* Re: [PATCH v2] dma-buf: dma-fence: Fix potential NULL pointer dereference
2026-06-29 7:56 [PATCH v2] dma-buf: dma-fence: Fix potential NULL pointer dereference Philipp Stanner
@ 2026-06-29 8:05 ` sashiko-bot
2026-06-29 8:41 ` Boris Brezillon
` (2 subsequent siblings)
3 siblings, 0 replies; 7+ messages in thread
From: sashiko-bot @ 2026-06-29 8:05 UTC (permalink / raw)
To: Philipp Stanner; +Cc: dri-devel
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Replacing the signaled-bit check with an `ops` null-check causes driver callbacks to be executed on signaled fences, violating the dma-fence contract and leading to a Use-After-Free.
--
commit f3771b2534b5990287b2b373aaf5a26b9dea2923
Author: Philipp Stanner <phasta@kernel.org>
dma-buf: dma-fence: Fix potential NULL pointer dereference
The patch removes the signaled-bit check in dma_fence_timeline_name() and
dma_fence_driver_name(), replacing it with a check for a non-NULL ops pointer
to prevent potential out-of-order execution issues.
> diff --git a/drivers/dma-buf/dma-fence.c b/drivers/dma-buf/dma-fence.c
> index c7ea1e75d38a2..0a025dfdf131e 100644
> --- a/drivers/dma-buf/dma-fence.c
> +++ b/drivers/dma-buf/dma-fence.c
> @@ -1170,7 +1170,7 @@ const char __rcu *dma_fence_driver_name(struct dma_fence *fence)
>
> /* RCU protection is required for safe access to returned string */
> ops = rcu_dereference(fence->ops);
> - if (!dma_fence_test_signaled_flag(fence))
> + if (ops)
[Severity: High]
Does this expose a use-after-free for signaled fences?
If a fence has a .release or .wait callback,
dma_fence_signal_timestamp_locked() does not set fence->ops to NULL. For
those fences, ops will remain non-NULL indefinitely even after they are
signaled.
By removing the signaled-bit check, won't ops->get_driver_name(fence) be
called on signaled fences? The dma-fence contract states that backing data
can be freed after an RCU grace period once the fence is signaled, so calling
this callback could access freed memory.
> return (const char __rcu *)ops->get_driver_name(fence);
> else
> return (const char __rcu *)"detached-driver";
> @@ -1203,7 +1203,7 @@ const char __rcu *dma_fence_timeline_name(struct dma_fence *fence)
>
> /* RCU protection is required for safe access to returned string */
> ops = rcu_dereference(fence->ops);
> - if (!dma_fence_test_signaled_flag(fence))
> + if (ops)
[Severity: High]
Could this lead to the same use-after-free as above?
Since ops can remain non-NULL for signaled fences that provide a .release
or .wait callback, this allows the ops callback to be executed after the
fence is signaled and its backing data is potentially freed.
> return (const char __rcu *)ops->get_driver_name(fence);
> else
> return (const char __rcu *)"signaled-timeline";
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260629075636.2513214-2-phasta@kernel.org?part=1
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [PATCH v2] dma-buf: dma-fence: Fix potential NULL pointer dereference
2026-06-29 7:56 [PATCH v2] dma-buf: dma-fence: Fix potential NULL pointer dereference Philipp Stanner
2026-06-29 8:05 ` sashiko-bot
@ 2026-06-29 8:41 ` Boris Brezillon
2026-06-29 8:49 ` Christian König
2026-06-29 9:10 ` Danilo Krummrich
3 siblings, 0 replies; 7+ messages in thread
From: Boris Brezillon @ 2026-06-29 8:41 UTC (permalink / raw)
To: Philipp Stanner
Cc: Sumit Semwal, Christian König, Tvrtko Ursulin,
André Draszik, Danilo Krummrich, Gary Guo, Paul E . McKenney,
Boqun Feng, linux-media, dri-devel, linaro-mm-sig, linux-kernel,
stable
On Mon, 29 Jun 2026 09:56:37 +0200
Philipp Stanner <phasta@kernel.org> wrote:
> The commit mentioned in the fixes tag below introduced a mechanism
> through which fence producers can fully decouple from fence consumers.
