Re: [PATCH] drm/nouveau: Simplify nouveau_cli_work

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Critical] The patch introduces a use-after-free vulnerability by reading `work->fence` after calling `work->func(work)`, which frees the `work` structure.
--

commit 5f500d0384ad49806cf724c1cd7f76a580d6bc42
Author: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>

drm/nouveau: Simplify nouveau_cli_work

This patch simplifies the nouveau_cli_work function by removing the
nouveau_cli_work_ready wrapper. As part of this cleanup, the
dma_fence_put() call is moved to execute after the work callback
has been invoked.

> diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.c b/drivers/gpu/drm/nouveau/nouveau_drm.c
> index e16f59b00f6fa..a3e38a30fbdab 100644
> --- a/drivers/gpu/drm/nouveau/nouveau_drm.c
> +++ b/drivers/gpu/drm/nouveau/nouveau_drm.c
[ ... ]
> @@ -176,9 +160,10 @@ nouveau_cli_work(struct work_struct *w)
>  	struct nouveau_cli_work *work, *wtmp;
>  	mutex_lock(&cli->lock);
>  	list_for_each_entry_safe(work, wtmp, &cli->worker, head) {
> -		if (!work->fence || nouveau_cli_work_ready(work->fence)) {
> +		if (!work->fence || dma_fence_is_signaled(work->fence)) {
>  			list_del(&work->head);
>  			work->func(work);
> +			dma_fence_put(work->fence);

[Severity: Critical]
Does moving dma_fence_put() after work->func() introduce a use-after-free
here?

Looking at the callback implementation in nouveau_gem_object_delete_work()
(in drivers/gpu/drm/nouveau/nouveau_gem.c), the work structure is freed:

nouveau_gem_object_delete_work(...)
{
	...
	nouveau_gem_object_delete(work->vma);
	kfree(work);
}

If the callback frees the work structure, accessing work->fence immediately
afterwards in dma_fence_put() would read from freed memory.

>  		}
>  	}
>  	mutex_unlock(&cli->lock);

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260612165409.54447-1-tvrtko.ursulin@igalia.com?part=1