Re: [PATCH] drm/xe/sync: Fix user fence leak on alloc failure

[Matthew Brost <matthew.brost@intel.com>]

On Thu, Feb 19, 2026 at 01:42:17AM +0000, Shuicheng Lin wrote:
> When dma_fence_chain_alloc() fails, properly release the user fence
> reference to prevent a memory leak.
> 
> The error cleanup path in callers (xe_exec.c, xe_oa.c, xe_vm.c) uses a
> while loop that cleans up syncs from index 0 to num_syncs-1. The failed
> sync at the current index num_syncs is not covered by this loop, so the
> local user_fence_put() is necessary to prevent a leak.
> Set sync->ufence = NULL after the user_fence_put() call to avoid if the
> caller later calls xe_sync_entry_cleanup() on the failed sync, it will
> trigger another user_fence_put() on the already-freed memory, causing
> a use-after-free bug.
> 
> Also remove extra whitespace in function call and comment.
> 
> Fixes: adda4e855ab6 ("drm/xe: Enforce correct user fence signaling order using")
> Cc: Matthew Brost <matthew.brost@intel.com>
> Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
> ---
>  drivers/gpu/drm/xe/xe_sync.c | 9 ++++++---
>  1 file changed, 6 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/gpu/drm/xe/xe_sync.c b/drivers/gpu/drm/xe/xe_sync.c
> index c8fdcdbd6ae7..c5f71067fcd2 100644
> --- a/drivers/gpu/drm/xe/xe_sync.c
> +++ b/drivers/gpu/drm/xe/xe_sync.c
> @@ -200,8 +200,11 @@ int xe_sync_entry_parse(struct xe_device *xe, struct xe_file *xef,
>  			if (XE_IOCTL_DBG(xe, IS_ERR(sync->ufence)))
>  				return PTR_ERR(sync->ufence);
>  			sync->ufence_chain_fence = dma_fence_chain_alloc();
> -			if (!sync->ufence_chain_fence)
> +			if (!sync->ufence_chain_fence) {
> +				user_fence_put(sync->ufence);
> +				sync->ufence = NULL;
>  				return -ENOMEM;

So there are multiple problems in DRM_XE_SYNC_TYPE_SYNCOBJ,
DRM_XE_SYNC_TYPE_TIMELINE_SYNCOBJ case statements too. e.g., after
drm_syncobj_find is called, we can fail but the reference isn't dropped
to the syncobj.

With above, would it be better if the callers called
xe_sync_entry_cleanup on the current sync even if xe_sync_entry_parse
fails? Or another option is change xe_sync_entry_parse to call
xe_sync_entry_cleanup internally on failure points after any internl
state is setup?

> +			}
>  			sync->ufence_syncobj = ufence_syncobj;
>  		}
>  
> @@ -222,7 +225,7 @@ ALLOW_ERROR_INJECTION(xe_sync_entry_parse, ERRNO);
>  int xe_sync_entry_add_deps(struct xe_sync_entry *sync, struct xe_sched_job *job)
>  {
>  	if (sync->fence)
> -		return  drm_sched_job_add_dependency(&job->drm,
> +		return drm_sched_job_add_dependency(&job->drm,
>  						     dma_fence_get(sync->fence));
>  
>  	return 0;
> @@ -311,7 +314,7 @@ void xe_sync_entry_cleanup(struct xe_sync_entry *sync)
>   *
>   * Get a fence from syncs, exec queue, and VM. If syncs contain in-fences create
>   * and return a composite fence of all in-fences + last fence. If no in-fences
> - * return last fence on  input exec queue. Caller must drop reference to
> + * return last fence on input exec queue. Caller must drop reference to

Keep whitespace changes in a seperate patch please.

Matt

>   * returned fence.
>   *
>   * Return: fence on success, ERR_PTR(-ENOMEM) on failure
> -- 
> 2.50.1
>