drm/amdgpu: Initialize fences array entries in amdgpu_sa_bo_next_hole

The entries were only initialized once in amdgpu_sa_bo_new. If a fence
wasn't signalled yet in the first amdgpu_sa_bo_next_hole call, but then
got signalled before a later amdgpu_sa_bo_next_hole call, it could
destroy the fence but leave its pointer in the array, resulting in
use-after-free in amdgpu_sa_bo_new.

Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Michel Dänzer <michel.daenzer@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>

1 files changed, 3 insertions, 3 deletions

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_sa.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_sa.c
index fb1667b35daa..12f2bf97611f 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_sa.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_sa.c
@@ -226,6 +226,8 @@ static bool amdgpu_sa_bo_next_hole(struct amdgpu_sa_manager *sa_manager,
         for (i = 0; i < AMDGPU_SA_NUM_FENCE_LISTS; ++i) {
                 struct amdgpu_sa_bo *sa_bo;
 
+                fences[i] = NULL;
+
                 if (list_empty(&sa_manager->flist[i]))
                         continue;
 
@@ -296,10 +298,8 @@ int amdgpu_sa_bo_new(struct amdgpu_sa_manager *sa_manager,
 
         spin_lock(&sa_manager->wq.lock);
         do {
-                for (i = 0; i < AMDGPU_SA_NUM_FENCE_LISTS; ++i) {
-                        fences[i] = NULL;
+                for (i = 0; i < AMDGPU_SA_NUM_FENCE_LISTS; ++i)
                         tries[i] = 0;
-                }
 
                 do {
                         amdgpu_sa_bo_try_free(sa_manager);