* [PATCH] fix: dma-buf: unwrap_merge_complex: dma_fence_get_stub reference leaked on all paths
@ 2026-06-26 12:28 ` WenTao Liang
0 siblings, 0 replies; 5+ messages in thread
From: WenTao Liang @ 2026-06-26 12:28 UTC (permalink / raw)
To: sumit.semwal, christian.koenig
Cc: linux-media, dri-devel, linaro-mm-sig, linux-kernel, WenTao Liang,
stable
dma_fence_get_stub() acquires an extra reference on the global stub
fence, but this reference is never released on any execution path. The
stub fence is filtered out inside dma_fence_unwrap_merge (already
signaled), so the extra reference is never consumed. Both success and
error paths fail to call dma_fence_put on the stub.
Cc: stable@vger.kernel.org
Fixes: 245a4a7b531c ("dma-buf: generalize dma_fence unwrap & merging v3")
Signed-off-by: WenTao Liang <vulab@iscas.ac.cn>
---
drivers/dma-buf/st-dma-fence-unwrap.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/drivers/dma-buf/st-dma-fence-unwrap.c b/drivers/dma-buf/st-dma-fence-unwrap.c
index 72ca632e3981..b9ed85570211 100644
--- a/drivers/dma-buf/st-dma-fence-unwrap.c
+++ b/drivers/dma-buf/st-dma-fence-unwrap.c
@@ -483,7 +483,7 @@ static int unwrap_merge_order(void *arg)
static int unwrap_merge_complex(void *arg)
{
- struct dma_fence *fence, *f1, *f2, *f3, *f4, *f5;
+ struct dma_fence *fence, *f1, *f2, *f3, *f4, *f5, *stub;
struct dma_fence_unwrap iter;
int err = -ENOMEM;
@@ -508,10 +508,11 @@ static int unwrap_merge_complex(void *arg)
if (!f4)
goto error_put_f3;
+ stub = dma_fence_get_stub();
/* Signaled fences should be filtered, the two arrays merged. */
- f5 = dma_fence_unwrap_merge(f3, f4, dma_fence_get_stub());
+ f5 = dma_fence_unwrap_merge(f3, f4, stub);
if (!f5)
- goto error_put_f4;
+ goto error_put_stub;
err = 0;
dma_fence_unwrap_for_each(fence, &iter, f5) {
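Review bot: The new `stub = dma_fence_get_stub();` line sits above the existing comment, and nothing in the code says why the test now keeps its own stub pointer. The commit message explains that the merge filters the signaled stub and never consumes the reference, so a short comment at the assignment saying the caller must put it would help anyone who copies this test as a pattern. The `goto error_put_stub` on `!f5` is correct: the stub is already held at that point and has to be released before f4 and f3.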
@@ -532,8 +533,10 @@ static int unwrap_merge_complex(void *arg)
err = -EINVAL;
}
+ dma_fence_put(stub);
dma_fence_put(f5);
-error_put_f4:
+error_put_stub:
+ dma_fence_put(stub);
dma_fence_put(f4);
error_put_f3:
dma_fence_put(f3);
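Review bot: The success path puts the stub twice. The added `dma_fence_put(stub);` before `dma_fence_put(f5);` runs, and execution then falls through `error_put_stub:` into the second `dma_fence_put(stub);`, while only one reference was taken by the single `dma_fence_get_stub()` call earlier in the function. Drop the put above `dma_fence_put(f5);` and keep only the one under the label, so the success path releases stub, f4 and f3 once each by fall-through, the same way it already does for f4 and f3.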
--
2.39.5 (Apple Git-154)
* Re: [PATCH] fix: dma-buf: unwrap_merge_complex: dma_fence_get_stub reference leaked on all paths
2026-06-26 12:28 ` WenTao Liang
(?)
@ 2026-06-26 12:34 ` sashiko-bot
-1 siblings, 0 replies; 5+ messages in thread
From: sashiko-bot @ 2026-06-26 12:34 UTC (permalink / raw)
To: WenTao Liang; +Cc: dri-devel
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Medium] Double free / refcount underflow on the global static `dma_fence_stub` in `unwrap_merge_complex()`.
--
commit 361d06ca0291c480e1aafadac1b89e324d9431ab
Author: WenTao Liang <vulab@iscas.ac.cn>
fix: dma-buf: unwrap_merge_complex: dma_fence_get_stub reference leaked on all paths
This commit fixes a reference leak on the global stub fence in
unwrap_merge_complex() by adding dma_fence_put() calls to the success and
error paths.
> diff --git a/drivers/dma-buf/st-dma-fence-unwrap.c b/drivers/dma-buf/st-dma-fence-unwrap.c
> --- a/drivers/dma-buf/st-dma-fence-unwrap.c
> +++ b/drivers/dma-buf/st-dma-fence-unwrap.c
[ ... ]
> @@ -530,8 +531,10 @@ static int unwrap_merge_complex(void *arg)
> err = -EINVAL;
> }
>
> + dma_fence_put(stub);
> dma_fence_put(f5);
> -error_put_f4:
> +error_put_stub:
> + dma_fence_put(stub);
[Severity: Medium]
Does this cause a double-put of the stub on the success path?
When unwrap_merge_complex() successfully completes, it appears execution
will call dma_fence_put(stub) just before putting f5, and then fall right
through into the error_put_stub label where it calls dma_fence_put(stub) a
second time.
Since dma_fence_get_stub() only acquires a single reference, putting it
twice would underflow the refcount and trigger dma_fence_release(). This
could result in an attempt to call kfree_rcu() on the statically allocated
dma_fence_stub global variable, causing a panic during the selftest.
Would it be better to only place dma_fence_put(stub) after the
error_put_stub label, allowing the success path to fall through and clean
it up once naturally along with the other fences?
> dma_fence_put(f4);
> error_put_f3:
> dma_fence_put(f3);
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260626122836.35856-1-vulab@iscas.ac.cn?part=1
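The double put raised in the review above, reduced to a user-space model (an added example, not code from this thread or from the kernel). `toy_fence`, `toy_get_stub`, `toy_put` and both ladder functions are hypothetical names, and the static stub starting with a count of 1 is an assumption of the model.

```c
#include <stdio.h>

/* Toy stand-in for a refcounted fence; not the kernel's struct dma_fence. */
struct toy_fence { int refs; int released; };

/* Assumption of this model: the static stub permanently owns one count. */
static struct toy_fence toy_stub = { .refs = 1 };

static void toy_reset(void) { toy_stub.refs = 1; toy_stub.released = 0; }
static struct toy_fence *toy_get_stub(void) { toy_stub.refs++; return &toy_stub; }
static void toy_put(struct toy_fence *f)
{
	if (--f->refs == 0)
		f->released = 1; /* a real release path would free the object here */
}

/* Ladder shaped like the posted hunk: one put before the label, one after. */
static int ladder_as_posted(int merge_ok)
{
	struct toy_fence f5 = { .refs = 1 }, *stub = toy_get_stub();
	if (!merge_ok)
		goto error_put_stub;
	toy_put(stub);   /* success-path put ... */
	toy_put(&f5);
error_put_stub:
	toy_put(stub);   /* ... and the fall-through repeats it */
	return toy_stub.refs;
}

/* Single put under the label: success and error both drop the stub once. */
static int ladder_single_put(int merge_ok)
{
	struct toy_fence f5 = { .refs = 1 }, *stub = toy_get_stub();
	if (!merge_ok)
		goto error_put_stub;
	toy_put(&f5);
error_put_stub:
	toy_put(stub);
	return toy_stub.refs;
}

int main(void)
{
	int posted = ladder_as_posted(1), freed = toy_stub.released;
	toy_reset();
	printf("as posted: refs=%d released=%d; single put: refs=%d\n",
	       posted, freed, ladder_single_put(1));
	return 0;
}
```

In the model, the error path of the posted ladder stays balanced; only the success path reaches zero and marks the static object as released.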
* Re: [PATCH] fix: dma-buf: unwrap_merge_complex: dma_fence_get_stub reference leaked on all paths
2026-06-26 12:28 ` WenTao Liang
(?)
(?)
@ 2026-06-26 12:47 ` Christian König
2026-06-27 12:34 ` WenTao Liang
-1 siblings, 1 reply; 5+ messages in thread
From: Christian König @ 2026-06-26 12:47 UTC (permalink / raw)
To: WenTao Liang, sumit.semwal
Cc: linux-media, dri-devel, linaro-mm-sig, linux-kernel, stable
On 6/26/26 14:28, WenTao Liang wrote:
> dma_fence_get_stub() acquires an extra reference on the global stub
> fence, but this reference is never released on any execution path. The
> stub fence is filtered out inside dma_fence_unwrap_merge (already
> signaled), so the extra reference is never consumed. Both success and
> error paths fail to call dma_fence_put on the stub.
>
> Cc: stable@vger.kernel.org
> Fixes: 245a4a7b531c ("dma-buf: generalize dma_fence unwrap & merging v3")
Just drop that, the stub fence is a global dummy and leaking a reference to it is harmless.
But just in case somebody uses this code as a blueprint for their own implementation we should probably clean it up.
> Signed-off-by: WenTao Liang <vulab@iscas.ac.cn>
Reviewed-by: Christian König <christian.koenig@amd.com>
> ---
> drivers/dma-buf/st-dma-fence-unwrap.c | 11 +++++++----
> 1 file changed, 7 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/dma-buf/st-dma-fence-unwrap.c b/drivers/dma-buf/st-dma-fence-unwrap.c
> index 72ca632e3981..b9ed85570211 100644
> --- a/drivers/dma-buf/st-dma-fence-unwrap.c
> +++ b/drivers/dma-buf/st-dma-fence-unwrap.c
> @@ -483,7 +483,7 @@ static int unwrap_merge_order(void *arg)
>
> static int unwrap_merge_complex(void *arg)
> {
> - struct dma_fence *fence, *f1, *f2, *f3, *f4, *f5;
> + struct dma_fence *fence, *f1, *f2, *f3, *f4, *f5, *stub;
> struct dma_fence_unwrap iter;
> int err = -ENOMEM;
>
> @@ -508,10 +508,11 @@ static int unwrap_merge_complex(void *arg)
> if (!f4)
> goto error_put_f3;
>
> + stub = dma_fence_get_stub();
> /* Signaled fences should be filtered, the two arrays merged. */
> - f5 = dma_fence_unwrap_merge(f3, f4, dma_fence_get_stub());
> + f5 = dma_fence_unwrap_merge(f3, f4, stub);
> if (!f5)
> - goto error_put_f4;
> + goto error_put_stub;
>
> err = 0;
> dma_fence_unwrap_for_each(fence, &iter, f5) {
> @@ -532,8 +533,10 @@ static int unwrap_merge_complex(void *arg)
> err = -EINVAL;
> }
>
> + dma_fence_put(stub);
> dma_fence_put(f5);
> -error_put_f4:
> +error_put_stub:
> + dma_fence_put(stub);
> dma_fence_put(f4);
> error_put_f3:
> dma_fence_put(f3);
* Re: [PATCH] fix: dma-buf: unwrap_merge_complex: dma_fence_get_stub reference leaked on all paths
2026-06-26 12:47 ` Christian König
@ 2026-06-27 12:34 ` WenTao Liang
0 siblings, 0 replies; 5+ messages in thread
From: WenTao Liang @ 2026-06-27 12:34 UTC (permalink / raw)
To: Christian König
Cc: sumit.semwal, linux-media, dri-devel, linaro-mm-sig, linux-kernel,
stable
> On June 26, 2026, at 20:47, Christian König <christian.koenig@amd.com> wrote:
>
> Just drop that, the stub fence is a global dummy and leaking a reference to it is harmless.
>
> But just in case somebody uses this code as a blueprint for their own implementation we should probably clean it up.
Thanks for the review. I understand that the leak is harmless in
practice.
However, I think it's still worth cleaning up to avoid misleading
other developers who might reference this code as an example. I'd
prefer to keep this patch for the sake of code quality and
maintainability.
Please let me know if you have any objections.
Best regards,
WenTao Liang