[PATCH] dma-fence: Dereference correct dma_fence in dma_fence_chain_find_seqno()

Li Ming posted 1 patch 5 days, 23 hours ago
There is a newer version of this series
drivers/dma-buf/dma-fence-chain.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[PATCH] dma-fence: Dereference correct dma_fence in dma_fence_chain_find_seqno()
Posted by Li Ming 5 days, 23 hours ago
dma_fence_chain_find_seqno() uses dma_fence_chain_for_each() to walk a
given dma_fence_chain. dma_fence_chain_for_each() always holds a
reference for the current fence during iteration. The reference must
be dropped after breaking out. Instead of dereferencing the last fence
as intended, dma_fence_chain_find_seqno() incorrectly dereferences the
first fence in the chain.

Fixes: 7bf60c52e093 ("dma-buf: add new dma_fence_chain container v7")
Signed-off-by: Li Ming <ming.li@zohomail.com>
---
 drivers/dma-buf/dma-fence-chain.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/dma-buf/dma-fence-chain.c b/drivers/dma-buf/dma-fence-chain.c
index a8a90acf4f34..71fa173aef13 100644
--- a/drivers/dma-buf/dma-fence-chain.c
+++ b/drivers/dma-buf/dma-fence-chain.c
@@ -103,7 +103,7 @@ int dma_fence_chain_find_seqno(struct dma_fence **pfence, uint64_t seqno)
 		    to_dma_fence_chain(*pfence)->prev_seqno < seqno)
 			break;
 	}
-	dma_fence_put(&chain->base);
+	dma_fence_put(*pfence);
 
 	return 0;
 }
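Review bot: The dma_fence_put(*pfence) on the + line drops a reference on the fence that is returned to the caller through the pfence in/out parameter, immediately before return 0. The caller would get back a pointer with no reference of its own behind it, and nothing in this hunk releases the reference on the fence it passed in (&chain->base) any more. The commit message says the iterator holds a reference on the current fence but does not say who owns that reference after the break. If it is meant to be handed to the caller, the existing put on &chain->base is the one that balances the caller's original reference. Please state the ownership of *pfence on return in the commit message, or keep the existing line and add a comment above it explaining why the put targets the starting fence.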

---
base-commit: c369299895a591d96745d6492d4888259b004a9e
change-id: 20260327-fix_dma_fence_chain_find_seqno-7adea64efe01

Best regards,
-- 
Li Ming <ming.li@zohomail.com>
Re: [PATCH] dma-fence: Dereference correct dma_fence in dma_fence_chain_find_seqno()
Posted by Christian König 3 days, 4 hours ago
On 3/27/26 15:33, Li Ming wrote:
> dma_fence_chain_find_seqno() uses dma_fence_chain_for_each() to walk a
> given dma_fence_chain. dma_fence_chain_for_each() always holds a
> reference for the current fence during iteration. The reference must
> be dropped after breaking out. Instead of dereferencing the last fence
> as intended, dma_fence_chain_find_seqno() incorrectly dereferences the
> first fence in the chain.

Well once more: Absolutely clear NAK and please search the mailing list for similar changes before you send a patch out.

The existing code is perfectly correct and I can't count how often I had to reject that patch.

I think the functionality is obvious but it looks like we really need to add a comment here.

Regards,
Christian.

> 
> Fixes: 7bf60c52e093 ("dma-buf: add new dma_fence_chain container v7")
> Signed-off-by: Li Ming <ming.li@zohomail.com>
> ---
>  drivers/dma-buf/dma-fence-chain.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/dma-buf/dma-fence-chain.c b/drivers/dma-buf/dma-fence-chain.c
> index a8a90acf4f34..71fa173aef13 100644
> --- a/drivers/dma-buf/dma-fence-chain.c
> +++ b/drivers/dma-buf/dma-fence-chain.c
> @@ -103,7 +103,7 @@ int dma_fence_chain_find_seqno(struct dma_fence **pfence, uint64_t seqno)
>                     to_dma_fence_chain(*pfence)->prev_seqno < seqno)
>                         break;
>         }
> -       dma_fence_put(&chain->base);
> +       dma_fence_put(*pfence);
> 
>         return 0;
>  }
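Review bot: The put before return 0 has no comment in the surrounding context lines saying which reference it releases, which is what makes &chain->base and *pfence look interchangeable at this spot. A short comment above the put naming the reference being released (the one the caller passed in on entry, as opposed to the one the iteration holds on *pfence) would settle the question for future readers, whichever line is kept.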
> 
> ---
> base-commit: c369299895a591d96745d6492d4888259b004a9e
> change-id: 20260327-fix_dma_fence_chain_find_seqno-7adea64efe01
> 
> Best regards,
> --
> Li Ming <ming.li@zohomail.com>
>
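The reference accounting this thread argues about, as an added user-space model (not kernel code, and not from the patch or either participant). It assumes the iteration takes a reference on the starting fence and that each step swaps the reference on the current link for one on the previous link; `struct fence`, `chain_walk`, `find_model` and `run_model` are hypothetical names.

```c
#include <stdio.h>

/* Constructed user-space model of fence refcounting; not kernel code. */
struct fence { int refs; struct fence *prev; };

static struct fence *fence_get(struct fence *f) { if (f) f->refs++; return f; }
static void fence_put(struct fence *f) { if (f) f->refs--; }

/* Assumed walk step: take a reference on the previous link, drop the one
 * held on the current link, return the previous link. */
static struct fence *chain_walk(struct fence *f)
{
    struct fence *prev = fence_get(f->prev);
    fence_put(f);
    return prev;
}

/* Walk `steps` links back from *pfence, then do the final put.
 * patched == 0: put the original head (the line the patch removes).
 * patched == 1: put *pfence (the line the patch adds). */
static void find_model(struct fence **pfence, int steps, int patched)
{
    struct fence *head = *pfence;
    int i = 0;

    for (*pfence = fence_get(head); *pfence; *pfence = chain_walk(*pfence))
        if (i++ == steps)
            break;
    fence_put(patched ? *pfence : head);
}

/* Chain a <- b <- c: each link holds one reference on its prev, and the
 * caller holds one reference on c. Returns the refcount of the fence handed
 * back in *pfence and stores the refcount left on c in *head_refs. */
static int run_model(int patched, int *head_refs)
{
    struct fence a = { 1, NULL }, b = { 1, &a }, c = { 1, &b };
    struct fence *p = &c;
    find_model(&p, 1, patched);
    *head_refs = c.refs;
    return p->refs;
}

int main(void)
{
    int h0, h1, r0 = run_model(0, &h0), r1 = run_model(1, &h1);
    printf("put head: ret=%d head=%d; put *pfence: ret=%d head=%d\n", r0, h0, r1, h1);
    return 0;
}
```

With the put on the head, the returned fence `b` ends at 2 (its link plus one for the caller) and `c` at 0, so the caller's single reference has moved from `c` to `b`. With the put on `*pfence`, `b` ends at 1 (the link only) and `c` keeps a reference nobody will release.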