct amdgpu_ring *ring = adev->mman.buffer_funcs_ring;
>  	struct amdgpu_res_cursor cursor;
> +	struct dma_fence *next = NULL;
>  	u64 addr;
>  	int r = 0;
>  
> @@ -2311,7 +2312,6 @@ int amdgpu_ttm_clear_buffer(struct amdgpu_bo *bo,
>  
>  	mutex_lock(&adev->mman.gtt_window_lock);
>  	while (cursor.remaining) {
> -		struct dma_fence *next = NULL;
>  		u64 size;
>  
>  		if (amdgpu_res_cleared(&cursor)) {
> @@ -2334,10 +2334,13 @@ int amdgpu_ttm_clear_buffer(struct amdgpu_bo *bo,
>  
>  		dma_fence_put(*fence);
>  		*fence = next;
> +		next = NULL;
>  
>  		amdgpu_res_next(&cursor, size);
>  	}
>  err:
> +	if (next)
> +		dma_fence_put(next);
>  	mutex_unlock(&adev->mman.gtt_window_lock);
>  
>  	return r;