Date: Wed, 4 Mar 2026 15:52:43 +0100
From: Andi Shyti
To: Sebastian Brzezinka
Cc: intel-gfx@lists.freedesktop.org, andi.shyti@linux.intel.com, Christian König
Subject: Re: [PATCH v2] drm/ttm: fix NULL deref in ttm_bo_flush_all_fences() after fence ops detach

Hi Sebastian,

On Tue, Mar 03, 2026 at 01:26:42PM +0100, Sebastian Brzezinka wrote:
> Since commit 541c8f2468b9 ("dma-buf: detach fence ops on signal v3"),
> fence->ops may be set to NULL via RCU when a fence signals and has no
> release/wait ops. ttm_bo_flush_all_fences() was not updated to handle
> this and directly dereferences fence->ops->signaled, leading to a NULL
> pointer dereference crash:
>
> ```
> BUG: kernel NULL pointer dereference, address: 0000000000000018
> RIP: 0010:ttm_bo_release+0x1bc/0x330 [ttm]
> ```
>
> Since dma_fence_enable_sw_signaling() already handles the signaled case
> internally (it checks DMA_FENCE_FLAG_SIGNALED_BIT before doing anything),
> the ops->signaled pre-check is redundant. Simply remove it and call
> dma_fence_enable_sw_signaling() unconditionally for each fence.
>
> Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/15759
> Fixes: 541c8f2468b9 ("dma-buf: detach fence ops on signal v3")
> Cc: Christian König
> Signed-off-by: Sebastian Brzezinka

Reviewed-by: Andi Shyti

Thanks,
Andi
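The failure mode in the quoted commit message, as a userspace model added here for illustration (not code from the patch or from the kernel): a fence whose ops pointer is detached on signal, the offset a NULL ops pointer faults at when `->signaled` is read, and a caller that relies on the callee's flag check instead. All `model_*` names are hypothetical, and the member order of `model_fence_ops` is an assumption; with 8-byte pointers it puts `signaled` at offset 0x18.

```c
/* Userspace model only: model_* names are hypothetical, not kernel code. */
#include <stdbool.h>
#include <stddef.h>

#define MODEL_SIGNALED (1u << 0) /* stands in for DMA_FENCE_FLAG_SIGNALED_BIT */

struct model_fence;
struct model_fence_ops {         /* member order is an assumption */
	const char *(*get_driver_name)(struct model_fence *f);
	const char *(*get_timeline_name)(struct model_fence *f);
	bool (*enable_signaling)(struct model_fence *f);
	bool (*signaled)(struct model_fence *f);
};
struct model_fence {
	const struct model_fence_ops *ops; /* NULL once signaled and detached */
	unsigned int flags;
	int enable_calls;                  /* instrumentation for this example */
};

static bool model_enable(struct model_fence *f) { f->enable_calls++; return true; }
static const struct model_fence_ops model_ops = { .enable_signaling = model_enable };

/* Signal the fence and detach its ops, as the commit message describes. */
static void model_signal(struct model_fence *f)
{
	f->flags |= MODEL_SIGNALED;
	f->ops = NULL;
}

/* Address a NULL ops pointer faults at when ->signaled is read. */
static size_t null_ops_fault_address(void)
{
	return offsetof(struct model_fence_ops, signaled);
}

/* Callee shape per the commit message: flag test before anything else. */
static void model_enable_sw_signaling(struct model_fence *f)
{
	if (f->flags & MODEL_SIGNALED)
		return;
	if (f->ops && f->ops->enable_signaling)
		f->ops->enable_signaling(f);
}

/* Post-fix caller: no ops->signaled pre-check, one call per fence. */
static int flush_all(struct model_fence *fences, size_t n)
{
	int calls = 0;
	for (size_t i = 0; i < n; i++) {
		model_enable_sw_signaling(&fences[i]);
		calls += fences[i].enable_calls;
	}
	return calls;
}
```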