From: Jonathan Cameron <jic23@kernel.org>
To: Paul Cercueil <paul@crapouillou.net>
Cc: "Benoît Monin" <benoit.monin@bootlin.com>,
"David Lechner" <dlechner@baylibre.com>,
"Nuno Sá" <nuno.sa@analog.com>,
"Andy Shevchenko" <andy@kernel.org>,
"Thomas Petazzoni" <thomas.petazzoni@bootlin.com>,
"Jonathan Cameron" <Jonathan.Cameron@huawei.com>,
linux-iio@vger.kernel.org, linux-kernel@vger.kernel.org,
"James Nuss" <jamesnuss@nanometrics.ca>
Subject: Re: [PATCH] iio: buffer: Fix DMA fence leak in iio_buffer_enqueue_dmabuf()
Date: Mon, 20 Apr 2026 15:57:13 +0100 [thread overview]
Message-ID: <20260420155713.18c30f12@jic23-huawei> (raw)
In-Reply-To: <5fcda84716176de70b6ff968458ee4e4101b36ad.camel@crapouillou.net>
On Wed, 01 Apr 2026 18:16:10 +0200
Paul Cercueil <paul@crapouillou.net> wrote:
> Hi Benoît,
>
> Le mercredi 01 avril 2026 à 17:24 +0200, Benoît Monin a écrit :
> > iio_buffer_enqueue_dmabuf() allocates a struct iio_dma_fence (104
> > bytes,
> > kmalloc-128) via kmalloc_obj()+dma_fence_init(), which sets the
> > initial
> > kref to 1. It then calls dma_resv_add_fence() which takes a second
> > reference (kref=2), and stores a raw pointer in block->fence.
> >
> > On the success path the function returns without calling
> > dma_fence_put()
> > to release the initial reference, so every buffer enqueue permanently
> > leaks one kmalloc-128 allocation.
> >
> > The iio_buffer_cleanup() work item only releases the temporary
> > reference
> > taken during completion signalling by
> > iio_buffer_signal_dmabuf_done();
> > the initial reference from dma_fence_init() is never released.
> >
> > With four iio_rwdev instances at 240kHz and 512 samples per buffer,
> > this produces ~1875 kmalloc-128 allocations per second matching the
> > observed slab growth exactly. A test with ftrace confirmed that the
> > dma_fence_destroy event was never triggered.
> >
> > Fix by calling dma_fence_put() after dma_resv_add_fence(),
> > transferring
> > ownership of the fence to the DMA reservation object. The DMA fence
> > then
> > gets properly discarded after being signalled.
> >
> > Fixes: 3e26d9f08fbe0 ("iio: core: Add new DMABUF interface
> > infrastructure")
> > Originally-by: James Nuss <jamesnuss@nanometrics.ca>
> > Signed-off-by: Benoît Monin <benoit.monin@bootlin.com>
>
> I had a look at the code and indeed, it looks like it's not releasing
> the dma_fence properly. The fix makes sense.
>
> Reviewed-by: Paul Cercueil <paul@crapouillou.net>
Applied and marked for stable.
Thanks,
J
next prev parent reply other threads:[~2026-04-20 14:57 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-01 15:24 [PATCH] iio: buffer: Fix DMA fence leak in iio_buffer_enqueue_dmabuf() Benoît Monin
2026-04-01 16:16 ` Paul Cercueil
2026-04-20 14:57 ` Jonathan Cameron [this message]
2026-04-20 15:12 ` Paul Cercueil
2026-04-21 9:12 ` Benoît Monin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260420155713.18c30f12@jic23-huawei \
--to=jic23@kernel.org \
--cc=Jonathan.Cameron@huawei.com \
--cc=andy@kernel.org \
--cc=benoit.monin@bootlin.com \
--cc=dlechner@baylibre.com \
--cc=jamesnuss@nanometrics.ca \
--cc=linux-iio@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=nuno.sa@analog.com \
--cc=paul@crapouillou.net \
--cc=thomas.petazzoni@bootlin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox