Re: [PATCH 2/5] dmaengine: Call module_put() after device_free_chan_resources()
From: Vinod Koul
Date: Mon Dec 23 2019 - 23:37:20 EST
On 16-12-19, 12:01, Logan Gunthorpe wrote:
> The module reference is taken to ensure the callbacks still exist
> when they are called. If the channel holds the last reference to the
> module, the module can disappear before device_free_chan_resources() is
> called and would cause a call into free'd memory.
>
> Signed-off-by: Logan Gunthorpe <logang@xxxxxxxxxxxx>
> ---
> drivers/dma/dmaengine.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/dma/dmaengine.c b/drivers/dma/dmaengine.c
> index 4b604086b1b3..776fdf535a3a 100644
> --- a/drivers/dma/dmaengine.c
> +++ b/drivers/dma/dmaengine.c
> @@ -250,7 +250,6 @@ static void dma_chan_put(struct dma_chan *chan)
> return;
>
> chan->client_count--;
> - module_put(dma_chan_to_owner(chan));
>
> /* This channel is not in use anymore, free it */
> if (!chan->client_count && chan->device->device_free_chan_resources) {
> @@ -259,6 +258,8 @@ static void dma_chan_put(struct dma_chan *chan)
> chan->device->device_free_chan_resources(chan);
> }
>
> + module_put(dma_chan_to_owner(chan));
> +
> /* If the channel is used via a DMA request router, free the mapping */
> if (chan->router && chan->router->route_free) {
> chan->router->route_free(chan->router->dev, chan->route_data);
I think this should be moved here after route_free() and will take care
of route cleanup as well
Thanks
--
~Vinod