[PATCH] iio: buffer: Fix DMA fence leak in iio_buffer_enqueue_dmabuf()

[PATCH] iio: buffer: Fix DMA fence leak in iio_buffer_enqueue_dmabuf()

[Benoît Monin]

iio_buffer_enqueue_dmabuf() allocates a struct iio_dma_fence (104 bytes,
kmalloc-128) via kmalloc_obj()+dma_fence_init(), which sets the initial
kref to 1.  It then calls dma_resv_add_fence() which takes a second
reference (kref=2), and stores a raw pointer in block->fence.

On the success path the function returns without calling dma_fence_put()
to release the initial reference, so every buffer enqueue permanently
leaks one kmalloc-128 allocation.

The iio_buffer_cleanup() work item only releases the temporary reference
taken during completion signalling by iio_buffer_signal_dmabuf_done();
the initial reference from dma_fence_init() is never released.

With four iio_rwdev instances at 240kHz and 512 samples per buffer,
this produces ~1875 kmalloc-128 allocations per second matching the
observed slab growth exactly. A test with ftrace confirmed that the
dma_fence_destroy event was never triggered.

Fix by calling dma_fence_put() after dma_resv_add_fence(), transferring
ownership of the fence to the DMA reservation object. The DMA fence then
gets properly discarded after being signalled.

Fixes: 3e26d9f08fbe0 ("iio: core: Add new DMABUF interface infrastructure")
Originally-by: James Nuss <jamesnuss@nanometrics.ca>
Signed-off-by: Benoît Monin <benoit.monin@bootlin.com>
---
 drivers/iio/industrialio-buffer.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/iio/industrialio-buffer.c b/drivers/iio/industrialio-buffer.c
index 46f36a6ed271..5c3df993bea2 100644
--- a/drivers/iio/industrialio-buffer.c
+++ b/drivers/iio/industrialio-buffer.c
@@ -1909,6 +1909,7 @@ static int iio_buffer_enqueue_dmabuf(struct iio_dev_buffer_pair *ib,
 
 	dma_resv_add_fence(dmabuf->resv, &fence->base,
 			   dma_to_ram ? DMA_RESV_USAGE_WRITE : DMA_RESV_USAGE_READ);
+	dma_fence_put(&fence->base);
 	dma_resv_unlock(dmabuf->resv);
 
 	cookie = dma_fence_begin_signalling();

---
base-commit: 7aaa8047eafd0bd628065b15757d9b48c5f9c07d
change-id: 20260401-iio-dma-fence-5f1ceba11ef5

Best regards,
--  
Benoît Monin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

Re: [PATCH] iio: buffer: Fix DMA fence leak in iio_buffer_enqueue_dmabuf()

[Paul Cercueil]

Hi Benoît,

Le mercredi 01 avril 2026 à 17:24 +0200, Benoît Monin a écrit :
> iio_buffer_enqueue_dmabuf() allocates a struct iio_dma_fence (104
> bytes,
> kmalloc-128) via kmalloc_obj()+dma_fence_init(), which sets the
> initial
> kref to 1.  It then calls dma_resv_add_fence() which takes a second
> reference (kref=2), and stores a raw pointer in block->fence.
> 
> On the success path the function returns without calling
> dma_fence_put()
> to release the initial reference, so every buffer enqueue permanently
> leaks one kmalloc-128 allocation.
> 
> The iio_buffer_cleanup() work item only releases the temporary
> reference
> taken during completion signalling by
> iio_buffer_signal_dmabuf_done();
> the initial reference from dma_fence_init() is never released.
> 
> With four iio_rwdev instances at 240kHz and 512 samples per buffer,
> this produces ~1875 kmalloc-128 allocations per second matching the
> observed slab growth exactly. A test with ftrace confirmed that the
> dma_fence_destroy event was never triggered.
> 
> Fix by calling dma_fence_put() after dma_resv_add_fence(),
> transferring
> ownership of the fence to the DMA reservation object. The DMA fence
> then
> gets properly discarded after being signalled.
> 
> Fixes: 3e26d9f08fbe0 ("iio: core: Add new DMABUF interface
> infrastructure")
> Originally-by: James Nuss <jamesnuss@nanometrics.ca>
> Signed-off-by: Benoît Monin <benoit.monin@bootlin.com>

I had a look at the code and indeed, it looks like it's not releasing
the dma_fence properly. The fix makes sense.

Reviewed-by: Paul Cercueil <paul@crapouillou.net>

Cheers,
-Paul Cercueil

> ---
>  drivers/iio/industrialio-buffer.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/iio/industrialio-buffer.c
> b/drivers/iio/industrialio-buffer.c
> index 46f36a6ed271..5c3df993bea2 100644
> --- a/drivers/iio/industrialio-buffer.c
> +++ b/drivers/iio/industrialio-buffer.c
> @@ -1909,6 +1909,7 @@ static int iio_buffer_enqueue_dmabuf(struct
> iio_dev_buffer_pair *ib,
>  
>  	dma_resv_add_fence(dmabuf->resv, &fence->base,
>  			   dma_to_ram ? DMA_RESV_USAGE_WRITE :
> DMA_RESV_USAGE_READ);
> +	dma_fence_put(&fence->base);
>  	dma_resv_unlock(dmabuf->resv);
>  
>  	cookie = dma_fence_begin_signalling();
> 
> ---
> base-commit: 7aaa8047eafd0bd628065b15757d9b48c5f9c07d
> change-id: 20260401-iio-dma-fence-5f1ceba11ef5
> 
> Best regards,
> --  
> Benoît Monin, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com

Re: [PATCH] iio: buffer: Fix DMA fence leak in iio_buffer_enqueue_dmabuf()

