Hi Logan,
Sorry for delay in reply!
On 22-10-19, 15:46, Logan Gunthorpe wrote:
> dma_chan_to_owner() dereferences the driver from the struct device to
> obtain the owner and call module_[get|put](). However, if the backing
> device is unbound before the dma_device is unregistered, the driver
> will be cleared and this will cause a NULL pointer dereference.
Have you been able to repro this? If so how..?
The expectation is that the driver shall unregister before removed.
>
> Instead, store a pointer to the owner module in the dma_device struct
> so the module reference can be properly put when the channel is put, even
> if the backing device was destroyed first.
>
> This change helps to support a safer unbind of DMA engines.
For error cases which should be fixed, so maybe this is a right way and
gets things fixed :)
> If the dma_device is unregistered in the driver's remove function,
> there's no guarantee that there are no existing clients and a users
> action may trigger the WARN_ONCE in dma_async_device_unregister()
> which is unlikely to leave the system in a consistent state.
> Instead, a better approach is to allow the backing driver to go away
> and fail any subsequent requests to it.
>
> Signed-off-by: Logan Gunthorpe <logang@xxxxxxxxxxxx>
> ---
> drivers/dma/dmaengine.c | 4 +++-
> include/linux/dmaengine.h | 2 ++
> 2 files changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/dma/dmaengine.c b/drivers/dma/dmaengine.c
> index 03ac4b96117c..4b604086b1b3 100644
> --- a/drivers/dma/dmaengine.c
> +++ b/drivers/dma/dmaengine.c
> @@ -179,7 +179,7 @@ __dma_device_satisfies_mask(struct dma_device *device,
>
> static struct module *dma_chan_to_owner(struct dma_chan *chan)
> {
> - return chan->device->dev->driver->owner;
> + return chan->device->owner;
> }
>
> /**
> @@ -919,6 +919,8 @@ int dma_async_device_register(struct dma_device *device)
> return -EIO;
> }
>
> + device->owner = device->dev->driver->owner;
> +
> if (dma_has_cap(DMA_MEMCPY, device->cap_mask) && !device->device_prep_dma_memcpy) {
> dev_err(device->dev,
> "Device claims capability %s, but op is not defined\n",
> diff --git a/include/linux/dmaengine.h b/include/linux/dmaengine.h
> index 8fcdee1c0cf9..13aa0abb71de 100644
> --- a/include/linux/dmaengine.h
> +++ b/include/linux/dmaengine.h
> @@ -674,6 +674,7 @@ struct dma_filter {
> * @fill_align: alignment shift for memset operations
> * @dev_id: unique device ID
> * @dev: struct device reference for dma mapping api
> + * @owner: owner module (automatically set based on the provided dev)
> * @src_addr_widths: bit mask of src addr widths the device supports
> * Width is specified in bytes, e.g. for a device supporting
> * a width of 4 the mask should have BIT(4) set.
> @@ -737,6 +738,7 @@ struct dma_device {
>
> int dev_id;
> struct device *dev;
> + struct module *owner;
>
> u32 src_addr_widths;
> u32 dst_addr_widths;
> --
> 2.20.1
--
~Vinod
