2019-11-06 09:16:16

by Pan Bian

Subject: [PATCH] drm/amdgpu: fix potential double drop fence reference

The object fence is not set to NULL after its reference is dropped. As a
result, its reference may be dropped again if error occurs after that,
which may lead to a use after free bug. To avoid the issue, fence is
explicitly set to NULL after dropping its reference.

Signed-off-by: Pan Bian <[email protected]>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_test.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_test.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_test.c
index b66d29d5ffa2..b158230af8db 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_test.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_test.c
@@ -138,6 +138,7 @@ static void amdgpu_do_test_moves(struct amdgpu_device *adev)
}

dma_fence_put(fence);
+ fence = NULL;

r = amdgpu_bo_kmap(vram_obj, &vram_map);
if (r) {
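Review bot: The changelog should name the error path that performs the second put, because the `if (r)` after `amdgpu_bo_kmap(vram_obj, &vram_map)` is the only failure exit visible in this hunk and the cleanup code it reaches is outside it. Clearing the pointer works because dma_fence_put() does nothing when passed NULL, so a later put on the error path becomes harmless; stating that in the commit message, and adding a Fixes: tag for the commit that introduced the unbalanced put, would make the fix easier to verify and to backport.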
@@ -183,6 +184,7 @@ static void amdgpu_do_test_moves(struct amdgpu_device *adev)
}

dma_fence_put(fence);
+ fence = NULL;

r = amdgpu_bo_kmap(gtt_obj[i], &gtt_map);
if (r) {
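Review bot: The `dma_fence_put(fence); fence = NULL;` pair before `amdgpu_bo_kmap(gtt_obj[i], &gtt_map)` is the second hand-written copy of the same idiom in amdgpu_do_test_moves(), and any put site that misses the reset brings the double drop back. Please confirm that no other dma_fence_put(fence) in this function can be followed by an error exit, and consider a one-line comment on the reset saying that the error path may put the fence again, so the assignment is not later removed as dead code.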
--
2.7.4


2019-11-06 09:40:02

by Christian König

Subject: Re: [PATCH] drm/amdgpu: fix potential double drop fence reference

Am 06.11.19 um 10:14 schrieb Pan Bian:
> The object fence is not set to NULL after its reference is dropped. As a
> result, its reference may be dropped again if error occurs after that,
> which may lead to a use after free bug. To avoid the issue, fence is
> explicitly set to NULL after dropping its reference.
>
> Signed-off-by: Pan Bian <[email protected]>

Acked-by: Christian König <[email protected]>

> ---
> drivers/gpu/drm/amd/amdgpu/amdgpu_test.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_test.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_test.c
> index b66d29d5ffa2..b158230af8db 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_test.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_test.c
> @@ -138,6 +138,7 @@ static void amdgpu_do_test_moves(struct amdgpu_device *adev)
> }
>
> dma_fence_put(fence);
> + fence = NULL;
>
> r = amdgpu_bo_kmap(vram_obj, &vram_map);
> if (r) {
> @@ -183,6 +184,7 @@ static void amdgpu_do_test_moves(struct amdgpu_device *adev)
> }
>
> dma_fence_put(fence);
> + fence = NULL;
>
> r = amdgpu_bo_kmap(gtt_obj[i], &gtt_map);
> if (r) {

2019-11-06 17:23:35

by Alex Deucher

Subject: Re: [PATCH] drm/amdgpu: fix potential double drop fence reference

On Wed, Nov 6, 2019 at 4:39 AM Koenig, Christian
<[email protected]> wrote:
>
> Am 06.11.19 um 10:14 schrieb Pan Bian:
> > The object fence is not set to NULL after its reference is dropped. As a
> > result, its reference may be dropped again if error occurs after that,
> > which may lead to a use after free bug. To avoid the issue, fence is
> > explicitly set to NULL after dropping its reference.
> >
> > Signed-off-by: Pan Bian <[email protected]>
>
> Acked-by: Christian König <[email protected]>

Applied. thanks!

Alex

>
> > ---
> > drivers/gpu/drm/amd/amdgpu/amdgpu_test.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_test.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_test.c
> > index b66d29d5ffa2..b158230af8db 100644
> > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_test.c
> > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_test.c
> > @@ -138,6 +138,7 @@ static void amdgpu_do_test_moves(struct amdgpu_device *adev)
> > }
> >
> > dma_fence_put(fence);
> > + fence = NULL;
> >
> > r = amdgpu_bo_kmap(vram_obj, &vram_map);
> > if (r) {
> > @@ -183,6 +184,7 @@ static void amdgpu_do_test_moves(struct amdgpu_device *adev)
> > }
> >
> > dma_fence_put(fence);
> > + fence = NULL;
> >
> > r = amdgpu_bo_kmap(gtt_obj[i], &gtt_map);
> > if (r) {