* [PATCH] dma-buf: fix reference count leak in dma_buf_poll_add_cb()
@ 2025-09-23 11:14 Dan Carpenter
2025-09-23 12:00 ` Christian König
0 siblings, 1 reply; 3+ messages in thread
From: Dan Carpenter @ 2025-09-23 11:14 UTC (permalink / raw)
To: Christian König
Cc: Sumit Semwal, Simona Vetter, linux-media, dri-devel,
linaro-mm-sig, linux-kernel, kernel-janitors
Call dma_fence_put(fence) if dma_fence_add_callback() fails.
Fixes: 6b51b02a3a0a ("dma-buf: fix and rework dma_buf_poll v7")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
From code review, not from testing. Please review carefully.
drivers/dma-buf/dma-buf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
index 2bcf9ceca997..a14e1f50b090 100644
--- a/drivers/dma-buf/dma-buf.c
+++ b/drivers/dma-buf/dma-buf.c
@@ -301,9 +301,9 @@ static bool dma_buf_poll_add_cb(struct dma_resv *resv, bool write,
fence) {
dma_fence_get(fence);
r = dma_fence_add_callback(fence, &dcb->cb, dma_buf_poll_cb);
+ dma_fence_put(fence);
if (!r)
return true;
- dma_fence_put(fence);
}
return false;
--
2.51.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] dma-buf: fix reference count leak in dma_buf_poll_add_cb()
2025-09-23 11:14 [PATCH] dma-buf: fix reference count leak in dma_buf_poll_add_cb() Dan Carpenter
@ 2025-09-23 12:00 ` Christian König
2025-09-23 12:19 ` Dan Carpenter
0 siblings, 1 reply; 3+ messages in thread
From: Christian König @ 2025-09-23 12:00 UTC (permalink / raw)
To: Dan Carpenter
Cc: Sumit Semwal, Simona Vetter, linux-media, dri-devel,
linaro-mm-sig, linux-kernel, kernel-janitors
On 23.09.25 13:14, Dan Carpenter wrote:
> Call dma_fence_put(fence) if dma_fence_add_callback() fails.
Well that change is obviously incorrect.
When dma_fence_add_callback() fails we already call dma_fence_put() and drop the reference.
When the dma_fence_add_callback() call succeeds the callback will drop the reference.
The problem here is that the return code of dma_fence_add_callback() is an integer error code instead of a bool and basically has the reverse meaning than what people usually expect.
I have it on my TODO list for years to fix that, but never found the time to actually do it. If anybody wants to volunteer then please go ahead.
Regards,
Christian.
>
> Fixes: 6b51b02a3a0a ("dma-buf: fix and rework dma_buf_poll v7")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
> ---
> From code review, not from testing. Please review carefully.
>
> drivers/dma-buf/dma-buf.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
> index 2bcf9ceca997..a14e1f50b090 100644
> --- a/drivers/dma-buf/dma-buf.c
> +++ b/drivers/dma-buf/dma-buf.c
> @@ -301,9 +301,9 @@ static bool dma_buf_poll_add_cb(struct dma_resv *resv, bool write,
> fence) {
> dma_fence_get(fence);
> r = dma_fence_add_callback(fence, &dcb->cb, dma_buf_poll_cb);
> + dma_fence_put(fence);
> if (!r)
> return true;
> - dma_fence_put(fence);
> }
>
> return false;
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] dma-buf: fix reference count leak in dma_buf_poll_add_cb()
2025-09-23 12:00 ` Christian König
@ 2025-09-23 12:19 ` Dan Carpenter
0 siblings, 0 replies; 3+ messages in thread
From: Dan Carpenter @ 2025-09-23 12:19 UTC (permalink / raw)
To: Christian König
Cc: Sumit Semwal, Simona Vetter, linux-media, dri-devel,
linaro-mm-sig, linux-kernel, kernel-janitors
On Tue, Sep 23, 2025 at 02:00:28PM +0200, Christian König wrote:
> On 23.09.25 13:14, Dan Carpenter wrote:
> > Call dma_fence_put(fence) if dma_fence_add_callback() fails.
>
> Well that change is obviously incorrect.
>
> When dma_fence_add_callback() fails we already call dma_fence_put() and drop the reference.
>
> When the dma_fence_add_callback() call succeeds the callback will drop the reference.
>
> The problem here is that the return code of dma_fence_add_callback() is an integer error code instead of a bool and basically has the reverse meaning than what people usually expect.
>
Ah, yes. You're exactly correct of course. Sorry about that.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2025-09-23 12:19 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-09-23 11:14 [PATCH] dma-buf: fix reference count leak in dma_buf_poll_add_cb() Dan Carpenter
2025-09-23 12:00 ` Christian König
2025-09-23 12:19 ` Dan Carpenter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox