[PATCH] drm/amdgpu: fix potential double drop fence reference

Wed Nov 6 09:38:57 UTC 2019

Am 06.11.19 um 10:14 schrieb Pan Bian:
> The object fence is not set to NULL after its reference is dropped. As a
> result, its reference may be dropped again if error occurs after that,
> which may lead to a use after free bug. To avoid the issue, fence is
> explicitly set to NULL after dropping its reference.
>
> Signed-off-by: Pan Bian <bianpan2016 at 163.com>

Acked-by: Christian König <christian.koenig at amd.com>

> ---
>   drivers/gpu/drm/amd/amdgpu/amdgpu_test.c | 2 ++
>   1 file changed, 2 insertions(+)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_test.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_test.c
> index b66d29d5ffa2..b158230af8db 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_test.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_test.c
> @@ -138,6 +138,7 @@ static void amdgpu_do_test_moves(struct amdgpu_device *adev)
>   		}
>   
>   		dma_fence_put(fence);
> +		fence = NULL;
>   
>   		r = amdgpu_bo_kmap(vram_obj, &vram_map);
>   		if (r) {
> @@ -183,6 +184,7 @@ static void amdgpu_do_test_moves(struct amdgpu_device *adev)
>   		}
>   
>   		dma_fence_put(fence);
> +		fence = NULL;
>   
>   		r = amdgpu_bo_kmap(gtt_obj[i], &gtt_map);
>   		if (r) {