> This, desirable, mechanism is based on the fence's signaled-bit as the
> "decoupling point".
>
> A sophisticated interaction between RCU and atomic instructions attempts
> to ensure that fence consumers can still interact with fence producers
> through the dma_fence_ops (callback pointers into the producer).
>
> This is the desired behavior: to check for decoupling, the signaled-bit
> is first checked. If it's not yet signaled, RCU ensures that the ops
> pointer cannot yet be NULL.
>
> Hereby, dma_fence_signal_timestamp_locked() first sets the signaled-bit,
> and then sets the ops pointer to NULL. Readers first load the ops
> pointer, and then check through the signaled-bit whether the pointer can
> legally be accessed.
>
> These set and load operations could occur out of order on weakly ordered
> platforms. This problem can be solved very elegantly by using the ops
> pointer itself as the synchronization point. The pointer is either NULL,
> or cannot become NULL while it is being used thanks to RCU.
>
> Replace the signaled-bit check in dma_fence_timeline_name() and
> dma_fence_driver_name().
>
> Cc: stable@vger.kernel.org
> Fixes: f4cc3ab824d6 ("dma-buf: protected fence ops by RCU v8")
> Signed-off-by: Philipp Stanner <phasta@kernel.org>
Reviewed-by: Boris Brezillon <boris.brezillon@collabora.com>
> ---
> Changes since v1:
> - Use ops pointer instead of memory barriers. (Christian)
> - Rephrase commit message.
> ---
> drivers/dma-buf/dma-fence.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/dma-buf/dma-fence.c b/drivers/dma-buf/dma-fence.c
> index c7ea1e75d38a..0a025dfdf131 100644
> --- a/drivers/dma-buf/dma-fence.c
> +++ b/drivers/dma-buf/dma-fence.c
> @@ -1170,7 +1170,7 @@ const char __rcu *dma_fence_driver_name(struct dma_fence *fence)
>
> /* RCU protection is required for safe access to returned string */
> ops = rcu_dereference(fence->ops);
> - if (!dma_fence_test_signaled_flag(fence))
> + if (ops)
> return (const char __rcu *)ops->get_driver_name(fence);
> else
> return (const char __rcu *)"detached-driver";
> @@ -1203,7 +1203,7 @@ const char __rcu *dma_fence_timeline_name(struct dma_fence *fence)
>
> /* RCU protection is required for safe access to returned string */
> ops = rcu_dereference(fence->ops);
> - if (!dma_fence_test_signaled_flag(fence))
> + if (ops)
> return (const char __rcu *)ops->get_driver_name(fence);
> else
> return (const char __rcu *)"signaled-timeline";
>
> base-commit: cdeb2ccd993ed8647adbbda2c3b103aa717fd6f7
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [PATCH v2] dma-buf: dma-fence: Fix potential NULL pointer dereference
2026-06-29 7:56 [PATCH v2] dma-buf: dma-fence: Fix potential NULL pointer dereference Philipp Stanner
2026-06-29 8:05 ` sashiko-bot
2026-06-29 8:41 ` Boris Brezillon
@ 2026-06-29 8:49 ` Christian König
2026-06-29 10:43 ` Philipp Stanner
2026-06-29 9:10 ` Danilo Krummrich
3 siblings, 1 reply; 7+ messages in thread
From: Christian König @ 2026-06-29 8:49 UTC (permalink / raw)
To: Philipp Stanner, Sumit Semwal, Boris Brezillon, Tvrtko Ursulin,
André Draszik, Danilo Krummrich, Gary Guo, Paul E . McKenney,
Boqun Feng
Cc: linux-media, dri-devel, linaro-mm-sig, linux-kernel, stable
On 6/29/26 09:56, Philipp Stanner wrote:
> The commit mentioned in the fixes tag below introduced a mechanism
> through which fence producers can fully decouple from fence consumers.
