in line 1503, "dma_fence_put(fence);" drop the reference to fence and may cause fence to be released. However, fence is used subsequently in line 1510 "fence->error". This may result in an use-after-free bug. It can be fixed by recording fence->error in an variable before dropping the reference to fence and referencing it after dropping. Signed-off-by: lwt105 <3061522931@xxxxxx> --- drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c index 30fa1f61e0e5..99d03180e113 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c @@ -1486,7 +1486,7 @@ static int amdgpu_cs_wait_all_fences(struct amdgpu_device *adev, struct drm_amdgpu_fence *fences) { uint32_t fence_count = wait->in.fence_count; - unsigned int i; + unsigned int i, error; long r = 1; for (i = 0; i < fence_count; i++) { @@ -1500,6 +1500,7 @@ static int amdgpu_cs_wait_all_fences(struct amdgpu_device *adev, continue; r = dma_fence_wait_timeout(fence, true, timeout); + error = fence->error; dma_fence_put(fence); if (r < 0) return r; @@ -1507,8 +1508,8 @@ static int amdgpu_cs_wait_all_fences(struct amdgpu_device *adev, if (r == 0) break; - if (fence->error) - return fence->error; + if (error) + return error; } memset(wait, 0, sizeof(*wait)); -- 2.25.1
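Review bot: in the first hunk (@@ -1486), "unsigned int i, error;" gives error the wrong type. The dma_fence error field is a plain int holding a negative errno value and amdgpu_cs_wait_all_fences() itself returns int, so parking it in an unsigned int means the later "return error" depends on the out-of-range conversion back to int instead of carrying the negative value through as-is. Declare it as "int error;" on its own line; since it is only assigned and read inside the loop body, it can also be scoped to the loop.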
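Review bot: in the second hunk (@@ -1500), reading fence->error before dma_fence_put() is the correct ordering for the use-after-free, but the field is only meaningful once the fence has signalled; the saved value is safe to use here only because the "if (r < 0) return r;" and "if (r == 0) break;" that follow run before error is consulted. A one-line comment at the new line would keep a later reorder from reintroducing the problem. If a helper is preferred, dma_fence_get_status(fence) is the one intended for this (it takes the fence lock and returns 0 for not yet signalled, 1 for signalled without error, or the negative error), but using it would require the later test to become "if (error < 0)".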