Re: [PATCH v2] drm/ttm: fix NULL deref in ttm_bo_flush_all_fences() after fence ops detach

[Sebastian Brzezinka <sebastian.brzezinka@intel.com>]

On Wed Mar 4, 2026 at 5:28 PM CET, Jani Nikula wrote:
> On Tue, 03 Mar 2026, Christian König <christian.koenig@amd.com> wrote:
>> On 3/3/26 13:26, Sebastian Brzezinka wrote:
>>> Since commit 541c8f2468b9 ("dma-buf: detach fence ops on signal v3"),
>>> fence->ops may be set to NULL via RCU when a fence signals and has no
>>> release/wait ops. ttm_bo_flush_all_fences() was not updated to handle
>>> this and directly dereferences fence->ops->signaled, leading to a NULL
>>> pointer dereference crash:
>>> 
>>> ```
>>> BUG: kernel NULL pointer dereference, address: 0000000000000018
>>> RIP: 0010:ttm_bo_release+0x1bc/0x330 [ttm]
>>> ```
>>> 
>>> Since dma_fence_enable_sw_signaling() already handles the signaled case
>>> internally (it checks DMA_FENCE_FLAG_SIGNALED_BIT before doing anything),
>>> the ops->signaled pre-check is redundant. Simply remove it and call
>>> dma_fence_enable_sw_signaling() unconditionally for each fence.
>>> 
>>> Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/15759
>>> Fixes: 541c8f2468b9 ("dma-buf: detach fence ops on signal v3")
>>> Cc: Christian König <christian.koenig@amd.com>
>>> Signed-off-by: Sebastian Brzezinka <sebastian.brzezinka@intel.com>
>>
>> Reviewed-by: Christian König <christian.koenig@amd.com>
>>
>> Going to push that to drm-misc-next now.
>
> Christian, did you forget to push or is there still something missing
> here?
>
> Sebastian, for future reference, drm/ttm patches need to be sent to the
> dri-devel mailing list. I bounced the patch there now. See MAINTAINERS
> and/or use scripts/get_maintainer.pl to see where you need to send the
> patches. The intel-gfx list is sufficient for i915 changes only.
>
> BR,
> Jani.
Thanks for the guidance and for bouncing the patch to the correct list.

-- 
Best regards,
Sebastian