> This, desirable, mechanism is based on the fence's signaled-bit as the
> "decoupling point".
>
> A sophisticated interaction between RCU and atomic instructions attempts
> to ensure that fence consumers can still interact with fence producers
> through the dma_fence_ops (callback pointers into the producer).
>
> This is the desired behavior: to check for decoupling, the signaled-bit
> is first checked. If it's not yet signaled, RCU ensures that the ops
> pointer cannot yet be NULL.
>
> Hereby, dma_fence_signal_timestamp_locked() first sets the signaled-bit,
> and then sets the ops pointer to NULL. Readers first load the ops
> pointer, and then check through the signaled-bit whether the pointer can
> legally be accessed.
>
> These set and load operations could occur out of order on weakly ordered
> platforms. This problem can be solved very elegantly by using the ops
> pointer itself as the synchronization point. The pointer is either NULL,
> or cannot become NULL while it is being used thanks to RCU.
>
> Replace the signaled-bit check in dma_fence_timeline_name() and
> dma_fence_driver_name().
>
> Cc: stable@vger.kernel.org
> Fixes: f4cc3ab824d6 ("dma-buf: protected fence ops by RCU v8")
> Signed-off-by: Philipp Stanner <phasta@kernel.org>
Reviewed-by: Christian König <christian.koenig@amd.com>
> ---
> Changes since v1:
> - Use ops pointer instead of memory barriers. (Christian)
> - Rephrase commit message.
> ---
> drivers/dma-buf/dma-fence.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/dma-buf/dma-fence.c b/drivers/dma-buf/dma-fence.c
> index c7ea1e75d38a..0a025dfdf131 100644
> --- a/drivers/dma-buf/dma-fence.c
> +++ b/drivers/dma-buf/dma-fence.c
> @@ -1170,7 +1170,7 @@ const char __rcu *dma_fence_driver_name(struct dma_fence *fence)
>
> /* RCU protection is required for safe access to returned string */
> ops = rcu_dereference(fence->ops);
> - if (!dma_fence_test_signaled_flag(fence))
> + if (ops)
> return (const char __rcu *)ops->get_driver_name(fence);
> else
> return (const char __rcu *)"detached-driver";
> @@ -1203,7 +1203,7 @@ const char __rcu *dma_fence_timeline_name(struct dma_fence *fence)
>
> /* RCU protection is required for safe access to returned string */
> ops = rcu_dereference(fence->ops);
> - if (!dma_fence_test_signaled_flag(fence))
> + if (ops)
> return (const char __rcu *)ops->get_driver_name(fence);
> else
> return (const char __rcu *)"signaled-timeline";
>
> base-commit: cdeb2ccd993ed8647adbbda2c3b103aa717fd6f7
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [PATCH v2] dma-buf: dma-fence: Fix potential NULL pointer dereference
2026-06-29 8:49 ` Christian König
@ 2026-06-29 10:43 ` Philipp Stanner
2026-06-29 11:25 ` Christian König
0 siblings, 1 reply; 7+ messages in thread
From: Philipp Stanner @ 2026-06-29 10:43 UTC (permalink / raw)
To: Christian König, Philipp Stanner, Sumit Semwal,
Boris Brezillon, Tvrtko Ursulin, André Draszik,
Danilo Krummrich, Gary Guo, Paul E . McKenney, Boqun Feng
Cc: linux-media, dri-devel, linaro-mm-sig, linux-kernel, stable
On Mon, 2026-06-29 at 10:49 +0200, Christian König wrote:
> On 6/29/26 09:56, Philipp Stanner wrote:
> > Cc: stable@vger.kernel.org
> > Fixes: f4cc3ab824d6 ("dma-buf: protected fence ops by RCU v8")
> > Signed-off-by: Philipp Stanner <phasta@kernel.org>
>
> Reviewed-by: Christian König <christian.koenig@amd.com>
As the maintainer you push that one, don't you Christian?
