From 7a14a4e9b3fda05b907d0445a3be9e7c0e887f4e Mon Sep 17 00:00:00 2001
From: Sunil Khatri
Date: Fri, 13 Mar 2026 12:41:22 +0530
Subject: [PATCH] drm/amdgpu/userq: fix dma_fence refcount underflow in userq path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
An extra dma_fence_put() can drop the last reference to a fence while it is still attached to a dma_resv object. This frees the fence prematurely via dma_fence_release() while other users still hold the pointer. Later accesses through dma_resv iteration may then operate on the freed fence object, leading to refcount underflow warnings and potential hangs when walking reservation fences. Fix this by correcting the fence lifetime so the dma_resv object retains a valid reference until it is done with the fence.i
[ 31.133803] refcount_t: underflow; use-after-free.
[ 31.133805] WARNING: lib/refcount.c:28 at refcount_warn_saturate+0x58/0x90, CPU#18: kworker/u96:1/188
Signed-off-by: Sunil Khatri
Reviewed-by: Tvrtko Ursulin
Reviewed-by: Christian König
Signed-off-by: Alex Deucher
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
index 8afd70667b49..c8b0c4600a88 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
@@ -881,12 +881,9 @@ int amdgpu_userq_wait_ioctl(struct drm_device *dev, void *data,
 * be good for now
 */
 r = dma_fence_wait(fences[i], true);
- if (r) {
- dma_fence_put(fences[i]);
+ if (r)
 goto free_fences;
- }
- dma_fence_put(fences[i]);
 continue;
 }
@@ -908,7 +905,6 @@ int amdgpu_userq_wait_ioctl(struct drm_device *dev, void *data,
 fence_info[cnt].va = fence_drv->va;
 fence_info[cnt].value = fences[i]->seqno;
- dma_fence_put(fences[i]);
 /* Increment the actual userq fence count */
 cnt++;
 }
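Review bot: With the per-iteration `dma_fence_put(fences[i])` calls removed from both the wait branch (hunk at -881) and the fence_info branch (hunk at -908), nothing visible in either hunk says where each `fences[]` entry's reference is now dropped. Presumably the `free_fences` label, which lies outside both hunks, puts every entry exactly once and is reached on the success path as well as on the `dma_fence_wait()` error path; that is worth confirming, since a cleanup that ran only on error would trade the use-after-free for a reference leak. A short ownership comment above the loop would keep the double put from being reintroduced, for example `/* fences[] entries are put once at free_fences; do not put them inside this loop. */`. The body of amdgpu_userq_wait_ioctl starts and ends outside both hunks.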