On 3/23/26 09:18, Srinivasan Shanmugam wrote:
> amdgpu_amdkfd_submit_ib() submits a GPU job and gets a fence
> from amdgpu_ib_schedule(). This fence is used to wait for job
> completion.
>
> Currently, the code drops the fence reference using dma_fence_put()
> before calling dma_fence_wait().
>
> If dma_fence_put() releases the last reference, the fence may be
> freed before dma_fence_wait() is called. This can lead to a
> use-after-free.
>
> Fix this by waiting on the fence first and releasing the reference
> only after dma_fence_wait() completes.
>
> Fixes the below:
> drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c:697 amdgpu_amdkfd_submit_ib()
> warn: passing freed memory 'f' (line 696)
>
> Fixes: 9ae55f030dc52 ("drm/amdgpu: Follow up change to previous drm scheduler
> change.")
> Cc: Felix Kuehling <[email protected]>
> Cc: Dan Carpenter <[email protected]>
> Cc: Christian König <[email protected]>
> Cc: Alex Deucher <[email protected]>
> Signed-off-by: Srinivasan Shanmugam <[email protected]>
Reviewed-by: Christian König <[email protected]>
> ---
> drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c
> b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c
> index 3bfd79c89df3..cf6b8581c969 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c
> @@ -692,9 +692,9 @@ int amdgpu_amdkfd_submit_ib(struct amdgpu_device *adev,
> goto err_ib_sched;
> }
>
> - /* Drop the initial kref_init count (see drm_sched_main as example) */
> - dma_fence_put(f);
> ret = dma_fence_wait(f, false);
> + /* Drop the returned fence reference after the wait completes */
> + dma_fence_put(f);
>
> err_ib_sched:
> amdgpu_job_free(job);
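
Review bot: The new comment above dma_fence_put(f) says "returned fence reference" without naming the source of that reference; the commit message identifies it as the fence from amdgpu_ib_schedule(), and putting that in the comment would replace the context the removed kref_init/drm_sched_main comment carried. The reordering matches the stated fix, since dma_fence_wait(f, false) now runs while the reference is still held. The goto err_ib_sched visible at the top of the hunk jumps past the put, so it is worth confirming that no fence reference is held on that path.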