Regards
P.
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [PATCH v2] dma-buf: dma-fence: Fix potential NULL pointer dereference
2026-06-29 10:43 ` Philipp Stanner
@ 2026-06-29 11:25 ` Christian König
0 siblings, 0 replies; 7+ messages in thread
From: Christian König @ 2026-06-29 11:25 UTC (permalink / raw)
To: phasta, Sumit Semwal, Boris Brezillon, Tvrtko Ursulin,
André Draszik, Danilo Krummrich, Gary Guo, Paul E . McKenney,
Boqun Feng
Cc: linux-media, dri-devel, linaro-mm-sig, linux-kernel, stable
On 6/29/26 12:43, Philipp Stanner wrote:
> On Mon, 2026-06-29 at 10:49 +0200, Christian König wrote:
>> On 6/29/26 09:56, Philipp Stanner wrote:
>>> Cc: stable@vger.kernel.org
>>> Fixes: f4cc3ab824d6 ("dma-buf: protected fence ops by RCU v8")
>>> Signed-off-by: Philipp Stanner <phasta@kernel.org>
>>
>> Reviewed-by: Christian König <christian.koenig@amd.com>
>
> As the maintainer you push that one, don't you Christian?
Already done so, but you based the patch on the wrong branch and I had to manually rebase it to drm-misc-fixes.
Christian.
>
> Regards
> P.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v2] dma-buf: dma-fence: Fix potential NULL pointer dereference
2026-06-29 7:56 [PATCH v2] dma-buf: dma-fence: Fix potential NULL pointer dereference Philipp Stanner
` (2 preceding siblings ...)
2026-06-29 8:49 ` Christian König
@ 2026-06-29 9:10 ` Danilo Krummrich
3 siblings, 0 replies; 7+ messages in thread
From: Danilo Krummrich @ 2026-06-29 9:10 UTC (permalink / raw)
To: Philipp Stanner
Cc: Sumit Semwal, Christian König, Boris Brezillon,
Tvrtko Ursulin, André Draszik, Gary Guo, Paul E . McKenney,
Boqun Feng, linux-media, dri-devel, linaro-mm-sig, linux-kernel,
stable
On 6/29/26 9:56 AM, Philipp Stanner wrote:
> The commit mentioned in the fixes tag below introduced a mechanism
> through which fence producers can fully decouple from fence consumers.
> This, desirable, mechanism is based on the fence's signaled-bit as the
> "decoupling point".
>
> A sophisticated interaction between RCU and atomic instructions attempts
> to ensure that fence consumers can still interact with fence producers
> through the dma_fence_ops (callback pointers into the producer).
>
> This is the desired behavior: to check for decoupling, the signaled-bit
> is first checked. If it's not yet signaled, RCU ensures that the ops
> pointer cannot yet be NULL.
>
> Hereby, dma_fence_signal_timestamp_locked() first sets the signaled-bit,
> and then sets the ops pointer to NULL. Readers first load the ops
> pointer, and then check through the signaled-bit whether the pointer can
> legally be accessed.
>
> These set and load operations could occur out of order on weakly ordered
> platforms. This problem can be solved very elegantly by using the ops
> pointer itself as the synchronization point. The pointer is either NULL,
> or cannot become NULL while it is being used thanks to RCU.
>
> Replace the signaled-bit check in dma_fence_timeline_name() and
> dma_fence_driver_name().
>
> Cc: stable@vger.kernel.org
> Fixes: f4cc3ab824d6 ("dma-buf: protected fence ops by RCU v8")
> Signed-off-by: Philipp Stanner <phasta@kernel.org>
Reviewed-by: Danilo Krummrich <dakr@kernel.org>
^ permalink raw reply [flat|nested] 7+ messages in thread