[PATCH] drm/amdgpu: fix use-after-unlock in eviction fence destroy

Christian König christian.koenig at amd.com
Thu May 15 08:59:44 UTC 2025


On 5/15/25 09:49, Arvind Yadav wrote:
> The eviction fence destroy path incorrectly calls dma_fence_put() on
> evf_mgr->ev_fence after releasing the ev_fence_lock. This introduces a
> potential use-after-unlock or race because another thread concurrently
> modifies evf_mgr->ev_fence.
> 
> Fix this by grabbing a local reference to evf_mgr->ev_fence under the
> lock and using that for dma_fence_put() after waiting.
> 
> Cc: Sunil Khatri <sunil.khatri at amd.com>
> Cc: Alex Deucher <alexander.deucher at amd.com>
> Cc: Christian König <christian.koenig at amd.com>
> Signed-off-by: Arvind Yadav <Arvind.Yadav at amd.com>

Reviewed-by: Christian König <christian.koenig at amd.com>

> ---
>  drivers/gpu/drm/amd/amdgpu/amdgpu_eviction_fence.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_eviction_fence.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_eviction_fence.c
> index 1a7469543db5..73b629b5f56f 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_eviction_fence.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_eviction_fence.c
> @@ -183,7 +183,7 @@ void amdgpu_eviction_fence_destroy(struct amdgpu_eviction_fence_mgr *evf_mgr)
>  	dma_fence_wait(&ev_fence->base, false);
>  
>  	/* Last unref of ev_fence */
> -	dma_fence_put(&evf_mgr->ev_fence->base);
> +	dma_fence_put(&ev_fence->base);
>  }
>  
>  int amdgpu_eviction_fence_attach(struct amdgpu_eviction_fence_mgr *evf_mgr,
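
Review bot: The changed dma_fence_put() line in amdgpu_eviction_fence_destroy() now drops the reference through the local ev_fence, but the commit message describes "grabbing a local reference" under the lock, and the diff (1 insertion, 1 deletion) adds no dma_fence_get(). The patch reuses a local pointer that is assigned above the visible context, so the message should say that a local copy of the pointer is read under ev_fence_lock, or the patch should take a real reference there if that is what is intended. The visible lines also leave evf_mgr->ev_fence pointing at the fence after what the comment calls the last unref, since nothing follows the put before the closing brace. Consider clearing it to NULL under the lock when the local copy is taken, so a concurrent reader cannot pick up a pointer to a freed fence. A Fixes: tag naming the commit that introduced the unlocked access would help backporting.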


