On Fri, Mar 27, 2026 at 04:58:38PM +0000, Nuno Sá wrote:
typo at subject possuible
dmaengine: move dma_chan_put() after check dmaengine device's privatecnt
> In dma_release_channel(), we first called dma_chan_put() and then
> checked chan->device->privatecnt for possibly clearing DMA_PRIVATE.
> However, dma_chan_put() will call dma_device_put() which could,
> potentially (if the DMA provider is already gone for example),
> release the last reference of the device and hence freeing
> the it.
Avoid use "we"..
In dma_release_channel(), call dma_chan_put() before check
chan->device->privatecnt, which cause DMA engine device potentially is gone
when the last reference of the device is released.
Fixed it by moving dma_chan_put() after check chan->device->privatecnt.
Frank
>
> Fix it, by doing the check before calling dma_chan_put().
>
> Fixes: 0f571515c332 ("dmaengine: Add privatecnt to revert DMA_PRIVATE property")
> Signed-off-by: Nuno Sá <nuno.sa@analog.com>
> ---
> drivers/dma/dmaengine.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/dma/dmaengine.c b/drivers/dma/dmaengine.c
> index 405bd2fbb4a3..9049171df857 100644
> --- a/drivers/dma/dmaengine.c
> +++ b/drivers/dma/dmaengine.c
> @@ -905,11 +905,12 @@ void dma_release_channel(struct dma_chan *chan)
> mutex_lock(&dma_list_mutex);
> WARN_ONCE(chan->client_count != 1,
> "chan reference count %d != 1\n", chan->client_count);
> - dma_chan_put(chan);
> /* drop PRIVATE cap enabled by __dma_request_channel() */
> if (--chan->device->privatecnt == 0)
> dma_cap_clear(DMA_PRIVATE, chan->device->cap_mask);
>
> + dma_chan_put(chan);
> +
> if (chan->slave) {
> sysfs_remove_link(&chan->dev->device.kobj, DMA_SLAVE_NAME);
> sysfs_remove_link(&chan->slave->kobj, chan->name);
>
> --
> 2.53.0
>