From: Baineng Shou <shoubaineng@gmail.com>
To: "Sumit Semwal" <sumit.semwal@linaro.org>,
"Christian König" <christian.koenig@amd.com>
Cc: Tvrtko Ursulin <tursulin@ursulin.net>,
Philipp Stanner <phasta@kernel.org>,
Akash Goel <akash.goel@arm.com>,
linux-media@vger.kernel.org, dri-devel@lists.freedesktop.org,
linaro-mm-sig@lists.linaro.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org, Baineng Shou <shoubaineng@gmail.com>
Subject: [PATCH] dma-fence: Make dma_fence_dedup_array() robust against 0-count input
Date: Mon, 29 Jun 2026 11:13:46 +0800 [thread overview]
Message-ID: <20260629031346.3875683-1-shoubaineng@gmail.com> (raw)
dma_fence_dedup_array() returns 1 when called with num_fences == 0:
the for-loop body never executes, j stays at 0, and the final
`return ++j` yields 1. This contradicts both the kernel-doc ("Return:
Number of unique fences remaining in the array") and the natural
expectation that 0 input gives 0 output.
All in-tree callers currently filter num_fences == 0 before invoking
this helper (__dma_fence_unwrap_merge() bails out via the
`if (count == 0 || count == 1)` fast path; amdgpu_userq_wait_*()
cannot reach the dedup call with a zero local count because the
amdgpu_userq_wait_add_fence() helper guarantees num_fences stays in
[0, wait_info->num_fences], and wait_info->num_fences > 0 is enforced
at the ioctl entry).
However, dma_fence_dedup_array() is EXPORT_SYMBOL_GPL, so any future
caller that forgets to pre-filter the zero case will get a misleading
return value of 1. Depending on how that caller uses the result, it
could dereference an uninitialized fence slot in the array, since the
caller's array may have been allocated but not yet populated.
Make the contract match the documentation by returning 0 early. This
also skips an unnecessary sort() call on an empty array.
Signed-off-by: Baineng Shou <shoubaineng@gmail.com>
---
drivers/dma-buf/dma-fence-unwrap.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/dma-buf/dma-fence-unwrap.c b/drivers/dma-buf/dma-fence-unwrap.c
index 53bb40e70b27..364cbf79ad73 100644
--- a/drivers/dma-buf/dma-fence-unwrap.c
+++ b/drivers/dma-buf/dma-fence-unwrap.c
@@ -97,6 +97,9 @@ int dma_fence_dedup_array(struct dma_fence **fences, int num_fences)
{
int i, j;
+ if (!num_fences)
+ return 0;
+
sort(fences, num_fences, sizeof(*fences), fence_cmp, NULL);
/*
--
2.34.1
next reply other threads:[~2026-06-29 3:13 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-29 3:13 Baineng Shou [this message]
2026-06-29 6:59 ` [PATCH] dma-fence: Make dma_fence_dedup_array() robust against 0-count input Philipp Stanner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260629031346.3875683-1-shoubaineng@gmail.com \
--to=shoubaineng@gmail.com \
--cc=akash.goel@arm.com \
--cc=christian.koenig@amd.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=linaro-mm-sig@lists.linaro.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=phasta@kernel.org \
--cc=stable@vger.kernel.org \
--cc=sumit.semwal@linaro.org \
--cc=tursulin@ursulin.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox