On 6/7/26 12:03, Wentao Liang wrote: > dma_fence_unwrap_for_each() internally calls dma_fence_unwrap_first() > which does cursor->chain = dma_fence_get(head), taking an extra > reference. On normal loop completion, dma_fence_unwrap_next() > releases this via dma_fence_chain_walk() -> dma_fence_put(). > > When virtio_gpu_do_fence_wait() fails and the function returns early > from inside the loop, the cursor->chain reference is never released. > This is the only caller in the entire kernel that does an early return > inside dma_fence_unwrap_for_each. > > Add dma_fence_put(itr.chain) before the early return. > > Cc: [email protected] > Fixes: eba57fb5498f ("drm/virtio: Wait for each dma-fence of in-fence array > individually") > Signed-off-by: Wentao Liang <[email protected]> > --- > drivers/gpu/drm/virtio/virtgpu_submit.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/virtio/virtgpu_submit.c > b/drivers/gpu/drm/virtio/virtgpu_submit.c > index dae761fa5788..32cb1e4aa425 100644 > --- a/drivers/gpu/drm/virtio/virtgpu_submit.c > +++ b/drivers/gpu/drm/virtio/virtgpu_submit.c > @@ -65,8 +65,10 @@ static int virtio_gpu_dma_fence_wait(struct > virtio_gpu_submit *submit, > > dma_fence_unwrap_for_each(f, &itr, fence) { > err = virtio_gpu_do_fence_wait(submit, f); > - if (err) > + if (err) { > + dma_fence_put(itr.chain); > return err; > + } > } > > return 0;
Applied to misc-fixes, thanks! -- Best regards, Dmitry
