On Tue, 03 Mar 2026, Christian König <[email protected]> wrote:
> On 3/3/26 13:26, Sebastian Brzezinka wrote:
>> Since commit 541c8f2468b9 ("dma-buf: detach fence ops on signal v3"),
>> fence->ops may be set to NULL via RCU when a fence signals and has no
>> release/wait ops. ttm_bo_flush_all_fences() was not updated to handle
>> this and directly dereferences fence->ops->signaled, leading to a NULL
>> pointer dereference crash:
>>
>> ```
>> BUG: kernel NULL pointer dereference, address: 0000000000000018
>> RIP: 0010:ttm_bo_release+0x1bc/0x330 [ttm]
>> ```
>>
>> Since dma_fence_enable_sw_signaling() already handles the signaled case
>> internally (it checks DMA_FENCE_FLAG_SIGNALED_BIT before doing anything),
>> the ops->signaled pre-check is redundant. Simply remove it and call
>> dma_fence_enable_sw_signaling() unconditionally for each fence.
>>
>> Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/15759
>> Fixes: 541c8f2468b9 ("dma-buf: detach fence ops on signal v3")
>> Cc: Christian König <[email protected]>
>> Signed-off-by: Sebastian Brzezinka <[email protected]>
>
> Reviewed-by: Christian König <[email protected]>
>
> Going to push that to drm-misc-next now.

Christian, did you forget to push or is there still something missing
here?

Sebastian, for future reference, drm/ttm patches need to be sent to the
dri-devel mailing list. I bounced the patch there now. See MAINTAINERS
and/or use scripts/get_maintainer.pl to see where you need to send the
patches. The intel-gfx list is sufficient for i915 changes only.

BR,
Jani.

>
> Thanks,
> Christian.
>
>> ---
>> drivers/gpu/drm/ttm/ttm_bo.c | 6 ++----
>> 1 file changed, 2 insertions(+), 4 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/ttm/ttm_bo.c b/drivers/gpu/drm/ttm/ttm_bo.c
>> index acb9197db879..0485ad00a3df 100644
>> --- a/drivers/gpu/drm/ttm/ttm_bo.c
>> +++ b/drivers/gpu/drm/ttm/ttm_bo.c
>> @@ -222,10 +222,8 @@ static void ttm_bo_flush_all_fences(struct
>> ttm_buffer_object *bo)
>> struct dma_fence *fence;
>>
>> dma_resv_iter_begin(&cursor, resv, DMA_RESV_USAGE_BOOKKEEP);
>> - dma_resv_for_each_fence_unlocked(&cursor, fence) {
>> - if (!fence->ops->signaled)
>> - dma_fence_enable_sw_signaling(fence);
>> - }
>> + dma_resv_for_each_fence_unlocked(&cursor, fence)
>> + dma_fence_enable_sw_signaling(fence);
>> dma_resv_iter_end(&cursor);
>> }
>>
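
Review bot: The removed test in ttm_bo_flush_all_fences(), `if (!fence->ops->signaled)`, checks whether the fence provides a ->signaled callback, not whether the fence has already signaled, so the commit message's "redundant pre-check" argument does not quite describe it. With the loop body reduced to an unconditional dma_fence_enable_sw_signaling(fence), fences that do implement ->signaled were skipped before and now get software signaling enabled as well. Please say in the commit message that this wider behaviour is intended. Since the fix works by no longer touching fence->ops in this function, a short comment above the loop noting that fence->ops may be NULL once a fence has signaled would help keep a later change from reintroducing the dereference.
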
>> --
>> 2.52.0
>>
>
--
Jani Nikula, Intel