[PATCH] drm/amdgpu: fix refcount leak in amdgpu_ttm_clear_buffer()

Next message: Irui Wang: "[PATCH v7 4/6] media: mediatek: encoder: Add support for common firmware interface"
Previous message: Eduard Zingerman: "Re: [PATCH bpf 1/2] bpf: Keep dynamic inner array lookups nullable"
Next in thread: Christian K&#xF6;nig: "Re: [PATCH] drm/amdgpu: fix refcount leak in amdgpu_ttm_clear_buffer()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Wentao Liang

Date: Fri Jun 05 2026 - 05:52:34 EST

In amdgpu_ttm_clear_buffer(), the *fence pointer is initialized with
a stub fence via dma_fence_get_stub() and may be overwritten with
job fences in the loop. On the error path (goto err), the last
reference from *fence is not released, leaking a fence reference.

The sibling function amdgpu_fill_buffer() properly releases its
local fence reference on error, confirming this is a missing
cleanup. Drop the fence reference in the error path to fix the
leak.

Cc: stable@xxxxxxxxxxxxxxx
Fixes: a68c7eaa7a8f ("drm/amdgpu: Enable clear page functionality")
Signed-off-by: Wentao Liang <vulab@xxxxxxxxxxx>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
index 3d2e00efc741..d65f1df3574f 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
@@ -2585,6 +2585,8 @@ int amdgpu_ttm_clear_buffer(struct amdgpu_bo *bo,
}
err:
mutex_unlock(&entity->lock);
+ dma_fence_put(*fence);
+ *fence = NULL;

return r;
}
--
2.34.1