[PATCH] fix: dma-buf: unwrap_merge_complex: dma_fence_get_stub reference leaked on all paths
From: WenTao Liang
Date: Fri Jun 26 2026 - 08:30:18 EST
dma_fence_get_stub() acquires an extra reference on the global stub
fence, but this reference is never released on any execution path. The
stub fence is filtered out inside dma_fence_unwrap_merge (already
signaled), so the extra reference is never consumed. Both success and
error paths fail to call dma_fence_put on the stub.
Cc: stable@xxxxxxxxxxxxxxx
Fixes: 245a4a7b531c ("dma-buf: generalize dma_fence unwrap & merging v3")
Signed-off-by: WenTao Liang <vulab@xxxxxxxxxxx>
---
drivers/dma-buf/st-dma-fence-unwrap.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/drivers/dma-buf/st-dma-fence-unwrap.c b/drivers/dma-buf/st-dma-fence-unwrap.c
index 72ca632e3981..b9ed85570211 100644
--- a/drivers/dma-buf/st-dma-fence-unwrap.c
+++ b/drivers/dma-buf/st-dma-fence-unwrap.c
@@ -483,7 +483,7 @@ static int unwrap_merge_order(void *arg)
static int unwrap_merge_complex(void *arg)
{
- struct dma_fence *fence, *f1, *f2, *f3, *f4, *f5;
+ struct dma_fence *fence, *f1, *f2, *f3, *f4, *f5, *stub;
struct dma_fence_unwrap iter;
int err = -ENOMEM;
@@ -508,10 +508,11 @@ static int unwrap_merge_complex(void *arg)
if (!f4)
goto error_put_f3;
+ stub = dma_fence_get_stub();
/* Signaled fences should be filtered, the two arrays merged. */
- f5 = dma_fence_unwrap_merge(f3, f4, dma_fence_get_stub());
+ f5 = dma_fence_unwrap_merge(f3, f4, stub);
if (!f5)
- goto error_put_f4;
+ goto error_put_stub;
err = 0;
dma_fence_unwrap_for_each(fence, &iter, f5) {
@@ -532,8 +533,10 @@ static int unwrap_merge_complex(void *arg)
err = -EINVAL;
}
+ dma_fence_put(stub);
dma_fence_put(f5);
-error_put_f4:
+error_put_stub:
+ dma_fence_put(stub);
dma_fence_put(f4);
error_put_f3:
dma_fence_put(f3);
--
2.39.5 (Apple Git-154)