[PATCH] drm/amdgpu: Fix potential dma_fence leak in amdgpu_ttm_clear_buffer

Fri May 30 08:41:54 UTC 2025

[AMD Official Use Only - AMD Internal Distribution Only]

Hi Arun,

This patch is not for the issue we discussed in the other mail.
There is a risk of 'next' fence leak when amdgpu_ttm_fill_mem failed.

Best regards,
Li

> -----Original Message-----
> From: Paneer Selvam, Arunpravin <Arunpravin.PaneerSelvam at amd.com>
> Sent: Friday, May 30, 2025 1:57 PM
> To: Ma, Li <Li.Ma at amd.com>; amd-gfx at lists.freedesktop.org
> Cc: Deucher, Alexander <Alexander.Deucher at amd.com>; Koenig, Christian
> <Christian.Koenig at amd.com>; Yuan, Perry <Perry.Yuan at amd.com>
> Subject: Re: [PATCH] drm/amdgpu: Fix potential dma_fence leak in
> amdgpu_ttm_clear_buffer
>
> Hi Ma,
>
> On 5/29/2025 6:37 PM, Li Ma wrote:
> > The original code did not properly release the dma_fence `next` in case
> > amdgpu_ttm_fill_mem failed during buffer clearing.
> >
> > Signed-off-by: Li Ma <li.ma at amd.com>
> > ---
> >   drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 5 ++++-
> >   1 file changed, 4 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
> b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
> > index 9c5df35f05b7..b7284f0a5ac0 100644
> > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
> > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
> > @@ -2296,6 +2296,7 @@ int amdgpu_ttm_clear_buffer(struct amdgpu_bo *bo,
> >     struct amdgpu_device *adev = amdgpu_ttm_adev(bo->tbo.bdev);
> >     struct amdgpu_ring *ring = adev->mman.buffer_funcs_ring;
> >     struct amdgpu_res_cursor cursor;
> > +   struct dma_fence *next = NULL;
> >     u64 addr;
> >     int r = 0;
> >
> > @@ -2311,7 +2312,6 @@ int amdgpu_ttm_clear_buffer(struct amdgpu_bo *bo,
> >
> >     mutex_lock(&adev->mman.gtt_window_lock);
> >     while (cursor.remaining) {
> > -           struct dma_fence *next = NULL;
> >             u64 size;
> >
> >             if (amdgpu_res_cleared(&cursor)) {
> > @@ -2334,10 +2334,13 @@ int amdgpu_ttm_clear_buffer(struct amdgpu_bo *bo,
> >
> >             dma_fence_put(*fence);
> >             *fence = next;
> > +           next = NULL;
> >
> >             amdgpu_res_next(&cursor, size);
> >     }
> >   err:
> > +   if (next)
> > +           dma_fence_put(next);
> Since you are observing use-after-free warning for the compute dispatch
> test in amdgpu_test with this patch,
> can we try the below code in amdgpu_bo_create() function,
>
> r = amdgpu_ttm_clear_buffer(bo, bo->tbo.base.resv, &fence);
>                  if (unlikely(r)) {
>                          if (fence)
>                                  dma_fence_put(fence);
>
>                          goto fail_unreserve;
>                  }
> Regards,
> Arun.
> >     mutex_unlock(&adev->mman.gtt_window_lock);
> >
> >     return r;