When a channel is removed from dmaengine, too many kref_put() calls
are made and the device removal happens too soon, usually causing
a panic.
Cc: Haavard Skinnemoen <[email protected]>
Cc: Dan Williams <[email protected]>
Signed-off-by: Shannon Nelson <[email protected]>
---
drivers/dma/dmaengine.c | 3 +--
1 files changed, 1 insertions(+), 2 deletions(-)
diff --git a/drivers/dma/dmaengine.c b/drivers/dma/dmaengine.c
index 84257f7..245da53 100644
--- a/drivers/dma/dmaengine.c
+++ b/drivers/dma/dmaengine.c
@@ -134,8 +134,7 @@ static void dma_async_device_cleanup(struct kref *kref);
static void dma_dev_release(struct device *dev)
{
- struct dma_chan *chan = to_dma_chan(dev);
- kref_put(&chan->device->refcount, dma_async_device_cleanup);
+ return;
}
static struct class dma_devclass = {
On Fri, Oct 26, 2007 at 04:56:48PM -0700, Shannon Nelson wrote:
> static void dma_dev_release(struct device *dev)
> {
> - struct dma_chan *chan = to_dma_chan(dev);
> - kref_put(&chan->device->refcount, dma_async_device_cleanup);
> + return;
> }
Practically guaranteed to be broken. Empty ->release() is almost certain
to mean that you can get operations on already freed object.
On Fri, 26 Oct 2007 16:56:48 -0700
Shannon Nelson <[email protected]> wrote:
> @@ -134,8 +134,7 @@ static void dma_async_device_cleanup(struct kref
> *kref);
> static void dma_dev_release(struct device *dev)
> {
> - struct dma_chan *chan = to_dma_chan(dev);
> - kref_put(&chan->device->refcount, dma_async_device_cleanup);
> + return;
> }
Hmm...what prevents dma_chan_cleanup() from being called while someone
still holds a reference to the "class" device? This will allow the
module removal to proceed, the device to be freed, and things will blow
up...
I think my patch is better. By taking two references, the order in
which the cleanup functions are called doesn't matter -- both have to
complete before the module removal is allowed to proceed.
HÃ¥vard