On 3/28/26 11:26, Li Ming wrote:
On 2026/3/28 02:47, Li Ming wrote:
dma_fence_chain_find_seqno() uses dma_fence_chain_for_each() to walk a given dma_fence_chain. dma_fence_chain_for_each() always holds a reference for the current fence during iteration. The reference must be dropped after breaking out. Instead of dereferencing the last fence as intended, dma_fence_chain_find_seqno() incorrectly dereferences the first fence in the chain.
Fixes: 7bf60c52e093 ("dma-buf: add new dma_fence_chain container v7")
Signed-off-by: Li Ming <ming.li@zohomail.com>
drivers/dma-buf/dma-fence-chain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/dma-buf/dma-fence-chain.c b/drivers/dma-buf/dma-fence-chain.c index a8a90acf4f34..71fa173aef13 100644 --- a/drivers/dma-buf/dma-fence-chain.c +++ b/drivers/dma-buf/dma-fence-chain.c @@ -103,7 +103,7 @@ int dma_fence_chain_find_seqno(struct dma_fence **pfence, uint64_t seqno) to_dma_fence_chain(*pfence)->prev_seqno < seqno) break; } - dma_fence_put(&chain->base); + dma_fence_put(*pfence); return 0; }
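Review bot: The replacement line `dma_fence_put(*pfence);` just before `return 0;` in dma_fence_chain_find_seqno() releases the reference on the fence the function is handing back. After the `break`, *pfence is the node the loop was still holding a reference on (the commit message itself notes that dma_fence_chain_for_each() holds a reference on the current fence), and that reference is what the caller ends up owning. The reference the caller passed in on the original fence is the one the existing `dma_fence_put(&chain->base);` releases, as the follow-up in this thread confirms. With the change the caller would get back a pointer with no reference of its own, while the original fence's reference is never dropped. Suggest dropping the patch and, if anything, adding a comment above the existing put stating that the caller's reference moves from the original fence to *pfence.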
base-commit: c369299895a591d96745d6492d4888259b004a9e
change-id: 20260327-fix_dma_fence_chain_find_seqno-7adea64efe01
Best regards,
After looking deeper into this issue, it is not a bug.
It seems this function requires the caller to hold a reference to the given fence before calling it. When pfence is changed, the reference needs to be transferred from the original fence to the new fence. That is why it releases the reference for the original fence at the end.
Yeah exactly that. We have documented the behavior in the kerneldoc:
 * Advance the fence pointer to the chain node which will signal this sequence
 * number.
But that is somehow not enough.
If you have suggestions on how to improve the comments then please speak up. This patch has been suggested as a "fix" numerous times.

Regards,
Christian.
Sorry to make this noise.
Ming
linaro-mm-sig@lists.linaro.org
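The reference hand-off discussed in this thread, as an added toy model in C that is not part of the original messages or the kernel source. `struct fence`, `fence_get`, `fence_put`, `fence_walk`, the `patched` flag and the three-node chain are all constructed for illustration; the model counts references after the existing put on the original fence and after the put proposed in the patch.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model only: struct fence and these helpers are hypothetical, not kernel code. */
struct fence { int refs; uint64_t seqno; struct fence *prev; };

static struct fence *fence_get(struct fence *f) { if (f) f->refs++; return f; }
static void fence_put(struct fence *f) { if (f) f->refs--; }

/* One iteration step: reference the previous node, then drop the current one. */
static struct fence *fence_walk(struct fence *f)
{
    struct fence *prev = fence_get(f->prev);
    fence_put(f);
    return prev;
}

/* The caller owns one reference on *pf going in and one on *pf coming out. */
static int find_seqno(struct fence **pf, uint64_t seqno, int patched)
{
    struct fence *head = *pf;
    if (!head || head->seqno < seqno)
        return -1;
    /* The iterator always holds its own reference on the current node. */
    for (*pf = fence_get(head); *pf; *pf = fence_walk(*pf)) {
        uint64_t prev_seqno = (*pf)->prev ? (*pf)->prev->seqno : 0;
        if (prev_seqno < seqno)
            break;  /* the iterator's reference on *pf becomes the caller's */
    }
    /* Existing code releases the caller's old reference; the patch releases the new one. */
    fence_put(patched ? *pf : head);
    return 0;
}

struct result { int head_refs; int found_refs; uint64_t found_seqno; };
static struct result run(int patched)
{
    struct fence n1 = { 1, 1, NULL };  /* constructed chain: n3 -> n2 -> n1 */
    struct fence n2 = { 1, 2, &n1 };   /* n1 and n2 are each referenced by their successor */
    struct fence n3 = { 1, 3, &n2 };   /* n3's single reference is the caller's */
    struct fence *p = &n3;
    find_seqno(&p, 1, patched);
    return (struct result){ n3.refs, p->refs, p->seqno };
}

int main(void)
{
    printf("existing: head=%d found=%d\n", run(0).head_refs, run(0).found_refs);
    printf("patched:  head=%d found=%d\n", run(1).head_refs, run(1).found_refs);
    return 0;
}
```

With the existing put, the returned node carries two references (its successor's and the caller's) and the original head carries none from the caller. With the patched put, the returned node carries only its successor's reference and the head's reference is never released.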