From: Pan Bian bianpan2016@163.com
[ Upstream commit 946ab8db6953535a3a88c957db8328beacdfed9d ]
The object fence is not set to NULL after its reference is dropped. As a result, its reference may be dropped again if error occurs after that, which may lead to a use after free bug. To avoid the issue, fence is explicitly set to NULL after dropping its reference.
Acked-by: Christian König christian.koenig@amd.com Signed-off-by: Pan Bian bianpan2016@163.com Signed-off-by: Alex Deucher alexander.deucher@amd.com Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/gpu/drm/amd/amdgpu/amdgpu_test.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_test.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_test.c index ed8c3739015b..b35b0741fd97 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_test.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_test.c @@ -125,6 +125,7 @@ static void amdgpu_do_test_moves(struct amdgpu_device *adev) }
dma_fence_put(fence); + fence = NULL;
r = amdgpu_bo_kmap(vram_obj, &vram_map); if (r) { @@ -170,6 +171,7 @@ static void amdgpu_do_test_moves(struct amdgpu_device *adev) }
dma_fence_put(fence); + fence = NULL;
r = amdgpu_bo_kmap(gtt_obj[i], >t_map); if (r) {