On Mon, Jun 08, 2026 at 06:15:40AM +0000, Wentao Liang wrote: > xe_range_fence_insert() acquires a reference on fence via > dma_fence_get() and stores it in rfence->fence. It then calls > dma_fence_add_callback() and handles two cases: when the callback > is successfully registered (err == 0) the fence is transferred to > the tree for later cleanup; when the fence is already signaled > (err == -ENOENT) it manually drops the extra reference with > dma_fence_put(fence). > > However, dma_fence_add_callback() can fail with other errors > (e.g. -EINVAL) and in that case the code falls through to the free: > label without releasing the acquired reference, leaking it. > > Fix the leak by adding an else branch that calls dma_fence_put() > before jumping to free: for any error other than -ENOENT. > > Cc: [email protected]
I’m going to drop the stable tag when I merge this, as in practice dma_fence_add_callback can only return -ENOENT unless the arguments passed are garbage. In this case, we are clearly passing valid input, or our driver would already be exploding. Anyway, this looks like a good change for completeness. With that: Reviewed-by: Matthew Brost <[email protected]> Thanks for the patch. Matt > Fixes: 845f64bdbfc9 ("drm/xe: Introduce a range-fence utility") > Signed-off-by: Wentao Liang <[email protected]> > --- > drivers/gpu/drm/xe/xe_range_fence.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/gpu/drm/xe/xe_range_fence.c > b/drivers/gpu/drm/xe/xe_range_fence.c > index 372378e89e98..3d8fa194a7b0 100644 > --- a/drivers/gpu/drm/xe/xe_range_fence.c > +++ b/drivers/gpu/drm/xe/xe_range_fence.c > @@ -77,6 +77,8 @@ int xe_range_fence_insert(struct xe_range_fence_tree *tree, > } else if (err == 0) { > xe_range_fence_tree_insert(rfence, &tree->root); > return 0; > + } else { > + dma_fence_put(fence); > } > > free: > -- > 2.34.1 >
