dmaengine: Call module_put() after device_free_chan_resources()

The module reference is taken to ensure the callbacks still exist
when they are called. If the channel holds the last reference to the
module, the module can disappear before device_free_chan_resources() is
called and would cause a call into free'd memory.

Signed-off-by: Logan Gunthorpe <logang@deltatee.com>
Link: https://lore.kernel.org/r/20191216190120.21374-3-logang@deltatee.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>

diff --git a/drivers/dma/dmaengine.c b/drivers/dma/dmaengine.c
index 4b60408..776fdf5 100644 (file)
--- a/drivers/dma/dmaengine.c
+++ b/drivers/dma/dmaengine.c
@@ -250,7 +250,6 @@ static void dma_chan_put(struct dma_chan *chan)
                return;
 
        chan->client_count--;
-       module_put(dma_chan_to_owner(chan));
 
        /* This channel is not in use anymore, free it */
        if (!chan->client_count && chan->device->device_free_chan_resources) {
@@ -259,6 +258,8 @@ static void dma_chan_put(struct dma_chan *chan)
                chan->device->device_free_chan_resources(chan);
        }
 
+       module_put(dma_chan_to_owner(chan));
+
        /* If the channel is used via a DMA request router, free the mapping */
        if (chan->router && chan->router->route_free) {
                chan->router->route_free(chan->router->dev, chan->route_data);