On 2019-11-09 10:18 a.m., Vinod Koul wrote: > Hi Logan, > > Sorry for delay in reply! > > On 22-10-19, 15:46, Logan Gunthorpe wrote: >> dma_chan_to_owner() dereferences the driver from the struct device to >> obtain the owner and call module_[get|put](). However, if the backing >> device is unbound before the dma_device is unregistered, the driver >> will be cleared and this will cause a NULL pointer dereference. > > Have you been able to repro this? If so how..? > > The expectation is that the driver shall unregister before removed. Yes, with my new driver, if I do a PCI unbind (which unregisters) while the DMA engine is in use, it panics. The point is the underlying driver can go away before the channel is removed. I suspect this is less of an issue for most devices as they wouldn't normally be unbound while in use (for example there's really no reason to ever unbind IOAT seeing it's built into the system). Though, the fact is, the user could unbind these devices at anytime and we don't want to panic if they do. >> >> Instead, store a pointer to the owner module in the dma_device struct >> so the module reference can be properly put when the channel is put, even >> if the backing device was destroyed first. >> >> This change helps to support a safer unbind of DMA engines. > > For error cases which should be fixed, so maybe this is a right way and > gets things fixed :) Yes, if you'd like to merge the first two patches ahead of the rest, that would make sense to me. Thanks, Logan