[PATCH RESEND] dma-fence: Dereference correct dma_fence in dma_fence_chain_find_seqno()

Li Ming posted 1 patch 5 days, 19 hours ago
drivers/dma-buf/dma-fence-chain.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[PATCH RESEND] dma-fence: Dereference correct dma_fence in dma_fence_chain_find_seqno()
Posted by Li Ming 5 days, 19 hours ago
dma_fence_chain_find_seqno() uses dma_fence_chain_for_each() to walk a
given dma_fence_chain. dma_fence_chain_for_each() always holds a
reference for the current fence during iteration. The reference must
be dropped after breaking out. Instead of dereferencing the last fence
as intended, dma_fence_chain_find_seqno() incorrectly dereferences the
first fence in the chain.

Fixes: 7bf60c52e093 ("dma-buf: add new dma_fence_chain container v7")
Signed-off-by: Li Ming <ming.li@zohomail.com>
---
 drivers/dma-buf/dma-fence-chain.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/dma-buf/dma-fence-chain.c b/drivers/dma-buf/dma-fence-chain.c
index a8a90acf4f34..71fa173aef13 100644
--- a/drivers/dma-buf/dma-fence-chain.c
+++ b/drivers/dma-buf/dma-fence-chain.c
@@ -103,7 +103,7 @@ int dma_fence_chain_find_seqno(struct dma_fence **pfence, uint64_t seqno)
 		    to_dma_fence_chain(*pfence)->prev_seqno < seqno)
 			break;
 	}
-	dma_fence_put(&chain->base);
+	dma_fence_put(*pfence);
 
 	return 0;
 }
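Review bot: Putting `*pfence` here drops the reference on the fence the function is about to hand back, while leaving the caller's reference on the input fence (`&chain->base`) untouched. `*pfence` is the node the dma_fence_chain_for_each() loop broke out on (the `prev_seqno < seqno` context line above), and per the commit message the loop already holds a reference on it; `chain` is the fence the caller passed in. The existing `dma_fence_put(&chain->base)` is the ownership transfer: the caller's reference on the input fence is consumed and replaced by the reference on the advanced `*pfence`, which is what the kerneldoc's "Advance the fence pointer to the chain node which will signal this sequence number" describes. With this change the input fence's reference leaks and the caller ends up holding `*pfence` without a reference of its own, so the patch should not be merged. Since the contract keeps being misread, a one-line comment above `dma_fence_put(&chain->base)` saying that the function consumes the caller's reference on the input fence and returns a referenced fence in `*pfence` would head off the recurring "fix".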

---
base-commit: c369299895a591d96745d6492d4888259b004a9e
change-id: 20260327-fix_dma_fence_chain_find_seqno-7adea64efe01

Best regards,
-- 
Li Ming <ming.li@zohomail.com>
Re: [PATCH RESEND] dma-fence: Dereference correct dma_fence in dma_fence_chain_find_seqno()
Posted by Li Ming 5 days, 3 hours ago
On 2026/3/28 02:47, Li Ming wrote:
> dma_fence_chain_find_seqno() uses dma_fence_chain_for_each() to walk a
> given dma_fence_chain. dma_fence_chain_for_each() always holds a
> reference for the current fence during iteration. The reference must
> be dropped after breaking out. Instead of dereferencing the last fence
> as intended, dma_fence_chain_find_seqno() incorrectly dereferences the
> first fence in the chain.
>
> Fixes: 7bf60c52e093 ("dma-buf: add new dma_fence_chain container v7")
> Signed-off-by: Li Ming <ming.li@zohomail.com>
> ---
>   drivers/dma-buf/dma-fence-chain.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/dma-buf/dma-fence-chain.c b/drivers/dma-buf/dma-fence-chain.c
> index a8a90acf4f34..71fa173aef13 100644
> --- a/drivers/dma-buf/dma-fence-chain.c
> +++ b/drivers/dma-buf/dma-fence-chain.c
> @@ -103,7 +103,7 @@ int dma_fence_chain_find_seqno(struct dma_fence **pfence, uint64_t seqno)
>   		    to_dma_fence_chain(*pfence)->prev_seqno < seqno)
>   			break;
>   	}
> -	dma_fence_put(&chain->base);
> +	dma_fence_put(*pfence);
>   
>   	return 0;
>   }
>
> ---
> base-commit: c369299895a591d96745d6492d4888259b004a9e
> change-id: 20260327-fix_dma_fence_chain_find_seqno-7adea64efe01
>
> Best regards,

After looking deeper into this issue, I found it is not a bug.

It seems this function requires that the caller hold a reference on the 
given fence before calling it. When pfence changes, the reference needs 
to be transferred from the original fence to the new fence. That is 
why it releases the reference on the original fence at the end.

Sorry for the noise.


Ming

Re: [PATCH RESEND] dma-fence: Dereference correct dma_fence in dma_fence_chain_find_seqno()
Posted by Christian König 2 days, 20 hours ago
On 3/28/26 11:26, Li Ming wrote:
> 
> On 2026/3/28 02:47, Li Ming wrote:
>> dma_fence_chain_find_seqno() uses dma_fence_chain_for_each() to walk a
>> given dma_fence_chain. dma_fence_chain_for_each() always holds a
>> reference for the current fence during iteration. The reference must
>> be dropped after breaking out. Instead of dereferencing the last fence
>> as intended, dma_fence_chain_find_seqno() incorrectly dereferences the
>> first fence in the chain.
>>
>> Fixes: 7bf60c52e093 ("dma-buf: add new dma_fence_chain container v7")
>> Signed-off-by: Li Ming <ming.li@zohomail.com>
>> ---
>>   drivers/dma-buf/dma-fence-chain.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/dma-buf/dma-fence-chain.c b/drivers/dma-buf/dma-fence-chain.c
>> index a8a90acf4f34..71fa173aef13 100644
>> --- a/drivers/dma-buf/dma-fence-chain.c
>> +++ b/drivers/dma-buf/dma-fence-chain.c
>> @@ -103,7 +103,7 @@ int dma_fence_chain_find_seqno(struct dma_fence **pfence, uint64_t seqno)
>>               to_dma_fence_chain(*pfence)->prev_seqno < seqno)
>>               break;
>>       }
>> -    dma_fence_put(&chain->base);
>> +    dma_fence_put(*pfence);
>>         return 0;
>>   }
>>
>> ---
>> base-commit: c369299895a591d96745d6492d4888259b004a9e
>> change-id: 20260327-fix_dma_fence_chain_find_seqno-7adea64efe01
>>
>> Best regards,
> 
> After looking deeper into this issue, I found it is not a bug.
> 
> It seems this function requires that the caller hold a reference on the given fence before calling it. When pfence changes, the reference needs to be transferred from the original fence to the new fence. That is why it releases the reference on the original fence at the end.

Yeah exactly that. We have documented the behavior in the kerneldoc:

 * Advance the fence pointer to the chain node which will signal this sequence
 * number.

But that is somehow not enough.

If you have suggestions on how to improve the comments, then please speak up. This patch has been suggested as a "fix" numerous times.

Regards,
Christian.


> 
> Sorry to make this noise.
> 
> 
> Ming
>
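The ownership contract Li Ming describes in the follow-up and that the kerneldoc Christian quotes documents can be made concrete with a small reference-counting model. The following is an added, constructed user-space model and not kernel code: `walk_to_seqno` mirrors the reference discipline of dma_fence_chain_for_each() (the current node always holds one reference), `find_seqno_upstream` keeps the `dma_fence_put(&chain->base)` shape of the existing function, `find_seqno_patched` applies the put from the patch, and `run_query` reports the caller-visible reference counts on a constructed three-node chain. The references the chain links themselves hold and the upstream function's early-exit checks are deliberately left out, and all names are hypothetical.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed user-space model of a dma_fence_chain node (not kernel code).
 * Only caller-visible references are counted; the references the chain links
 * hold on their prev node are left out to keep the counts readable. */
struct fence {
	int refcount;         /* caller-visible references */
	uint64_t seqno;       /* sequence number this node signals */
	uint64_t prev_seqno;  /* seqno of the previous node (chain->prev_seqno) */
	struct fence *prev;   /* previous node, or NULL at the chain tail */
};

static void fence_get(struct fence *f)
{
	if (f)
		f->refcount++;
}

/* NULL-safe like dma_fence_put(); a put below zero is a double put. */
static void fence_put(struct fence *f)
{
	if (!f)
		return;
	assert(f->refcount > 0);
	f->refcount--;
}

/* Walk head -> tail as dma_fence_chain_for_each() does: the node in iter
 * always holds one reference; moving to prev takes a reference on prev and
 * drops the one on iter. Breaking out leaves the caller owning the reference
 * on the returned node (NULL if the walk ran off the end of the chain). */
static struct fence *walk_to_seqno(struct fence *head, uint64_t seqno)
{
	struct fence *iter = head;

	fence_get(iter);
	while (iter) {
		struct fence *prev;

		if (iter->prev_seqno < seqno)
			return iter;  /* this node will signal seqno */
		prev = iter->prev;
		fence_get(prev);
		fence_put(iter);
		iter = prev;
	}
	return NULL;
}

/* Upstream shape: the caller's reference on the input fence is consumed and
 * the caller gets back a referenced fence in *pfence. */
static int find_seqno_upstream(struct fence **pfence, uint64_t seqno)
{
	struct fence *chain = *pfence;

	*pfence = walk_to_seqno(chain, seqno);
	fence_put(chain);      /* the dma_fence_put(&chain->base) the patch removes */
	return 0;
}

/* Shape proposed by the patch: put the advanced fence instead of the input. */
static int find_seqno_patched(struct fence **pfence, uint64_t seqno)
{
	struct fence *chain = *pfence;

	*pfence = walk_to_seqno(chain, seqno);
	fence_put(*pfence);    /* the dma_fence_put(*pfence) the patch adds */
	return 0;
}

/* Reference counts after one query on a constructed three-node chain whose
 * head the caller holds exactly one reference on. */
struct outcome {
	int input_refs;        /* references left on the fence passed in */
	int output_refs;       /* references on the fence returned in *pfence */
	uint64_t output_seqno; /* seqno of the returned fence (0 if NULL) */
};

static struct outcome run_query(int (*find)(struct fence **, uint64_t),
				uint64_t seqno)
{
	struct fence n1 = { 0, 1, 0, NULL };
	struct fence n2 = { 0, 2, 1, &n1 };
	struct fence n3 = { 1, 3, 2, &n2 };  /* head; the caller's one reference */
	struct fence *f = &n3;
	struct outcome o;

	find(&f, seqno);
	o.input_refs = n3.refcount;
	o.output_refs = f ? f->refcount : 0;
	o.output_seqno = f ? f->seqno : 0;
	return o;
}

int main(void)
{
	static const char *const names[] = { "upstream", "patched" };
	int (*const fns[])(struct fence **, uint64_t) = {
		find_seqno_upstream, find_seqno_patched };
	const uint64_t seqnos[] = { 3, 2 };

	for (int i = 0; i < 2; i++)
		for (int j = 0; j < 2; j++) {
			struct outcome o = run_query(fns[i], seqnos[j]);

			printf("%-8s seqno=%llu -> input refs %d, output (seqno %llu) refs %d\n",
			       names[i], (unsigned long long)seqnos[j], o.input_refs,
			       (unsigned long long)o.output_seqno, o.output_refs);
		}
	return 0;
}
```

With seqno 3 the pointer does not advance and both variants leave one reference on the head, which is why the patch can look harmless in a quick test. With seqno 2 the upstream shape moves the caller's single reference from n3 to n2 (n3 ends at 0, n2 at 1), while the patched shape leaks the reference on n3 (still 1) and hands back n2 with no reference at all (0).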