Hi Sebastian,
On Tue, Mar 03, 2026 at 01:26:42PM +0100, Sebastian Brzezinka wrote:
> Since commit 541c8f2468b9 ("dma-buf: detach fence ops on signal v3"),
> fence->ops may be set to NULL via RCU when a fence signals and has no
> release/wait ops. ttm_bo_flush_all_fences() was not updated to handle
> this and directly dereferences fence->ops->signaled, leading to a NULL
> pointer dereference crash:
>
> ```
> BUG: kernel NULL pointer dereference, address: 0000000000000018
> RIP: 0010:ttm_bo_release+0x1bc/0x330 [ttm]
> ```
>
> Since dma_fence_enable_sw_signaling() already handles the signaled case
> internally (it checks DMA_FENCE_FLAG_SIGNALED_BIT before doing anything),
> the ops->signaled pre-check is redundant. Simply remove it and call
> dma_fence_enable_sw_signaling() unconditionally for each fence.
>
> Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/15759
> Fixes: 541c8f2468b9 ("dma-buf: detach fence ops on signal v3")
> Cc: Christian König <[email protected]>
> Signed-off-by: Sebastian Brzezinka <[email protected]>
Reviewed-by: Andi Shyti <[email protected]>
Thanks,
Andi
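Added example, not part of this thread or of the kernel source: a small userland model of the failure class the commit message describes. Once a fence signals and its ops pointer is detached, any caller that still reads `ops->signaled` on its own dereferences NULL, whereas a caller that delegates to a helper which tests the signaled flag first never touches the pointer. All `model_*` names and the exact shape of the old pre-check are assumptions made here for illustration; nothing below is the real dma_fence or TTM code.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified model of the bug class in the commit message; not the
 * kernel's dma_fence or TTM code.  Every "model_" name is invented here. */

#define MODEL_FENCE_SIGNALED_BIT      0x1u
#define MODEL_FENCE_ENABLE_SIGNAL_BIT 0x2u

struct model_fence;

struct model_fence_ops {
	bool (*signaled)(struct model_fence *f);
	/* release/wait callbacks deliberately absent: the commit describes
	 * the ops pointer being detached for fences that have none. */
};

struct model_fence {
	const struct model_fence_ops *ops;	/* becomes NULL once signaled */
	unsigned int flags;
};

static bool model_not_signaled(struct model_fence *f)
{
	(void)f;
	return false;
}

static const struct model_fence_ops model_default_ops = {
	.signaled = model_not_signaled,
};

/* Models "detach fence ops on signal": set the flag, then drop ops. */
static void model_fence_signal(struct model_fence *f)
{
	f->flags |= MODEL_FENCE_SIGNALED_BIT;
	f->ops = NULL;
}

/* Models dma_fence_enable_sw_signaling(): an already-signaled fence returns
 * early, so the detached ops pointer is never read.  Returns true when
 * software signaling was newly enabled for a still-pending fence. */
static bool model_enable_sw_signaling(struct model_fence *f)
{
	if (f->flags & MODEL_FENCE_SIGNALED_BIT)
		return false;
	if (f->flags & MODEL_FENCE_ENABLE_SIGNAL_BIT)
		return false;
	f->flags |= MODEL_FENCE_ENABLE_SIGNAL_BIT;
	return true;
}

/* Pre-change shape (assumed from the description): consult ops->signaled
 * before enabling.  Instead of crashing, return -1 at the point where the
 * real code dereferenced NULL. */
static int model_flush_all_fences_old(struct model_fence **fences, size_t n)
{
	for (size_t i = 0; i < n; i++) {
		struct model_fence *f = fences[i];

		if (!f->ops)		/* the real code had no such check ... */
			return -1;	/* ... and this is where it crashed */
		if (!f->ops->signaled || !f->ops->signaled(f))
			model_enable_sw_signaling(f);
	}
	return 0;
}

/* Post-change shape: no pre-check; the helper handles the signaled case.
 * Returns how many fences had sw signaling enabled on this pass. */
static int model_flush_all_fences_new(struct model_fence **fences, size_t n)
{
	int enabled = 0;

	for (size_t i = 0; i < n; i++)
		if (model_enable_sw_signaling(fences[i]))
			enabled++;
	return enabled;
}
```

The general point for reviewers of similar call sites: when a helper grows its own validity check (here, the signaled-bit test), every caller that kept a private shortcut in front of it turns from redundant into dangerous the moment the shortcut's precondition (a non-NULL `ops`) stops holding.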