[PATCH v6 4/4] drm/xe: Make dma-fences compliant with the safe access rules
Tvrtko Ursulin
tvrtko.ursulin at igalia.com
Fri Jun 13 07:40:12 UTC 2025
On 12/06/2025 18:49, Lucas De Marchi wrote:
> On Tue, Jun 10, 2025 at 05:42:26PM +0100, Tvrtko Ursulin wrote:
>> Xe can free some of the data pointed to by the dma-fences it exports.
>> Most
>> notably the timeline name can get freed if userspace closes the
>> associated
>> submit queue. At the same time the fence could have been exported to a
>> third party (for example a sync_fence fd) which will then cause an use-
>> after-free on subsequent access.
>>
>> To make this safe we need to make the driver compliant with the newly
>> documented dma-fence rules. Driver has to ensure a RCU grace period
>> between signalling a fence and freeing any data pointed to by said fence.
>>
>> For the timeline name we simply make the queue be freed via kfree_rcu and
>> for the shared lock associated with multiple queues we add a RCU grace
>> period before freeing the per GT structure holding the lock.
>>
>> Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin at igalia.com>
>> Reviewed-by: Matthew Brost <matthew.brost at intel.com>
>
>
> Acked-by: Lucas De Marchi <lucas.demarchi at intel.com>
>
> for merging this through drm-misc tree.
Thanks!
I've now pushed the series drm-misc-next.
Btw there is also an IGT for xe I wrote ages ago^1, if you want to ping
someone to review it or take it over. Might be useful to have permanent
verification the UAF keeps being resolved.
Regards,
Tvrtko
1) https://patchwork.freedesktop.org/patch/642709/?series=146211&rev=2
More information about the Intel-gfx
mailing list