From: sashiko-bot@kernel.org
To: "Tvrtko Ursulin" <tvrtko.ursulin@igalia.com>
Cc: dri-devel@lists.freedesktop.org
Subject: Re: [PATCH v2] drm/nouveau: Simplify nouveau_cli_work
Date: Fri, 12 Jun 2026 17:33:50 +0000
Message-ID: <20260612173351.194231F000E9@smtp.kernel.org>
In-Reply-To: <20260612172227.54893-1-tvrtko.ursulin@igalia.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Critical] Replacing the locked fence check (`nouveau_cli_work_ready`) with the lockless `dma_fence_is_signaled()` removes critical synchronization with `dma_fence_signal()`, introducing a race condition that leads to a Use-After-Free of `struct nouveau_cli_work`.
--

commit f14e589461298a55cf7c0a8d50dd778a913dd4fb
Author: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>

drm/nouveau: Simplify nouveau_cli_work

This commit simplifies nouveau_cli_work by removing the
nouveau_cli_work_ready helper and replacing it with a direct call to
dma_fence_is_signaled. It also changes the fence reference release to happen
after the work callback is invoked.

> diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.c b/drivers/gpu/drm/nouveau/nouveau_drm.c
> index e16f59b00f6fa..a6432eede6137 100644
> --- a/drivers/gpu/drm/nouveau/nouveau_drm.c
> +++ b/drivers/gpu/drm/nouveau/nouveau_drm.c
[ ... ]
> @@ -176,9 +160,12 @@ nouveau_cli_work(struct work_struct *w)
>  	struct nouveau_cli_work *work, *wtmp;
>  	mutex_lock(&cli->lock);
>  	list_for_each_entry_safe(work, wtmp, &cli->worker, head) {
> -		if (!work->fence || nouveau_cli_work_ready(work->fence)) {
> +		struct dma_fence *fence = work->fence;
> +
> +		if (!fence || dma_fence_is_signaled(fence)) {

[Severity: Critical]
Can this lockless check introduce a race condition leading to a
use-after-free of the work structure?

The original nouveau_cli_work_ready() acquired the fence spinlock before
checking if the fence was signaled, synchronizing with dma_fence_signal().

By using the lockless dma_fence_is_signaled(), this code can observe the
signaled bit while dma_fence_signal() is still iterating over its local
callback list.

If work->func(work) then deallocates the work structure (for instance, via
kfree in nouveau_gem_object_delete_work()), could the signaling CPU
subsequently trigger a use-after-free when it invokes the callback
(nouveau_cli_work_fence)?

>  			list_del(&work->head);
>  			work->func(work);
> +			dma_fence_put(fence);
>  		}
>  	}
>  	mutex_unlock(&cli->lock);
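Review bot: the commit message states only that the fence reference release moves after the callback; it should also say why the locked check in nouveau_cli_work_ready() can be dropped, since the interleaved question above about the lockless dma_fence_is_signaled() is not answered by anything in this hunk. A one-line comment on `struct dma_fence *fence = work->fence;` noting that the local copy exists because `work->func(work)` may free `work`, so `work->fence` cannot be read by the time of `dma_fence_put(fence)`, would make the reordering self-explanatory. The `!fence` path needs no separate guard before `dma_fence_put(fence)`, as dma_fence_put() accepts a NULL fence.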

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260612172227.54893-1-tvrtko.ursulin@igalia.com?part=1
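The interleaving questioned above, replayed as a small constructed C model (added here, not code from the patch or the kernel). It assumes, as the review does, that the signalling side sets the signaled bit and then runs the fence callbacks while still holding fence->lock; `model_fence`, `model_work`, `replay()` and the two traces are inventions of the model.

```c
#include <stdbool.h>
#include <stddef.h>

/*
 * Constructed model of the interleaving discussed in the review above, not
 * kernel code. Assumption: the signaller sets the signaled bit and then runs
 * the fence callbacks while still holding fence->lock.
 */
struct model_fence { bool locked;    /* held by the signalling CPU */
                     bool signaled; };
struct model_work  { struct model_fence *fence; bool freed; };

enum step { SIG_LOCK, SIG_SET_BIT, SIG_RUN_CALLBACK, SIG_UNLOCK, WORKER_CHECK };

/* The worker's signaled check; returns true if work->func() freed the work. */
static bool worker_check(struct model_work *w, bool locked_check)
{
	/* nouveau_cli_work_ready() takes fence->lock first, so it cannot run
	 * until the signaller has dropped it; model that as "try again later". */
	if (locked_check && w->fence->locked)
		return false;
	if (!w->fence->signaled)   /* either variant: bit not set yet */
		return false;
	w->freed = true;           /* list_del(); work->func(work) -> kfree() */
	return true;
}

/* Replays @trace and reports whether the callback ran against freed work. */
bool replay(const enum step *trace, size_t n, bool locked_check)
{
	struct model_fence f = { false, false };
	struct model_work w = { &f, false };
	bool uaf = false;

	for (size_t i = 0; i < n; i++) {
		switch (trace[i]) {
		case SIG_LOCK:         f.locked = true;   break;
		case SIG_SET_BIT:      f.signaled = true; break;
		case SIG_RUN_CALLBACK: if (w.freed) uaf = true; break; /* cb reads work */
		case SIG_UNLOCK:       f.locked = false;  break;
		case WORKER_CHECK:     worker_check(&w, locked_check); break;
		}
	}
	return uaf;
}

/* Worker observes the bit between "set bit" and "run callbacks". */
const enum step trace_racy[5] = { SIG_LOCK, SIG_SET_BIT, WORKER_CHECK, SIG_RUN_CALLBACK, SIG_UNLOCK };
/* Worker runs before the signaller has started: nothing to free yet. */
const enum step trace_early[5] = { WORKER_CHECK, SIG_LOCK, SIG_SET_BIT, SIG_RUN_CALLBACK, SIG_UNLOCK };
```

With `trace_racy`, the lockless check frees the work before the callback runs, while the locked check is held off until the signaller unlocks; `trace_early` is harmless in both variants.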
