drm/amdgpu: fix potential double drop fence reference
authorPan Bian <bianpan2016@163.com>
Wed, 6 Nov 2019 09:14:45 +0000 (17:14 +0800)
committerAlex Deucher <alexander.deucher@amd.com>
Wed, 6 Nov 2019 21:27:48 +0000 (16:27 -0500)
The object fence is not set to NULL after its reference is dropped. As a
result, its reference may be dropped again if error occurs after that,
which may lead to a use after free bug. To avoid the issue, fence is
explicitly set to NULL after dropping its reference.

Acked-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Pan Bian <bianpan2016@163.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
drivers/gpu/drm/amd/amdgpu/amdgpu_test.c

index b66d29d5ffa2c3bfad8d72ca66d4b9739b010bd7..b158230af8db705cfee5d012fb60738bc0cb69e5 100644 (file)
@@ -138,6 +138,7 @@ static void amdgpu_do_test_moves(struct amdgpu_device *adev)
                }
 
                dma_fence_put(fence);
+               fence = NULL;
 
                r = amdgpu_bo_kmap(vram_obj, &vram_map);
                if (r) {
@@ -183,6 +184,7 @@ static void amdgpu_do_test_moves(struct amdgpu_device *adev)
                }
 
                dma_fence_put(fence);
+               fence = NULL;
 
                r = amdgpu_bo_kmap(gtt_obj[i], &gtt_map);
                if (r) {