drivers/iio/industrialio-buffer.c | 1 + 1 file changed, 1 insertion(+)
iio_buffer_enqueue_dmabuf() allocates a struct iio_dma_fence (104 bytes,
kmalloc-128) via kmalloc_obj()+dma_fence_init(), which sets the initial
kref to 1. It then calls dma_resv_add_fence() which takes a second
reference (kref=2), and stores a raw pointer in block->fence.
On the success path the function returns without calling dma_fence_put()
to release the initial reference, so every buffer enqueue permanently
leaks one kmalloc-128 allocation.
The iio_buffer_cleanup() work item only releases the temporary reference
taken during completion signalling by iio_buffer_signal_dmabuf_done();
the initial reference from dma_fence_init() is never released.
With four iio_rwdev instances at 240kHz and 512 samples per buffer,
this produces ~1875 kmalloc-128 allocations per second matching the
observed slab growth exactly. A test with ftrace confirmed that the
dma_fence_destroy event was never triggered.
Fix by calling dma_fence_put() after dma_resv_add_fence(), transferring
ownership of the fence to the DMA reservation object. The DMA fence then
gets properly discarded after being signalled.
Fixes: 3e26d9f08fbe0 ("iio: core: Add new DMABUF interface infrastructure")
Originally-by: James Nuss <jamesnuss@nanometrics.ca>
Signed-off-by: Benoît Monin <benoit.monin@bootlin.com>
---
drivers/iio/industrialio-buffer.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/iio/industrialio-buffer.c b/drivers/iio/industrialio-buffer.c
index 46f36a6ed271..5c3df993bea2 100644
--- a/drivers/iio/industrialio-buffer.c
+++ b/drivers/iio/industrialio-buffer.c
@@ -1909,6 +1909,7 @@ static int iio_buffer_enqueue_dmabuf(struct iio_dev_buffer_pair *ib,
dma_resv_add_fence(dmabuf->resv, &fence->base,
dma_to_ram ? DMA_RESV_USAGE_WRITE : DMA_RESV_USAGE_READ);
+ dma_fence_put(&fence->base);
dma_resv_unlock(dmabuf->resv);
cookie = dma_fence_begin_signalling();
---
base-commit: 7aaa8047eafd0bd628065b15757d9b48c5f9c07d
change-id: 20260401-iio-dma-fence-5f1ceba11ef5
Best regards,
--
Benoît Monin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
Hi Benoît,
Le mercredi 01 avril 2026 à 17:24 +0200, Benoît Monin a écrit :
> iio_buffer_enqueue_dmabuf() allocates a struct iio_dma_fence (104
> bytes,
> kmalloc-128) via kmalloc_obj()+dma_fence_init(), which sets the
> initial
> kref to 1. It then calls dma_resv_add_fence() which takes a second
> reference (kref=2), and stores a raw pointer in block->fence.
>
> On the success path the function returns without calling
> dma_fence_put()
> to release the initial reference, so every buffer enqueue permanently
> leaks one kmalloc-128 allocation.
>
> The iio_buffer_cleanup() work item only releases the temporary
> reference
> taken during completion signalling by
> iio_buffer_signal_dmabuf_done();
> the initial reference from dma_fence_init() is never released.
>
> With four iio_rwdev instances at 240kHz and 512 samples per buffer,
> this produces ~1875 kmalloc-128 allocations per second matching the
> observed slab growth exactly. A test with ftrace confirmed that the
> dma_fence_destroy event was never triggered.
>
> Fix by calling dma_fence_put() after dma_resv_add_fence(),
> transferring
> ownership of the fence to the DMA reservation object. The DMA fence
> then
> gets properly discarded after being signalled.
>
> Fixes: 3e26d9f08fbe0 ("iio: core: Add new DMABUF interface
> infrastructure")
> Originally-by: James Nuss <jamesnuss@nanometrics.ca>
> Signed-off-by: Benoît Monin <benoit.monin@bootlin.com>
I had a look at the code and indeed, it looks like it's not releasing
the dma_fence properly. The fix makes sense.
Reviewed-by: Paul Cercueil <paul@crapouillou.net>
Cheers,
-Paul Cercueil
> ---
> drivers/iio/industrialio-buffer.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/iio/industrialio-buffer.c
> b/drivers/iio/industrialio-buffer.c
> index 46f36a6ed271..5c3df993bea2 100644
> --- a/drivers/iio/industrialio-buffer.c
> +++ b/drivers/iio/industrialio-buffer.c
> @@ -1909,6 +1909,7 @@ static int iio_buffer_enqueue_dmabuf(struct
> iio_dev_buffer_pair *ib,
>
> dma_resv_add_fence(dmabuf->resv, &fence->base,
> dma_to_ram ? DMA_RESV_USAGE_WRITE :
> DMA_RESV_USAGE_READ);
> + dma_fence_put(&fence->base);
> dma_resv_unlock(dmabuf->resv);
>
> cookie = dma_fence_begin_signalling();
>
> ---
> base-commit: 7aaa8047eafd0bd628065b15757d9b48c5f9c07d
> change-id: 20260401-iio-dma-fence-5f1ceba11ef5
>
> Best regards,
> --
> Benoît Monin, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
© 2016 - 2026 Red Hat, Inc.