On 23.09.25 13:14, Dan Carpenter wrote:
> Call dma_fence_put(fence) if dma_fence_add_callback() fails.
Well that change is obviously incorrect.
When dma_fence_add_callback() fails we already call dma_fence_put() and drop the reference.
When the dma_fence_add_callback() call succeeds the callback will drop the reference.
The problem here is that the return code of dma_fence_add_callback() is an integer error code instead of a bool and basically has the reverse meaning than what people usually expect.
I have it on my TODO list for years to fix that, but never found the time to actually do it. If anybody wants to volunteer then please go ahead.
Regards,
Christian.
>
> Fixes: 6b51b02a3a0a ("dma-buf: fix and rework dma_buf_poll v7")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> ---
> From code review, not from testing. Please review carefully.
>
> drivers/dma-buf/dma-buf.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
> index 2bcf9ceca997..a14e1f50b090 100644
> --- a/drivers/dma-buf/dma-buf.c
> +++ b/drivers/dma-buf/dma-buf.c
> @@ -301,9 +301,9 @@ static bool dma_buf_poll_add_cb(struct dma_resv *resv, bool write,
> fence) {
> dma_fence_get(fence);
> r = dma_fence_add_callback(fence, &dcb->cb, dma_buf_poll_cb);
> + dma_fence_put(fence);
> if (!r)
> return true;
> - dma_fence_put(fence);
> }
>
> return false;
