From: sashiko-bot@kernel.org
To: "Philipp Stanner" <phasta@kernel.org>
Cc: dri-devel@lists.freedesktop.org
Subject: Re: [PATCH] dma-buf: dma-fence: Fix potential NULL pointer dereference
Date: Fri, 26 Jun 2026 10:16:46 +0000 [thread overview]
Message-ID: <20260626101647.171571F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260626100442.2202221-2-phasta@kernel.org>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] TOCTOU race condition in DRM CRTC fence operations triggers a kernel panic via BUG_ON.
--
commit 00a837e98e1d45bf6a3df4ddad52336211392885
Author: Philipp Stanner <phasta@kernel.org>
dma-buf: dma-fence: Fix potential NULL pointer dereference
This commit adds memory barriers to the fence signaling and name retrieval
functions. It ensures that the signaled bit is set before the ops pointer
is cleared, and that readers correctly order the ops pointer load before
checking the signaled bit to safely handle decoupled fences.
> diff --git a/drivers/dma-buf/dma-fence.c b/drivers/dma-buf/dma-fence.c
> index c7ea1e75d38a2..2e80b01499de8 100644
> --- a/drivers/dma-buf/dma-fence.c
> +++ b/drivers/dma-buf/dma-fence.c
[ ... ]
> @@ -1170,6 +1182,12 @@ const char __rcu *dma_fence_driver_name(struct dma_fence *fence)
>
> /* RCU protection is required for safe access to returned string */
> ops = rcu_dereference(fence->ops);
> + /*
> + * Fully order the dereference above with the flag check. Otherwise,
> + * ops could be dereferenced as a NULL pointer. The barrier's
> + * counterpart is in dma_fence_signal_timestamp_locked().
> + */
> + smp_rmb();
> if (!dma_fence_test_signaled_flag(fence))
> return (const char __rcu *)ops->get_driver_name(fence);
[Severity: High]
This is a pre-existing issue, but can this lead to a kernel panic during
concurrent fence signaling?
If a concurrent thread signals the fence after the flag is checked here,
the ops pointer can be set to NULL. When the callback resolves to
drm_crtc_fence_get_driver_name() in the drm crtc code, it calls
fence_to_crtc(), which re-reads the ops pointer:
drivers/gpu/drm/drm_crtc.c:fence_to_crtc() {
BUG_ON(rcu_access_pointer(fence->ops) != &drm_crtc_fence_ops);
return container_of(fence->extern_lock, struct drm_crtc, fence_lock);
}
Since the decoupling mechanism can set the ops pointer to NULL, won't this
BUG_ON trigger and crash the system? Do the fence callbacks need to be
updated to avoid re-reading the ops pointer?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260626100442.2202221-2-phasta@kernel.org?part=1
next prev parent reply other threads:[~2026-06-26 10:16 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-26 10:04 [PATCH] dma-buf: dma-fence: Fix potential NULL pointer dereference Philipp Stanner
2026-06-26 10:16 ` sashiko-bot [this message]
2026-06-26 12:21 ` Christian König
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260626101647.171571F00A3A@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=dri-devel@lists.freedesktop.org \
--cc=phasta@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.