[PATCH] drm/amdgpu: fix refcount leak in amdgpu_ttm_clear_buffer()

Wentao Liang posted 1 patch 2 days, 19 hours ago
Posted by Wentao Liang 2 days, 19 hours ago
In amdgpu_ttm_clear_buffer(), the *fence pointer is initialized with
a stub fence via dma_fence_get_stub() and may be overwritten with
job fences in the loop. On the error path (goto err), the last
reference from *fence is not released, leaking a fence reference.

The sibling function amdgpu_fill_buffer() properly releases its
local fence reference on error, confirming this is a missing
cleanup. Drop the fence reference in the error path to fix the
leak.

Cc: stable@vger.kernel.org
Fixes: a68c7eaa7a8f ("drm/amdgpu: Enable clear page functionality")
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
index 3d2e00efc741..d65f1df3574f 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
@@ -2585,6 +2585,8 @@ int amdgpu_ttm_clear_buffer(struct amdgpu_bo *bo,
 	}
 err:
 	mutex_unlock(&entity->lock);
+	dma_fence_put(*fence);
+	*fence = NULL;
 
 	return r;
 }
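Review bot: the two added lines also run on the success path, because the `err:` label sits directly after the closing `}` of the loop with no return in between, so every caller now receives `*fence == NULL` and the reference the function is documented to hand out is dropped inside it. If the intent were to release only on failure, the put would have to be guarded, e.g. `if (r) { dma_fence_put(*fence); *fence = NULL; }`, but the maintainer reply in this thread states that the fence must be returned even on error or memory corruption results, so the out-parameter contract is that the caller always owns the returned reference and the change should not be applied as posted.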
-- 
2.34.1
Re: [PATCH] drm/amdgpu: fix refcount leak in amdgpu_ttm_clear_buffer()
Posted by Christian König 2 days, 19 hours ago
On 6/5/26 11:48, Wentao Liang wrote:
> In amdgpu_ttm_clear_buffer(), the *fence pointer is initialized with
> a stub fence via dma_fence_get_stub() and may be overwritten with
> job fences in the loop. On the error path (goto err), the last
> reference from *fence is not released, leaking a fence reference.
> 
> The sibling function amdgpu_fill_buffer() properly releases its
> local fence reference on error, confirming this is a missing
> cleanup. Drop the fence reference in the error path to fix the
> leak.

Absolutely clear NAK.

Even in the case of an error the fence must be returned or otherwise we run into random memory corruption.

Regards,
Christian.

> 
> Cc: stable@vger.kernel.org
> Fixes: a68c7eaa7a8f ("drm/amdgpu: Enable clear page functionality")
> Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
> ---
>  drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
> index 3d2e00efc741..d65f1df3574f 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
> @@ -2585,6 +2585,8 @@ int amdgpu_ttm_clear_buffer(struct amdgpu_bo *bo,
>  	}
>  err:
>  	mutex_unlock(&entity->lock);
> +	dma_fence_put(*fence);
> +	*fence = NULL;
>  
>  	return r;
>  }
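To make the ownership contract the commit message and the NAK are arguing about concrete, here is an added toy model written for this page (not amdgpu or kernel code; `toy_fence`, `toy_clear_buffer` and the `put_on_exit` switch are hypothetical stand-ins). It mirrors the function's shape: the out-parameter carries one reference to the caller whether or not an error is reported, and applying the patch's two lines at the shared `err:` exit drops that reference on the success path as well.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/*
 * Constructed model of a refcounted fence (stand-in for struct dma_fence).
 * A fence whose last reference is dropped is flagged rather than freed, so a
 * caller that still expects to hold it can be detected.
 */
struct toy_fence { int refcount; bool freed; };

static struct toy_fence *toy_fence_get(struct toy_fence *f)
{
	if (f)
		f->refcount++;
	return f;
}

static void toy_fence_put(struct toy_fence *f)
{
	if (f && --f->refcount == 0)
		f->freed = true;
}

/*
 * Same shape as amdgpu_ttm_clear_buffer(): *fence starts as the stub and is
 * replaced by each job's fence. 'jobs' are the per-iteration fences,
 * 'fail_at' is the iteration that reports an error (-1 for none), and
 * 'put_on_exit' applies the patch's two lines at the common err: label.
 */
static int toy_clear_buffer(struct toy_fence *stub, struct toy_fence **jobs,
			    int njobs, int fail_at, bool put_on_exit,
			    struct toy_fence **fence)
{
	int r = 0;

	*fence = toy_fence_get(stub);
	for (int i = 0; i < njobs; i++) {
		if (i == fail_at) {
			r = -EINVAL;
			goto err;
		}
		/* the new job fence replaces the one we hold: take it, drop the old */
		struct toy_fence *next = toy_fence_get(jobs[i]);
		toy_fence_put(*fence);
		*fence = next;
	}
err:
	if (put_on_exit) {	/* the patch: reached on success too, err: is the fall-through exit */
		toy_fence_put(*fence);
		*fence = NULL;
	}
	return r;		/* without the patch the caller owns *fence, error or not */
}
```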