[Jonathan Cameron]

On Wed, 01 Apr 2026 18:16:10 +0200
Paul Cercueil <paul@crapouillou.net> wrote:

> Hi Benoît,
> 
> Le mercredi 01 avril 2026 à 17:24 +0200, Benoît Monin a écrit :
> > iio_buffer_enqueue_dmabuf() allocates a struct iio_dma_fence (104
> > bytes,
> > kmalloc-128) via kmalloc_obj()+dma_fence_init(), which sets the
> > initial
> > kref to 1.  It then calls dma_resv_add_fence() which takes a second
> > reference (kref=2), and stores a raw pointer in block->fence.
> > 
> > On the success path the function returns without calling
> > dma_fence_put()
> > to release the initial reference, so every buffer enqueue permanently
> > leaks one kmalloc-128 allocation.
> > 
> > The iio_buffer_cleanup() work item only releases the temporary
> > reference
> > taken during completion signalling by
> > iio_buffer_signal_dmabuf_done();
> > the initial reference from dma_fence_init() is never released.
> > 
> > With four iio_rwdev instances at 240kHz and 512 samples per buffer,
> > this produces ~1875 kmalloc-128 allocations per second matching the
> > observed slab growth exactly. A test with ftrace confirmed that the
> > dma_fence_destroy event was never triggered.
> > 
> > Fix by calling dma_fence_put() after dma_resv_add_fence(),
> > transferring
> > ownership of the fence to the DMA reservation object. The DMA fence
> > then
> > gets properly discarded after being signalled.
> > 
> > Fixes: 3e26d9f08fbe0 ("iio: core: Add new DMABUF interface
> > infrastructure")
> > Originally-by: James Nuss <jamesnuss@nanometrics.ca>
> > Signed-off-by: Benoît Monin <benoit.monin@bootlin.com>  
> 
> I had a look at the code and indeed, it looks like it's not releasing
> the dma_fence properly. The fix makes sense.
> 
> Reviewed-by: Paul Cercueil <paul@crapouillou.net>
Applied and marked for stable. 

Thanks,

J

Re: [PATCH] iio: buffer: Fix DMA fence leak in iio_buffer_enqueue_dmabuf()

[Paul Cercueil]

Hi Benoît,

By the way, I did the exact same mistake in the functionfs code
(drivers/usb/gadget/function/f_fs.c), do you want to fix it there too?

(or I'll do it myself eventually)

Cheers,
-Paul

Le mercredi 01 avril 2026 à 17:24 +0200, Benoît Monin a écrit :
> iio_buffer_enqueue_dmabuf() allocates a struct iio_dma_fence (104
> bytes,
> kmalloc-128) via kmalloc_obj()+dma_fence_init(), which sets the
> initial
> kref to 1.  It then calls dma_resv_add_fence() which takes a second
> reference (kref=2), and stores a raw pointer in block->fence.
> 
> On the success path the function returns without calling
> dma_fence_put()
> to release the initial reference, so every buffer enqueue permanently
> leaks one kmalloc-128 allocation.
> 
> The iio_buffer_cleanup() work item only releases the temporary
> reference
> taken during completion signalling by
> iio_buffer_signal_dmabuf_done();
> the initial reference from dma_fence_init() is never released.
> 
> With four iio_rwdev instances at 240kHz and 512 samples per buffer,
> this produces ~1875 kmalloc-128 allocations per second matching the
> observed slab growth exactly. A test with ftrace confirmed that the
> dma_fence_destroy event was never triggered.
> 
> Fix by calling dma_fence_put() after dma_resv_add_fence(),
> transferring
> ownership of the fence to the DMA reservation object. The DMA fence
> then
> gets properly discarded after being signalled.
> 
> Fixes: 3e26d9f08fbe0 ("iio: core: Add new DMABUF interface
> infrastructure")
> Originally-by: James Nuss <jamesnuss@nanometrics.ca>
> Signed-off-by: Benoît Monin <benoit.monin@bootlin.com>
> ---
>  drivers/iio/industrialio-buffer.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/iio/industrialio-buffer.c
> b/drivers/iio/industrialio-buffer.c
> index 46f36a6ed271..5c3df993bea2 100644
> --- a/drivers/iio/industrialio-buffer.c
> +++ b/drivers/iio/industrialio-buffer.c
> @@ -1909,6 +1909,7 @@ static int iio_buffer_enqueue_dmabuf(struct
> iio_dev_buffer_pair *ib,
>  
>  	dma_resv_add_fence(dmabuf->resv, &fence->base,
>  			   dma_to_ram ? DMA_RESV_USAGE_WRITE :
> DMA_RESV_USAGE_READ);
> +	dma_fence_put(&fence->base);
>  	dma_resv_unlock(dmabuf->resv);
>  
>  	cookie = dma_fence_begin_signalling();
> 
> ---
> base-commit: 7aaa8047eafd0bd628065b15757d9b48c5f9c07d
> change-id: 20260401-iio-dma-fence-5f1ceba11ef5
> 
> Best regards,
> --  
> Benoît Monin, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com

Re: [PATCH] iio: buffer: Fix DMA fence leak in iio_buffer_enqueue_dmabuf()

[Benoît Monin]

Hi Paul,

On Monday, 20 April 2026 at 17:12:46 CEST, Paul Cercueil wrote:
> By the way, I did the exact same mistake in the functionfs code
> (drivers/usb/gadget/function/f_fs.c), do you want to fix it there too?
> 
> (or I'll do it myself eventually)
> 
I have never used functionfs so I will let you fix it.

Best regards,
-- 
Benoît Monin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com