[PATCH 1/1] drm/xe/xe_sync: avoid race during ufence signaling

Zbigniew Kempczyński zbigniew.kempczynski at intel.com
Tue Aug 19 18:44:04 UTC 2025 

During vm-bind ioctl ops execute fence may be signaled during the call.
If vm-bind syncs to user-fence it creates a race because signaling
happens in the worker. This means control may return from vm-bind
ioctl and consecutive vm-bind operation to same vma (unmap) may happen
on still not signaled user-fence. This finally ends with -EBUSY error
because even if vma operations completed fence still exists but
userspace was unblocked with copy_to_user() call.

Instead of releasing user-fences in workqueue for already signaled
ops put them synchronously in the same vm-bind ioctl call.

Fixes: 977e5b82e090 ("drm/xe: Expose user fence from xe_sync_entry")
Link: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/5536
Signed-off-by: Zbigniew Kempczyński <zbigniew.kempczynski at intel.com>
Cc: Matthew Brost <matthew.brost at intel.com>
Cc: Matthew Auld <matthew.auld at intel.com>
---
 drivers/gpu/drm/xe/xe_sync.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/xe/xe_sync.c b/drivers/gpu/drm/xe/xe_sync.c
index f87276df18f2..8becc3755649 100644
--- a/drivers/gpu/drm/xe/xe_sync.c
+++ b/drivers/gpu/drm/xe/xe_sync.c
@@ -103,6 +103,15 @@ static void kick_ufence(struct xe_user_fence *ufence, struct dma_fence *fence)
 	dma_fence_put(fence);
 }
 
+static void kick_ufence_sync(struct xe_user_fence *ufence, struct dma_fence *fence)
+{
+	if (copy_to_user(ufence->addr, &ufence->value, sizeof(ufence->value)))
+		XE_WARN_ON("Copy to user failed");
+	WRITE_ONCE(ufence->signalled, 1);
+	user_fence_put(ufence);
+	dma_fence_put(fence);
+}
+
 static void user_fence_cb(struct dma_fence *fence, struct dma_fence_cb *cb)
 {
 	struct xe_user_fence *ufence = container_of(cb, struct xe_user_fence, cb);
@@ -244,7 +253,7 @@ void xe_sync_entry_signal(struct xe_sync_entry *sync, struct dma_fence *fence)
 		err = dma_fence_add_callback(fence, &sync->ufence->cb,
 					     user_fence_cb);
 		if (err == -ENOENT) {
-			kick_ufence(sync->ufence, fence);
+			kick_ufence_sync(sync->ufence, fence);
 		} else if (err) {
 			XE_WARN_ON("failed to add user fence");
 			user_fence_put(sync->ufence);
-- 
2.43.0

More information about the Intel-xe mailing list