[PATCH v2 1/4] dmaengine: Fix possible use after free
From: Nuno Sá via B4 Relay
Date: Fri Mar 27 2026 - 13:06:44 EST
From: Nuno Sá <nuno.sa@xxxxxxxxxx>
In dma_release_channel(), we first called dma_chan_put() and then
checked chan->device->privatecnt for possibly clearing DMA_PRIVATE.
However, dma_chan_put() will call dma_device_put() which could,
potentially (if the DMA provider is already gone for example),
release the last reference to the device and hence free it.
Fix it by doing the check before calling dma_chan_put().
Fixes: 0f571515c332 ("dmaengine: Add privatecnt to revert DMA_PRIVATE property")
Signed-off-by: Nuno Sá <nuno.sa@xxxxxxxxxx>
---
drivers/dma/dmaengine.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/dma/dmaengine.c b/drivers/dma/dmaengine.c
index 405bd2fbb4a3..9049171df857 100644
--- a/drivers/dma/dmaengine.c
+++ b/drivers/dma/dmaengine.c
@@ -905,11 +905,12 @@ void dma_release_channel(struct dma_chan *chan)
mutex_lock(&dma_list_mutex);
WARN_ONCE(chan->client_count != 1,
"chan reference count %d != 1\n", chan->client_count);
- dma_chan_put(chan);
/* drop PRIVATE cap enabled by __dma_request_channel() */
if (--chan->device->privatecnt == 0)
dma_cap_clear(DMA_PRIVATE, chan->device->cap_mask);
+ dma_chan_put(chan);
+
if (chan->slave) {
sysfs_remove_link(&chan->dev->device.kobj, DMA_SLAVE_NAME);
sysfs_remove_link(&chan->slave->kobj, chan->name);
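Review bot: the same hazard this hunk fixes for chan->device->privatecnt still applies to the lines that remain after the moved dma_chan_put(): `if (chan->slave)`, `chan->dev->device.kobj` and `chan->slave->kobj` are all dereferenced through chan after the call that, per the commit message, can drop the last device reference. If the channel and its chan->dev are owned by the device that may be freed there, the sysfs_remove_link() block should move above dma_chan_put() as well; otherwise a short comment explaining why those accesses stay valid after the put would help the next reader.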
--
2.53.0