From: Shivank Garg <shivankg@amd.com>
To: Vinod Koul <vkoul@kernel.org>, Frank Li <Frank.Li@kernel.org>,
"Logan Gunthorpe" <logang@deltatee.com>
Cc: <stable@vger.kernel.org>, <dmaengine@vger.kernel.org>,
<linux-kernel@vger.kernel.org>, Shivank Garg <shivankg@amd.com>
Subject: [PATCH v2 1/2] dmaengine: Fix device kref underflow in dma_chan_put()
Date: Tue, 26 May 2026 11:19:18 +0000
Message-ID: <20260526-dmaengine-kref-fix-v2-1-3df60afac01d@amd.com>
In-Reply-To: <20260526-dmaengine-kref-fix-v2-0-3df60afac01d@amd.com>

dma_chan_get() takes chan->device->ref only on the slow path:

	/* no kref on fast path */
	if (chan->client_count) {
		__module_get(owner);
		chan->client_count++;
		return 0;
	}
	if (!try_module_get(owner))
		return -ENODEV;
	ret = kref_get_unless_zero(&chan->device->ref);

dma_chan_put() drops the ref unconditionally, so every fast-path
get/put pair drops one extra device reference.

The bug fires when two conditions hold together: a non-private
provider has a persistent client holding chan->client_count > 0
and another client cycles dmaengine_get()/dmaengine_put().
When the kref hits zero, the subsequent dma_find_channel() returns
NULL even though the provider module is still loaded.

Fix this by dropping device->ref only on the last put, matching the
single slow-path get.

Fixes: 8ad342a86359 ("dmaengine: Add reference counting to dma_device struct")
Signed-off-by: Shivank Garg <shivankg@amd.com>
---
drivers/dma/dmaengine.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/dma/dmaengine.c b/drivers/dma/dmaengine.c
index 405bd2fbb4a3b94fd0bf44526f656f6a19feaad0..605bfa477a004cc0b03957ffb85a52308f903441 100644
--- a/drivers/dma/dmaengine.c
+++ b/drivers/dma/dmaengine.c
@@ -515,7 +515,9 @@ static void dma_chan_put(struct dma_chan *chan)
chan->route_data = NULL;
}
- dma_device_put(chan->device);
+ /* This channel is not in use anymore, drop the device ref */
+ if (!chan->client_count)
+ dma_device_put(chan->device);
module_put(dma_chan_to_owner(chan));
}
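Review bot: The new comment above `if (!chan->client_count)` says the channel is no longer in use, but it does not say why the device ref is tied to that condition while `module_put()` on the next line stays unconditional. Suggest wording it as the pairing, for example "Drop the device ref taken on the dma_chan_get() slow path; fast-path gets take only a module ref", so the asymmetry is documented where it is enforced. The test also depends on chan->client_count having already been decremented earlier in dma_chan_put(), which this hunk does not show; a sentence in the commit message confirming that ordering would make the fix easier to verify for the stable backport.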
--
2.43.0
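
Added example (not part of the original message or the kernel source): a user-space C model of the get/put asymmetry the commit message describes, run with the unconditional put and with the last-put-only fix. The model_* names, the starting device reference of 1 and the placement of the client_count decrement in the put path are assumptions of this model.

```c
/* User-space model only; names are hypothetical, not kernel symbols. */
#include <stdio.h>

struct model_dev  { int ref; };           /* stands in for chan->device->ref */
struct model_chan { int client_count; struct model_dev *dev; };

/* Mirrors the quoted dma_chan_get(): device ref taken only on the slow path. */
static int model_get(struct model_chan *c)
{
	if (c->client_count) {            /* fast path: no device ref */
		c->client_count++;
		return 0;
	}
	if (c->dev->ref == 0)             /* kref_get_unless_zero() would fail */
		return -1;
	c->dev->ref++;
	c->client_count++;
	return 0;
}

/* fixed == 0: device put on every call; fixed == 1: only on the last put.
 * Assumption: client_count is decremented before the check. */
static void model_put(struct model_chan *c, int fixed)
{
	c->client_count--;
	if (!fixed || !c->client_count)
		c->dev->ref--;
}

/* A persistent client holds the channel while a second client cycles
 * get/put. Returns the device ref left after `cycles` pairs. */
static int run_scenario(int fixed, int cycles)
{
	struct model_dev dev = { .ref = 1 };   /* constructed starting ref */
	struct model_chan chan = { 0, &dev };

	model_get(&chan);                      /* persistent client, slow path */
	for (int i = 0; i < cycles; i++) {
		if (model_get(&chan))          /* cycling client, fast path */
			break;
		model_put(&chan, fixed);
	}
	return dev.ref;
}

int main(void)
{
	printf("unconditional put: ref=%d\n", run_scenario(0, 2));
	printf("last-put-only:     ref=%d\n", run_scenario(1, 2));
	return 0;
}
```

In the model the unconditional put reaches zero after two fast-path cycles while the persistent client still holds the channel; with the fix the count stays constant however many cycles run.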