Re: [PATCH RESEND] dma-fence: Dereference correct dma_fence in dma_fence_chain_find_seqno()
From: Christian König
Date: Mon Mar 30 2026 - 13:39:52 EST
On 3/28/26 11:26, Li Ming wrote:
>
> On 2026/3/28 02:47, Li Ming wrote:
>> dma_fence_chain_find_seqno() uses dma_fence_chain_for_each() to walk a
>> given dma_fence_chain. dma_fence_chain_for_each() always holds a
>> reference for the current fence during iteration. The reference must
>> be dropped after breaking out. Instead of dereferencing the last fence
>> as intended, dma_fence_chain_find_seqno() incorrectly dereferences the
>> first fence in the chain.
>>
>> Fixes: 7bf60c52e093 ("dma-buf: add new dma_fence_chain container v7")
>> Signed-off-by: Li Ming <ming.li@xxxxxxxxxxxx>
>> ---
>> drivers/dma-buf/dma-fence-chain.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/dma-buf/dma-fence-chain.c b/drivers/dma-buf/dma-fence-chain.c
>> index a8a90acf4f34..71fa173aef13 100644
>> --- a/drivers/dma-buf/dma-fence-chain.c
>> +++ b/drivers/dma-buf/dma-fence-chain.c
>> @@ -103,7 +103,7 @@ int dma_fence_chain_find_seqno(struct dma_fence **pfence, uint64_t seqno)
>> to_dma_fence_chain(*pfence)->prev_seqno < seqno)
>> break;
>> }
>> - dma_fence_put(&chain->base);
>> + dma_fence_put(*pfence);
>> return 0;
>> }
>>
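Review bot: the replacement line at the end of dma_fence_chain_find_seqno(), `dma_fence_put(*pfence)`, drops the reference that dma_fence_chain_for_each() still holds on the fence being handed back through *pfence, and it no longer releases the reference on `&chain->base`, the fence the caller passed in. As the replies in this thread state, the caller's reference is meant to move from the original fence to the new one, so the existing `dma_fence_put(&chain->base)` should stay. A comment on that line, or a kerneldoc sentence saying that the reference on the passed-in fence is consumed and the returned fence carries one, would address the confusion instead.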
>> ---
>> base-commit: c369299895a591d96745d6492d4888259b004a9e
>> change-id: 20260327-fix_dma_fence_chain_find_seqno-7adea64efe01
>>
>> Best regards,
>
> After looking deeper into this issue, it is not a bug.
>
> Seems like this function requires that the caller holds a reference to the given fence before calling it. When pfence changes, the reference needs to be transferred from the original fence to the new fence. That is why it releases the reference for the original fence in the end.

Yeah exactly that. We have documented the behavior in the kerneldoc:

 * Advance the fence pointer to the chain node which will signal this sequence
 * number.

But that is somehow not enough.

If you have suggestions how to improve the comments then please speak up. This patch has been suggested as "fix" numerous times.

Regards,
Christian.
>
> Sorry to make this noise.
>
>
> Ming
>
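The reference hand-over discussed in this thread, as an added example that is not part of the original messages and not kernel code: a toy refcounted chain in which `find_seqno` can end with either the existing put on the head or the proposed put on `*pn`. All names (`node`, `node_walk`, `find_seqno`, `refs_after_lookup`) are hypothetical, and the model omits the context check and fence release.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy refcounted chain node (hypothetical model, not struct dma_fence). */
struct node { int refs; uint64_t seqno, prev_seqno; struct node *prev; };

static struct node *node_get(struct node *n) { if (n) n->refs++; return n; }
static void node_put(struct node *n) { if (n) n->refs--; }

/* Step to the older node: take a ref on it, drop the ref on the current one. */
static struct node *node_walk(struct node *n)
{
    struct node *prev = node_get(n->prev);
    node_put(n);
    return prev;
}

/* put_found == 0: final put on the head, so the caller's reference is
 * consumed and the iteration's reference on *pn is handed to the caller.
 * put_found == 1: final put on *pn, as the patch in this thread proposes. */
static int find_seqno(struct node **pn, uint64_t seqno, int put_found)
{
    struct node *head = *pn;
    if (!head || head->seqno < seqno)
        return -1;
    for (*pn = node_get(head); *pn; *pn = node_walk(*pn))
        if ((*pn)->prev_seqno < seqno)
            break;
    node_put(put_found ? *pn : head);
    return 0;
}

/* Constructed chain 1 <- 2 <- 3. Baseline is one ref per node; the head has
 * a second ref owned by the caller. Returns refs left on n[which] after the
 * caller looks up seqno 1 and drops its single reference on the result. */
static int refs_after_lookup(int put_found, int which)
{
    struct node n[3] = { { 1, 1, 0, NULL }, { 1, 2, 1, &n[0] }, { 2, 3, 2, &n[1] } };
    struct node *f = &n[2];
    find_seqno(&f, 1, put_found);
    node_put(f);
    return n[which].refs;
}

int main(void)
{
    for (int p = 0; p < 2; p++)
        printf("put_found=%d: refs oldest=%d head=%d\n", p,
               refs_after_lookup(p, 0), refs_after_lookup(p, 2));
    return 0;
}
```

With the put on the head every node returns to its baseline count of one; with the put on `*pn` the head keeps the caller's reference (a leak) and the returned node falls to zero while its successor still points at it.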