From: shanzhulig shanzhulig@gmail.com

mainline inclusion from mainline-v6.5-rc1 commit 2e54154b9f27262efd0cb4f903cc7d5ad1fe9628 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I8YD58 CVE: CVE-2023-51042

Reference: https://github.com/torvalds/linux/commit/2e54154b9f27262efd0cb4f903cc7d5ad1f...

--------------------------------

fence Decrements the reference count before exiting. Avoid Race Vulnerabilities for fence use-after-free.

v2 (chk): actually fix the use after free and not just move it.

Signed-off-by: shanzhulig shanzhulig@gmail.com Signed-off-by: Christian König christian.koenig@amd.com Reviewed-by: Alex Deucher alexander.deucher@amd.com Signed-off-by: Alex Deucher alexander.deucher@amd.com Signed-off-by: GUO Zihua guozihua@huawei.com ---

v2: Removed second Reference line in commit message.

--- drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c index 81001d879322..aa2731848c3a 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c @@ -1501,15 +1501,15 @@ static int amdgpu_cs_wait_all_fences(struct amdgpu_device *adev, continue;

r = dma_fence_wait_timeout(fence, true, timeout); + if (r > 0 && fence->error) + r = fence->error; + dma_fence_put(fence); if (r < 0) return r;

if (r == 0) break; - - if (fence->error) - return fence->error; }

memset(wait, 0, sizeof(*wait));