Commit 20659d31 authored by Matthew Brost's avatar Matthew Brost Committed by Lucas De Marchi
Browse files

drm/xe: Use local fence in error path of xe_migrate_clear 



The intent of the error path in xe_migrate_clear is to wait on locally
generated fence and then return. The code is waiting on m->fence which
could be the local fence but this is only stable under the job mutex
leading to a possible UAF. Fix code to wait on local fence.

Fixes: dd08ebf6 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
Cc: stable@vger.kernel.org
Signed-off-by: default avatarMatthew Brost <matthew.brost@intel.com>
Reviewed-by: default avatarMatthew Auld <matthew.auld@intel.com>
Link: https://lore.kernel.org/r/20250311182915.3606291-1-matthew.brost@intel.com


(cherry picked from commit 762b7e95)
Signed-off-by: default avatarLucas De Marchi <lucas.demarchi@intel.com>
parent 00e0ae4f

drivers/gpu/drm/xe/xe_migrate.c

+1 −1
Original line number Diff line number Diff line
@@ -1177,7 +1177,7 @@ struct dma_fence *xe_migrate_clear(struct xe_migrate *m, 
err_sync:

		/* Sync partial copies if any. FIXME: job_mutex? */

		if (fence) {

			dma_fence_wait(m->fence, false);

			dma_fence_wait(fence, false);

			dma_fence_put(fence);

		}