Re: [PATCH] iio: buffer: Fix DMA fence leak in iio_buffer_enqueue_dmabuf()

[Jonathan Cameron]

On Wed, 01 Apr 2026 18:16:10 +0200
Paul Cercueil <paul@xxxxxxxxxxxxxxx> wrote:

> Hi Benoît,
> 
> Le mercredi 01 avril 2026 à 17:24 +0200, Benoît Monin a écrit :
> > iio_buffer_enqueue_dmabuf() allocates a struct iio_dma_fence (104
> > bytes,
> > kmalloc-128) via kmalloc_obj()+dma_fence_init(), which sets the
> > initial
> > kref to 1.  It then calls dma_resv_add_fence() which takes a second
> > reference (kref=2), and stores a raw pointer in block->fence.
> > 
> > On the success path the function returns without calling
> > dma_fence_put()
> > to release the initial reference, so every buffer enqueue permanently
> > leaks one kmalloc-128 allocation.
> > 
> > The iio_buffer_cleanup() work item only releases the temporary
> > reference
> > taken during completion signalling by
> > iio_buffer_signal_dmabuf_done();
> > the initial reference from dma_fence_init() is never released.
> > 
> > With four iio_rwdev instances at 240kHz and 512 samples per buffer,
> > this produces ~1875 kmalloc-128 allocations per second matching the
> > observed slab growth exactly. A test with ftrace confirmed that the
> > dma_fence_destroy event was never triggered.
> > 
> > Fix by calling dma_fence_put() after dma_resv_add_fence(),
> > transferring
> > ownership of the fence to the DMA reservation object. The DMA fence
> > then
> > gets properly discarded after being signalled.
> > 
> > Fixes: 3e26d9f08fbe0 ("iio: core: Add new DMABUF interface
> > infrastructure")
> > Originally-by: James Nuss <jamesnuss@xxxxxxxxxxxxxx>
> > Signed-off-by: Benoît Monin <benoit.monin@xxxxxxxxxxx>  
> 
> I had a look at the code and indeed, it looks like it's not releasing
> the dma_fence properly. The fix makes sense.
> 
> Reviewed-by: Paul Cercueil <paul@xxxxxxxxxxxxxxx>
Applied and marked for stable. 

Thanks,

J