[PATCH v2] drm/xe/xe_sync: avoid race during ufence signaling

[Matthew Brost]

On Wed, Aug 20, 2025 at 10:39:04AM +0200, Zbigniew Kempczyński wrote:
> Marking ufence as signalled after copy_to_user() is too late.
> Worker thread which signals ufence by memory write might be raced
> with another userspace vm-bind call. In map/unmap scenario unmap
> may still see ufence is not signalled causing -EBUSY. Change the
> order of marking / write to user-fence fixes this issue.
> 
> Fixes: 977e5b82e090 ("drm/xe: Expose user fence from xe_sync_entry")
> Link: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/5536

Link, I think you want Closes here.

> Signed-off-by: Zbigniew Kempczyński <zbigniew.kempczynski at intel.com>
> Cc: Matthew Brost <matthew.brost at intel.com>

Anyways:

Reviewed-by: Matthew Brost <matthew.brost at intel.com>

> Cc: Matthew Auld <matthew.auld at intel.com>
> ---
>  drivers/gpu/drm/xe/xe_sync.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/xe/xe_sync.c b/drivers/gpu/drm/xe/xe_sync.c
> index f87276df18f2..82872a51f098 100644
> --- a/drivers/gpu/drm/xe/xe_sync.c
> +++ b/drivers/gpu/drm/xe/xe_sync.c
> @@ -77,6 +77,7 @@ static void user_fence_worker(struct work_struct *w)
>  {
>  	struct xe_user_fence *ufence = container_of(w, struct xe_user_fence, worker);
>  
> +	WRITE_ONCE(ufence->signalled, 1);
>  	if (mmget_not_zero(ufence->mm)) {
>  		kthread_use_mm(ufence->mm);
>  		if (copy_to_user(ufence->addr, &ufence->value, sizeof(ufence->value)))
> @@ -91,7 +92,6 @@ static void user_fence_worker(struct work_struct *w)
>  	 * Wake up waiters only after updating the ufence state, allowing the UMD
>  	 * to safely reuse the same ufence without encountering -EBUSY errors.
>  	 */
> -	WRITE_ONCE(ufence->signalled, 1);
>  	wake_up_all(&ufence->xe->ufence_wq);
>  	user_fence_put(ufence);
>  }
> -- 
> 2.43.0
>