Re: [PATCH] dma-fence: Make dma_fence_dedup_array() robust against 0-count input
From: Christian König
Date: Mon Jun 29 2026 - 04:48:34 EST
On 6/29/26 05:13, Baineng Shou wrote:
> dma_fence_dedup_array() returns 1 when called with num_fences == 0:
> the for-loop body never executes, j stays at 0, and the final
> `return ++j` yields 1. This contradicts both the kernel-doc ("Return:
> Number of unique fences remaining in the array") and the natural
> expectation that 0 input gives 0 output.
Good catch.
>
> All in-tree callers currently filter num_fences == 0 before invoking
> this helper (__dma_fence_unwrap_merge() bails out via the
> `if (count == 0 || count == 1)` fast path; amdgpu_userq_wait_*()
> cannot reach the dedup call with a zero local count because the
> amdgpu_userq_wait_add_fence() helper guarantees num_fences stays in
> [0, wait_info->num_fences], and wait_info->num_fences > 0 is enforced
> at the ioctl entry).
That's not correct, wait_info->num_fences is just the maximum amount of fences we return.
It is perfectly possible that amdgpu never finds any fences to add to the array.
>
> However, dma_fence_dedup_array() is EXPORT_SYMBOL_GPL, so any future
> caller that forgets to pre-filter the zero case will get a misleading
> return value of 1. Depending on how that caller uses the result, it
> could dereference an uninitialized fence slot in the array, since the
> caller's array may have been allocated but not yet populated.
>
> Make the contract match the documentation by returning 0 early. This
> also skips an unnecessary sort() call on an empty array.
>
> Signed-off-by: Baineng Shou <shoubaineng@xxxxxxxxx>
Reviewed-by: Christian König <christian.koenig@xxxxxxx>
I will add a CC stable before pushing to drm-misc-fixes.
Thanks,
Christian.
> ---
> drivers/dma-buf/dma-fence-unwrap.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/dma-buf/dma-fence-unwrap.c b/drivers/dma-buf/dma-fence-unwrap.c
> index 53bb40e70b27..364cbf79ad73 100644
> --- a/drivers/dma-buf/dma-fence-unwrap.c
> +++ b/drivers/dma-buf/dma-fence-unwrap.c
> @@ -97,6 +97,9 @@ int dma_fence_dedup_array(struct dma_fence **fences, int num_fences)
> {
> int i, j;
>
> + if (!num_fences)
> + return 0;
> +
> sort(fences, num_fences, sizeof(*fences), fence_cmp, NULL);
>
> /*
> --
> 2.34.1
>